moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-02-28 17:31:46 -05:00
Code Issues Releases Wiki Activity

NTLM single-sign on adjustments (VIII)

Browse Source 
Use preprocessor symbols WINBIND_NTLM_AUTH_ENABLED and WINBIND_NTLM_AUTH_FILE
for Samba's winbind daemon ntlm_auth helper code implementation and filename.

Retain preprocessor symbol USE_NTLM_SSO for NTLM single-sign-on feature
availability implementation independent.

For test harness, prefix NTLM_AUTH environment vars with CURL_

Refactor and rename configure option --with-ntlm-auth to --enable-wb-ntlm-auth[=FILE]
This commit is contained in:
Yang Tse 2011-07-31 20:44:41 +02:00
parent cc3e01cfae
commit 10a0bed485
10 changed files with 107 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
configure.ac
View File

@ -2687,34 +2687,6 @@ then
USE_MANUAL="no"; USE_MANUAL="no";
fi fi
dnl **********************************************************
dnl path of NTLM single-sign-on helper ntlm_auth
dnl
AC_ARG_WITH(ntlm-auth,
AC_HELP_STRING([--with-ntlm-auth=PATH],
[Where to look for ntlm_auth, path points to ntlm_auth installation (default: /usr/bin/ntlm_auth);])
AC_HELP_STRING([--without-ntlm-auth],
[disable ntlm single-sign-on by using ntlm_auth]),
ntlm_auth="$withval",
[if test "$ac_cv_native_windows" = "yes"; then ntlm_auth="no"; else ntlm_auth="/usr/bin/ntlm_auth"; fi])
AC_MSG_CHECKING([if using ntlm_auth is requested])
if test "$ntlm_auth" != "no"; then
AC_DEFINE(USE_NTLM_AUTH, 1, [Whether or not use Samba's 'winbind' daemon helper 'ntlm_auth' for NTLM single-sign-on])
AC_SUBST(USE_NTLM_AUTH, [1])
if test "$ntlm_auth" = "yes"; then
dnl --with-ntlm-auth (without path) used, use default path
ntlm_auth="/usr/bin/ntlm_auth"
fi
AC_MSG_RESULT($ntlm_auth)
else
AC_MSG_RESULT(no)
fi
AC_SUBST(ntlm_auth)
AC_DEFINE_UNQUOTED(NTLM_AUTH, "$ntlm_auth", [Samba's 'winbind' daemon helper 'ntlm_auth' which can be used for NTLM single-sign-on])
dnl ************************************************************************* dnl *************************************************************************
dnl If the manual variable still is set, then we go with providing a built-in dnl If the manual variable still is set, then we go with providing a built-in
dnl manual dnl manual
@ -2823,6 +2795,10 @@ AC_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]),
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
) )
CURL_CHECK_OPTION_WINBIND_NTLM_AUTH
CURL_CHECK_WINBIND_NTLM_AUTH
dnl ************************************************************ dnl ************************************************************
dnl disable TLS-SRP authentication dnl disable TLS-SRP authentication
dnl dnl
@ -2998,7 +2974,7 @@ if test "x$CURL_DISABLE_HTTP" != "x1"; then
if test "x$USE_SSLEAY" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \ if test "x$USE_SSLEAY" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1"; then -o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM" SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
if test "x$USE_NTLM_AUTH" = "x1"; then if test "x$WINBIND_NTLM_AUTH_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_SSO" SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_SSO"
fi fi
fi fi

6
lib/http.c
View File

@ -542,9 +542,13 @@ output_auth_headers(struct connectdata *conn,
#ifdef USE_NTLM_SSO #ifdef USE_NTLM_SSO
if(authstatus->picked == CURLAUTH_NTLM_SSO) { if(authstatus->picked == CURLAUTH_NTLM_SSO) {
auth="NTLM_SSO"; auth="NTLM_SSO";
#ifdef WINBIND_NTLM_AUTH_ENABLED
result = Curl_output_ntlm_sso(conn, proxy); result = Curl_output_ntlm_sso(conn, proxy);
if(result) if(result)
return result; return result;
#else
return CURLE_REMOTE_ACCESS_DENIED;
#endif
} }
else else
#endif #endif
@ -767,7 +771,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
Curl_input_ntlm(conn, (bool)(httpcode == 407), start); Curl_input_ntlm(conn, (bool)(httpcode == 407), start);
if(CURLNTLM_BAD != ntlm) { if(CURLNTLM_BAD != ntlm) {
data->state.authproblem = FALSE; data->state.authproblem = FALSE;
#ifdef USE_NTLM_SSO #ifdef WINBIND_NTLM_AUTH_ENABLED
if(authp->picked == CURLAUTH_NTLM_SSO) { if(authp->picked == CURLAUTH_NTLM_SSO) {
*availp &= ~CURLAUTH_NTLM; *availp &= ~CURLAUTH_NTLM;
authp->avail &= ~CURLAUTH_NTLM; authp->avail &= ~CURLAUTH_NTLM;

