(HAVE_GSSAPI OR USE_WINDOWS_SSPI))
_add_if("NTLM" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI))
- _add_if("NTLM_WB" NOT (CURL_DISABLE_NTLM) AND
- (use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND
- NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
_add_if("TLS-SRP" USE_TLS_SRP)
_add_if("HTTP2" USE_NGHTTP2)
_add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE OR USE_OPENSSL_QUIC)
AC_MSG_RESULT(yes)
)
-CURL_CHECK_OPTION_NTLM_WB
-
-CURL_CHECK_NTLM_WB
-
dnl ************************************************************
dnl disable TLS-SRP authentication
dnl
if test "x$use_curl_ntlm_core" = "xyes" \
-o "x$USE_WINDOWS_SSPI" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
-
- if test "x$CURL_DISABLE_HTTP" != "x1" -a \
- "x$NTLM_WB_ENABLED" = "x1"; then
- SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_WB"
- fi
fi
fi
as soon as possible and explain to us why this is a problem for you and
how your use case cannot be satisfied properly using a workaround.
-## NTLM_WB auth
-
-This NTLM authentication method is powered by a separate tool,
-`ntlm_auth`. Barely anyone uses this method. It was always a quirky
-implementation (including fork + exec), it has limited portability and we do
-not test it in the test suite and CI.
-
-We keep the native NTLM implementation.
-
-Due to a mistake, the `NTLM_WB` functionality is missing in builds since 8.4.0
-(October 2023). It needs to be manually patched to work. See [PR
-12479](https://github.com/curl/curl/pull/12479).
-
-curl removes the support for NTLM_WB auth in April 2024.
-
## space-separated `NOPROXY` patterns
When specifying patterns/domain names for curl that should *not* go through a
- NSS
- gskit
- mingw v1
+ - NTLM_WB
# `--ntlm-wb`
-Enables NTLM much in the style --ntlm does, but hand over the authentication
-to the separate binary `ntlmauth` application that is executed when needed.
+Deprecated option (added in 8.8.0).
+
+Enabled NTLM much in the style --ntlm does, but handed over the authentication
+to a separate executable that was executed when needed.
*features* mask bit: CURL_VERSION_NTLM_WB
libcurl was built with support for NTLM delegation to a winbind helper.
-(Added in 7.22.0)
+(Added in 7.22.0) This feature was removed from curl in 8.8.0.
## PSL
## CURLAUTH_NTLM_WB
+Support for this is removed since libcurl 8.8.0.
+
NTLM delegating to winbind helper. Authentication is performed by a separate
binary application that is executed when needed. The name of the application
is specified at compile time but is typically **/usr/bin/ntlm_auth**.
send data to a socket which is closed in the other end. libcurl makes an
effort to never cause such SIGPIPE signals to trigger, but some operating
systems have no way to avoid them and even on those that have there are some
-corner cases when they may still happen, contrary to our desire. In addition,
-using *CURLAUTH_NTLM_WB* authentication could cause a SIGCHLD signal to be
-raised.
+corner cases when they may still happen, contrary to our desire.
