mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-03-25 15:50:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

NTLM_WB: drop support

Browse Source 
The feature has not worked for months and has been marked as DEPRECATED
for six+ months.

Closes #13249
This commit is contained in:
Daniel Stenberg 2024-03-31 16:54:28 +02:00
parent 9e848439d8
commit 50def7c881
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
21 changed files with 25 additions and 723 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CMakeLists.txt
View File

@ -1559,9 +1559,6 @@ if(NOT CURL_DISABLE_INSTALL)
(HAVE_GSSAPI OR USE_WINDOWS_SSPI))
_add_if("NTLM" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI))
_add_if("NTLM_WB" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND
NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
_add_if("TLS-SRP" USE_TLS_SRP)
_add_if("HTTP2" USE_NGHTTP2)
_add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE OR USE_OPENSSL_QUIC)

9
configure.ac
View File

@ -4179,10 +4179,6 @@ AS_HELP_STRING([--disable-ntlm],[Disable NTLM support]),
AC_MSG_RESULT(yes)
)
CURL_CHECK_OPTION_NTLM_WB
CURL_CHECK_NTLM_WB
dnl ************************************************************
dnl disable TLS-SRP authentication
dnl
@ -4729,11 +4725,6 @@ if test "x$CURL_DISABLE_NTLM" != "x1"; then
if test "x$use_curl_ntlm_core" = "xyes" \
-o "x$USE_WINDOWS_SSPI" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
if test "x$CURL_DISABLE_HTTP" != "x1" -a \
"x$NTLM_WB_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_WB"
fi
fi
fi

16
docs/DEPRECATE.md
View File

@ -12,21 +12,6 @@ email the
as soon as possible and explain to us why this is a problem for you and
how your use case cannot be satisfied properly using a workaround.
## NTLM_WB auth
This NTLM authentication method is powered by a separate tool,
`ntlm_auth`. Barely anyone uses this method. It was always a quirky
implementation (including fork + exec), it has limited portability and we do
not test it in the test suite and CI.
We keep the native NTLM implementation.
Due to a mistake, the `NTLM_WB` functionality is missing in builds since 8.4.0
(October 2023). It needs to be manually patched to work. See [PR
12479](https://github.com/curl/curl/pull/12479).
curl removes the support for NTLM_WB auth in April 2024.
## space-separated `NOPROXY` patterns
When specifying patterns/domain names for curl that should *not* go through a
@ -56,3 +41,4 @@ curl removes the support for space-separated names in July 2024.
- NSS
- gskit
- mingw v1
- NTLM_WB

6
docs/cmdline-opts/ntlm-wb.md
View File

@ -16,5 +16,7 @@ Example:
# `--ntlm-wb`
Enables NTLM much in the style --ntlm does, but hand over the authentication
to the separate binary `ntlmauth` application that is executed when needed.
Deprecated option (added in 8.8.0).
Enabled NTLM much in the style --ntlm does, but handed over the authentication
to a separate executable that was executed when needed.

2
docs/libcurl/curl_version_info.md
View File

@ -267,7 +267,7 @@ supports HTTP NTLM (added in 7.10.6)
*features* mask bit: CURL_VERSION_NTLM_WB
libcurl was built with support for NTLM delegation to a winbind helper.
(Added in 7.22.0)
(Added in 7.22.0) This feature was removed from curl in 8.8.0.
## PSL

2
docs/libcurl/opts/CURLOPT_HTTPAUTH.md
View File

@ -84,6 +84,8 @@ option to work, or build libcurl on Windows with SSPI support.
## CURLAUTH_NTLM_WB
Support for this is removed since libcurl 8.8.0.
NTLM delegating to winbind helper. Authentication is performed by a separate
binary application that is executed when needed. The name of the application
is specified at compile time but is typically **/usr/bin/ntlm_auth**.

