1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00

Christopher R. Palmer made it possible to build libcurl with the

USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the native
way to do NTLM. SSPI also allows libcurl to pass on the current user and its
password in the request.
This commit is contained in:
Daniel Stenberg 2005-03-10 23:15:29 +00:00
parent 2ab2e7675c
commit d1d35ba85f
9 changed files with 272 additions and 15 deletions

View File

@ -7,6 +7,12 @@
Changelog
Daniel (11 March 2005)
- Christopher R. Palmer made it possible to build libcurl with the
USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the
native way to do NTLM. SSPI also allows libcurl to pass on the current user
and its password in the request.
Daniel (9 March 2005)
- Dan F improved the SSL lib setup in configure.

View File

@ -42,7 +42,25 @@ OPENSSL_PATH = ../../openssl-0.9.7e
ZLIB_PATH = ../../zlib-1.2.1
!ENDIF
# Use the high resolution time by default. Comment this out to use low
# USE_WINDOWS_SSPI uses windows libraries to allow NTLM authentication
# without an openssl installation and offers the ability to authenticate
# using the "current logged in user". It does however require that the
# Windows SDK be installed.
#
# If, for some reason the Windows SDK is installed but not installed
# in the default location, you can specify WINDOWS_SDK_PATH.
# It can be downloaded from:
# http://www.microsoft.com/msdownload/platformsdk/sdkupdate/
# USE_WINDOWS_SSPI = 1
!IFDEF WINDOWS_SSPI
!IFNDEF WINDOWS_SDK_PATH
WINDOWS_SDK_PATH = "C:\Program Files\Microsoft SDK"
!ENDIF
!ENDIF
Use the high resolution time by default. Comment this out to use low
# resolution time and not require winmm.lib
USEMM_LIBS = YES
@ -69,6 +87,11 @@ CFLAGS = $(CFLAGS) /DWITHOUT_MM_LIB
# RSAglue.lib was formerly needed in the SSLLIBS
CFGSET = FALSE
!IFDEF WINDOWS_SSPI
CFLAGS = $(CFLAGS) /DUSE_WINDOWS_SSPI /I$(WINDOWS_SDK_PATH)\include
LFLAGS = $(LFLAGS) $(WINDOWS_SDK_PATH)\lib\secur32.lib
!ENDIF
######################
# release

View File

@ -406,7 +406,7 @@ Curl_http_output_auth(struct connectdata *conn,
/* Send proxy authentication header if needed */
if (conn->bits.httpproxy &&
(conn->bits.tunnel_proxy == proxytunnel)) {
#ifdef USE_SSLEAY
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI)
if(authproxy->want == CURLAUTH_NTLM) {
auth=(char *)"NTLM";
result = Curl_output_ntlm(conn, TRUE);
@ -474,7 +474,7 @@ Curl_http_output_auth(struct connectdata *conn,
}
else
#endif
#ifdef USE_SSLEAY
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI)
if(authhost->picked == CURLAUTH_NTLM) {
auth=(char *)"NTLM";
result = Curl_output_ntlm(conn, FALSE);
@ -587,7 +587,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
}
else
#endif
#ifdef USE_SSLEAY
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI)
/* NTLM support requires the SSL crypto libs */
if(checkprefix("NTLM", start)) {
*availp |= CURLAUTH_NTLM;

