From: Daniel Stenberg Date: Sun, 31 Mar 2024 14:54:28 +0000 (+0200) Subject: NTLM_WB: drop support X-Git-Tag: curl-8_8_0~277 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=50def7c881ba560ab6e0235990e8f07fa69f4bc8;p=thirdparty%2Fcurl.git NTLM_WB: drop support The feature has not worked for months and has been marked as DEPRECATED for six+ months. Closes #13249 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 192417adfb..adc06a2c89 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1559,9 +1559,6 @@ if(NOT CURL_DISABLE_INSTALL) (HAVE_GSSAPI OR USE_WINDOWS_SSPI)) _add_if("NTLM" NOT (CURL_DISABLE_NTLM) AND (use_curl_ntlm_core OR USE_WINDOWS_SSPI)) - _add_if("NTLM_WB" NOT (CURL_DISABLE_NTLM) AND - (use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND - NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED) _add_if("TLS-SRP" USE_TLS_SRP) _add_if("HTTP2" USE_NGHTTP2) _add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE OR USE_OPENSSL_QUIC) diff --git a/configure.ac b/configure.ac index 354a71a5ab..13c8a1dfc7 100644 --- a/configure.ac +++ b/configure.ac @@ -4179,10 +4179,6 @@ AS_HELP_STRING([--disable-ntlm],[Disable NTLM support]), AC_MSG_RESULT(yes) ) -CURL_CHECK_OPTION_NTLM_WB - -CURL_CHECK_NTLM_WB - dnl ************************************************************ dnl disable TLS-SRP authentication dnl @@ -4729,11 +4725,6 @@ if test "x$CURL_DISABLE_NTLM" != "x1"; then if test "x$use_curl_ntlm_core" = "xyes" \ -o "x$USE_WINDOWS_SSPI" = "x1"; then SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM" - - if test "x$CURL_DISABLE_HTTP" != "x1" -a \ - "x$NTLM_WB_ENABLED" = "x1"; then - SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_WB" - fi fi fi diff --git a/docs/DEPRECATE.md b/docs/DEPRECATE.md index 27f8b288e0..87cec5483d 100644 --- a/docs/DEPRECATE.md +++ b/docs/DEPRECATE.md @@ -12,21 +12,6 @@ email the as soon as possible and explain to us why this is a problem for you and how your use case cannot be satisfied properly using a workaround. -## NTLM_WB auth - -This NTLM authentication method is powered by a separate tool, -`ntlm_auth`. Barely anyone uses this method. It was always a quirky -implementation (including fork + exec), it has limited portability and we do -not test it in the test suite and CI. - -We keep the native NTLM implementation. - -Due to a mistake, the `NTLM_WB` functionality is missing in builds since 8.4.0 -(October 2023). It needs to be manually patched to work. See [PR -12479](https://github.com/curl/curl/pull/12479). - -curl removes the support for NTLM_WB auth in April 2024. - ## space-separated `NOPROXY` patterns When specifying patterns/domain names for curl that should *not* go through a @@ -56,3 +41,4 @@ curl removes the support for space-separated names in July 2024. - NSS - gskit - mingw v1 + - NTLM_WB diff --git a/docs/cmdline-opts/ntlm-wb.md b/docs/cmdline-opts/ntlm-wb.md index c5bcd4bfdc..4cc52b65e9 100644 --- a/docs/cmdline-opts/ntlm-wb.md +++ b/docs/cmdline-opts/ntlm-wb.md @@ -16,5 +16,7 @@ Example: # `--ntlm-wb` -Enables NTLM much in the style --ntlm does, but hand over the authentication -to the separate binary `ntlmauth` application that is executed when needed. +Deprecated option (added in 8.8.0). + +Enabled NTLM much in the style --ntlm does, but handed over the authentication +to a separate executable that was executed when needed. diff --git a/docs/libcurl/curl_version_info.md b/docs/libcurl/curl_version_info.md index 43365ac6dc..b086a39a73 100644 --- a/docs/libcurl/curl_version_info.md +++ b/docs/libcurl/curl_version_info.md @@ -267,7 +267,7 @@ supports HTTP NTLM (added in 7.10.6) *features* mask bit: CURL_VERSION_NTLM_WB libcurl was built with support for NTLM delegation to a winbind helper. -(Added in 7.22.0) +(Added in 7.22.0) This feature was removed from curl in 8.8.0. ## PSL diff --git a/docs/libcurl/opts/CURLOPT_HTTPAUTH.md b/docs/libcurl/opts/CURLOPT_HTTPAUTH.md index 