4
docs/libcurl/opts/CURLOPT_NOSIGNAL.md
View File

@ -40,9 +40,7 @@ ignore SIGPIPE signals, which otherwise are sent by the system when trying to
send data to a socket which is closed in the other end. libcurl makes an
effort to never cause such SIGPIPE signals to trigger, but some operating
systems have no way to avoid them and even on those that have there are some
corner cases when they may still happen, contrary to our desire. In addition,
using *CURLAUTH_NTLM_WB* authentication could cause a SIGCHLD signal to be
raised.
corner cases when they may still happen, contrary to our desire.
# DEFAULT

3
include/curl/curl.h
View File

@ -811,7 +811,10 @@ typedef enum {
#define CURLAUTH_GSSAPI CURLAUTH_NEGOTIATE
#define CURLAUTH_NTLM (((unsigned long)1)<<3)
#define CURLAUTH_DIGEST_IE (((unsigned long)1)<<4)
#ifndef CURL_NO_OLDIES
/* functionality removed since 8.8.0 */
#define CURLAUTH_NTLM_WB (((unsigned long)1)<<5)
#endif
#define CURLAUTH_BEARER (((unsigned long)1)<<6)
#define CURLAUTH_AWS_SIGV4 (((unsigned long)1)<<7)
#define CURLAUTH_ONLY (((unsigned long)1)<<31)

2
lib/Makefile.inc
View File

@ -129,7 +129,6 @@ LIB_CFILES = \
curl_memrchr.c \
curl_multibyte.c \
curl_ntlm_core.c \
curl_ntlm_wb.c \
curl_path.c \
curl_range.c \
curl_rtmp.c \
@ -271,7 +270,6 @@ LIB_HFILES = \
curl_memrchr.h \
curl_multibyte.h \
curl_ntlm_core.h \
curl_ntlm_wb.h \
curl_path.h \
curl_printf.h \
curl_range.h \