View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2004, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -30,7 +30,7 @@
*/
#ifndef CURL_DISABLE_HTTP
#ifdef USE_SSLEAY
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI)
/* We need OpenSSL for the crypto lib to provide us with MD4 and DES */
/* -- WIN32 approved -- */
@ -51,6 +51,8 @@
#define _MPRINTF_REPLACE /* use our functions only */
#include <curl/mprintf.h>
#ifndef USE_WINDOWS_SSPI
#include <openssl/des.h>
#include <openssl/md4.h>
#include <openssl/ssl.h>
@ -71,6 +73,12 @@
#define DESKEY(x) &x
#endif
#else
#include <rpc.h>
#endif
/* The last #include file should be: */
#include "memdebug.h"
@ -130,6 +138,14 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
#ifdef USE_WINDOWS_SSPI
if ((ntlm->type_2 = malloc(size+1)) == NULL) {
free(buffer);
return CURLE_OUT_OF_MEMORY;
}
ntlm->n_type_2 = size;
memcpy(ntlm->type_2, buffer, size);
#else
if(size >= 48)
/* the nonce of interest is index [24 .. 31], 8 bytes */
memcpy(ntlm->nonce, &buffer[24], 8);
@ -138,6 +154,7 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
/* at index decimal 20, there's a 32bit NTLM flag field */
free(buffer);
#endif
}
else {
if(ntlm->state >= NTLMSTATE_TYPE1)
@ -149,6 +166,8 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
return CURLNTLM_FINE;
}
#ifndef USE_WINDOWS_SSPI
/*
* Turns a 56 bit key into the 64 bit, odd parity key and sets the key. The
* key schedule ks is also set.
@ -275,6 +294,32 @@ static void mkhash(char *password,
free(pw);
}
#endif
#ifdef USE_WINDOWS_SSPI
static void
ntlm_sspi_cleanup(struct ntlmdata *ntlm)
{
if (ntlm->type_2) {
free(ntlm->type_2);
ntlm->type_2 = NULL;
}
if (ntlm->has_handles) {
DeleteSecurityContext(&ntlm->c_handle);
FreeCredentialsHandle(&ntlm->handle);
ntlm->has_handles = 0;
}
if (ntlm->p_identity) {
if (ntlm->identity.User) free(ntlm->identity.User);
if (ntlm->identity.Password) free(ntlm->identity.Password);
if (ntlm->identity.Domain) free(ntlm->identity.Domain);
ntlm->p_identity = NULL;
}
}
#endif
#define SHORTPAIR(x) ((x) & 0xff), ((x) >> 8)
#define LONGQUARTET(x) ((x) & 0xff), (((x) >> 8)&0xff), \
(((x) >>16)&0xff), ((x)>>24)
@ -333,6 +378,90 @@ CURLcode Curl_output_ntlm(struct connectdata *conn,
switch(ntlm->state) {
case NTLMSTATE_TYPE1:
default: /* for the weird cases we (re)start here */
#ifdef USE_WINDOWS_SSPI
{
SecBuffer buf;
SecBufferDesc desc;
SECURITY_STATUS status;
ULONG attrs;
const char *user;
int domlen;
ntlm_sspi_cleanup(ntlm);
user = strchr(userp, '\\');
if (!user)
user = strchr(userp, '/');
if (user) {
domain = userp;
domlen = user - userp;
user++;
}
else {
user = userp;
domain = "";
domlen = 0;
}
if (user && *user) {
/* note: initialize all of this before doing the mallocs so that
* it can be cleaned up later without leaking memory.
*/
ntlm->p_identity = &ntlm->identity;
memset(ntlm->p_identity, 0, sizeof(*ntlm->p_identity));
if ((ntlm->identity.User = strdup(user)) == NULL)
return CURLE_OUT_OF_MEMORY;
ntlm->identity.UserLength = strlen(user);
if ((ntlm->identity.Password = strdup(passwdp)) == NULL)