34
lib/http_ntlm.c
View File

@ -33,14 +33,16 @@
#define DEBUG_ME 0 #define DEBUG_ME 0
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UNISTD_H #ifdef HAVE_UNISTD_H
#include <unistd.h> #include <unistd.h>
#endif #endif
#ifdef HAVE_SYS_WAIT_H
#ifdef USE_NTLM_SSO
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h> #include <sys/wait.h>
#endif
#ifdef HAVE_SIGNAL_H
#include <signal.h> #include <signal.h>
#endif #endif
@ -677,7 +679,7 @@ static void unicodecpy(unsigned char *dest,
} }
#endif #endif
#ifdef USE_NTLM_SSO #ifdef WINBIND_NTLM_AUTH_ENABLED
static void sso_ntlm_close(struct connectdata *conn) static void sso_ntlm_close(struct connectdata *conn)
{ {
if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) { if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
@ -742,17 +744,17 @@ static CURLcode sso_ntlm_initiate(struct connectdata *conn,
username = username + (slash - domain) + 1; username = username + (slash - domain) + 1;
} }
/* When DEBUGBUILD is defined and environment variable NTLM_AUTH is set /* For testing purposes, when DEBUGBUILD is defined and environment
* (in test case 2005), use a fake_ntlm to do NTLM challenge/response, variable CURL_NTLM_AUTH is set a fake_ntlm is used to perform
* which only accept commands and output strings pre-written/saved in NTLM challenge/response which only accepts commands and output
* test case 2005 */ strings pre-written in test case definitions */
#ifdef DEBUGBUILD #ifdef DEBUGBUILD
ntlm_auth_alloc = curl_getenv("NTLM_AUTH"); ntlm_auth_alloc = curl_getenv("CURL_NTLM_AUTH");
if(ntlm_auth_alloc) if(ntlm_auth_alloc)
ntlm_auth = ntlm_auth_alloc; ntlm_auth = ntlm_auth_alloc;
else else
#endif #endif
ntlm_auth = NTLM_AUTH; ntlm_auth = WINBIND_NTLM_AUTH_FILE;
if(access(ntlm_auth, X_OK) != 0) { if(access(ntlm_auth, X_OK) != 0) {
error = ERRNO; error = ERRNO;
@ -940,9 +942,9 @@ CURLcode Curl_output_ntlm_sso(struct connectdata *conn,
* http://devel.squid-cache.org/ntlm/squid_helper_protocol.html * http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
* http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
* http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
* The preprocessor variable 'USE_NTLM_AUTH' indicates whether * Preprocessor symbol 'WINBIND_NTLM_AUTH_ENABLED' is defined when
* this feature is enabled. Another one 'NTLM_AUTH' contains absolute * this feature is enabled and 'WINBIND_NTLM_AUTH_FILE' symbol holds
* path of it. * absolute filename of ntlm_auth helper.
* If NTLM single-sign-on fails, go back to original request * If NTLM single-sign-on fails, go back to original request
* handling process. * handling process.
*/ */
@ -996,7 +998,7 @@ CURLcode Curl_output_ntlm_sso(struct connectdata *conn,
return CURLE_OK; return CURLE_OK;
} }
#endif /* USE_NTLM_SSO */ #endif /* WINBIND_NTLM_AUTH_ENABLED */
/* this is for creating ntlm header output */ /* this is for creating ntlm header output */
CURLcode Curl_output_ntlm(struct connectdata *conn, CURLcode Curl_output_ntlm(struct connectdata *conn,
@ -1644,7 +1646,7 @@ Curl_ntlm_cleanup(struct connectdata *conn)
ntlm_sspi_cleanup(&conn->ntlm); ntlm_sspi_cleanup(&conn->ntlm);
ntlm_sspi_cleanup(&conn->proxyntlm); ntlm_sspi_cleanup(&conn->proxyntlm);
#else #else
#ifdef USE_NTLM_SSO #ifdef WINBIND_NTLM_AUTH_ENABLED
sso_ntlm_close(conn); sso_ntlm_close(conn);
#endif #endif
(void)conn; (void)conn;