500
lib/curl_ntlm_wb.c
View File

@ -1,500 +0,0 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "curl_setup.h"
#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
defined(NTLM_WB_ENABLED)
/*
* NTLM details:
*
* https://davenport.sourceforge.net/ntlm.html
* https://www.innovation.ch/java/ntlm.html
*/
#define DEBUG_ME 0
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#include <signal.h>
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#include "urldata.h"
#include "sendf.h"
#include "select.h"
#include "vauth/ntlm.h"
#include "curl_ntlm_core.h"
#include "curl_ntlm_wb.h"
#include "url.h"
#include "strerror.h"
#include "strdup.h"
#include "strcase.h"
/* The last 3 #include files should be in this order */
#include "curl_printf.h"
#include "curl_memory.h"
#include "memdebug.h"
#if DEBUG_ME
# define DEBUG_OUT(x) x
#else
# define DEBUG_OUT(x) Curl_nop_stmt
#endif
/* Portable 'sclose_nolog' used only in child process instead of 'sclose'
to avoid fooling the socket leak detector */
#ifdef HAVE_PIPE
# define sclose_nolog(x) close((x))
#elif defined(HAVE_CLOSESOCKET)
# define sclose_nolog(x) closesocket((x))
#elif defined(HAVE_CLOSESOCKET_CAMEL)
# define sclose_nolog(x) CloseSocket((x))
#else
# define sclose_nolog(x) close((x))
#endif
static void ntlm_wb_cleanup(struct ntlmdata *ntlm)
{
if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
sclose(ntlm->ntlm_auth_hlpr_socket);
ntlm->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
}
if(ntlm->ntlm_auth_hlpr_pid) {
int i;
for(i = 0; i < 4; i++) {
pid_t ret = waitpid(ntlm->ntlm_auth_hlpr_pid, NULL, WNOHANG);
if(ret == ntlm->ntlm_auth_hlpr_pid || errno == ECHILD)
break;
switch(i) {
case 0:
kill(ntlm->ntlm_auth_hlpr_pid, SIGTERM);
break;
case 1:
/* Give the process another moment to shut down cleanly before
bringing down the axe */
Curl_wait_ms(1);
break;
case 2:
kill(ntlm->ntlm_auth_hlpr_pid, SIGKILL);
break;
case 3:
break;
}
}
ntlm->ntlm_auth_hlpr_pid = 0;
}
Curl_safefree(ntlm->challenge);
Curl_safefree(ntlm->response);
}
static CURLcode ntlm_wb_init(struct Curl_easy *data, struct ntlmdata *ntlm,
const char *userp)
{
curl_socket_t sockfds[2];
pid_t child_pid;
const char *username;
char *slash, *domain = NULL;
const char *ntlm_auth = NULL;
char *ntlm_auth_alloc = NULL;
#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
struct passwd pw, *pw_res;
char pwbuf[1024];
#endif
char buffer[STRERROR_LEN];
#if defined(CURL_DISABLE_VERBOSE_STRINGS)
(void) data;
#endif
/* Return if communication with ntlm_auth already set up */
if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD ||
ntlm->ntlm_auth_hlpr_pid)
return CURLE_OK;
username = userp;
/* The real ntlm_auth really doesn't like being invoked with an
empty username. It won't make inferences for itself, and expects
the client to do so (mostly because it's really designed for
servers like squid to use for auth, and client support is an
afterthought for it). So try hard to provide a suitable username
if we don't already have one. But if we can't, provide the
empty one anyway. Perhaps they have an implementation of the
ntlm_auth helper which *doesn't* need it so we might as well try */
if(!username || !username[0]) {
username = getenv("NTLMUSER");
if(!username || !username[0])
username = getenv("LOGNAME");
if(!username || !username[0])
username = getenv("USER");
#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
if((!username || !username[0]) &&
!getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
pw_res) {
username = pw.pw_name;
}
#endif
if(!username || !username[0])
username = userp;
}
slash = strpbrk(username, "\\/");
if(slash) {
domain = strdup(username);
if(!domain)
return CURLE_OUT_OF_MEMORY;
slash = domain + (slash - username);
*slash = '\0';
username = username + (slash - domain) + 1;
}
/* For testing purposes, when DEBUGBUILD is defined and environment
variable CURL_NTLM_WB_FILE is set a fake_ntlm is used to perform