return CURLE_OUT_OF_MEMORY;
ntlm->identity.PasswordLength = strlen(passwdp);
if ((ntlm->identity.Domain = malloc(domlen+1)) == NULL)
return CURLE_OUT_OF_MEMORY;
strncpy(ntlm->identity.Domain, domain, domlen);
ntlm->identity.Domain[domlen] = '\0';
ntlm->identity.DomainLength = domlen;
ntlm->identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
}
else {
ntlm->p_identity = NULL;
}
if (AcquireCredentialsHandle(
NULL, "NTLM", SECPKG_CRED_OUTBOUND, NULL, ntlm->p_identity,
NULL, NULL, &ntlm->handle, NULL
) != SEC_E_OK) {
return CURLE_OUT_OF_MEMORY;
}
desc.ulVersion = SECBUFFER_VERSION;
desc.cBuffers = 1;
desc.pBuffers = &buf;
buf.cbBuffer = sizeof(ntlmbuf);
buf.BufferType = SECBUFFER_TOKEN;
buf.pvBuffer = ntlmbuf;
status = InitializeSecurityContext(&ntlm->handle, NULL, (char *) host,
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONNECTION,
0, SECURITY_NETWORK_DREP, NULL, 0,
&ntlm->c_handle, &desc, &attrs, NULL
);
if (status == SEC_I_COMPLETE_AND_CONTINUE ||
status == SEC_I_CONTINUE_NEEDED) {
CompleteAuthToken(&ntlm->c_handle, &desc);
}
else if (status != SEC_E_OK) {
FreeCredentialsHandle(&ntlm->handle);
return CURLE_RECV_ERROR;
}
ntlm->has_handles = 1;
size = buf.cbBuffer;
}
#else
hostoff = 32;
domoff = hostoff + hostlen;
@ -382,6 +511,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn,
/* initial packet length */
size = 32 + hostlen + domlen;
#endif
/* now keeper of the base64 encoded package size */
size = Curl_base64_encode((char *)ntlmbuf, size, &base64);
@ -417,6 +547,41 @@ CURLcode Curl_output_ntlm(struct connectdata *conn,
*/
{
#ifdef USE_WINDOWS_SSPI
SecBuffer type_2, type_3;
SecBufferDesc type_2_desc, type_3_desc;
SECURITY_STATUS status;
ULONG attrs;
type_2_desc.ulVersion = type_3_desc.ulVersion = SECBUFFER_VERSION;
type_2_desc.cBuffers = type_3_desc.cBuffers = 1;
type_2_desc.pBuffers = &type_2;
type_3_desc.pBuffers = &type_3;
type_2.BufferType = SECBUFFER_TOKEN;
type_2.pvBuffer = ntlm->type_2;
type_2.cbBuffer = ntlm->n_type_2;
type_3.BufferType = SECBUFFER_TOKEN;
type_3.pvBuffer = ntlmbuf;
type_3.cbBuffer = sizeof(ntlmbuf);
status = InitializeSecurityContext(&ntlm->handle, &ntlm->c_handle,
(char *) host,
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONNECTION,
0, SECURITY_NETWORK_DREP, &type_2_desc,
0, &ntlm->c_handle, &type_3_desc,
&attrs, NULL);
if (status != SEC_E_OK)
return CURLE_RECV_ERROR;
size = type_3.cbBuffer;
ntlm_sspi_cleanup(ntlm);
#else
int lmrespoff;
int ntrespoff;
int useroff;
@ -556,6 +721,8 @@ CURLcode Curl_output_ntlm(struct connectdata *conn,
ntlmbuf[56] = (unsigned char)(size & 0xff);
ntlmbuf[57] = (unsigned char)(size >> 8);
#endif
/* convert the binary blob into base64 */
size = Curl_base64_encode((char *)ntlmbuf, size, &base64);
@ -587,5 +754,16 @@ CURLcode Curl_output_ntlm(struct connectdata *conn,
return CURLE_OK;
}
void
Curl_ntlm_cleanup(struct connectdata *conn)
{
#ifdef USE_WINDOWS_SSPI
ntlm_sspi_cleanup(&conn->ntlm);
ntlm_sspi_cleanup(&conn->proxyntlm);
#endif
}
#endif /* USE_SSLEAY */
#endif /* !CURL_DISABLE_HTTP */

