[libsoup] Reorganize NTLM authentication, fix ntlm_auth support
- From: Dan Winship <danw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libsoup] Reorganize NTLM authentication, fix ntlm_auth support
- Date: Sat, 29 Dec 2012 22:45:11 +0000 (UTC)
commit 9e90b875f77b58c3851d9c6ad5d0cdc052e22c17
Author: Dan Winship <danw gnome org>
Date: Tue Dec 11 11:10:45 2012 +0100
Reorganize NTLM authentication, fix ntlm_auth support
Move the auth-managery parts of SoupAuthManagerNTLM down into
SoupAuthManager, and the NTLMy parts into SoupAuthNTLM (in preparation
for supporting other kinds of connection-based auth such as
Negotiate).
The reorganization also makes it possible to use SoupAuthNTLM to
implement a mock version of /usr/bin/ntlm_auth, so we can extend
ntlm-test to test both the built-in-NTLM and external-NTLM codepaths.
Doing this reveals that, AFAICT, the external codepath did not
previously actually work, because it mis-used
G_SPAWN_FILE_AND_ARGV_ZERO and so ended up passing incorrect arguments
to /usr/bin/ntlm_auth.
.gitignore | 1 +
libsoup/Makefile.am | 2 -
libsoup/soup-auth-manager-ntlm.c | 1359 --------------------------------------
libsoup/soup-auth-manager-ntlm.h | 36 -
libsoup/soup-auth-manager.c | 142 ++++-
libsoup/soup-auth-manager.h | 8 -
libsoup/soup-auth-ntlm.c | 1077 +++++++++++++++++++++++++++++-
libsoup/soup-auth-ntlm.h | 5 -
libsoup/soup-auth.c | 29 +-
libsoup/soup-message.c | 10 +-
libsoup/soup-session.c | 8 +-
tests/Makefile.am | 2 +
tests/ntlm-test-helper.c | 103 +++
tests/ntlm-test.c | 60 ++-
14 files changed, 1352 insertions(+), 1490 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e02235b..9fbae76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -70,6 +70,7 @@ tests/get
tests/getbug
tests/header-parsing
tests/httpd.conf
+tests/ntlm-test-helper
tests/pull-api
tests/simple-httpd
tests/simple-proxy
diff --git a/libsoup/Makefile.am b/libsoup/Makefile.am
index 59553f0..7a9d6fc 100644
--- a/libsoup/Makefile.am
+++ b/libsoup/Makefile.am
@@ -107,8 +107,6 @@ libsoup_2_4_la_SOURCES = \
soup-auth-domain-digest.c \
soup-auth-manager.h \
soup-auth-manager.c \
- soup-auth-manager-ntlm.h \
- soup-auth-manager-ntlm.c \
soup-body-input-stream.h \
soup-body-input-stream.c \
soup-body-output-stream.h \
diff --git a/libsoup/soup-auth-manager.c b/libsoup/soup-auth-manager.c
index 2a2030c..d284826 100644
--- a/libsoup/soup-auth-manager.c
+++ b/libsoup/soup-auth-manager.c
@@ -36,9 +36,13 @@ G_DEFINE_TYPE_WITH_CODE (SoupAuthManager, soup_auth_manager, G_TYPE_OBJECT,
typedef struct {
SoupSession *session;
GPtrArray *auth_types;
+ gboolean has_ntlm;
SoupAuth *proxy_auth;
GHashTable *auth_hosts;
+
+ GHashTable *connauths;
+ GHashTable *sockets_by_msg;
} SoupAuthManagerPrivate;
#define SOUP_AUTH_MANAGER_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), SOUP_TYPE_AUTH_MANAGER, SoupAuthManagerPrivate))
@@ -60,6 +64,10 @@ soup_auth_manager_init (SoupAuthManager *manager)
soup_uri_host_equal,
NULL,
(GDestroyNotify)soup_auth_host_free);
+
+ priv->connauths = g_hash_table_new_full (NULL, NULL,
+ NULL, g_object_unref);
+ priv->sockets_by_msg = g_hash_table_new (NULL, NULL);
}
static void
@@ -73,6 +81,9 @@ soup_auth_manager_finalize (GObject *object)
g_clear_object (&priv->proxy_auth);
+ g_hash_table_destroy (priv->connauths);
+ g_hash_table_destroy (priv->sockets_by_msg);
+
G_OBJECT_CLASS (soup_auth_manager_parent_class)->finalize (object);
}
@@ -120,6 +131,10 @@ soup_auth_manager_add_feature (SoupSessionFeature *feature, GType type)
auth_class = g_type_class_ref (type);
g_ptr_array_add (priv->auth_types, auth_class);
g_ptr_array_sort (priv->auth_types, auth_type_compare_func);
+
+ if (type == SOUP_TYPE_AUTH_NTLM)
+ priv->has_ntlm = TRUE;
+
return TRUE;
}
@@ -134,8 +149,12 @@ soup_auth_manager_remove_feature (SoupSessionFeature *feature, GType type)
return FALSE;
auth_class = g_type_class_peek (type);
+
for (i = 0; i < priv->auth_types->len; i++) {
if (priv->auth_types->pdata[i] == (gpointer)auth_class) {
+ if (type == SOUP_TYPE_AUTH_NTLM)
+ priv->has_ntlm = FALSE;
+
g_ptr_array_remove_index (priv->auth_types, i);
return TRUE;
}
@@ -162,13 +181,6 @@ soup_auth_manager_has_feature (SoupSessionFeature *feature, GType type)
return FALSE;
}
-void
-soup_auth_manager_emit_authenticate (SoupAuthManager *manager, SoupMessage *msg,
- SoupAuth *auth, gboolean retrying)
-{
- g_signal_emit (manager, signals[AUTHENTICATE], 0, msg, auth, retrying);
-}
-
static void
soup_auth_manager_attach (SoupSessionFeature *manager, SoupSession *session)
{
@@ -252,7 +264,7 @@ next_challenge_start (GSList *items)
return NULL;
}
-char *
+static char *
soup_auth_manager_extract_challenge (const char *challenges, const char *scheme)
{
GSList *items, *i, *next;
@@ -416,15 +428,77 @@ authenticate_auth (SoupAuthManager *manager, SoupAuth *auth,
soup_uri_set_password (uri, NULL);
soup_uri_set_user (uri, NULL);
} else if (!soup_auth_is_authenticated (auth) && can_interact) {
- soup_auth_manager_emit_authenticate (manager, msg, auth,
- prior_auth_failed);
+ g_signal_emit (manager, signals[AUTHENTICATE], 0,
+ msg, auth, prior_auth_failed);
}
return soup_auth_is_authenticated (auth);
}
static void
-update_auth (SoupMessage *msg, gpointer manager)
+delete_connauth (SoupSocket *socket, gpointer user_data)
+{
+ SoupAuthManagerPrivate *priv = user_data;
+
+ g_hash_table_remove (priv->connauths, socket);
+ g_signal_handlers_disconnect_by_func (socket, delete_connauth, priv);
+}
+
+static SoupAuth *
+get_connauth (SoupAuthManagerPrivate *priv, SoupSocket *socket)
+{
+ SoupAuth *auth;
+
+ if (!priv->has_ntlm)
+ return NULL;
+
+ auth = g_hash_table_lookup (priv->connauths, socket);
+ if (!auth) {
+ auth = g_object_new (SOUP_TYPE_AUTH_NTLM, NULL);
+ g_hash_table_insert (priv->connauths, socket, auth);
+ g_signal_connect (socket, "disconnected",
+ G_CALLBACK (delete_connauth), priv);
+ }
+
+ return auth;
+}
+
+static void
+unset_socket (SoupMessage *msg, gpointer user_data)
+{
+ SoupAuthManagerPrivate *priv = user_data;
+
+ g_hash_table_remove (priv->sockets_by_msg, msg);