# DEFAULT
#define CURLAUTH_GSSAPI CURLAUTH_NEGOTIATE
#define CURLAUTH_NTLM (((unsigned long)1)<<3)
#define CURLAUTH_DIGEST_IE (((unsigned long)1)<<4)
+#ifndef CURL_NO_OLDIES
+ /* functionality removed since 8.8.0 */
#define CURLAUTH_NTLM_WB (((unsigned long)1)<<5)
+#endif
#define CURLAUTH_BEARER (((unsigned long)1)<<6)
#define CURLAUTH_AWS_SIGV4 (((unsigned long)1)<<7)
#define CURLAUTH_ONLY (((unsigned long)1)<<31)
curl_memrchr.c \
curl_multibyte.c \
curl_ntlm_core.c \
- curl_ntlm_wb.c \
curl_path.c \
curl_range.c \
curl_rtmp.c \
curl_memrchr.h \
curl_multibyte.h \
curl_ntlm_core.h \
- curl_ntlm_wb.h \
curl_path.h \
curl_printf.h \
curl_range.h \
+++ /dev/null
-/***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
-
-#include "curl_setup.h"
-
-#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
- defined(NTLM_WB_ENABLED)
-
-/*
- * NTLM details:
- *
- * https://davenport.sourceforge.net/ntlm.html
- * https://www.innovation.ch/java/ntlm.html
- */
-
-#define DEBUG_ME 0
-
-#ifdef HAVE_SYS_WAIT_H
-#include <sys/wait.h>
-#endif
-#include <signal.h>
-#ifdef HAVE_PWD_H
-#include <pwd.h>
-#endif
-
-#include "urldata.h"
-#include "sendf.h"
-#include "select.h"
-#include "vauth/ntlm.h"
-#include "curl_ntlm_core.h"
-#include "curl_ntlm_wb.h"
-#include "url.h"
-#include "strerror.h"
-#include "strdup.h"
-#include "strcase.h"
-
-/* The last 3 #include files should be in this order */
-#include "curl_printf.h"
-#include "curl_memory.h"
-#include "memdebug.h"
-
-#if DEBUG_ME
-# define DEBUG_OUT(x) x
-#else
-# define DEBUG_OUT(x) Curl_nop_stmt
-#endif
-
-/* Portable 'sclose_nolog' used only in child process instead of 'sclose'
- to avoid fooling the socket leak detector */
-#ifdef HAVE_PIPE
-# define sclose_nolog(x) close((x))
-#elif defined(HAVE_CLOSESOCKET)
-# define sclose_nolog(x) closesocket((x))
-#elif defined(HAVE_CLOSESOCKET_CAMEL)
-# define sclose_nolog(x) CloseSocket((x))
-#else
-# define sclose_nolog(x) close((x))
-#endif
-
-static void ntlm_wb_cleanup(struct ntlmdata *ntlm)
-{
- if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
- sclose(ntlm->ntlm_auth_hlpr_socket);
- ntlm->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
- }
-
- if(ntlm->ntlm_auth_hlpr_pid) {
- int i;
- for(i = 0; i < 4; i++) {
- pid_t ret = waitpid(ntlm->ntlm_auth_hlpr_pid, NULL, WNOHANG);
- if(ret == ntlm->ntlm_auth_hlpr_pid || errno == ECHILD)
- break;
- switch(i) {
- case 0:
- kill(ntlm->ntlm_auth_hlpr_pid, SIGTERM);
- break;
- case 1:
- /* Give the process another moment to shut down cleanly before
- bringing down the axe */
- Curl_wait_ms(1);
- break;
- case 2:
- kill(ntlm->ntlm_auth_hlpr_pid, SIGKILL);
- break;
- case 3:
- break;
- }
- }
- ntlm->ntlm_auth_hlpr_pid = 0;
- }
-
- Curl_safefree(ntlm->challenge);
- Curl_safefree(ntlm->response);
-}
-
-static CURLcode ntlm_wb_init(struct Curl_easy *data, struct ntlmdata *ntlm,
- const char *userp)
-{
- curl_socket_t sockfds[2];
- pid_t child_pid;
- const char *username;
- char *slash, *domain = NULL;
- const char *ntlm_auth = NULL;
- char *ntlm_auth_alloc = NULL;
-#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
- struct passwd pw, *pw_res;
- char pwbuf[1024];
-#endif
- char buffer[STRERROR_LEN];
-
-#if defined(CURL_DISABLE_VERBOSE_STRINGS)
- (void) data;
-#endif
-
- /* Return if communication with ntlm_auth already set up */