9e29f7cae3..be1c773233 100644 --- a/docs/libcurl/opts/CURLOPT_HTTPAUTH.md +++ b/docs/libcurl/opts/CURLOPT_HTTPAUTH.md @@ -84,6 +84,8 @@ option to work, or build libcurl on Windows with SSPI support. ## CURLAUTH_NTLM_WB +Support for this is removed since libcurl 8.8.0. + NTLM delegating to winbind helper. Authentication is performed by a separate binary application that is executed when needed. The name of the application is specified at compile time but is typically **/usr/bin/ntlm_auth**. diff --git a/docs/libcurl/opts/CURLOPT_NOSIGNAL.md b/docs/libcurl/opts/CURLOPT_NOSIGNAL.md index 7d147d0f93..f2b2a3cd87 100644 --- a/docs/libcurl/opts/CURLOPT_NOSIGNAL.md +++ b/docs/libcurl/opts/CURLOPT_NOSIGNAL.md @@ -40,9 +40,7 @@ ignore SIGPIPE signals, which otherwise are sent by the system when trying to send data to a socket which is closed in the other end. libcurl makes an effort to never cause such SIGPIPE signals to trigger, but some operating systems have no way to avoid them and even on those that have there are some -corner cases when they may still happen, contrary to our desire. In addition, -using *CURLAUTH_NTLM_WB* authentication could cause a SIGCHLD signal to be -raised. +corner cases when they may still happen, contrary to our desire. # DEFAULT diff --git a/include/curl/curl.h b/include/curl/curl.h index b2377b7895..c79003885f 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -811,7 +811,10 @@ typedef enum { #define CURLAUTH_GSSAPI CURLAUTH_NEGOTIATE #define CURLAUTH_NTLM (((unsigned long)1)<<3) #define CURLAUTH_DIGEST_IE (((unsigned long)1)<<4) +#ifndef CURL_NO_OLDIES + /* functionality removed since 8.8.0 */ #define CURLAUTH_NTLM_WB (((unsigned long)1)<<5) +#endif #define CURLAUTH_BEARER (((unsigned long)1)<<6) #define CURLAUTH_AWS_SIGV4 (((unsigned long)1)<<7) #define CURLAUTH_ONLY (((unsigned long)1)<<31) diff --git a/lib/Makefile.inc b/lib/Makefile.inc index 400e2b1ac5..709c750733 100644 --- a/lib/Makefile.inc +++ b/lib/Makefile.inc @@ -129,7 +129,6 @@ LIB_CFILES = \ curl_memrchr.c \ curl_multibyte.c \ curl_ntlm_core.c \ - curl_ntlm_wb.c \ curl_path.c \ curl_range.c \ curl_rtmp.c \ @@ -271,7 +270,6 @@ LIB_HFILES = \ curl_memrchr.h \ curl_multibyte.h \ curl_ntlm_core.h \ - curl_ntlm_wb.h \ curl_path.h \ curl_printf.h \ curl_range.h \ diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c deleted file mode 100644 index acb0093956..0000000000 --- a/lib/curl_ntlm_wb.c +++ /dev/null @@ -1,500 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - -#include "curl_setup.h" - -#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ - defined(NTLM_WB_ENABLED) - -/* - * NTLM details: - * - * https://davenport.sourceforge.net/ntlm.html - * https://www.innovation.ch/java/ntlm.html - */ - -#define DEBUG_ME 0 - -#ifdef HAVE_SYS_WAIT_H -#include -#endif -#include -#ifdef HAVE_PWD_H -#include -#endif - -#include "urldata.h" -#include "sendf.h" -#include "select.h" -#include "vauth/ntlm.h" -#include "curl_ntlm_core.h" -#include "curl_ntlm_wb.h" -#include "url.h" -#include "strerror.h" -#include "strdup.h" -#include "strcase.h" - -/* The last 3 #include files should be in this order */ -#include "curl_printf.h" -#include "curl_memory.h" -#include "memdebug.h" - -#if DEBUG_ME -# define DEBUG_OUT(x) x -#else -# define DEBUG_OUT(x) Curl_nop_stmt -#endif - -/* Portable 'sclose_nolog' used only in child process instead of 'sclose' - to avoid fooling the socket leak detector */ -#ifdef HAVE_PIPE -# define sclose_nolog(x) close((x)) -#elif defined(HAVE_CLOSESOCKET) -# define sclose_nolog(x) closesocket((x)) -#elif defined(HAVE_CLOSESOCKET_CAMEL) -# define sclose_nolog(x) CloseSocket((x)) -#else -# define sclose_nolog(x) close((x)) -#endif - -static void ntlm_wb_cleanup(struct ntlmdata *ntlm) -{ - if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) { - sclose(ntlm->ntlm_auth_hlpr_socket); - ntlm->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD; - } - - if(ntlm->ntlm_auth_hlpr_pid) { - int