1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
23 #include "curl_setup.h"
25 #if defined(USE_NTLM) && defined(NTLM_WB_ENABLED)
30 * http://davenport.sourceforge.net/ntlm.html
31 * http://www.innovation.ch/java/ntlm.html
36 #ifdef HAVE_SYS_WAIT_H
46 #include "curl_ntlm_msgs.h"
47 #include "curl_ntlm_wb.h"
50 #include "curl_memory.h"
52 #define _MPRINTF_REPLACE /* use our functions only */
53 #include <curl/mprintf.h>
55 /* The last #include file should be: */
59 # define DEBUG_OUT(x) x
61 # define DEBUG_OUT(x) Curl_nop_stmt
64 /* Portable 'sclose_nolog' used only in child process instead of 'sclose'
65 to avoid fooling the socket leak detector */
66 #if defined(HAVE_CLOSESOCKET)
67 # define sclose_nolog(x) closesocket((x))
68 #elif defined(HAVE_CLOSESOCKET_CAMEL)
69 # define sclose_nolog(x) CloseSocket((x))
71 # define sclose_nolog(x) close((x))
74 void Curl_ntlm_wb_cleanup(struct connectdata *conn)
76 if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
77 sclose(conn->ntlm_auth_hlpr_socket);
78 conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
81 if(conn->ntlm_auth_hlpr_pid) {
83 for(i = 0; i < 4; i++) {
84 pid_t ret = waitpid(conn->ntlm_auth_hlpr_pid, NULL, WNOHANG);
85 if(ret == conn->ntlm_auth_hlpr_pid || errno == ECHILD)
89 kill(conn->ntlm_auth_hlpr_pid, SIGTERM);
92 /* Give the process another moment to shut down cleanly before
93 bringing down the axe */
97 kill(conn->ntlm_auth_hlpr_pid, SIGKILL);
103 conn->ntlm_auth_hlpr_pid = 0;
106 Curl_safefree(conn->challenge_header);
107 conn->challenge_header = NULL;
108 Curl_safefree(conn->response_header);
109 conn->response_header = NULL;
112 static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
114 curl_socket_t sockfds[2];
116 const char *username;
117 char *slash, *domain = NULL;
118 const char *ntlm_auth = NULL;
119 char *ntlm_auth_alloc = NULL;
122 /* Return if communication with ntlm_auth already set up */
123 if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD ||
124 conn->ntlm_auth_hlpr_pid)
128 slash = strpbrk(username, "\\/");
130 if((domain = strdup(username)) == NULL)
131 return CURLE_OUT_OF_MEMORY;
132 slash = domain + (slash - username);
134 username = username + (slash - domain) + 1;
137 /* For testing purposes, when DEBUGBUILD is defined and environment
138 variable CURL_NTLM_WB_FILE is set a fake_ntlm is used to perform
139 NTLM challenge/response which only accepts commands and output
140 strings pre-written in test case definitions */
142 ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE");
144 ntlm_auth = ntlm_auth_alloc;
147 ntlm_auth = NTLM_WB_FILE;
149 if(access(ntlm_auth, X_OK) != 0) {
151 failf(conn->data, "Could not access ntlm_auth: %s errno %d: %s",
152 ntlm_auth, error, Curl_strerror(conn, error));
156 if(socketpair(AF_UNIX, SOCK_STREAM, 0, sockfds)) {
158 failf(conn->data, "Could not open socket pair. errno %d: %s",
159 error, Curl_strerror(conn, error));
164 if(child_pid == -1) {
168 failf(conn->data, "Could not fork. errno %d: %s",
169 error, Curl_strerror(conn, error));
172 else if(!child_pid) {
177 /* Don't use sclose in the child since it fools the socket leak detector */
178 sclose_nolog(sockfds[0]);
179 if(dup2(sockfds[1], STDIN_FILENO) == -1) {
181 failf(conn->data, "Could not redirect child stdin. errno %d: %s",
182 error, Curl_strerror(conn, error));
186 if(dup2(sockfds[1], STDOUT_FILENO) == -1) {
188 failf(conn->data, "Could not redirect child stdout. errno %d: %s",
189 error, Curl_strerror(conn, error));
194 execl(ntlm_auth, ntlm_auth,
195 "--helper-protocol", "ntlmssp-client-1",
196 "--use-cached-creds",
197 "--username", username,
201 execl(ntlm_auth, ntlm_auth,
202 "--helper-protocol", "ntlmssp-client-1",
203 "--use-cached-creds",
204 "--username", username,
208 sclose_nolog(sockfds[1]);