- if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD ||
- ntlm->ntlm_auth_hlpr_pid)
- return CURLE_OK;
-
- username = userp;
- /* The real ntlm_auth really doesn't like being invoked with an
- empty username. It won't make inferences for itself, and expects
- the client to do so (mostly because it's really designed for
- servers like squid to use for auth, and client support is an
- afterthought for it). So try hard to provide a suitable username
- if we don't already have one. But if we can't, provide the
- empty one anyway. Perhaps they have an implementation of the
- ntlm_auth helper which *doesn't* need it so we might as well try */
- if(!username || !username[0]) {
- username = getenv("NTLMUSER");
- if(!username || !username[0])
- username = getenv("LOGNAME");
- if(!username || !username[0])
- username = getenv("USER");
-#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
- if((!username || !username[0]) &&
- !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
- pw_res) {
- username = pw.pw_name;
- }
-#endif
- if(!username || !username[0])
- username = userp;
- }
- slash = strpbrk(username, "\\/");
- if(slash) {
- domain = strdup(username);
- if(!domain)
- return CURLE_OUT_OF_MEMORY;
- slash = domain + (slash - username);
- *slash = '\0';
- username = username + (slash - domain) + 1;
- }
-
- /* For testing purposes, when DEBUGBUILD is defined and environment
- variable CURL_NTLM_WB_FILE is set a fake_ntlm is used to perform
- NTLM challenge/response which only accepts commands and output
- strings pre-written in test case definitions */
-#ifdef DEBUGBUILD
- ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE");
- if(ntlm_auth_alloc)
- ntlm_auth = ntlm_auth_alloc;
- else
-#endif
- ntlm_auth = NTLM_WB_FILE;
-
- if(access(ntlm_auth, X_OK) != 0) {
- failf(data, "Could not access ntlm_auth: %s errno %d: %s",
- ntlm_auth, errno, Curl_strerror(errno, buffer, sizeof(buffer)));
- goto done;
- }
-
- if(wakeup_create(sockfds)) {
- failf(data, "Could not open socket pair. errno %d: %s",
- errno, Curl_strerror(errno, buffer, sizeof(buffer)));
- goto done;
- }
-
- child_pid = fork();
- if(child_pid == -1) {
- wakeup_close(sockfds[0]);
- wakeup_close(sockfds[1]);
- failf(data, "Could not fork. errno %d: %s",
- errno, Curl_strerror(errno, buffer, sizeof(buffer)));
- goto done;
- }
- else if(!child_pid) {
- /*
- * child process
- */
-
- /* Don't use sclose in the child since it fools the socket leak detector */
- sclose_nolog(sockfds[0]);
- if(dup2(sockfds[1], STDIN_FILENO) == -1) {
- failf(data, "Could not redirect child stdin. errno %d: %s",
- errno, Curl_strerror(errno, buffer, sizeof(buffer)));
- exit(1);
- }
-
- if(dup2(sockfds[1], STDOUT_FILENO) == -1) {
- failf(data, "Could not redirect child stdout. errno %d: %s",
- errno, Curl_strerror(errno, buffer, sizeof(buffer)));
- exit(1);
- }
-
- if(domain)
- execl(ntlm_auth, ntlm_auth,
- "--helper-protocol", "ntlmssp-client-1",
- "--use-cached-creds",
- "--username", username,
- "--domain", domain,
- NULL);
- else
- execl(ntlm_auth, ntlm_auth,
- "--helper-protocol", "ntlmssp-client-1",
- "--use-cached-creds",
- "--username", username,
- NULL);
-
- sclose_nolog(sockfds[1]);
- failf(data, "Could not execl(). errno %d: %s",
- errno, Curl_strerror(errno, buffer, sizeof(buffer)));
- exit(1);
- }
-
- sclose(sockfds[1]);