+ g_signal_handlers_disconnect_by_func (msg, unset_socket, priv);
+}
+
+static void
+set_socket_for_msg (SoupAuthManagerPrivate *priv,
+ SoupMessage *msg, SoupSocket *sock)
+{
+ if (!g_hash_table_lookup (priv->sockets_by_msg, msg)) {
+ g_signal_connect (msg, "finished",
+ G_CALLBACK (unset_socket), priv);
+ g_signal_connect (msg, "restarted",
+ G_CALLBACK (unset_socket), priv);
+ }
+ g_hash_table_insert (priv->sockets_by_msg, msg, sock);
+}
+
+static SoupAuth *
+get_connauth_for_msg (SoupAuthManagerPrivate *priv, SoupMessage *msg)
+{
+ SoupSocket *sock;
+
+ sock = g_hash_table_lookup (priv->sockets_by_msg, msg);
+ if (sock)
+ return g_hash_table_lookup (priv->connauths, sock);
+ else
+ return NULL;
+}
+
+static void
+auth_got_headers (SoupMessage *msg, gpointer manager)
{
SoupAuthManagerPrivate *priv = SOUP_AUTH_MANAGER_GET_PRIVATE (manager);
SoupAuthHost *host;
@@ -434,6 +508,20 @@ update_auth (SoupMessage *msg, gpointer manager)
GSList *pspace, *p;
gboolean prior_auth_failed = FALSE;
+ auth = get_connauth_for_msg (priv, msg);
+ if (auth) {
+ const char *header;
+
+ header = auth_header_for_message (msg);
+ if (header && soup_auth_update (auth, msg, header)) {
+ if (!soup_auth_is_authenticated (auth)) {
+ g_signal_emit (manager, signals[AUTHENTICATE], 0,
+ msg, auth, FALSE);
+ }
+ return;
+ }
+ }
+
host = get_auth_host_for_message (priv, msg);
/* See if we used auth last time */
@@ -492,17 +580,25 @@ update_auth (SoupMessage *msg, gpointer manager)
}
static void
-requeue_if_authenticated (SoupMessage *msg, gpointer manager)
+auth_got_body (SoupMessage *msg, gpointer manager)
{
SoupAuthManagerPrivate *priv = SOUP_AUTH_MANAGER_GET_PRIVATE (manager);
- SoupAuth *auth = lookup_auth (priv, msg);
+ SoupAuth *auth;
+
+ auth = get_connauth_for_msg (priv, msg);
+ if (auth && soup_auth_is_authenticated (auth)) {
+ SoupMessageFlags flags;
+ flags = soup_message_get_flags (msg);
+ soup_message_set_flags (msg, flags & ~SOUP_MESSAGE_NEW_CONNECTION);
+ } else
+ auth = lookup_auth (priv, msg);
if (auth && soup_auth_is_authenticated (auth))
soup_session_requeue_message (priv->session, msg);
}
static void
-update_proxy_auth (SoupMessage *msg, gpointer manager)
+proxy_auth_got_headers (SoupMessage *msg, gpointer manager)
{
SoupAuthManagerPrivate *priv = SOUP_AUTH_MANAGER_GET_PRIVATE (manager);
SoupAuth *prior_auth;
@@ -527,7 +623,7 @@ update_proxy_auth (SoupMessage *msg, gpointer manager)
}
static void
-requeue_if_proxy_authenticated (SoupMessage *msg, gpointer manager)
+proxy_auth_got_body (SoupMessage *msg, gpointer manager)
{
SoupAuthManagerPrivate *priv = SOUP_AUTH_MANAGER_GET_PRIVATE (manager);
SoupAuth *auth = priv->proxy_auth;
@@ -543,17 +639,17 @@ soup_auth_manager_request_queued (SoupSessionFeature *manager,
{
soup_message_add_status_code_handler (
msg, "got_headers", SOUP_STATUS_UNAUTHORIZED,
- G_CALLBACK (update_auth), manager);
+ G_CALLBACK (auth_got_headers), manager);
soup_message_add_status_code_handler (
msg, "got_body", SOUP_STATUS_UNAUTHORIZED,
- G_CALLBACK (requeue_if_authenticated), manager);
+ G_CALLBACK (auth_got_body), manager);
soup_message_add_status_code_handler (
msg, "got_headers", SOUP_STATUS_PROXY_UNAUTHORIZED,
- G_CALLBACK (update_proxy_auth), manager);
+ G_CALLBACK (proxy_auth_got_headers), manager);
soup_message_add_status_code_handler (
msg, "got_body", SOUP_STATUS_PROXY_UNAUTHORIZED,
- G_CALLBACK (requeue_if_proxy_authenticated), manager);
+ G_CALLBACK (proxy_auth_got_body), manager);
}
static void
@@ -566,9 +662,13 @@ soup_auth_manager_request_started (SoupSessionFeature *feature,
SoupAuthManagerPrivate *priv = SOUP_AUTH_MANAGER_GET_PRIVATE (manager);
SoupAuth *auth;
+ set_socket_for_msg (priv, msg, socket);
auth = lookup_auth (priv, msg);
- if (!auth || !authenticate_auth (manager, auth, msg, FALSE, FALSE, FALSE))
- auth = NULL;
+ if (auth) {
+ if (!authenticate_auth (manager, auth, msg, FALSE, FALSE, FALSE))
+ auth = NULL;
+ } else
+ auth = get_connauth (priv, socket);
soup_message_set_auth (msg, auth);
auth = priv->proxy_auth;
diff --git a/libsoup/soup-auth-manager.h b/libsoup/soup-auth-manager.h
index d82fbb1..a4ee316 100644
--- a/libsoup/soup-auth-manager.h
+++ b/libsoup/soup-auth-manager.h
@@ -32,14 +32,6 @@ typedef struct {
GType soup_auth_manager_get_type (void);
-void soup_auth_manager_emit_authenticate (SoupAuthManager *manager,
- SoupMessage *msg,
- SoupAuth *auth,
- gboolean retrying);
-
-char *soup_auth_manager_extract_challenge (const char *challenges,
- const char *scheme);
-
G_END_DECLS
#endif /* SOUP_AUTH_MANAGER_H */
diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index dc24d51..11b7568 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -9,16 +9,71 @@
#include <config.h>
#endif
+#include <errno.h>
+#include <stdlib.h>
#include <string.h>
+#include <glib.h>
#include "soup-auth-ntlm.h"
#include "soup.h"
+#include "soup-message-private.h"
+
+static void soup_ntlm_lanmanager_hash (const char *password,
+ guchar hash[21]);
+static void soup_ntlm_nt_hash (const char *password,
+ guchar hash[21]);
+static char *soup_ntlm_request (void);
+static gboolean soup_ntlm_parse_challenge (const char *challenge,
+ char **nonce,
+ char **default_domain);
+static char *soup_ntlm_response (const char *nonce,
+ const char *user,
+ guchar nt_hash[21],
+ guchar lm_hash[21],
+ const char *host,
+ const char *domain);
+
+typedef enum {
+ SOUP_NTLM_NEW,
+#ifdef USE_NTLM_AUTH
+ SOUP_NTLM_SENT_SSO_REQUEST,
+ SOUP_NTLM_RECEIVED_SSO_CHALLENGE,
+ SOUP_NTLM_SENT_SSO_RESPONSE,
+ SOUP_NTLM_SSO_UNAVAILABLE,
+ SOUP_NTLM_SSO_FAILED,
+#endif
+ SOUP_NTLM_SENT_REQUEST,
+ SOUP_NTLM_RECEIVED_CHALLENGE,
+ SOUP_NTLM_SENT_RESPONSE,
+ SOUP_NTLM_FAILED
+} SoupNTLMState;
typedef struct {
- char *username, *password;
+ SoupNTLMState state;
+ char *username;
+ guchar nt_hash[21], lm_hash[21];
+ char *nonce, *domain;
+ char *response_header;
+
+#ifdef USE_NTLM_AUTH
+ /* Use Samba's 'winbind' daemon to support NTLM single-sign-on,
+ * by delegating the NTLM challenge/response protocal to a helper
+ * in ntlm_auth.