NTLM challenge/response which only accepts commands and output
strings pre-written in test case definitions */
#ifdef DEBUGBUILD
ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE");
if(ntlm_auth_alloc)
ntlm_auth = ntlm_auth_alloc;
else
#endif
ntlm_auth = NTLM_WB_FILE;
if(access(ntlm_auth, X_OK) != 0) {
failf(data, "Could not access ntlm_auth: %s errno %d: %s",
ntlm_auth, errno, Curl_strerror(errno, buffer, sizeof(buffer)));
goto done;
}
if(wakeup_create(sockfds)) {
failf(data, "Could not open socket pair. errno %d: %s",
errno, Curl_strerror(errno, buffer, sizeof(buffer)));
goto done;
}
child_pid = fork();
if(child_pid == -1) {
wakeup_close(sockfds[0]);
wakeup_close(sockfds[1]);
failf(data, "Could not fork. errno %d: %s",
errno, Curl_strerror(errno, buffer, sizeof(buffer)));
goto done;
}
else if(!child_pid) {
/*
* child process
*/
/* Don't use sclose in the child since it fools the socket leak detector */
sclose_nolog(sockfds[0]);
if(dup2(sockfds[1], STDIN_FILENO) == -1) {
failf(data, "Could not redirect child stdin. errno %d: %s",
errno, Curl_strerror(errno, buffer, sizeof(buffer)));
exit(1);
}
if(dup2(sockfds[1], STDOUT_FILENO) == -1) {
failf(data, "Could not redirect child stdout. errno %d: %s",
errno, Curl_strerror(errno, buffer, sizeof(buffer)));
exit(1);
}
if(domain)
execl(ntlm_auth, ntlm_auth,
"--helper-protocol", "ntlmssp-client-1",
"--use-cached-creds",
"--username", username,
"--domain", domain,
NULL);
else
execl(ntlm_auth, ntlm_auth,
"--helper-protocol", "ntlmssp-client-1",
"--use-cached-creds",
"--username", username,
NULL);
sclose_nolog(sockfds[1]);
failf(data, "Could not execl(). errno %d: %s",
errno, Curl_strerror(errno, buffer, sizeof(buffer)));
exit(1);
}
sclose(sockfds[1]);
ntlm->ntlm_auth_hlpr_socket = sockfds[0];
ntlm->ntlm_auth_hlpr_pid = child_pid;
free(domain);
free(ntlm_auth_alloc);
return CURLE_OK;
done:
free(domain);
free(ntlm_auth_alloc);
return CURLE_REMOTE_ACCESS_DENIED;
}
/* if larger than this, something is seriously wrong */
#define MAX_NTLM_WB_RESPONSE 100000
static CURLcode ntlm_wb_response(struct Curl_easy *data, struct ntlmdata *ntlm,
const char *input, curlntlm state)
{
size_t len_in = strlen(input), len_out = 0;
struct dynbuf b;
char *ptr = NULL;
unsigned char buf[1024];
Curl_dyn_init(&b, MAX_NTLM_WB_RESPONSE);
while(len_in > 0) {
ssize_t written = wakeup_write(ntlm->ntlm_auth_hlpr_socket, input, len_in);
if(written == -1) {
/* Interrupted by a signal, retry it */
if(errno == EINTR)
continue;
/* write failed if other errors happen */
goto done;
}
input += written;
len_in -= written;
}
/* Read one line */
while(1) {
ssize_t size =
wakeup_read(ntlm->ntlm_auth_hlpr_socket, buf, sizeof(buf));
if(size == -1) {
if(errno == EINTR)
continue;
goto done;
}
else if(size == 0)
goto done;
if(Curl_dyn_addn(&b, buf, size))
goto done;
len_out = Curl_dyn_len(&b);
ptr = Curl_dyn_ptr(&b);
if(len_out && ptr[len_out - 1] == '\n') {
ptr[len_out - 1] = '\0';
break; /* done! */
}
/* loop */
}
/* Samba/winbind installed but not configured */
if(state == NTLMSTATE_TYPE1 &&
len_out == 3 &&
ptr[0] == 'P' && ptr[1] == 'W')
goto done;
/* invalid response */
if(len_out < 4)
goto done;
if(state == NTLMSTATE_TYPE1 &&
(ptr[0]!='Y' || ptr[1]!='R' || ptr[2]!=' '))
goto done;
if(state == NTLMSTATE_TYPE2 &&
(ptr[0]!='K' || ptr[1]!='K' || ptr[2]!=' ') &&
(ptr[0]!='A' || ptr[1]!='F' || ptr[2]!=' '))
goto done;
ntlm->response = strdup(ptr + 3);
Curl_dyn_free(&b);
if(!ntlm->response)
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
done:
Curl_dyn_free(&b);
return CURLE_REMOTE_ACCESS_DENIED;
}
CURLcode Curl_input_ntlm_wb(struct Curl_easy *data,
struct connectdata *conn,
bool proxy,
const char *header)
{
struct ntlmdata *ntlm = proxy ? &conn->proxyntlm : &conn->ntlm;
curlntlm *state = proxy ? &conn->proxy_ntlm_state : &conn->http_ntlm_state;
(void) data; /* In case it gets unused by nop log macros. */