- ntlm->ntlm_auth_hlpr_socket = sockfds[0];
- ntlm->ntlm_auth_hlpr_pid = child_pid;
- free(domain);
- free(ntlm_auth_alloc);
- return CURLE_OK;
-
-done:
- free(domain);
- free(ntlm_auth_alloc);
- return CURLE_REMOTE_ACCESS_DENIED;
-}
-
-/* if larger than this, something is seriously wrong */
-#define MAX_NTLM_WB_RESPONSE 100000
-
-static CURLcode ntlm_wb_response(struct Curl_easy *data, struct ntlmdata *ntlm,
- const char *input, curlntlm state)
-{
- size_t len_in = strlen(input), len_out = 0;
- struct dynbuf b;
- char *ptr = NULL;
- unsigned char buf[1024];
- Curl_dyn_init(&b, MAX_NTLM_WB_RESPONSE);
-
- while(len_in > 0) {
- ssize_t written = wakeup_write(ntlm->ntlm_auth_hlpr_socket, input, len_in);
- if(written == -1) {
- /* Interrupted by a signal, retry it */
- if(errno == EINTR)
- continue;
- /* write failed if other errors happen */
- goto done;
- }
- input += written;
- len_in -= written;
- }
- /* Read one line */
- while(1) {
- ssize_t size =
- wakeup_read(ntlm->ntlm_auth_hlpr_socket, buf, sizeof(buf));
- if(size == -1) {
- if(errno == EINTR)
- continue;
- goto done;
- }
- else if(size == 0)
- goto done;
-
- if(Curl_dyn_addn(&b, buf, size))
- goto done;
-
- len_out = Curl_dyn_len(&b);
- ptr = Curl_dyn_ptr(&b);
- if(len_out && ptr[len_out - 1] == '\n') {
- ptr[len_out - 1] = '\0';
- break; /* done! */
- }
- /* loop */
- }
-
- /* Samba/winbind installed but not configured */
- if(state == NTLMSTATE_TYPE1 &&
- len_out == 3 &&
- ptr[0] == 'P' && ptr[1] == 'W')
- goto done;
- /* invalid response */
- if(len_out < 4)
- goto done;
- if(state == NTLMSTATE_TYPE1 &&
- (ptr[0]!='Y' || ptr[1]!='R' || ptr[2]!=' '))
- goto done;
- if(state == NTLMSTATE_TYPE2 &&
- (ptr[0]!='K' || ptr[1]!='K' || ptr[2]!=' ') &&
- (ptr[0]!='A' || ptr[1]!='F' || ptr[2]!=' '))
- goto done;
-
- ntlm->response = strdup(ptr + 3);
- Curl_dyn_free(&b);
- if(!ntlm->response)
- return CURLE_OUT_OF_MEMORY;
- return CURLE_OK;
-done:
- Curl_dyn_free(&b);
- return CURLE_REMOTE_ACCESS_DENIED;
-}
-
-CURLcode Curl_input_ntlm_wb(struct Curl_easy *data,
- struct connectdata *conn,
- bool proxy,
- const char *header)
-{
- struct ntlmdata *ntlm = proxy ? &conn->proxyntlm : &conn->ntlm;
- curlntlm *state = proxy ? &conn->proxy_ntlm_state : &conn->http_ntlm_state;
-
- (void) data; /* In case it gets unused by nop log macros. */
-
- if(!checkprefix("NTLM", header))
- return CURLE_BAD_CONTENT_ENCODING;
-
- header += strlen("NTLM");
- while(*header && ISSPACE(*header))
- header++;
-
- if(*header) {
- ntlm->challenge = strdup(header);
- if(!ntlm->challenge)
- return CURLE_OUT_OF_MEMORY;
-
- *state = NTLMSTATE_TYPE2; /* We got a type-2 message */
- }
- else {
- if(*state == NTLMSTATE_LAST) {
- infof(data, "NTLM auth restarted");
- Curl_http_auth_cleanup_ntlm_wb(conn);
- }
- else if(*state == NTLMSTATE_TYPE3) {
- infof(data, "NTLM handshake rejected");
- Curl_http_auth_cleanup_ntlm_wb(conn);
- *state = NTLMSTATE_NONE;
- return CURLE_REMOTE_ACCESS_DENIED;
- }
- else if(*state >= NTLMSTATE_TYPE1) {
- infof(data, "NTLM handshake failure (internal error)");
- return CURLE_REMOTE_ACCESS_DENIED;
- }
-
- *state = NTLMSTATE_TYPE1; /* We should send away a type-1 */
- }
-
- return CURLE_OK;
-}
-
-/*
- * This is for creating ntlm header output by delegating challenge/response
- * to Samba's winbind daemon helper ntlm_auth.