+ * http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
+ * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
+ * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
+ */
+ int fd_in;
+ int fd_out;
+#endif
} SoupAuthNTLMPrivate;
#define SOUP_AUTH_NTLM_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), SOUP_TYPE_AUTH_NTLM, SoupAuthNTLMPrivate))
+#ifdef USE_NTLM_AUTH
+static gboolean ntlm_auth_available, ntlm_auth_debug;
+static void sso_ntlm_close (SoupAuthNTLMPrivate *priv);
+#endif
+
/**
* SOUP_TYPE_AUTH_NTLM:
*
@@ -35,6 +90,30 @@ G_DEFINE_TYPE (SoupAuthNTLM, soup_auth_ntlm, SOUP_TYPE_AUTH)
static void
soup_auth_ntlm_init (SoupAuthNTLM *ntlm)
{
+ SoupAuthNTLMPrivate *priv = SOUP_AUTH_NTLM_GET_PRIVATE (ntlm);
+#ifdef USE_NTLM_AUTH
+ const char *username = NULL, *slash;
+#endif
+
+ priv->state = SOUP_NTLM_NEW;
+
+#ifdef USE_NTLM_AUTH
+ priv->fd_in = -1;
+ priv->fd_out = -1;
+
+ username = getenv ("NTLMUSER");
+ if (!username)
+ username = g_get_user_name ();
+
+ slash = strpbrk (username, "\\/");
+ if (slash) {
+ priv->username = g_strdup (slash + 1);
+ priv->domain = g_strndup (username, slash - username);
+ } else {
+ priv->username = g_strdup (username);
+ priv->domain = NULL;
+ }
+#endif
}
static void
@@ -43,31 +122,212 @@ soup_auth_ntlm_finalize (GObject *object)
SoupAuthNTLMPrivate *priv = SOUP_AUTH_NTLM_GET_PRIVATE (object);
g_free (priv->username);
- if (priv->password) {
- memset (priv->password, 0, strlen (priv->password));
- g_free (priv->password);
- }
+ g_free (priv->domain);
+
+ memset (priv->nt_hash, 0, sizeof (priv->nt_hash));
+ memset (priv->lm_hash, 0, sizeof (priv->lm_hash));
+
+ g_free (priv->nonce);
+ g_free (priv->response_header);
+
+#ifdef USE_NTLM_AUTH
+ sso_ntlm_close (priv);
+#endif
G_OBJECT_CLASS (soup_auth_ntlm_parent_class)->finalize (object);
}
-SoupAuth *
-soup_auth_ntlm_new (const char *realm, const char *host)
+#ifdef USE_NTLM_AUTH
+static void
+sso_ntlm_close (SoupAuthNTLMPrivate *priv)
{
- SoupAuth *auth;
+ if (priv->fd_in != -1) {
+ close (priv->fd_in);
+ priv->fd_in = -1;
+ }
- auth = g_object_new (SOUP_TYPE_AUTH_NTLM,
- SOUP_AUTH_REALM, realm,
- SOUP_AUTH_HOST, host,
- NULL);
- return auth;
+ if (priv->fd_out != -1) {
+ close (priv->fd_out);
+ priv->fd_out = -1;
+ }
}
static gboolean
+sso_ntlm_initiate (SoupAuthNTLMPrivate *priv)
+{
+ char *argv[9];
+ gboolean ret;
+
+ if (!ntlm_auth_available && !ntlm_auth_debug)
+ return FALSE;
+
+ /* Return if ntlm_auth execution process exist already */
+ if (priv->fd_in != -1 && priv->fd_out != -1)
+ return TRUE;
+ else {
+ /* Clean all sso data before re-initiate */
+ sso_ntlm_close (priv);
+ }
+
+ if (ntlm_auth_debug) {
+ argv[0] = (char *) g_getenv ("SOUP_NTLM_AUTH_DEBUG");
+ if (!*argv[0])
+ return FALSE;
+ } else
+ argv[0] = NTLM_AUTH;
+ argv[1] = "--helper-protocol";
+ argv[2] = "ntlmssp-client-1";
+ argv[3] = "--use-cached-creds";
+ argv[4] = "--username";
+ argv[5] = priv->username;
+ argv[6] = priv->domain ? "--domain" : NULL;
+ argv[7] = priv->domain;
+ argv[8] = NULL;
+
+ ret = g_spawn_async_with_pipes (NULL, argv, NULL,
+ G_SPAWN_STDERR_TO_DEV_NULL,
+ NULL, NULL,
+ NULL, &priv->fd_in, &priv->fd_out,
+ NULL, NULL);
+ return ret;
+}
+
+static char *
+sso_ntlm_response (SoupAuthNTLMPrivate *priv, const char *input, SoupNTLMState conn_state)
+{
+ ssize_t size;
+ char buf[1024];
+ char *tmpbuf = buf;
+ size_t len_in = strlen (input), len_out = sizeof (buf);
+
+ while (len_in > 0) {
+ int written = write (priv->fd_in, input, len_in);
+ if (written == -1) {
+ if (errno == EINTR)
+ continue;
+ /* write failed if other errors happen */
+ return NULL;
+ }
+ input += written;
+ len_in -= written;
+ }
+ /* Read one line */
+ while (len_out > 0) {
+ size = read (priv->fd_out, tmpbuf, len_out);
+ if (size == -1) {
+ if (errno == EINTR)
+ continue;
+ return NULL;
+ } else if (size == 0)
+ return NULL;
+ else if (tmpbuf[size - 1] == '\n') {
+ tmpbuf[size - 1] = '\0';
+ goto wrfinish;
+ }
+ tmpbuf += size;
+ len_out -= size;
+ }
+ return NULL;
+
+wrfinish:
+ if (g_ascii_strcasecmp (buf, "PW") == 0) {
+ /* Samba/winbind installed but not configured */
+ return g_strdup ("PW");
+ }
+ if (conn_state == SOUP_NTLM_NEW &&
+ g_ascii_strncasecmp (buf, "YR ", 3) != 0) {
+ /* invalid response for type 1 message */
+ return NULL;
+ }
+ if (conn_state == SOUP_NTLM_RECEIVED_SSO_CHALLENGE &&
+ g_ascii_strncasecmp (buf, "KK ", 3) != 0 &&
+ g_ascii_strncasecmp (buf, "AF ", 3) != 0) {
+ /* invalid response for type 3 message */
+ return NULL;
+ }
+
+ return g_strdup_printf ("NTLM %.*s", (int)(size - 4), buf + 3);
+}
+#endif /* USE_NTLM_AUTH */
+
+static gboolean
soup_auth_ntlm_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
{
- g_return_val_if_reached (FALSE);
+ SoupAuthNTLMPrivate *priv = SOUP_AUTH_NTLM_GET_PRIVATE (auth);
+ GHashTableIter iter;
+ gpointer key, value;
+ char *header;
+ gboolean success = TRUE;
+
+ if (priv->state > SOUP_NTLM_SENT_REQUEST) {
+ /* We already authenticated, but then got another 401.