i; - for(i = 0; i < 4; i++) { - pid_t ret = waitpid(ntlm->ntlm_auth_hlpr_pid, NULL, WNOHANG); - if(ret == ntlm->ntlm_auth_hlpr_pid || errno == ECHILD) - break; - switch(i) { - case 0: - kill(ntlm->ntlm_auth_hlpr_pid, SIGTERM); - break; - case 1: - /* Give the process another moment to shut down cleanly before - bringing down the axe */ - Curl_wait_ms(1); - break; - case 2: - kill(ntlm->ntlm_auth_hlpr_pid, SIGKILL); - break; - case 3: - break; - } - } - ntlm->ntlm_auth_hlpr_pid = 0; - } - - Curl_safefree(ntlm->challenge); - Curl_safefree(ntlm->response); -} - -static CURLcode ntlm_wb_init(struct Curl_easy *data, struct ntlmdata *ntlm, - const char *userp) -{ - curl_socket_t sockfds[2]; - pid_t child_pid; - const char *username; - char *slash, *domain = NULL; - const char *ntlm_auth = NULL; - char *ntlm_auth_alloc = NULL; -#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID) - struct passwd pw, *pw_res; - char pwbuf[1024]; -#endif - char buffer[STRERROR_LEN]; - -#if defined(CURL_DISABLE_VERBOSE_STRINGS) - (void) data; -#endif - - /* Return if communication with ntlm_auth already set up */ - if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD || - ntlm->ntlm_auth_hlpr_pid) - return CURLE_OK; - - username = userp; - /* The real ntlm_auth really doesn't like being invoked with an - empty username. It won't make inferences for itself, and expects - the client to do so (mostly because it's really designed for - servers like squid to use for auth, and client support is an - afterthought for it). So try hard to provide a suitable username - if we don't already have one. But if we can't, provide the - empty one anyway. Perhaps they have an implementation of the - ntlm_auth helper which *doesn't* need it so we might as well try */ - if(!username || !username[0]) { - username = getenv("NTLMUSER"); - if(!username || !username[0]) - username = getenv("LOGNAME"); - if(!username || !username[0]) - username = getenv("USER"); -#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID) - if((!username || !username[0]) && - !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) && - pw_res) { - username = pw.pw_name; - } -#endif - if(!username || !username[0]) - username = userp; - } - slash = strpbrk(username, "\\/"); - if(slash) { - domain = strdup(username); - if(!domain) - return CURLE_OUT_OF_MEMORY; - slash = domain + (slash - username); - *slash = '\0'; - username = username + (slash - domain) + 1; - } - - /* For testing purposes, when DEBUGBUILD is defined and environment - variable CURL_NTLM_WB_FILE is set a fake_ntlm is used to perform - NTLM challenge/response which only accepts commands and output - strings pre-written in test case definitions */ -#ifdef DEBUGBUILD - ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE"); - if(ntlm_auth_alloc) - ntlm_auth = ntlm_auth_alloc; - else -#endif - ntlm_auth = NTLM_WB_FILE; - - if(access(ntlm_auth, X_OK) != 0) { - failf(data, "Could not access ntlm_auth: %s errno %d: %s", - ntlm_auth, errno, Curl_strerror(errno, buffer, sizeof(buffer))); - goto done; - } - - if(wakeup_create(sockfds)) { - failf(data, "Could not open socket pair. errno %d: %s", - errno, Curl_strerror(errno, buffer, sizeof(buffer))); - goto done; - } - - child_pid = fork(); - if(child_pid == -1) { - wakeup_close(sockfds[0]); - wakeup_close(sockfds[1]); - failf(data, "Could not fork. errno %d: %s", - errno, Curl_strerror(errno, buffer, sizeof(buffer))); - goto done; - } - else if(!child_pid) { - /* - * child process - */ - - /* Don't use sclose in the child since it fools the socket leak detector */ - sclose_nolog(sockfds[0]); - if(dup2(sockfds[1], STDIN_FILENO) == -1) { - failf(data, "Could not redirect child stdin. errno %d: %s", - errno, Curl_strerror(errno, buffer, sizeof(buffer))); - exit(1); - } - - if(dup2(sockfds[1], STDOUT_FILENO) == -1) { - failf(data, "Could not redirect child stdout. errno %d: %s", - errno, Curl_strerror(errno, buffer, sizeof(buffer))); - exit(1); - } - - if(domain) - execl(ntlm_auth, ntlm_auth, - "--helper-protocol", "ntlmssp-client-1", - "--use-cached-creds", - "--username", username, - "--domain", domain, - NULL); - else - execl(ntlm_auth, ntlm_auth, - "--helper-protocol", "ntlmssp-client-1", - "--use-cached-creds", - "--username", username, - NULL); - - sclose_nolog(sockfds[1]); - failf(data, "Could not execl(). errno %d: %s", - errno, Curl_strerror(errno, buffer, sizeof(buffer))); - exit(1); - } - - sclose(sockfds[1]); - ntlm->ntlm_auth_hlpr_socket = sockfds[0]; - ntlm->ntlm_auth_hlpr_pid = child_pid; - free(domain); - free(ntlm_auth_alloc); - return CURLE_OK; - -done: - free(domain); - free(ntlm_auth_alloc); - return CURLE_REMOTE_ACCESS_DENIED; -} - -/* if larger than this, something is seriously wrong */ -#define MAX_NTLM_WB_RESPONSE 100000 - -static CURLcode ntlm_wb_response(struct Curl_easy *data, struct ntlmdata *ntlm, - const char *input, curlntlm state) -{ - size_t len_in = strlen(input), len_out = 0; - struct dynbuf b; - char *ptr = NULL; - unsigned char buf[1024]; - Curl_dyn_init(&b, MAX_NTLM_WB_RESPONSE); - - while(len_in > 0) { - ssize_t written = wakeup_write(ntlm->ntlm_auth_hlpr_socket, input, len_in); - if(written == -1) { - /* Interrupted by a signal, retry it */ - if(errno == EINTR) - continue; - /* write failed if other errors happen */ - goto done; - } - input += written; - len_in -= written; - } - /* Read one line */ - while(1) { - ssize_t size = - wakeup_read(ntlm->ntlm_auth_hlpr_socket, buf, sizeof(buf)); - if(size == -1) { - if(errno == EINTR) - continue; - goto done; - } - else if(size == 0) - goto done; - - if(Curl_dyn_addn(&b, buf, size)) - goto done; - - len_out = Curl_dyn_len(&b); - ptr = Curl_dyn_ptr(&b); - if(len_out && ptr[len_out - 1] == '\n') { - ptr[len_out - 1] = '\0'; - break; /* done! */ - } - /* loop */ - } - - /* Samba/winbind installed but not configured */ - if(state == NTLMSTATE_TYPE1 && - len_out == 3 && - ptr[0] == 'P' && ptr[1] == 'W') - goto done; - /* invalid response */ - if(len_out < 4) - goto done; - if(state == NTLMSTATE_TYPE1 && - (ptr[0]!='Y' || ptr[1]!='R' || ptr[2]!=' ')) - goto done; - if(state == NTLMSTATE_TYPE2 && - (ptr[0]!='K' || ptr[1]!='K' || ptr[2]!=' ') && - (ptr[0]!='A' || ptr[1]!='F' || ptr[2]!=' ')) - goto done; - - ntlm->response = strdup(ptr + 3); - Curl_dyn_free(&b); - if(!ntlm->response) - return CURLE_OUT_OF_MEMORY; - return CURLE_OK; -done: - Curl_dyn_free(&b); - return CURLE_REMOTE_ACCESS_DENIED; -} - -CURLcode Curl_input_ntlm_wb(struct Curl_easy *data, - struct connectdata *conn, - bool proxy, - const char *header) -{ - struct ntlmdata *ntlm = proxy ? &conn->proxyntlm : &conn->ntlm; - curlntlm *state = proxy ? &conn->proxy_ntlm_state : &conn->http_ntlm_state; - - (void) data; /* In case it gets unused by nop log macros. */ - - if(!checkprefix("NTLM", header)) - return CURLE_BAD_CONTENT_ENCODING; - - header += strlen("NTLM"); - while(*header && ISSPACE(*header)) - header++; - - if(*header) { - ntlm->challenge = strdup(header); - if(!ntlm->challenge) - return CURLE_OUT_OF_MEMORY; - - *state = NTLMSTATE_TYPE2; /* We got a type-2 message */ - } - else { - if(*state == NTLMSTATE_LAST) { - infof(data, "NTLM auth restarted"); - Curl_http_auth_cleanup_ntlm_wb(conn); - } - else if(*state == NTLMSTATE_TYPE3) { - infof(data, "NTLM handshake rejected"); - Curl_http_auth_cleanup_ntlm_wb(conn); - *state = NTLMSTATE_NONE; - return CURLE_REMOTE_ACCESS_DENIED; - } - else if(*state >= NTLMSTATE_TYPE1) { - infof(data, "NTLM handshake failure (internal error)"); - return CURLE_REMOTE_ACCESS_DENIED; - } - - *state = NTLMSTATE_TYPE1; /* We should send away a type-1 */ - } - - return CURLE_OK; -} - -/* - * This is for creating ntlm header output by delegating challenge/response - * to Samba's winbind daemon helper ntlm_auth. - */ -CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn, - bool