if(!checkprefix("NTLM", header))
return CURLE_BAD_CONTENT_ENCODING;
header += strlen("NTLM");
while(*header && ISSPACE(*header))
header++;
if(*header) {
ntlm->challenge = strdup(header);
if(!ntlm->challenge)
return CURLE_OUT_OF_MEMORY;
*state = NTLMSTATE_TYPE2; /* We got a type-2 message */
}
else {
if(*state == NTLMSTATE_LAST) {
infof(data, "NTLM auth restarted");
Curl_http_auth_cleanup_ntlm_wb(conn);
}
else if(*state == NTLMSTATE_TYPE3) {
infof(data, "NTLM handshake rejected");
Curl_http_auth_cleanup_ntlm_wb(conn);
*state = NTLMSTATE_NONE;
return CURLE_REMOTE_ACCESS_DENIED;
}
else if(*state >= NTLMSTATE_TYPE1) {
infof(data, "NTLM handshake failure (internal error)");
return CURLE_REMOTE_ACCESS_DENIED;
}
*state = NTLMSTATE_TYPE1; /* We should send away a type-1 */
}
return CURLE_OK;
}
/*
* This is for creating ntlm header output by delegating challenge/response
* to Samba's winbind daemon helper ntlm_auth.
*/
CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn,
bool proxy)
{
/* point to the address of the pointer that holds the string to send to the
server, which is for a plain host or for an HTTP proxy */
char **allocuserpwd;
/* point to the name and password for this */
const char *userp;
struct ntlmdata *ntlm;
curlntlm *state;
struct auth *authp;
CURLcode res = CURLE_OK;
DEBUGASSERT(conn);
DEBUGASSERT(data);
if(proxy) {
#ifndef CURL_DISABLE_PROXY
allocuserpwd = &data->state.aptr.proxyuserpwd;
userp = conn->http_proxy.user;
ntlm = &conn->proxyntlm;
state = &conn->proxy_ntlm_state;
authp = &data->state.authproxy;
#else
return CURLE_NOT_BUILT_IN;
#endif
}
else {
allocuserpwd = &data->state.aptr.userpwd;
userp = conn->user;
ntlm = &conn->ntlm;
state = &conn->http_ntlm_state;
authp = &data->state.authhost;
}
authp->done = FALSE;
/* not set means empty */
if(!userp)
userp = "";
switch(*state) {
case NTLMSTATE_TYPE1:
default:
/* Use Samba's 'winbind' daemon to support NTLM authentication,
* by delegating the NTLM challenge/response protocol to a helper
* in ntlm_auth.
* https://web.archive.org/web/20190925164737
* /devel.squid-cache.org/ntlm/squid_helper_protocol.html
* https://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
* https://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
* Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this
* feature is enabled and 'NTLM_WB_FILE' symbol holds absolute
* filename of ntlm_auth helper.
* If NTLM authentication using winbind fails, go back to original
* request handling process.
*/
/* Create communication with ntlm_auth */
res = ntlm_wb_init(data, ntlm, userp);
if(res)
return res;
res = ntlm_wb_response(data, ntlm, "YR\n", *state);
if(res)
return res;
free(*allocuserpwd);
*allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
proxy ? "Proxy-" : "",
ntlm->response);
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
Curl_safefree(ntlm->response);
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
break;
case NTLMSTATE_TYPE2: {
char *input = aprintf("TT %s\n", ntlm->challenge);
if(!input)
return CURLE_OUT_OF_MEMORY;
res = ntlm_wb_response(data, ntlm, input, *state);
free(input);
if(res)
return res;
free(*allocuserpwd);
*allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
proxy ? "Proxy-" : "",
ntlm->response);
DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
*state = NTLMSTATE_TYPE3; /* we sent a type-3 */
authp->done = TRUE;
Curl_http_auth_cleanup_ntlm_wb(conn);
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
break;
}
case NTLMSTATE_TYPE3:
/* connection is already authenticated,
* don't send a header in future requests */
*state = NTLMSTATE_LAST;
FALLTHROUGH();
case NTLMSTATE_LAST:
Curl_safefree(*allocuserpwd);
authp->done = TRUE;
break;
}
return CURLE_OK;
}
void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
{
ntlm_wb_cleanup(&conn->ntlm);
ntlm_wb_cleanup(&conn->proxyntlm);
}
#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */

45
lib/curl_ntlm_wb.h
View File

@ -1,45 +0,0 @@
#ifndef HEADER_CURL_NTLM_WB_H
#define HEADER_CURL_NTLM_WB_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "curl_setup.h"
#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
defined(NTLM_WB_ENABLED)
/* this is for ntlm header input */
CURLcode Curl_input_ntlm_wb(struct Curl_easy *data,
struct connectdata *conn, bool proxy,
const char *header);
/* this is for creating ntlm header output */
CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn,
bool proxy);
void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn);
#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
#endif /* HEADER_CURL_NTLM_WB_H */

34
lib/http.c
View File

@ -65,7 +65,6 @@
#include "vquic/vquic.h"
#include "http_digest.h"
#include "http_ntlm.h"
#include "curl_ntlm_wb.h"
#include "http_negotiate.h"
#include "http_aws_sigv4.h"
#include "url.h"
@ -386,8 +385,6 @@ static bool pickoneauth(struct auth *pick, unsigned long mask)
#endif
else if(avail & CURLAUTH_NTLM)
pick->picked = CURLAUTH_NTLM;
else if(avail & CURLAUTH_NTLM_WB)
pick->picked = CURLAUTH_NTLM_WB;
#ifndef CURL_DISABLE_BASIC_AUTH
else if(avail & CURLAUTH_BASIC)
pick->picked = CURLAUTH_BASIC;
@ -446,9 +443,7 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data,
/* We'd like to abort the upload - but should we? */
#if defined(USE_NTLM)
if((data->state.authproxy.picked == CURLAUTH_NTLM) ||
(data->state.authhost.picked == CURLAUTH_NTLM) ||
(data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
(data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
(data->state.authhost.picked == CURLAUTH_NTLM)) {
ongoing_auth = "NTML";
if((conn->http_ntlm_state != NTLMSTATE_NONE) ||
(conn->proxy_ntlm_state != NTLMSTATE_NONE)) {
@ -627,15 +622,6 @@ output_auth_headers(struct Curl_easy *data,
}
else
#endif
#if defined(USE_NTLM) && defined(NTLM_WB_ENABLED)
if(authstatus->picked == CURLAUTH_NTLM_WB) {
auth = "NTLM_WB";
result = Curl_output_ntlm_wb(data, conn, proxy);
if(result)
return result;
}
else
#endif
#ifndef CURL_DISABLE_DIGEST_AUTH
if(authstatus->picked == CURLAUTH_DIGEST) {
auth = "Digest";
@ -925,31 +911,15 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy,
/* NTLM support requires the SSL crypto libs */
if(checkprefix("NTLM", auth) && is_valid_auth_separator(auth[4])) {
if((authp->avail & CURLAUTH_NTLM) ||
(authp->avail & CURLAUTH_NTLM_WB) ||
Curl_auth_is_ntlm_supported()) {
*availp |= CURLAUTH_NTLM;
authp->avail |= CURLAUTH_NTLM;
if(authp->picked == CURLAUTH_NTLM ||
authp->picked == CURLAUTH_NTLM_WB) {
if(authp->picked == CURLAUTH_NTLM) {
/* NTLM authentication is picked and activated */
CURLcode result = Curl_input_ntlm(data, proxy, auth);
if(!result) {
data->state.authproblem = FALSE;
#ifdef NTLM_WB_ENABLED
if(authp->picked == CURLAUTH_NTLM_WB) {
*availp &= ~CURLAUTH_NTLM;
authp->avail &= ~CURLAUTH_NTLM;
*availp |= CURLAUTH_NTLM_WB;
authp->avail |= CURLAUTH_NTLM_WB;
result = Curl_input_ntlm_wb(data, conn, proxy, auth);
if(result) {
infof(data, "Authentication problem. Ignoring this.");
data->state.authproblem = TRUE;
}
}
#endif
}
else {
infof(data, "Authentication problem. Ignoring this.");

5
lib/http_ntlm.c
View File

@ -40,7 +40,6 @@
#include "strcase.h"
#include "http_ntlm.h"
#include "curl_ntlm_core.h"
#include "curl_ntlm_wb.h"
#include "curl_base64.h"
#include "vauth/vauth.h"
#include "url.h"
@ -266,10 +265,6 @@ void Curl_http_auth_cleanup_ntlm(struct connectdata *conn)
{
Curl_auth_cleanup_ntlm(&conn->ntlm);
Curl_auth_cleanup_ntlm(&conn->proxyntlm);
#if defined(NTLM_WB_ENABLED)
Curl_http_auth_cleanup_ntlm_wb(conn);
#endif
}
#endif /* !CURL_DISABLE_HTTP && USE_NTLM */

6
lib/setopt.c
View File

@ -1024,9 +1024,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
/* switch off bits we can't support */
#ifndef USE_NTLM
auth &= ~CURLAUTH_NTLM; /* no NTLM support */
auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
#elif !defined(NTLM_WB_ENABLED)
auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
#endif
#ifndef USE_SPNEGO
auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without
@ -1105,9 +1102,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
/* switch off bits we can't support */
#ifndef USE_NTLM
auth &= ~CURLAUTH_NTLM; /* no NTLM support */
auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
#elif !defined(NTLM_WB_ENABLED)
auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
#endif
#ifndef USE_SPNEGO
auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without