- */
-CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn,
- bool proxy)
-{
- /* point to the address of the pointer that holds the string to send to the
- server, which is for a plain host or for an HTTP proxy */
- char **allocuserpwd;
- /* point to the name and password for this */
- const char *userp;
- struct ntlmdata *ntlm;
- curlntlm *state;
- struct auth *authp;
-
- CURLcode res = CURLE_OK;
-
- DEBUGASSERT(conn);
- DEBUGASSERT(data);
-
- if(proxy) {
-#ifndef CURL_DISABLE_PROXY
- allocuserpwd = &data->state.aptr.proxyuserpwd;
- userp = conn->http_proxy.user;
- ntlm = &conn->proxyntlm;
- state = &conn->proxy_ntlm_state;
- authp = &data->state.authproxy;
-#else
- return CURLE_NOT_BUILT_IN;
-#endif
- }
- else {
- allocuserpwd = &data->state.aptr.userpwd;
- userp = conn->user;
- ntlm = &conn->ntlm;
- state = &conn->http_ntlm_state;
- authp = &data->state.authhost;
- }
- authp->done = FALSE;
-
- /* not set means empty */
- if(!userp)
- userp = "";
-
- switch(*state) {
- case NTLMSTATE_TYPE1:
- default:
- /* Use Samba's 'winbind' daemon to support NTLM authentication,
- * by delegating the NTLM challenge/response protocol to a helper
- * in ntlm_auth.
- * https://web.archive.org/web/20190925164737
- * /devel.squid-cache.org/ntlm/squid_helper_protocol.html
- * https://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
- * https://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
- * Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this
- * feature is enabled and 'NTLM_WB_FILE' symbol holds absolute
- * filename of ntlm_auth helper.
- * If NTLM authentication using winbind fails, go back to original
- * request handling process.
- */
- /* Create communication with ntlm_auth */
- res = ntlm_wb_init(data, ntlm, userp);
- if(res)
- return res;
- res = ntlm_wb_response(data, ntlm, "YR\n", *state);
- if(res)
- return res;
-
- free(*allocuserpwd);
- *allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
- proxy ? "Proxy-" : "",
- ntlm->response);
- DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
- Curl_safefree(ntlm->response);
- if(!*allocuserpwd)
- return CURLE_OUT_OF_MEMORY;
- break;
-
- case NTLMSTATE_TYPE2: {
- char *input = aprintf("TT %s\n", ntlm->challenge);
- if(!input)
- return CURLE_OUT_OF_MEMORY;
- res = ntlm_wb_response(data, ntlm, input, *state);
- free(input);
- if(res)
- return res;
-
- free(*allocuserpwd);
- *allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
- proxy ? "Proxy-" : "",
- ntlm->response);
- DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
- *state = NTLMSTATE_TYPE3; /* we sent a type-3 */
- authp->done = TRUE;
- Curl_http_auth_cleanup_ntlm_wb(conn);
- if(!*allocuserpwd)
- return CURLE_OUT_OF_MEMORY;
- break;
- }
- case NTLMSTATE_TYPE3:
- /* connection is already authenticated,
- * don't send a header in future requests */
- *state = NTLMSTATE_LAST;
- FALLTHROUGH();
- case NTLMSTATE_LAST:
- Curl_safefree(*allocuserpwd);
- authp->done = TRUE;
- break;
- }
-
- return CURLE_OK;
-}
-
-void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
-{
- ntlm_wb_cleanup(&conn->ntlm);
- ntlm_wb_cleanup(&conn->proxyntlm);
-}
-
-#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
+++ /dev/null
-#ifndef HEADER_CURL_NTLM_WB_H
-#define HEADER_CURL_NTLM_WB_H