proxy) -{ - /* point to the address of the pointer that holds the string to send to the - server, which is for a plain host or for an HTTP proxy */ - char **allocuserpwd; - /* point to the name and password for this */ - const char *userp; - struct ntlmdata *ntlm; - curlntlm *state; - struct auth *authp; - - CURLcode res = CURLE_OK; - - DEBUGASSERT(conn); - DEBUGASSERT(data); - - if(proxy) { -#ifndef CURL_DISABLE_PROXY - allocuserpwd = &data->state.aptr.proxyuserpwd; - userp = conn->http_proxy.user; - ntlm = &conn->proxyntlm; - state = &conn->proxy_ntlm_state; - authp = &data->state.authproxy; -#else - return CURLE_NOT_BUILT_IN; -#endif - } - else { - allocuserpwd = &data->state.aptr.userpwd; - userp = conn->user; - ntlm = &conn->ntlm; - state = &conn->http_ntlm_state; - authp = &data->state.authhost; - } - authp->done = FALSE; - - /* not set means empty */ - if(!userp) - userp = ""; - - switch(*state) { - case NTLMSTATE_TYPE1: - default: - /* Use Samba's 'winbind' daemon to support NTLM authentication, - * by delegating the NTLM challenge/response protocol to a helper - * in ntlm_auth. - * https://web.archive.org/web/20190925164737 - * /devel.squid-cache.org/ntlm/squid_helper_protocol.html - * https://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html - * https://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html - * Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this - * feature is enabled and 'NTLM_WB_FILE' symbol holds absolute - * filename of ntlm_auth helper. - * If NTLM authentication using winbind fails, go back to original - * request handling process. - */ - /* Create communication with ntlm_auth */ - res = ntlm_wb_init(data, ntlm, userp); - if(res) - return res; - res = ntlm_wb_response(data, ntlm, "YR\n", *state); - if(res) - return res; - - free(*allocuserpwd); - *allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n", - proxy ? "Proxy-" : "", - ntlm->response); - DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd)); - Curl_safefree(ntlm->response); - if(!*allocuserpwd) - return CURLE_OUT_OF_MEMORY; - break; - - case NTLMSTATE_TYPE2: { - char *input = aprintf("TT %s\n", ntlm->challenge); - if(!input) - return CURLE_OUT_OF_MEMORY; - res = ntlm_wb_response(data, ntlm, input, *state); - free(input); - if(res) - return res; - - free(*allocuserpwd); - *allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n", - proxy ? "Proxy-" : "", - ntlm->response); - DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd)); - *state = NTLMSTATE_TYPE3; /* we sent a type-3 */ - authp->done = TRUE; - Curl_http_auth_cleanup_ntlm_wb(conn); - if(!*allocuserpwd) - return CURLE_OUT_OF_MEMORY; - break; - } - case NTLMSTATE_TYPE3: - /* connection is already authenticated, - * don't send a header in future requests */ - *state = NTLMSTATE_LAST; - FALLTHROUGH(); - case NTLMSTATE_LAST: - Curl_safefree(*allocuserpwd); - authp->done = TRUE; - break; - } - - return CURLE_OK; -} - -void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn) -{ - ntlm_wb_cleanup(&conn->ntlm); - ntlm_wb_cleanup(&conn->proxyntlm); -} - -#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */ diff --git a/lib/curl_ntlm_wb.h b/lib/curl_ntlm_wb.h deleted file mode 100644 index 37704c0fe0..0000000000 --- a/lib/curl_ntlm_wb.h +++ /dev/null @@ -1,45 +0,0 @@ -#ifndef HEADER_CURL_NTLM_WB_H -#define HEADER_CURL_NTLM_WB_H -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - -#include "curl_setup.h" - -#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ - defined(NTLM_WB_ENABLED) - -/* this is for ntlm header input */ -CURLcode Curl_input_ntlm_wb(struct Curl_easy *data, - struct connectdata *conn, bool proxy, - const char *header); - -/* this is for creating ntlm header output */ -CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn, - bool proxy); - -void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn); - -#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */ - -#endif /* HEADER_CURL_NTLM_WB_H */ diff --git a/lib/http.c b/lib/http.c index 190cf821ed..7cb8b63f8c 100644 --- a/lib/http.c +++ b/lib/http.c @@ -65,7 +65,6 @@ #include "vquic/vquic.h" #include "http_digest.h" #include "http_ntlm.h" -#include "curl_ntlm_wb.h" #include "http_negotiate.h" #include "http_aws_sigv4.h" #include "url.h" @@ -386,8 +385,6 @@ static bool pickoneauth(struct auth *pick, unsigned long mask) #endif else if(avail & CURLAUTH_NTLM) pick->picked = CURLAUTH_NTLM; - else if(avail & CURLAUTH_NTLM_WB) - pick->picked = CURLAUTH_NTLM_WB; #ifndef CURL_DISABLE_BASIC_AUTH else if(avail & CURLAUTH_BASIC) pick->picked = CURLAUTH_BASIC; @@ -446,9 +443,7 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data, /* We'd like to abort the upload - but should we? */ #if defined(USE_NTLM) if((data->state.authproxy.picked == CURLAUTH_NTLM) || - (data->state.authhost.picked == CURLAUTH_NTLM) || - (data->state.authproxy.picked == CURLAUTH_NTLM_WB) || - (data->state.authhost.picked == CURLAUTH_NTLM_WB)) { + (data->state.authhost.picked == CURLAUTH_NTLM)) { ongoing_auth = "NTML"; if((conn->http_ntlm_state != NTLMSTATE_NONE) || (conn->proxy_ntlm_state != NTLMSTATE_NONE)) { @@ -627,15 +622,6 @@ output_auth_headers(struct Curl_easy *data, } else #endif -#if defined(USE_NTLM) && defined(NTLM_WB_ENABLED) - if(authstatus->picked == CURLAUTH_NTLM_WB) { - auth = "NTLM_WB"; - result = Curl_output_ntlm_wb(data, conn, proxy); - if(result) - return result; - } - else -#endif #ifndef CURL_DISABLE_DIGEST_AUTH if(authstatus->picked == CURLAUTH_DIGEST) { auth = "Digest"; @@ -925,31 +911,15 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy, /* NTLM support requires the SSL crypto libs */ if(checkprefix("NTLM", auth) && is_valid_auth_separator(auth[4])) { if((authp->avail & CURLAUTH_NTLM) || - (authp->avail & CURLAUTH_NTLM_WB) || Curl_auth_is_ntlm_supported()) { *availp |= CURLAUTH_NTLM; authp->avail |= CURLAUTH_NTLM; - if(authp->picked == CURLAUTH_NTLM || - authp->picked == CURLAUTH_NTLM_WB) { + if(authp->picked == CURLAUTH_NTLM) { /* NTLM authentication is picked and activated */ CURLcode result = Curl_input_ntlm(data, proxy, auth); if(!result) { data->state.authproblem = FALSE; -#ifdef NTLM_WB_ENABLED - if(authp->picked == CURLAUTH_NTLM_WB) { - *availp &= ~CURLAUTH_NTLM; - authp->avail &= ~CURLAUTH_NTLM; - *availp |= CURLAUTH_NTLM_WB; - authp->avail |= CURLAUTH_NTLM_WB; - - result = Curl_input_ntlm_wb(data, conn, proxy, auth); - if(result) { - infof(data, "Authentication problem. Ignoring this."); - data->state.authproblem = TRUE; - } - } -#endif } else { infof(data, "Authentication problem. Ignoring this."); diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c index b845ddf37f..3dccb5cb78 100644 --- a/lib/http_ntlm.c +++ b/lib/http_ntlm.c @@ -40,7 +40,6 @@ #include "strcase.h" #include "http_ntlm.h" #include "curl_ntlm_core.h" -#include "curl_ntlm_wb.h" #include "curl_base64.h" #include "vauth/vauth.h" #include "url.h" @@ -266,10 +265,6 @@ void Curl_http_auth_cleanup_ntlm(struct connectdata *conn) { Curl_auth_cleanup_ntlm(&conn->ntlm); Curl_auth_cleanup_ntlm(&conn->proxyntlm); - -#if defined(NTLM_WB_ENABLED) - Curl_http_auth_cleanup_ntlm_wb(conn); -#endif } #endif /* !CURL_DISABLE_HTTP && USE_NTLM */ diff --git a/lib/setopt.c b/lib/setopt.c index 61a9244c82..b36d9bd2c5 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -1024,9 +1024,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) /* switch off bits we can't support */ #ifndef USE_NTLM auth &= ~CURLAUTH_NTLM; /* no NTLM support */ - auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */ -#elif !defined(NTLM_WB_ENABLED) - auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */ #endif #ifndef USE_SPNEGO auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without @@ -1105,9 +1102,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) /* switch off bits we can't support */ #ifndef USE_NTLM auth &= ~CURLAUTH_NTLM; /* no NTLM support */ - auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */ -#elif !defined(NTLM_WB_ENABLED) - auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */ #endif #ifndef USE_SPNEGO auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without diff --git a/lib/url.c b/lib/url.c index 786953c978..b2f501b245 100644 --- a/lib/url.c +++ b/lib/url.c @@ -937,13 +937,12 @@ ConnectionExists(struct Curl_easy *data, struct Curl_llist_element *curr; #ifdef USE_NTLM - bool wantNTLMhttp = ((data->state.authhost.want & - (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) && + bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) && (needle->handler->protocol & PROTO_FAMILY_HTTP)); #ifndef CURL_DISABLE_PROXY bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd && ((data->state.authproxy.want & - (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) && + CURLAUTH_NTLM) && (needle->handler->protocol & PROTO_FAMILY_HTTP))); #else bool wantProxyNTLMhttp = FALSE; @@ -1415,12 +1414,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) conn->connect_only = data->set.connect_only; conn->transport = TRNSPRT_TCP; /* most of them are TCP streams */ -#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ - defined(NTLM_WB_ENABLED) - conn->ntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD; - conn->proxyntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD; -#endif - /* Initialize the easy handle list */ Curl_llist_init(&conn->easyq, NULL); @@ -3752,14 +3745,14 @@ static CURLcode create_conn(struct Curl_easy *data, /* If NTLM is requested in a part of this connection, make sure we don't assume the state is fine as this is a fresh connection and NTLM is connection based. */ - if((data->state.authhost.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) && + if((data->state.authhost.picked & CURLAUTH_NTLM) && data->state.authhost.done) { infof(data, "NTLM picked AND auth done set, clear picked"); data->state.authhost.picked = CURLAUTH_NONE; data->state.authhost.done = FALSE; } - if((data->state.authproxy.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) && + if((data->state.authproxy.picked & CURLAUTH_NTLM) && data->state.authproxy.done) { infof(data, "NTLM-proxy picked AND auth done set, clear picked"); data->state.authproxy.picked = CURLAUTH_NONE; diff --git a/lib/urldata.h b/lib/urldata.h index 226d1af71d..95a3add703 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -444,14 +444,6 @@ struct ntlmdata { unsigned char nonce[8]; unsigned int target_info_len; void *target_info; /* TargetInfo received in the ntlm type-2 message */ - -#if defined(NTLM_WB_ENABLED) - /* used for communication with Samba's winbind daemon helper ntlm_auth */ - curl_socket_t ntlm_auth_hlpr_socket; - pid_t ntlm_auth_hlpr_pid; - char *challenge; /* The received base64 encoded ntlm type-2 message */ - char *response; /* The generated base64 ntlm type-1/type-3 message */ -#endif #endif }; #endif diff --git a/lib/version.c b/lib/version.c index 88f3696dec..942cf56130 100644 --- a/lib/version.c +++ b/lib/version.c @@ -497,10 +497,6 @@ static const struct feat features_table[] = { #ifdef USE_NTLM FEATURE("NTLM", NULL, CURL_VERSION_NTLM), #endif -#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ - defined(NTLM_WB_ENABLED) - FEATURE("NTLM_WB", NULL, CURL_VERSION_NTLM_WB), -#endif #if defined(USE_LIBPSL) FEATURE("PSL", NULL, CURL_VERSION_PSL), #endif diff --git a/m4/curl-confopts.m4 b/m4/curl-confopts.m4 index 1d2d6fed46..1ee5d50c46 100644 --- a/m4/curl-confopts.m4 +++ b/m4/curl-confopts.m4 @@ -568,70 +568,6 @@ AC_DEFUN([CURL_CHECK_LIB_ARES], [ fi ]) - -dnl CURL_CHECK_OPTION_NTLM_WB -dnl ------------------------------------------------- -dnl Verify if configure has been invoked with option -dnl --enable-ntlm-wb or --disable-ntlm-wb, and set -dnl shell variable want_ntlm_wb and want_ntlm_wb_file -dnl as appropriate. - -AC_DEFUN([CURL_CHECK_OPTION_NTLM_WB], [ - AC_BEFORE([$0],[CURL_CHECK_NTLM_WB])dnl - OPT_NTLM_WB="default" - AC_ARG_ENABLE(ntlm-wb, -AS_HELP_STRING([--enable-ntlm-wb@<:@=FILE@:>@],[Enable NTLM delegation to winbind's ntlm_auth helper, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)]) -AS_HELP_STRING([--disable-ntlm-wb],[Disable NTLM delegation to winbind's ntlm_auth helper]), - OPT_NTLM_WB=$enableval) - want_ntlm_wb_file="/usr/bin/ntlm_auth" - case "$OPT_NTLM_WB" in - no) - dnl --disable-ntlm-wb option used - want_ntlm_wb="no" - ;; - default) - dnl configure option not specified - want_ntlm_wb="yes" - ;; - *) - dnl --enable-ntlm-wb option used - want_ntlm_wb="yes" - if test -n "$enableval" && test "$enableval" != "yes"; then - want_ntlm_wb_file="$enableval" - fi - ;; - esac -]) - - -dnl CURL_CHECK_NTLM_WB -dnl ------------------------------------------------- -dnl Check if support for NTLM delegation to winbind's -dnl ntlm_auth helper will finally be enabled depending -dnl on given configure options and target platform. - -AC_DEFUN([CURL_CHECK_NTLM_WB], [ - AC_REQUIRE([CURL_CHECK_OPTION_NTLM_WB])dnl - AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl - AC_MSG_CHECKING([whether to enable NTLM delegation to winbind's helper]) - if test "$curl_cv_native_windows" = "yes" || - test "x$SSL_ENABLED" = "x"; then - want_ntlm_wb_file="" - want_ntlm_wb="no" - elif test "x$ac_cv_func_fork" != "xyes"; then - dnl ntlm_wb requires fork - want_ntlm_wb="no" - fi - AC_MSG_RESULT([$want_ntlm_wb]) - if test "$want_ntlm_wb" = "yes"; then - AC_DEFINE(NTLM_WB_ENABLED, 1, - [Define to enable NTLM delegation to winbind's ntlm_auth helper.]) - AC_DEFINE_UNQUOTED(NTLM_WB_FILE, "$want_ntlm_wb_file", - [Define absolute filename for winbind's ntlm_auth helper.]) - NTLM_WB_ENABLED=1 - fi -]) - dnl CURL_CHECK_OPTION_ECH dnl ----------------------------------------------------- dnl Verify whether configure has been invoked with option diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 5cb898852b..f50992f8a6 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -1356,6 +1356,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ nextarg = (char *)""; switch(cmd) { + case C_RANDOM_FILE: /* --random-file */ + case C_EGD_FILE: /* --egd-file */ + case C_NTLM_WB: /* --ntlm-wb */ + warnf(global, "--%s is deprecated and has no function anymore", + a->lname); + break; case C_DNS_IPV4_ADDR: /* --dns-ipv4-addr */ if(!curlinfo->ares_num) /* c-ares is needed for this */ err = PARAM_LIBCURL_DOESNT_SUPPORT; @@ -1370,10 +1376,6 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ /* addr in dot notation */ err = getstr(&config->dns_ipv6_addr, nextarg, DENY_BLANK); break; - case C_RANDOM_FILE: /* --random-file */ - break; - case C_EGD_FILE: /* --egd-file */ - break; case C_OAUTH2_BEARER: /* --oauth2-bearer */ err = getstr(&config->oauth_bearer, nextarg, DENY_BLANK); if(!err) { @@ -1480,14 +1482,6 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ else err = PARAM_LIBCURL_DOESNT_SUPPORT; break; - case C_NTLM_WB: /* --ntlm-wb */ - if(!toggle) - config->authtype &= ~CURLAUTH_NTLM_WB; - else if(feature_ntlm_wb) - config->authtype |= CURLAUTH_NTLM_WB; - else - err = PARAM_LIBCURL_DOESNT_SUPPORT; - break; case C_BASIC: /* --basic */ if(toggle) config->authtype |= CURLAUTH_BASIC; diff --git a/src/tool_setopt.c b/src/tool_setopt.c index 656adbda8a..c6c203a5c0 100644 --- a/src/tool_setopt.c +++ b/src/tool_setopt.c @@ -78,7 +78,6 @@ const struct NameValueUnsigned setopt_nv_CURLAUTH[] = { NV(CURLAUTH_GSSNEGOTIATE), NV(CURLAUTH_NTLM), NV(CURLAUTH_DIGEST_IE), - NV(CURLAUTH_NTLM_WB), NV(CURLAUTH_ONLY), NV(CURLAUTH_NONE), NVEND, diff --git a/tests/test1177.pl b/tests/test1177.pl index e989e3a895..83c3ee8ba5 100755 --- a/tests/test1177.pl +++ b/tests/test1177.pl @@ -65,6 +65,7 @@ while(<$s>) { } } close($s); +$sourcename{'NTLM_WB'}++; # deprecated, fake its presence in code for my $h (keys %headerversion) { if(!$manversion{$h}) {