+ * That means "permission denied", so don't try to
+ * authenticate again.
+ */
+ priv->state = SOUP_NTLM_FAILED;
+ return FALSE;
+ }
+
+ /* The header will be something like "NTLM blahblahblah===",
+ * which soup_auth_update() will parse as
+ * "blahblahblah" = "==". Undo that.
+ */
+ g_hash_table_iter_init (&iter, auth_params);
+ if (!g_hash_table_iter_next (&iter, &key, &value))
+ return FALSE;
+ if (value)
+ header = g_strdup_printf ("%s=%s", (char *)key, (char *)value);
+ else
+ header = g_strdup (key);
+
+ if (!soup_ntlm_parse_challenge (header, &priv->nonce, &priv->domain)) {
+ g_free (header);
+ priv->state = SOUP_NTLM_FAILED;
+ return FALSE;
+ }
+
+#ifdef USE_NTLM_AUTH
+ if (priv->state == SOUP_NTLM_SENT_SSO_REQUEST) {
+ char *input, *response;
+
+ /* Re-Initiate ntlm_auth process in case it was closed/killed abnormally */
+ if (!sso_ntlm_initiate (priv)) {
+ priv->state = SOUP_NTLM_SSO_FAILED;
+ success = FALSE;
+ goto out;
+ }
+
+ input = g_strdup_printf ("TT %s\n", header);
+ response = sso_ntlm_response (priv, input, priv->state);
+ sso_ntlm_close (priv);
+ g_free (input);
+
+ if (!response) {
+ priv->state = SOUP_NTLM_SSO_FAILED;
+ success = FALSE;
+ } else if (!g_ascii_strcasecmp (header, "PW")) {
+ priv->state = SOUP_NTLM_SSO_UNAVAILABLE;
+ g_free (response);
+ success = FALSE;
+ } else {
+ priv->state = SOUP_NTLM_RECEIVED_SSO_CHALLENGE;
+ priv->response_header = response;
+ }
+ }
+ out:
+#endif
+
+ g_free (header);
+
+ if (priv->state == SOUP_NTLM_SENT_REQUEST)
+ priv->state = SOUP_NTLM_RECEIVED_CHALLENGE;
+
+ g_object_set (G_OBJECT (auth),
+ SOUP_AUTH_REALM, priv->domain,
+ SOUP_AUTH_HOST, soup_message_get_uri (msg)->host,
+ NULL);
+ return success;
}
static GSList *
@@ -81,24 +341,99 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
const char *password)
{
SoupAuthNTLMPrivate *priv = SOUP_AUTH_NTLM_GET_PRIVATE (auth);
+ const char *slash, *domain;
g_return_if_fail (username != NULL);
g_return_if_fail (password != NULL);
+ g_return_if_fail (priv->nonce != NULL);
+
+ slash = strpbrk (username, "\\/");
+ if (slash) {
+ if (priv->domain)
+ g_free (priv->domain);
+ domain = priv->domain = g_strndup (username, slash - username);
+ priv->username = g_strdup (slash + 1);
+ } else {
+ domain = "";
+ priv->username = g_strdup (username);
+ }
+
+ soup_ntlm_nt_hash (password, priv->nt_hash);
+ soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+
+ priv->response_header = soup_ntlm_response (priv->nonce,
+ priv->username,
+ priv->nt_hash,
+ priv->lm_hash,
+ NULL,
+ domain);
- priv->username = g_strdup (username);
- priv->password = g_strdup (password);
+ g_free (priv->nonce);
+ priv->nonce = NULL;
}
static gboolean
soup_auth_ntlm_is_authenticated (SoupAuth *auth)
{
- return SOUP_AUTH_NTLM_GET_PRIVATE (auth)->password != NULL;
+ return SOUP_AUTH_NTLM_GET_PRIVATE (auth)->username != NULL &&
+ SOUP_AUTH_NTLM_GET_PRIVATE (auth)->response_header != NULL;
}
static char *
soup_auth_ntlm_get_authorization (SoupAuth *auth, SoupMessage *msg)
{
- g_return_val_if_reached (NULL);
+ SoupAuthNTLMPrivate *priv =
+ SOUP_AUTH_NTLM_GET_PRIVATE (auth);
+ char *header = NULL;
+
+ switch (priv->state) {
+ case SOUP_NTLM_NEW:
+#ifdef USE_NTLM_AUTH
+ if (sso_ntlm_initiate (priv)) {
+ header = sso_ntlm_response (priv, "YR\n", priv->state);
+ if (header) {
+ if (g_ascii_strcasecmp (header, "PW") != 0) {
+ priv->state = SOUP_NTLM_SENT_SSO_REQUEST;
+ break;
+ } else {
+ g_free (header);
+ header = NULL;
+ }
+ } else {
+ g_warning ("NTLM single-sign-on by using %s failed", NTLM_AUTH);
+ }
+ }
+ /* If NTLM single-sign-on fails, go back to original
+ * request handling process.