11
lib/http_ntlm.h
View File

@ -1,5 +1,5 @@
#ifndef __HTTP_NTLM_H #ifndef HEADER_CURL_HTTP_NTLM_H
#define __HTTP_NTLM_H #define HEADER_CURL_HTTP_NTLM_H
/*************************************************************************** /***************************************************************************
* _ _ ____ _ * _ _ ____ _
* Project ___| | | | _ \| | * Project ___| | | | _ \| |
@ -38,9 +38,9 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, bool proxy,
/* this is for creating ntlm header output */ /* this is for creating ntlm header output */
CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy); CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy);
#ifdef USE_NTLM_SSO #ifdef WINBIND_NTLM_AUTH_ENABLED
/* this is for creating ntlm header output by delegating challenge/response /* this is for creating ntlm header output by delegating challenge/response
* to a Samba's daemon helper ntlm_auth */ to Samba's winbind daemon helper ntlm_auth */
CURLcode Curl_output_ntlm_sso(struct connectdata *conn, bool proxy); CURLcode Curl_output_ntlm_sso(struct connectdata *conn, bool proxy);
#endif #endif
@ -152,4 +152,5 @@ void Curl_ntlm_cleanup(struct connectdata *conn);
#define NTLMFLAG_NEGOTIATE_56 (1<<31) #define NTLMFLAG_NEGOTIATE_56 (1<<31)
/* Indicates that 56-bit encryption is supported. */ /* Indicates that 56-bit encryption is supported. */
#endif
#endif /* HEADER_CURL_HTTP_NTLM_H */

2
lib/setup.h
View File

@ -566,7 +566,7 @@ int netware_init(void);
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \ #if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \
defined(USE_GNUTLS) || defined(USE_NSS) defined(USE_GNUTLS) || defined(USE_NSS)
#define USE_NTLM #define USE_NTLM
#if defined(USE_NTLM_AUTH) #if defined(WINBIND_NTLM_AUTH_ENABLED)
/* Support NTLM single-sign-on by using Samba's winbind daemon helper /* Support NTLM single-sign-on by using Samba's winbind daemon helper
'ntlm_auth' */ 'ntlm_auth' */
#define USE_NTLM_SSO #define USE_NTLM_SSO

2
lib/url.c
View File

@ -3515,7 +3515,7 @@ static struct connectdata *allocate_conn(struct SessionHandle *data)
conn->ip_version = data->set.ipver; conn->ip_version = data->set.ipver;
#ifdef USE_NTLM_SSO #ifdef WINBIND_NTLM_AUTH_ENABLED
conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD; conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
conn->ntlm_auth_hlpr_pid = 0; conn->ntlm_auth_hlpr_pid = 0;
conn->challenge_header = NULL; conn->challenge_header = NULL;

5
lib/urldata.h
View File

@ -905,9 +905,8 @@ struct connectdata {
single requests! */ single requests! */
struct ntlmdata proxyntlm; /* NTLM data for proxy */ struct ntlmdata proxyntlm; /* NTLM data for proxy */
#ifdef USE_NTLM_SSO #ifdef WINBIND_NTLM_AUTH_ENABLED
/* data used for communication with Samba's winbind daemon helper /* used for communication with Samba's winbind daemon helper ntlm_auth */
ntlm_auth */
curl_socket_t ntlm_auth_hlpr_socket; curl_socket_t ntlm_auth_hlpr_socket;
pid_t ntlm_auth_hlpr_pid; pid_t ntlm_auth_hlpr_pid;
char* challenge_header; char* challenge_header;