15
lib/url.c
View File

@ -937,13 +937,12 @@ ConnectionExists(struct Curl_easy *data,
struct Curl_llist_element *curr;
#ifdef USE_NTLM
bool wantNTLMhttp = ((data->state.authhost.want &
(CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) &&
(needle->handler->protocol & PROTO_FAMILY_HTTP));
#ifndef CURL_DISABLE_PROXY
bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
((data->state.authproxy.want &
(CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
CURLAUTH_NTLM) &&
(needle->handler->protocol & PROTO_FAMILY_HTTP)));
#else
bool wantProxyNTLMhttp = FALSE;
@ -1415,12 +1414,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
conn->connect_only = data->set.connect_only;
conn->transport = TRNSPRT_TCP; /* most of them are TCP streams */
#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
defined(NTLM_WB_ENABLED)
conn->ntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
conn->proxyntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
#endif
/* Initialize the easy handle list */
Curl_llist_init(&conn->easyq, NULL);
@ -3752,14 +3745,14 @@ static CURLcode create_conn(struct Curl_easy *data,
/* If NTLM is requested in a part of this connection, make sure we don't
assume the state is fine as this is a fresh connection and NTLM is
connection based. */
if((data->state.authhost.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
if((data->state.authhost.picked & CURLAUTH_NTLM) &&
data->state.authhost.done) {
infof(data, "NTLM picked AND auth done set, clear picked");
data->state.authhost.picked = CURLAUTH_NONE;
data->state.authhost.done = FALSE;
}
if((data->state.authproxy.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
if((data->state.authproxy.picked & CURLAUTH_NTLM) &&
data->state.authproxy.done) {
infof(data, "NTLM-proxy picked AND auth done set, clear picked");
data->state.authproxy.picked = CURLAUTH_NONE;

8
lib/urldata.h
View File

@ -444,14 +444,6 @@ struct ntlmdata {
unsigned char nonce[8];
unsigned int target_info_len;
void *target_info; /* TargetInfo received in the ntlm type-2 message */
#if defined(NTLM_WB_ENABLED)
/* used for communication with Samba's winbind daemon helper ntlm_auth */
curl_socket_t ntlm_auth_hlpr_socket;
pid_t ntlm_auth_hlpr_pid;
char *challenge; /* The received base64 encoded ntlm type-2 message */
char *response; /* The generated base64 ntlm type-1/type-3 message */
#endif
#endif
};
#endif

4
lib/version.c
View File

@ -497,10 +497,6 @@ static const struct feat features_table[] = {
#ifdef USE_NTLM
FEATURE("NTLM", NULL, CURL_VERSION_NTLM),
#endif
#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
defined(NTLM_WB_ENABLED)
FEATURE("NTLM_WB", NULL, CURL_VERSION_NTLM_WB),
#endif
#if defined(USE_LIBPSL)
FEATURE("PSL", NULL, CURL_VERSION_PSL),
#endif