+ */
+ case SOUP_NTLM_SSO_UNAVAILABLE:
+#endif
+ header = soup_ntlm_request ();
+ priv->state = SOUP_NTLM_SENT_REQUEST;
+ break;
+#ifdef USE_NTLM_AUTH
+ case SOUP_NTLM_RECEIVED_SSO_CHALLENGE:
+ header = priv->response_header;
+ priv->response_header = NULL;
+ priv->state = SOUP_NTLM_SENT_SSO_RESPONSE;
+ break;
+ case SOUP_NTLM_SSO_FAILED:
+ /* Restart request without SSO */
+ g_warning ("NTLM single-sign-on by using %s failed", NTLM_AUTH);
+ header = soup_ntlm_request ();
+ priv->state = SOUP_NTLM_SENT_REQUEST;
+ break;
+#endif
+ case SOUP_NTLM_RECEIVED_CHALLENGE:
+ header = priv->response_header;
+ priv->response_header = NULL;
+ priv->state = SOUP_NTLM_SENT_RESPONSE;
+ break;
+ default:
+ break;
+ }
+
+ return header;
}
static void
@@ -119,20 +454,710 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
auth_class->get_authorization = soup_auth_ntlm_get_authorization;
object_class->finalize = soup_auth_ntlm_finalize;
+
+#ifdef USE_NTLM_AUTH
+ ntlm_auth_available = g_file_test (NTLM_AUTH, G_FILE_TEST_IS_EXECUTABLE);
+ ntlm_auth_debug = (g_getenv ("SOUP_NTLM_AUTH_DEBUG") != NULL);
+#endif
}
-const char *
-soup_auth_ntlm_get_username (SoupAuth *auth)
+static void md4sum (const unsigned char *in,
+ int nbytes,
+ unsigned char digest[16]);
+
+typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
+
+static void deskey (DES_KS, unsigned char *, int);
+
+static void des (DES_KS, unsigned char *);
+
+static void setup_schedule (const guchar *key_56, DES_KS ks);
+
+static void calc_response (const guchar *key,
+ const guchar *plaintext,
+ guchar *results);
+
+#define LM_PASSWORD_MAGIC "\x4B\x47\x53\x21\x40\x23\x24\x25" \
+ "\x4B\x47\x53\x21\x40\x23\x24\x25" \
+ "\x00\x00\x00\x00\x00"
+
+static void
+soup_ntlm_lanmanager_hash (const char *password, guchar hash[21])
{
- SoupAuthNTLMPrivate *priv = SOUP_AUTH_NTLM_GET_PRIVATE (auth);
+ guchar lm_password [15];
+ DES_KS ks;
+ int i;
+
+ for (i = 0; i < 14 && password [i]; i++)
+ lm_password [i] = g_ascii_toupper ((unsigned char) password [i]);
- return priv->username;
+ for (; i < 15; i++)
+ lm_password [i] = '\0';
+
+ memcpy (hash, LM_PASSWORD_MAGIC, 21);
+
+ setup_schedule (lm_password, ks);
+ des (ks, hash);
+
+ setup_schedule (lm_password + 7, ks);
+ des (ks, hash + 8);
}
-const char *
-soup_auth_ntlm_get_password (SoupAuth *auth)
+static void
+soup_ntlm_nt_hash (const char *password, guchar hash[21])
{
- SoupAuthNTLMPrivate *priv = SOUP_AUTH_NTLM_GET_PRIVATE (auth);
+ unsigned char *buf, *p;
+
+ p = buf = g_malloc (strlen (password) * 2);
+
+ while (*password) {
+ *p++ = *password++;
+ *p++ = '\0';
+ }
+
+ md4sum (buf, p - buf, hash);
+ memset (hash + 16, 0, 5);
+
+ g_free (buf);
+}
+
+typedef struct {
+ guint16 length;
+ guint16 length2;
+ guint16 offset;
+ guchar zero_pad[2];
+} NTLMString;
+
+#define NTLM_CHALLENGE_NONCE_OFFSET 24
+#define NTLM_CHALLENGE_NONCE_LENGTH 8
+#define NTLM_CHALLENGE_DOMAIN_STRING_OFFSET 12
+
+#define NTLM_RESPONSE_HEADER "NTLMSSP\x00\x03\x00\x00\x00"
+#define NTLM_RESPONSE_FLAGS 0x8201
+
+typedef struct {
+ guchar header[12];
+
+ NTLMString lm_resp;
+ NTLMString nt_resp;
+ NTLMString domain;
+ NTLMString user;
+ NTLMString host;
+ NTLMString session_key;
- return priv->password;
+ guint32 flags;
+} NTLMResponse;
+
+static void
+ntlm_set_string (NTLMString *string, int *offset, int len)
+{
+ string->offset = GUINT16_TO_LE (*offset);
+ string->length = string->length2 = GUINT16_TO_LE (len);
+ *offset += len;
+}
+
+static char *
+soup_ntlm_request (void)
+{
+ return g_strdup ("NTLM TlRMTVNTUAABAAAABYIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAwAAAA");
+}
+
+static gboolean
+soup_ntlm_parse_challenge (const char *challenge,
+ char **nonce,
+ char **default_domain)
+{
+ gsize clen;
+ NTLMString domain;
+ guchar *chall;
+
+ chall = g_base64_decode (challenge, &clen);
+ if (clen < NTLM_CHALLENGE_DOMAIN_STRING_OFFSET ||
+ clen < NTLM_CHALLENGE_NONCE_OFFSET + NTLM_CHALLENGE_NONCE_LENGTH) {
+ g_free (chall);
+ return FALSE;
+ }
+
+ if (default_domain) {
+ memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));
+ domain.length = GUINT16_FROM_LE (domain.length);
+ domain.offset = GUINT16_FROM_LE (domain.offset);
+
+ if (clen < domain.length + domain.offset) {
+ g_free (chall);
+ return FALSE;
+ }
+
+ *default_domain = g_convert ((char *)chall + domain.offset,
+ domain.length, "UTF-8", "UCS-2LE",
+ NULL, NULL, NULL);
+ }
+
+ if (nonce) {
+ *nonce = g_memdup (chall + NTLM_CHALLENGE_NONCE_OFFSET,
+ NTLM_CHALLENGE_NONCE_LENGTH);
+ }
+
+ g_free (chall);
+ return TRUE;
+}
+
+static char *
+soup_ntlm_response (const char *nonce,
+ const char *user,
+ guchar nt_hash[21],
+ guchar lm_hash[21],
+ const char *host,
+ const char *domain)
+{
+ int offset;
+ gsize hlen, dlen, ulen;
+ guchar lm_resp[24], nt_resp[24];
+ char *user_conv, *host_conv, *domain_conv;
+ NTLMResponse resp;
+ char *out, *p;
+ int state, save;
+
+ calc_response (nt_hash, (guchar *)nonce, nt_resp);
+ calc_response (lm_hash, (guchar *)nonce, lm_resp);