View File

@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2004, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -38,7 +38,7 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, bool proxy, char *header);
/* this is for creating ntlm header output */
CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy);
void Curl_ntlm_cleanup(struct SessionHandle *data);
void Curl_ntlm_cleanup(struct connectdata *conn);
/* Flag bits definitions based on http://davenport.sourceforge.net/ntlm.html */

View File

@ -832,7 +832,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
{
long auth = va_arg(param, long);
/* switch off bits we can't support */
#ifndef USE_SSLEAY
#if ! defined(USE_SSLEAY) && !defined(USE_WINDOWS_SSPI)
auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */
#endif
#ifndef HAVE_GSSAPI
@ -1449,6 +1449,10 @@ CURLcode Curl_disconnect(struct connectdata *conn)
data->state.authhost.want;
data->state.authproblem = FALSE;
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI)
Curl_ntlm_cleanup(conn);
#endif
}
if(conn->curl_disconnect)

View File

@ -188,10 +188,30 @@ typedef enum {
NTLMSTATE_LAST
} curlntlm;
#ifdef USE_WINDOWS_SSPI
/* When including these headers, you must define either SECURITY_WIN32
* or SECURITY_KERNEL, indicating who is compiling the code.
*/
#define SECURITY_WIN32 1
#include <sspi.h>
#include <Security.h>
#include <rpc.h>
#endif
/* Struct used for NTLM challenge-response authentication */
struct ntlmdata {
curlntlm state;
#ifdef USE_WINDOWS_SSPI
CredHandle handle;
CtxtHandle c_handle;
SEC_WINNT_AUTH_IDENTITY identity;
SEC_WINNT_AUTH_IDENTITY *p_identity;
int has_handles;
void *type_2;
int n_type_2;
#else
unsigned char nonce[8];
#endif
};
#ifdef HAVE_GSSAPI

View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2004, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -194,6 +194,8 @@ static curl_version_info_data version_info = {
#endif
#ifdef USE_SSLEAY
| CURL_VERSION_SSL
#endif
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI)
| CURL_VERSION_NTLM /* since this requires OpenSSL */
#endif
#ifdef HAVE_LIBZ

View File

@ -23,6 +23,24 @@ ZLIB_PATH = ../../zlib-1.2.1
OPENSSL_PATH = ../../openssl-0.9.7e
!ENDIF
# USE_WINDOWS_SSPI uses windows libraries to allow NTLM authentication
# without an openssl installation and offers the ability to authenticate
# using the "current logged in user". It does however require that the
# Windows SDK be installed.
#
# If, for some reason the Windows SDK is installed but not installed
# in the default location, you can specify WINDOWS_SDK_PATH.
# It can be downloaded from:
# http://www.microsoft.com/msdownload/platformsdk/sdkupdate/
# USE_WINDOWS_SSPI = 1
!IFDEF WINDOWS_SSPI
!IFNDEF WINDOWS_SDK_PATH
WINDOWS_SDK_PATH = "C:\Program Files\Microsoft SDK"
!ENDIF
!ENDIF
########################################################
## Nothing more to do below this line!
ZLIB_CFLAGS = /DHAVE_ZLIB_H /DHAVE_ZLIB /DHAVE_LIBZ /I "$(ZLIB_PATH)"
@ -49,6 +67,12 @@ CFLAGS = /I../lib /I../include /nologo /W3 /GX /DWIN32 /YX /FD /c
LFLAGS = /nologo /out:$(PROGRAM_NAME) /subsystem:console /machine:I386
RESFLAGS = /i../include
!IFDEF WINDOWS_SSPI
CFLAGS = $(CFLAGS) /DUSE_WINDOWS_SSPI /I$(WINDOWS_SDK_PATH)\include
LFLAGS = $(LFLAGS) $(WINDOWS_SDK_PATH)\lib\secur32.lib
!ENDIF
CFLAGS = $(CFLAGS) /DCURLDEBUG
RELEASE_OBJS= \
hugehelpr.obj \