64
m4/curl-confopts.m4
View File

@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___ # | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____| # \___|\___/|_| \_\_____|
# #
# Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al. # Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
# #
# This software is licensed as described in the file COPYING, which # This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms # you should have received as part of this distribution. The terms
@ -21,7 +21,7 @@
#*************************************************************************** #***************************************************************************
# File version for 'aclocal' use. Keep it a single number. # File version for 'aclocal' use. Keep it a single number.
# serial 14 # serial 15
dnl CURL_CHECK_OPTION_THREADED_RESOLVER dnl CURL_CHECK_OPTION_THREADED_RESOLVER
dnl ------------------------------------------------- dnl -------------------------------------------------
@ -496,3 +496,63 @@ AC_DEFUN([CURL_CHECK_LIB_ARES], [
fi fi
]) ])
dnl CURL_CHECK_OPTION_WINBIND_NTLM_AUTH
dnl -------------------------------------------------
dnl Verify if configure has been invoked with option
dnl --enable-ntlm-auth or --disable-ntlm-auth, and
dnl set shell variable want_wb_ntlm_auth and
dnl want_wb_ntlm_auth_file as appropriate.
AC_DEFUN([CURL_CHECK_OPTION_WINBIND_NTLM_AUTH], [
AC_BEFORE([$0],[CURL_CHECK_WINBIND_NTLM_AUTH])dnl
OPT_WINBIND_NTLM_AUTH="default"
AC_ARG_ENABLE(wb-ntlm-auth,
AC_HELP_STRING([--enable-wb-ntlm-auth@<:@=FILE@:>@],[Enable winbind's ntlm_auth helper for NTLM SSO, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)])
AC_HELP_STRING([--disable-wb-ntlm-auth],[Disable winbind's ntlm_auth helper for NTLM SSO]),
OPT_WINBIND_NTLM_AUTH=$enableval)
want_wb_ntlm_auth_file="/usr/bin/ntlm_auth"
case "$OPT_WINBIND_NTLM_AUTH" in
no)
dnl --disable-wb-ntlm-auth option used
want_wb_ntlm_auth="no"
;;
default)
dnl configure option not specified
want_wb_ntlm_auth="yes"
;;
*)
dnl --enable-wb-ntlm-auth option used
want_wb_ntlm_auth="yes"
if test -n "$enableval" && test "$enableval" != "yes"; then
want_wb_ntlm_auth_file="$enableval"
fi
;;
esac
])
dnl CURL_CHECK_WINBIND_NTLM_AUTH
dnl -------------------------------------------------
dnl Check if winbind's ntlm_auth helper support will
dnl finally be enabled depending on configure option
dnl given and target platform.
AC_DEFUN([CURL_CHECK_WINBIND_NTLM_AUTH], [
AC_REQUIRE([CURL_CHECK_OPTION_WINBIND_NTLM_AUTH])dnl
AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl
AC_MSG_CHECKING([whether to enable winbind's ntlm_auth support for NTLM SSO])
if test "$ac_cv_native_windows" = "yes"; then
want_wb_ntlm_auth_file=""
want_wb_ntlm_auth="no"
fi
AC_MSG_RESULT([$want_wb_ntlm_auth])
if test "$want_wb_ntlm_auth" = "yes"; then
AC_DEFINE(WINBIND_NTLM_AUTH_ENABLED, 1,
[Define to enable winbind's ntlm_auth support for NTLM SSO.])
AC_DEFINE_UNQUOTED(WINBIND_NTLM_AUTH_FILE, "$want_wb_ntlm_auth_file",
[Define absolute filename for winbind's ntlm_auth helper.])
WINBIND_NTLM_AUTH_ENABLED=1
fi
])

6
tests/data/test1310
View File

@ -70,11 +70,11 @@ CURL_GETHOSTNAME=curlhost
# we try to use the LD_PRELOAD hack, if not a debug build # we try to use the LD_PRELOAD hack, if not a debug build
LD_PRELOAD=%PWD/libtest/.libs/libhostname.so LD_PRELOAD=%PWD/libtest/.libs/libhostname.so
# set path to fake_auth instead of real ntlm_auth to generate NTLM type1 and type 3 messages # set path to fake_auth instead of real ntlm_auth to generate NTLM type1 and type 3 messages
NTLM_AUTH=%PWD/server/fake_ntlm CURL_NTLM_AUTH=%PWD/server/fake_ntlm
# set source directory so fake_ntlm can find the test files # set source directory so fake_ntlm can find the test files
NTLM_AUTH_SRCDIR=%SRCDIR CURL_NTLM_AUTH_SRCDIR=%SRCDIR
# set the test number # set the test number
NTLM_AUTH_TESTNUM=1310 CURL_NTLM_AUTH_TESTNUM=1310
</setenv> </setenv>
<command> <command>
http://%HOSTIP:%HTTPPORT/1310 -u testuser:anypasswd --ntlm-sso http://%HOSTIP:%HTTPPORT/1310 -u testuser:anypasswd --ntlm-sso

8
tests/server/fake_ntlm.c
View File

@ -168,21 +168,21 @@ int main(int argc, char *argv[])
helper_user, helper_proto, helper_domain, helper_user, helper_proto, helper_domain,
(use_cached_creds == TRUE) ? "yes" : "no"); (use_cached_creds == TRUE) ? "yes" : "no");
env = getenv("NTLM_AUTH_TESTNUM"); env = getenv("CURL_NTLM_AUTH_TESTNUM");
if (env) { if (env) {
char *endptr; char *endptr;
long lnum = strtol(env, &endptr, 10); long lnum = strtol(env, &endptr, 10);
if((endptr != env + strlen(env)) || (lnum < 1L)) { if((endptr != env + strlen(env)) || (lnum < 1L)) {
logmsg("Test number not valid in NTLM_AUTH_TESTNUM"); logmsg("Test number not valid in CURL_NTLM_AUTH_TESTNUM");
exit(1); exit(1);
} }
testnum = lnum; testnum = lnum;
} else { } else {
logmsg("Test number not specified in NTLM_AUTH_TESTNUM"); logmsg("Test number not specified in CURL_NTLM_AUTH_TESTNUM");
exit(1); exit(1);
} }
env = getenv("NTLM_AUTH_SRCDIR"); env = getenv("CURL_NTLM_AUTH_SRCDIR");
if (env) { if (env) {
path = env; path = env;
} }