+
+ memset (&resp, 0, sizeof (resp));
+ memcpy (resp.header, NTLM_RESPONSE_HEADER, sizeof (resp.header));
+ resp.flags = GUINT32_TO_LE (NTLM_RESPONSE_FLAGS);
+
+ offset = sizeof (resp);
+
+ if (!host)
+ host = "UNKNOWN";
+
+ domain_conv = g_convert (domain, -1, "UCS-2LE", "UTF-8", NULL, &dlen, NULL);
+ user_conv = g_convert (user, -1, "UCS-2LE", "UTF-8", NULL, &ulen, NULL);
+ host_conv = g_convert (host, -1, "UCS-2LE", "UTF-8", NULL, &hlen, NULL);
+
+ ntlm_set_string (&resp.domain, &offset, dlen);
+ ntlm_set_string (&resp.user, &offset, ulen);
+ ntlm_set_string (&resp.host, &offset, hlen);
+ ntlm_set_string (&resp.lm_resp, &offset, sizeof (lm_resp));
+ ntlm_set_string (&resp.nt_resp, &offset, sizeof (nt_resp));
+
+ out = g_malloc (((offset + 3) * 4) / 3 + 6);
+ strncpy (out, "NTLM ", 5);
+ p = out + 5;
+
+ state = save = 0;
+
+ p += g_base64_encode_step ((const guchar *) &resp, sizeof (resp),
+ FALSE, p, &state, &save);
+ p += g_base64_encode_step ((const guchar *) domain_conv, dlen,
+ FALSE, p, &state, &save);
+ p += g_base64_encode_step ((const guchar *) user_conv, ulen,
+ FALSE, p, &state, &save);
+ p += g_base64_encode_step ((const guchar *) host_conv, hlen,
+ FALSE, p, &state, &save);
+ p += g_base64_encode_step (lm_resp, sizeof (lm_resp),
+ FALSE, p, &state, &save);
+ p += g_base64_encode_step (nt_resp, sizeof (nt_resp),
+ FALSE, p, &state, &save);
+ p += g_base64_encode_close (FALSE, p, &state, &save);
+ *p = '\0';
+
+ g_free (domain_conv);
+ g_free (user_conv);
+ g_free (host_conv);
+
+ return out;
+}
+
+/* DES utils */
+/* Set up a key schedule based on a 56bit key */
+static void
+setup_schedule (const guchar *key_56, DES_KS ks)
+{
+ guchar key[8];
+ int i, c, bit;
+
+ key[0] = (key_56[0]) ;
+ key[1] = (key_56[1] >> 1) | ((key_56[0] << 7) & 0xFF);
+ key[2] = (key_56[2] >> 2) | ((key_56[1] << 6) & 0xFF);
+ key[3] = (key_56[3] >> 3) | ((key_56[2] << 5) & 0xFF);
+ key[4] = (key_56[4] >> 4) | ((key_56[3] << 4) & 0xFF);
+ key[5] = (key_56[5] >> 5) | ((key_56[4] << 3) & 0xFF);
+ key[6] = (key_56[6] >> 6) | ((key_56[5] << 2) & 0xFF);
+ key[7] = ((key_56[6] << 1) & 0xFF);
+
+ /* Fix parity */
+ for (i = 0; i < 8; i++) {
+ for (c = bit = 0; bit < 8; bit++)
+ if (key[i] & (1 << bit))
+ c++;
+ if (!(c & 1))
+ key[i] ^= 0x01;
+ }
+
+ deskey (ks, key, 0);
+}
+
+static void
+calc_response (const guchar *key, const guchar *plaintext, guchar *results)
+{
+ DES_KS ks;
+
+ memcpy (results, plaintext, 8);
+ memcpy (results + 8, plaintext, 8);
+ memcpy (results + 16, plaintext, 8);
+
+ setup_schedule (key, ks);
+ des (ks, results);
+
+ setup_schedule (key + 7, ks);
+ des (ks, results + 8);
+
+ setup_schedule (key + 14, ks);
+ des (ks, results + 16);
+}
+
+
+/*
+ * MD4 encoder. (The one everyone else uses is not GPL-compatible;
+ * this is a reimplementation from spec.) This doesn't need to be
+ * efficient for our purposes, although it would be nice to fix
+ * it to not malloc()...
+ */
+
+#define F(X,Y,Z) ( ((X)&(Y)) | ((~(X))&(Z)) )
+#define G(X,Y,Z) ( ((X)&(Y)) | ((X)&(Z)) | ((Y)&(Z)) )
+#define H(X,Y,Z) ( (X)^(Y)^(Z) )
+#define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
+
+static void
+md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+{
+ unsigned char *M;
+ guint32 A, B, C, D, AA, BB, CC, DD, X[16];
+ int pbytes, nbits = nbytes * 8, i, j;
+
+ pbytes = (120 - (nbytes % 64)) % 64;
+ M = alloca (nbytes + pbytes + 8);
+ memcpy (M, in, nbytes);
+ memset (M + nbytes, 0, pbytes + 8);
+ M[nbytes] = 0x80;
+ M[nbytes + pbytes] = nbits & 0xFF;
+ M[nbytes + pbytes + 1] = (nbits >> 8) & 0xFF;
+ M[nbytes + pbytes + 2] = (nbits >> 16) & 0xFF;
+ M[nbytes + pbytes + 3] = (nbits >> 24) & 0xFF;
+
+ A = 0x67452301;
+ B = 0xEFCDAB89;
+ C = 0x98BADCFE;
+ D = 0x10325476;
+
+ for (i = 0; i < nbytes + pbytes + 8; i += 64) {
+ for (j = 0; j < 16; j++) {
+ X[j] = (M[i + j*4]) |
+ (M[i + j*4 + 1] << 8) |
+ (M[i + j*4 + 2] << 16) |
+ (M[i + j*4 + 3] << 24);
+ }
+
+ AA = A;
+ BB = B;
+ CC = C;
+ DD = D;
+
+ A = ROT (A + F(B, C, D) + X[0], 3);
+ D = ROT (D + F(A, B, C) + X[1], 7);
+ C = ROT (C + F(D, A, B) + X[2], 11);
+ B = ROT (B + F(C, D, A) + X[3], 19);
+ A = ROT (A + F(B, C, D) + X[4], 3);
+ D = ROT (D + F(A, B, C) + X[5], 7);
+ C = ROT (C + F(D, A, B) + X[6], 11);
+ B = ROT (B + F(C, D, A) + X[7], 19);
+ A = ROT (A + F(B, C, D) + X[8], 3);
+ D = ROT (D + F(A, B, C) + X[9], 7);
+ C = ROT (C + F(D, A, B) + X[10], 11);
+ B = ROT (B + F(C, D, A) + X[11], 19);
+ A = ROT (A + F(B, C, D) + X[12], 3);
+ D = ROT (D + F(A, B, C) + X[13], 7);
+ C = ROT (C + F(D, A, B) + X[14], 11);
+ B = ROT (B + F(C, D, A) + X[15], 19);
+
+ A = ROT (A + G(B, C, D) + X[0] + 0x5A827999, 3);
+ D = ROT (D + G(A, B, C) + X[4] + 0x5A827999, 5);
+ C = ROT (C + G(D, A, B) + X[8] + 0x5A827999, 9);
+ B = ROT (B + G(C, D, A) + X[12] + 0x5A827999, 13);
+ A = ROT (A + G(B, C, D) + X[1] + 0x5A827999, 3);
+ D = ROT (D + G(A, B, C) + X[5] + 0x5A827999, 5);
+ C = ROT (C + G(D, A, B) + X[9] + 0x5A827999, 9);