-/***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
-
-#include "curl_setup.h"
-
-#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
- defined(NTLM_WB_ENABLED)
-
-/* this is for ntlm header input */
-CURLcode Curl_input_ntlm_wb(struct Curl_easy *data,
- struct connectdata *conn, bool proxy,
- const char *header);
-
-/* this is for creating ntlm header output */
-CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn,
- bool proxy);
-
-void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn);
-
-#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
-
-#endif /* HEADER_CURL_NTLM_WB_H */
#include "vquic/vquic.h"
#include "http_digest.h"
#include "http_ntlm.h"
-#include "curl_ntlm_wb.h"
#include "http_negotiate.h"
#include "http_aws_sigv4.h"
#include "url.h"
#endif
else if(avail & CURLAUTH_NTLM)
pick->picked = CURLAUTH_NTLM;
- else if(avail & CURLAUTH_NTLM_WB)
- pick->picked = CURLAUTH_NTLM_WB;
#ifndef CURL_DISABLE_BASIC_AUTH
else if(avail & CURLAUTH_BASIC)
pick->picked = CURLAUTH_BASIC;
/* We'd like to abort the upload - but should we? */
#if defined(USE_NTLM)
if((data->state.authproxy.picked == CURLAUTH_NTLM) ||
- (data->state.authhost.picked == CURLAUTH_NTLM) ||
- (data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
- (data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
+ (data->state.authhost.picked == CURLAUTH_NTLM)) {
ongoing_auth = "NTML";
if((conn->http_ntlm_state != NTLMSTATE_NONE) ||
(conn->proxy_ntlm_state != NTLMSTATE_NONE)) {
}
else
#endif
-#if defined(USE_NTLM) && defined(NTLM_WB_ENABLED)
- if(authstatus->picked == CURLAUTH_NTLM_WB) {
- auth = "NTLM_WB";
- result = Curl_output_ntlm_wb(data, conn, proxy);
- if(result)
- return result;
- }
- else
-#endif
#ifndef CURL_DISABLE_DIGEST_AUTH
if(authstatus->picked == CURLAUTH_DIGEST) {
auth = "Digest";
/* NTLM support requires the SSL crypto libs */
if(checkprefix("NTLM", auth) && is_valid_auth_separator(auth[4])) {
if((authp->avail & CURLAUTH_NTLM) ||
- (authp->avail & CURLAUTH_NTLM_WB) ||
Curl_auth_is_ntlm_supported()) {
*availp |= CURLAUTH_NTLM;
authp->avail |= CURLAUTH_NTLM;
- if(authp->picked == CURLAUTH_NTLM ||
- authp->picked == CURLAUTH_NTLM_WB) {
+ if(authp->picked == CURLAUTH_NTLM) {
/* NTLM authentication is picked and activated */
CURLcode result = Curl_input_ntlm(data, proxy, auth);
if(!result) {
data->state.authproblem = FALSE;
-#ifdef NTLM_WB_ENABLED
- if(authp->picked == CURLAUTH_NTLM_WB) {
- *availp &= ~CURLAUTH_NTLM;
- authp->avail &= ~CURLAUTH_NTLM;
- *availp |= CURLAUTH_NTLM_WB;
- authp->avail |= CURLAUTH_NTLM_WB;
-
- result = Curl_input_ntlm_wb(data, conn, proxy, auth);
- if(result) {
- infof(data, "Authentication problem. Ignoring this.");
- data->state.authproblem = TRUE;
- }
- }
-#endif
}
else {
infof(data, "Authentication problem. Ignoring this.");
#include "strcase.h"
#include "http_ntlm.h"
#include "curl_ntlm_core.h"
-#include "curl_ntlm_wb.h"
#include "curl_base64.h"
#include "vauth/vauth.h"
#include "url.h"
{
Curl_auth_cleanup_ntlm(&conn->ntlm);
Curl_auth_cleanup_ntlm(&conn->proxyntlm);
-
-#if defined(NTLM_WB_ENABLED)
- Curl_http_auth_cleanup_ntlm_wb(conn);
-#endif
}
#endif /* !CURL_DISABLE_HTTP && USE_NTLM */
/* switch off bits we can't support */
#ifndef USE_NTLM
auth &= ~CURLAUTH_NTLM; /* no NTLM support */
- auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
-#elif !defined(NTLM_WB_ENABLED)
- auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
#endif
#ifndef USE_SPNEGO
auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without
/* switch off bits we can't support */
#ifndef USE_NTLM
auth &= ~CURLAUTH_NTLM; /* no NTLM support */
- auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
-#elif !defined(NTLM_WB_ENABLED)
- auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
#endif
#ifndef USE_SPNEGO
auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without
struct Curl_llist_element *curr;
#ifdef USE_NTLM
- bool wantNTLMhttp = ((data->state.authhost.want &
- (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+ bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) &&
(needle->handler->protocol & PROTO_FAMILY_HTTP));
#ifndef CURL_DISABLE_PROXY
bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
((data->state.authproxy.want &
- (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+ CURLAUTH_NTLM) &&
(needle->handler->protocol & PROTO_FAMILY_HTTP)));
#else
bool wantProxyNTLMhttp = FALSE;
conn->connect_only = data->set.connect_only;
conn->transport = TRNSPRT_TCP; /* most of them are TCP streams */
-#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
- defined(NTLM_WB_ENABLED)
- conn->ntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
- conn->proxyntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
-#endif
-
/* Initialize the easy handle list */
Curl_llist_init(&conn->easyq, NULL);
/* If NTLM is requested in a part of this connection, make sure we don't
assume the state is fine as this is a fresh connection and NTLM is
connection based. */
- if((data->state.authhost.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+ if((data->state.authhost.picked & CURLAUTH_NTLM) &&
data->state.authhost.done) {
infof(data, "NTLM picked AND auth done set, clear picked");
data->state.authhost.picked = CURLAUTH_NONE;
data->state.authhost.done = FALSE;
}
- if((data->state.authproxy.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+ if((data->state.authproxy.picked & CURLAUTH_NTLM) &&
data->state.authproxy.done) {
infof(data, "NTLM-proxy picked AND auth done set, clear picked");
data->state.authproxy.picked = CURLAUTH_NONE;
unsigned char nonce[8];
unsigned int target_info_len;
void *target_info; /* TargetInfo received in the ntlm type-2 message */
-
-#if defined(NTLM_WB_ENABLED)
- /* used for communication with Samba's winbind daemon helper ntlm_auth */
- curl_socket_t ntlm_auth_hlpr_socket;
- pid_t ntlm_auth_hlpr_pid;
- char *challenge; /* The received base64 encoded ntlm type-2 message */
- char *response; /* The generated base64 ntlm type-1/type-3 message */
-#endif
#endif
};
#endif
#ifdef USE_NTLM
FEATURE("NTLM", NULL, CURL_VERSION_NTLM),
#endif
-#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
- defined(NTLM_WB_ENABLED)
- FEATURE("NTLM_WB", NULL, CURL_VERSION_NTLM_WB),
-#endif
#if defined(USE_LIBPSL)
FEATURE("PSL", NULL, CURL_VERSION_PSL),
#endif
fi
])
-
-dnl CURL_CHECK_OPTION_NTLM_WB
-dnl -------------------------------------------------
-dnl Verify if configure has been invoked with option
-dnl --enable-ntlm-wb or --disable-ntlm-wb, and set
-dnl shell variable want_ntlm_wb and want_ntlm_wb_file
-dnl as appropriate.