209 failf(conn->data, "Could not execl(). errno %d: %s",
210 error, Curl_strerror(conn, error));
215 conn->ntlm_auth_hlpr_socket = sockfds[0];
216 conn->ntlm_auth_hlpr_pid = child_pid;
217 Curl_safefree(domain);
218 Curl_safefree(ntlm_auth_alloc);
222 Curl_safefree(domain);
223 Curl_safefree(ntlm_auth_alloc);
224 return CURLE_REMOTE_ACCESS_DENIED;
227 static CURLcode ntlm_wb_response(struct connectdata *conn,
228 const char *input, curlntlm state)
231 char buf[NTLM_BUFSIZE];
233 size_t len_in = strlen(input);
234 size_t len_out = sizeof(buf);
237 ssize_t written = swrite(conn->ntlm_auth_hlpr_socket, input, len_in);
239 /* Interrupted by a signal, retry it */
242 /* write failed if other errors happen */
250 size = sread(conn->ntlm_auth_hlpr_socket, tmpbuf, len_out);
258 else if(tmpbuf[size - 1] == '\n') {
259 tmpbuf[size - 1] = '\0';
267 /* Samba/winbind installed but not configured */
268 if(state == NTLMSTATE_TYPE1 &&
270 buf[0] == 'P' && buf[1] == 'W')
271 return CURLE_REMOTE_ACCESS_DENIED;
272 /* invalid response */
275 if(state == NTLMSTATE_TYPE1 &&
276 (buf[0]!='Y' || buf[1]!='R' || buf[2]!=' '))
278 if(state == NTLMSTATE_TYPE2 &&
279 (buf[0]!='K' || buf[1]!='K' || buf[2]!=' ') &&
280 (buf[0]!='A' || buf[1]!='F' || buf[2]!=' '))
283 conn->response_header = aprintf("NTLM %.*s", size - 4, buf + 3);
286 return CURLE_REMOTE_ACCESS_DENIED;
290 * This is for creating ntlm header output by delegating challenge/response
291 * to Samba's winbind daemon helper ntlm_auth.
293 CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
296 /* point to the address of the pointer that holds the string to send to the
297 server, which is for a plain host or for a HTTP proxy */
299 /* point to the name and password for this */
301 /* point to the correct struct with this */
302 struct ntlmdata *ntlm;
305 CURLcode res = CURLE_OK;
309 DEBUGASSERT(conn->data);
312 allocuserpwd = &conn->allocptr.proxyuserpwd;
313 userp = conn->proxyuser;
314 ntlm = &conn->proxyntlm;
315 authp = &conn->data->state.authproxy;
318 allocuserpwd = &conn->allocptr.userpwd;
321 authp = &conn->data->state.authhost;
325 /* not set means empty */
329 switch(ntlm->state) {
330 case NTLMSTATE_TYPE1:
332 /* Use Samba's 'winbind' daemon to support NTLM authentication,
333 * by delegating the NTLM challenge/response protocal to a helper
335 * http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
336 * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
337 * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
338 * Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this
339 * feature is enabled and 'NTLM_WB_FILE' symbol holds absolute
340 * filename of ntlm_auth helper.
341 * If NTLM authentication using winbind fails, go back to original
342 * request handling process.
344 /* Create communication with ntlm_auth */
345 res = ntlm_wb_init(conn, userp);
348 res = ntlm_wb_response(conn, "YR\n", ntlm->state);
352 Curl_safefree(*allocuserpwd);
353 *allocuserpwd = aprintf("%sAuthorization: %s\r\n",
354 proxy ? "Proxy-" : "",
355 conn->response_header);
356 DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
357 Curl_safefree(conn->response_header);
358 conn->response_header = NULL;
360 case NTLMSTATE_TYPE2:
361 input = aprintf("TT %s\n", conn->challenge_header);
363 return CURLE_OUT_OF_MEMORY;
364 res = ntlm_wb_response(conn, input, ntlm->state);
370 Curl_safefree(*allocuserpwd);
371 *allocuserpwd = aprintf("%sAuthorization: %s\r\n",
372 proxy ? "Proxy-" : "",
373 conn->response_header);
374 DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
375 ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
377 Curl_ntlm_wb_cleanup(conn);
379 case NTLMSTATE_TYPE3:
380 /* connection is already authenticated,
381 * don't send a header in future requests */
393 #endif /* USE_NTLM && NTLM_WB_ENABLED */