+ B = ROT (B + G(C, D, A) + X[13] + 0x5A827999, 13);
+ A = ROT (A + G(B, C, D) + X[2] + 0x5A827999, 3);
+ D = ROT (D + G(A, B, C) + X[6] + 0x5A827999, 5);
+ C = ROT (C + G(D, A, B) + X[10] + 0x5A827999, 9);
+ B = ROT (B + G(C, D, A) + X[14] + 0x5A827999, 13);
+ A = ROT (A + G(B, C, D) + X[3] + 0x5A827999, 3);
+ D = ROT (D + G(A, B, C) + X[7] + 0x5A827999, 5);
+ C = ROT (C + G(D, A, B) + X[11] + 0x5A827999, 9);
+ B = ROT (B + G(C, D, A) + X[15] + 0x5A827999, 13);
+
+ A = ROT (A + H(B, C, D) + X[0] + 0x6ED9EBA1, 3);
+ D = ROT (D + H(A, B, C) + X[8] + 0x6ED9EBA1, 9);
+ C = ROT (C + H(D, A, B) + X[4] + 0x6ED9EBA1, 11);
+ B = ROT (B + H(C, D, A) + X[12] + 0x6ED9EBA1, 15);
+ A = ROT (A + H(B, C, D) + X[2] + 0x6ED9EBA1, 3);
+ D = ROT (D + H(A, B, C) + X[10] + 0x6ED9EBA1, 9);
+ C = ROT (C + H(D, A, B) + X[6] + 0x6ED9EBA1, 11);
+ B = ROT (B + H(C, D, A) + X[14] + 0x6ED9EBA1, 15);
+ A = ROT (A + H(B, C, D) + X[1] + 0x6ED9EBA1, 3);
+ D = ROT (D + H(A, B, C) + X[9] + 0x6ED9EBA1, 9);
+ C = ROT (C + H(D, A, B) + X[5] + 0x6ED9EBA1, 11);
+ B = ROT (B + H(C, D, A) + X[13] + 0x6ED9EBA1, 15);
+ A = ROT (A + H(B, C, D) + X[3] + 0x6ED9EBA1, 3);
+ D = ROT (D + H(A, B, C) + X[11] + 0x6ED9EBA1, 9);
+ C = ROT (C + H(D, A, B) + X[7] + 0x6ED9EBA1, 11);
+ B = ROT (B + H(C, D, A) + X[15] + 0x6ED9EBA1, 15);
+
+ A += AA;
+ B += BB;
+ C += CC;
+ D += DD;
+ }
+
+ digest[0] = A & 0xFF;
+ digest[1] = (A >> 8) & 0xFF;
+ digest[2] = (A >> 16) & 0xFF;
+ digest[3] = (A >> 24) & 0xFF;
+ digest[4] = B & 0xFF;
+ digest[5] = (B >> 8) & 0xFF;
+ digest[6] = (B >> 16) & 0xFF;
+ digest[7] = (B >> 24) & 0xFF;
+ digest[8] = C & 0xFF;
+ digest[9] = (C >> 8) & 0xFF;
+ digest[10] = (C >> 16) & 0xFF;
+ digest[11] = (C >> 24) & 0xFF;
+ digest[12] = D & 0xFF;
+ digest[13] = (D >> 8) & 0xFF;
+ digest[14] = (D >> 16) & 0xFF;
+ digest[15] = (D >> 24) & 0xFF;
+}
+
+
+/* Public domain DES implementation from Phil Karn */
+static const guint32 Spbox[8][64] = {
+ { 0x01010400,0x00000000,0x00010000,0x01010404,
+ 0x01010004,0x00010404,0x00000004,0x00010000,
+ 0x00000400,0x01010400,0x01010404,0x00000400,
+ 0x01000404,0x01010004,0x01000000,0x00000004,
+ 0x00000404,0x01000400,0x01000400,0x00010400,
+ 0x00010400,0x01010000,0x01010000,0x01000404,
+ 0x00010004,0x01000004,0x01000004,0x00010004,
+ 0x00000000,0x00000404,0x00010404,0x01000000,
+ 0x00010000,0x01010404,0x00000004,0x01010000,
+ 0x01010400,0x01000000,0x01000000,0x00000400,
+ 0x01010004,0x00010000,0x00010400,0x01000004,
+ 0x00000400,0x00000004,0x01000404,0x00010404,
+ 0x01010404,0x00010004,0x01010000,0x01000404,
+ 0x01000004,0x00000404,0x00010404,0x01010400,
+ 0x00000404,0x01000400,0x01000400,0x00000000,
+ 0x00010004,0x00010400,0x00000000,0x01010004 },
+ { 0x80108020,0x80008000,0x00008000,0x00108020,
+ 0x00100000,0x00000020,0x80100020,0x80008020,
+ 0x80000020,0x80108020,0x80108000,0x80000000,
+ 0x80008000,0x00100000,0x00000020,0x80100020,
+ 0x00108000,0x00100020,0x80008020,0x00000000,
+ 0x80000000,0x00008000,0x00108020,0x80100000,
+ 0x00100020,0x80000020,0x00000000,0x00108000,
+ 0x00008020,0x80108000,0x80100000,0x00008020,
+ 0x00000000,0x00108020,0x80100020,0x00100000,
+ 0x80008020,0x80100000,0x80108000,0x00008000,
+ 0x80100000,0x80008000,0x00000020,0x80108020,
+ 0x00108020,0x00000020,0x00008000,0x80000000,
+ 0x00008020,0x80108000,0x00100000,0x80000020,
+ 0x00100020,0x80008020,0x80000020,0x00100020,
+ 0x00108000,0x00000000,0x80008000,0x00008020,
+ 0x80000000,0x80100020,0x80108020,0x00108000 },
+ { 0x00000208,0x08020200,0x00000000,0x08020008,
+ 0x08000200,0x00000000,0x00020208,0x08000200,
+ 0x00020008,0x08000008,0x08000008,0x00020000,
+ 0x08020208,0x00020008,0x08020000,0x00000208,
+ 0x08000000,0x00000008,0x08020200,0x00000200,
+ 0x00020200,0x08020000,0x08020008,0x00020208,
+ 0x08000208,0x00020200,0x00020000,0x08000208,
+ 0x00000008,0x08020208,0x00000200,0x08000000,
+ 0x08020200,0x08000000,0x00020008,0x00000208,
+ 0x00020000,0x08020200,0x08000200,0x00000000,
+ 0x00000200,0x00020008,0x08020208,0x08000200,
+ 0x08000008,0x00000200,0x00000000,0x08020008,
+ 0x08000208,0x00020000,0x08000000,0x08020208,
+ 0x00000008,0x00020208,0x00020200,0x08000008,
+ 0x08020000,0x08000208,0x00000208,0x08020000,
+ 0x00020208,0x00000008,0x08020008,0x00020200 },
+ { 0x00802001,0x00002081,0x00002081,0x00000080,
+ 0x00802080,0x00800081,0x00800001,0x00002001,
+ 0x00000000,0x00802000,0x00802000,0x00802081,
+ 0x00000081,0x00000000,0x00800080,0x00800001,
+ 0x00000001,0x00002000,0x00800000,0x00802001,
+ 0x00000080,0x00800000,0x00002001,0x00002080,
+ 0x00800081,0x00000001,0x00002080,0x00800080,
+ 0x00002000,0x00802080,0x00802081,0x00000081,
+ 0x00800080,0x00800001,0x00802000,0x00802081,
+ 0x00000081,0x00000000,0x00000000,0x00802000,
+ 0x00002080,0x00800080,0x00800081,0x00000001,
+ 0x00802001,0x00002081,0x00002081,0x00000080,
+ 0x00802081,0x00000081,0x00000001,0x00002000,
+ 0x00800001,0x00002001,0x00802080,0x00800081,
+ 0x00002001,0x00002080,0x00800000,0x00802001,
+ 0x00000080,0x00800000,0x00002000,0x00802080 },
+ { 0x00000100,0x02080100,0x02080000,0x42000100,