-
-AC_DEFUN([CURL_CHECK_OPTION_NTLM_WB], [
- AC_BEFORE([$0],[CURL_CHECK_NTLM_WB])dnl
- OPT_NTLM_WB="default"
- AC_ARG_ENABLE(ntlm-wb,
-AS_HELP_STRING([--enable-ntlm-wb@<:@=FILE@:>@],[Enable NTLM delegation to winbind's ntlm_auth helper, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)])
-AS_HELP_STRING([--disable-ntlm-wb],[Disable NTLM delegation to winbind's ntlm_auth helper]),
- OPT_NTLM_WB=$enableval)
- want_ntlm_wb_file="/usr/bin/ntlm_auth"
- case "$OPT_NTLM_WB" in
- no)
- dnl --disable-ntlm-wb option used
- want_ntlm_wb="no"
- ;;
- default)
- dnl configure option not specified
- want_ntlm_wb="yes"
- ;;
- *)
- dnl --enable-ntlm-wb option used
- want_ntlm_wb="yes"
- if test -n "$enableval" && test "$enableval" != "yes"; then
- want_ntlm_wb_file="$enableval"
- fi
- ;;
- esac
-])
-
-
-dnl CURL_CHECK_NTLM_WB
-dnl -------------------------------------------------
-dnl Check if support for NTLM delegation to winbind's
-dnl ntlm_auth helper will finally be enabled depending
-dnl on given configure options and target platform.
-
-AC_DEFUN([CURL_CHECK_NTLM_WB], [
- AC_REQUIRE([CURL_CHECK_OPTION_NTLM_WB])dnl
- AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl
- AC_MSG_CHECKING([whether to enable NTLM delegation to winbind's helper])
- if test "$curl_cv_native_windows" = "yes" ||
- test "x$SSL_ENABLED" = "x"; then
- want_ntlm_wb_file=""
- want_ntlm_wb="no"
- elif test "x$ac_cv_func_fork" != "xyes"; then
- dnl ntlm_wb requires fork
- want_ntlm_wb="no"
- fi
- AC_MSG_RESULT([$want_ntlm_wb])
- if test "$want_ntlm_wb" = "yes"; then
- AC_DEFINE(NTLM_WB_ENABLED, 1,
- [Define to enable NTLM delegation to winbind's ntlm_auth helper.])
- AC_DEFINE_UNQUOTED(NTLM_WB_FILE, "$want_ntlm_wb_file",
- [Define absolute filename for winbind's ntlm_auth helper.])
- NTLM_WB_ENABLED=1
- fi
-])
-
dnl CURL_CHECK_OPTION_ECH
dnl -----------------------------------------------------
dnl Verify whether configure has been invoked with option
nextarg = (char *)"";
switch(cmd) {
+ case C_RANDOM_FILE: /* --random-file */
+ case C_EGD_FILE: /* --egd-file */
+ case C_NTLM_WB: /* --ntlm-wb */
+ warnf(global, "--%s is deprecated and has no function anymore",
+ a->lname);
+ break;
case C_DNS_IPV4_ADDR: /* --dns-ipv4-addr */
if(!curlinfo->ares_num) /* c-ares is needed for this */
err = PARAM_LIBCURL_DOESNT_SUPPORT;
/* addr in dot notation */
err = getstr(&config->dns_ipv6_addr, nextarg, DENY_BLANK);
break;
- case C_RANDOM_FILE: /* --random-file */
- break;
- case C_EGD_FILE: /* --egd-file */
- break;
case C_OAUTH2_BEARER: /* --oauth2-bearer */
err = getstr(&config->oauth_bearer, nextarg, DENY_BLANK);
if(!err) {
else
err = PARAM_LIBCURL_DOESNT_SUPPORT;
break;
- case C_NTLM_WB: /* --ntlm-wb */
- if(!toggle)
- config->authtype &= ~CURLAUTH_NTLM_WB;
- else if(feature_ntlm_wb)
- config->authtype |= CURLAUTH_NTLM_WB;
- else
- err = PARAM_LIBCURL_DOESNT_SUPPORT;
- break;
case C_BASIC: /* --basic */
if(toggle)
config->authtype |= CURLAUTH_BASIC;
NV(CURLAUTH_GSSNEGOTIATE),
NV(CURLAUTH_NTLM),
NV(CURLAUTH_DIGEST_IE),
- NV(CURLAUTH_NTLM_WB),
NV(CURLAUTH_ONLY),
NV(CURLAUTH_NONE),
NVEND,
}
}
close($s);
+$sourcename{'NTLM_WB'}++; # deprecated, fake its presence in code
for my $h (keys %headerversion) {
if(!$manversion{$h}) {
projects / thirdparty / curl.git / commitdiff