64
m4/curl-confopts.m4
View File

@ -568,70 +568,6 @@ AC_DEFUN([CURL_CHECK_LIB_ARES], [
fi
])
dnl CURL_CHECK_OPTION_NTLM_WB
dnl -------------------------------------------------
dnl Verify if configure has been invoked with option
dnl --enable-ntlm-wb or --disable-ntlm-wb, and set
dnl shell variable want_ntlm_wb and want_ntlm_wb_file
dnl as appropriate.
AC_DEFUN([CURL_CHECK_OPTION_NTLM_WB], [
AC_BEFORE([$0],[CURL_CHECK_NTLM_WB])dnl
OPT_NTLM_WB="default"
AC_ARG_ENABLE(ntlm-wb,
AS_HELP_STRING([--enable-ntlm-wb@<:@=FILE@:>@],[Enable NTLM delegation to winbind's ntlm_auth helper, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)])
AS_HELP_STRING([--disable-ntlm-wb],[Disable NTLM delegation to winbind's ntlm_auth helper]),
OPT_NTLM_WB=$enableval)
want_ntlm_wb_file="/usr/bin/ntlm_auth"
case "$OPT_NTLM_WB" in
no)
dnl --disable-ntlm-wb option used
want_ntlm_wb="no"
;;
default)
dnl configure option not specified
want_ntlm_wb="yes"
;;
*)
dnl --enable-ntlm-wb option used
want_ntlm_wb="yes"
if test -n "$enableval" && test "$enableval" != "yes"; then
want_ntlm_wb_file="$enableval"
fi
;;
esac
])
dnl CURL_CHECK_NTLM_WB
dnl -------------------------------------------------
dnl Check if support for NTLM delegation to winbind's
dnl ntlm_auth helper will finally be enabled depending
dnl on given configure options and target platform.
AC_DEFUN([CURL_CHECK_NTLM_WB], [
AC_REQUIRE([CURL_CHECK_OPTION_NTLM_WB])dnl
AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl
AC_MSG_CHECKING([whether to enable NTLM delegation to winbind's helper])
if test "$curl_cv_native_windows" = "yes" ||
test "x$SSL_ENABLED" = "x"; then
want_ntlm_wb_file=""
want_ntlm_wb="no"
elif test "x$ac_cv_func_fork" != "xyes"; then
dnl ntlm_wb requires fork
want_ntlm_wb="no"
fi
AC_MSG_RESULT([$want_ntlm_wb])
if test "$want_ntlm_wb" = "yes"; then
AC_DEFINE(NTLM_WB_ENABLED, 1,
[Define to enable NTLM delegation to winbind's ntlm_auth helper.])
AC_DEFINE_UNQUOTED(NTLM_WB_FILE, "$want_ntlm_wb_file",
[Define absolute filename for winbind's ntlm_auth helper.])
NTLM_WB_ENABLED=1
fi
])
dnl CURL_CHECK_OPTION_ECH
dnl -----------------------------------------------------
dnl Verify whether configure has been invoked with option

18
src/tool_getparam.c
View File

@ -1356,6 +1356,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
nextarg = (char *)"";
switch(cmd) {
case C_RANDOM_FILE: /* --random-file */
case C_EGD_FILE: /* --egd-file */
case C_NTLM_WB: /* --ntlm-wb */
warnf(global, "--%s is deprecated and has no function anymore",
a->lname);
break;
case C_DNS_IPV4_ADDR: /* --dns-ipv4-addr */
if(!curlinfo->ares_num) /* c-ares is needed for this */
err = PARAM_LIBCURL_DOESNT_SUPPORT;
@ -1370,10 +1376,6 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
/* addr in dot notation */
err = getstr(&config->dns_ipv6_addr, nextarg, DENY_BLANK);
break;
case C_RANDOM_FILE: /* --random-file */
break;
case C_EGD_FILE: /* --egd-file */
break;
case C_OAUTH2_BEARER: /* --oauth2-bearer */
err = getstr(&config->oauth_bearer, nextarg, DENY_BLANK);
if(!err) {
@ -1480,14 +1482,6 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
else
err = PARAM_LIBCURL_DOESNT_SUPPORT;
break;
case C_NTLM_WB: /* --ntlm-wb */
if(!toggle)
config->authtype &= ~CURLAUTH_NTLM_WB;
else if(feature_ntlm_wb)
config->authtype |= CURLAUTH_NTLM_WB;
else
err = PARAM_LIBCURL_DOESNT_SUPPORT;
break;
case C_BASIC: /* --basic */
if(toggle)
config->authtype |= CURLAUTH_BASIC;

1
src/tool_setopt.c
View File

@ -78,7 +78,6 @@ const struct NameValueUnsigned setopt_nv_CURLAUTH[] = {
NV(CURLAUTH_GSSNEGOTIATE),
NV(CURLAUTH_NTLM),
NV(CURLAUTH_DIGEST_IE),
NV(CURLAUTH_NTLM_WB),
NV(CURLAUTH_ONLY),
NV(CURLAUTH_NONE),
NVEND,

1
tests/test1177.pl
View File

@ -65,6 +65,7 @@ while(<$s>) {
}
}
close($s);
$sourcename{'NTLM_WB'}++; # deprecated, fake its presence in code
for my $h (keys %headerversion) {
if(!$manversion{$h}) {