+ 0x00080000,0x00000100,0x40000000,0x02080000,
+ 0x40080100,0x00080000,0x02000100,0x40080100,
+ 0x42000100,0x42080000,0x00080100,0x40000000,
+ 0x02000000,0x40080000,0x40080000,0x00000000,
+ 0x40000100,0x42080100,0x42080100,0x02000100,
+ 0x42080000,0x40000100,0x00000000,0x42000000,
+ 0x02080100,0x02000000,0x42000000,0x00080100,
+ 0x00080000,0x42000100,0x00000100,0x02000000,
+ 0x40000000,0x02080000,0x42000100,0x40080100,
+ 0x02000100,0x40000000,0x42080000,0x02080100,
+ 0x40080100,0x00000100,0x02000000,0x42080000,
+ 0x42080100,0x00080100,0x42000000,0x42080100,
+ 0x02080000,0x00000000,0x40080000,0x42000000,
+ 0x00080100,0x02000100,0x40000100,0x00080000,
+ 0x00000000,0x40080000,0x02080100,0x40000100 },
+ { 0x20000010,0x20400000,0x00004000,0x20404010,
+ 0x20400000,0x00000010,0x20404010,0x00400000,
+ 0x20004000,0x00404010,0x00400000,0x20000010,
+ 0x00400010,0x20004000,0x20000000,0x00004010,
+ 0x00000000,0x00400010,0x20004010,0x00004000,
+ 0x00404000,0x20004010,0x00000010,0x20400010,
+ 0x20400010,0x00000000,0x00404010,0x20404000,
+ 0x00004010,0x00404000,0x20404000,0x20000000,
+ 0x20004000,0x00000010,0x20400010,0x00404000,
+ 0x20404010,0x00400000,0x00004010,0x20000010,
+ 0x00400000,0x20004000,0x20000000,0x00004010,
+ 0x20000010,0x20404010,0x00404000,0x20400000,
+ 0x00404010,0x20404000,0x00000000,0x20400010,
+ 0x00000010,0x00004000,0x20400000,0x00404010,
+ 0x00004000,0x00400010,0x20004010,0x00000000,
+ 0x20404000,0x20000000,0x00400010,0x20004010 },
+ { 0x00200000,0x04200002,0x04000802,0x00000000,
+ 0x00000800,0x04000802,0x00200802,0x04200800,
+ 0x04200802,0x00200000,0x00000000,0x04000002,
+ 0x00000002,0x04000000,0x04200002,0x00000802,
+ 0x04000800,0x00200802,0x00200002,0x04000800,
+ 0x04000002,0x04200000,0x04200800,0x00200002,
+ 0x04200000,0x00000800,0x00000802,0x04200802,
+ 0x00200800,0x00000002,0x04000000,0x00200800,
+ 0x04000000,0x00200800,0x00200000,0x04000802,
+ 0x04000802,0x04200002,0x04200002,0x00000002,
+ 0x00200002,0x04000000,0x04000800,0x00200000,
+ 0x04200800,0x00000802,0x00200802,0x04200800,
+ 0x00000802,0x04000002,0x04200802,0x04200000,
+ 0x00200800,0x00000000,0x00000002,0x04200802,
+ 0x00000000,0x00200802,0x04200000,0x00000800,
+ 0x04000002,0x04000800,0x00000800,0x00200002 },
+ { 0x10001040,0x00001000,0x00040000,0x10041040,
+ 0x10000000,0x10001040,0x00000040,0x10000000,
+ 0x00040040,0x10040000,0x10041040,0x00041000,
+ 0x10041000,0x00041040,0x00001000,0x00000040,
+ 0x10040000,0x10000040,0x10001000,0x00001040,
+ 0x00041000,0x00040040,0x10040040,0x10041000,
+ 0x00001040,0x00000000,0x00000000,0x10040040,
+ 0x10000040,0x10001000,0x00041040,0x00040000,
+ 0x00041040,0x00040000,0x10041000,0x00001000,
+ 0x00000040,0x10040040,0x00001000,0x00041040,
+ 0x10001000,0x00000040,0x10000040,0x10040000,
+ 0x10040040,0x10000000,0x00040000,0x10001040,
+ 0x00000000,0x10041040,0x00040040,0x10000040,
+ 0x10040000,0x10001000,0x10001040,0x00000000,
+ 0x10041040,0x00041000,0x00041000,0x00001040,
+ 0x00001040,0x00040040,0x10000000,0x10041000 }
+};
+
+#undef F
+#define F(l,r,key){\
+ work = ((r >> 4) | (r << 28)) ^ key[0];\
+ l ^= Spbox[6][work & 0x3f];\
+ l ^= Spbox[4][(work >> 8) & 0x3f];\
+ l ^= Spbox[2][(work >> 16) & 0x3f];\
+ l ^= Spbox[0][(work >> 24) & 0x3f];\
+ work = r ^ key[1];\
+ l ^= Spbox[7][work & 0x3f];\
+ l ^= Spbox[5][(work >> 8) & 0x3f];\
+ l ^= Spbox[3][(work >> 16) & 0x3f];\
+ l ^= Spbox[1][(work >> 24) & 0x3f];\
+}
+/* Encrypt or decrypt a block of data in ECB mode */
+static void
+des (guint32 ks[16][2], unsigned char block[8])
+{
+ guint32 left,right,work;
+
+ /* Read input block and place in left/right in big-endian order */
+ left = ((guint32)block[0] << 24)
+ | ((guint32)block[1] << 16)
+ | ((guint32)block[2] << 8)
+ | (guint32)block[3];
+ right = ((guint32)block[4] << 24)
+ | ((guint32)block[5] << 16)
+ | ((guint32)block[6] << 8)
+ | (guint32)block[7];
+
+ /* Hoey's clever initial permutation algorithm, from Outerbridge
+ * (see Schneier p 478)
+ *
+ * The convention here is the same as Outerbridge: rotate each
+ * register left by 1 bit, i.e., so that "left" contains permuted
+ * input bits 2, 3, 4, ... 1 and "right" contains 33, 34, 35, ... 32
+ * (using origin-1 numbering as in the FIPS). This allows us to avoid
+ * one of the two rotates that would otherwise be required in each of
+ * the 16 rounds.
+ */
+ work = ((left >> 4) ^ right) & 0x0f0f0f0f;
+ right ^= work;
+ left ^= work << 4;
+ work = ((left >> 16) ^ right) & 0xffff;
+ right ^= work;
+ left ^= work << 16;
+ work = ((right >> 2) ^ left) & 0x33333333;
+ left ^= work;
+ right ^= (work << 2);
+ work = ((right >> 8) ^ left) & 0xff00ff;
+ left ^= work;
+ right ^= (work << 8);
+ right = (right << 1) | (right >> 31);
+ work = (left ^ right) & 0xaaaaaaaa;
+ left ^= work;
+ right ^= work;
+ left = (left << 1) | (left >> 31);
+
+ /* Now do the 16 rounds */
+ F(left,right,ks[0]);
+ F(right,left,ks[1]);
+ F(left,right,ks[2]);
+ F(right,left,ks[3]);
+ F(left,right,ks[4]);
+ F(right,left,ks[5]);
+ F(left,right,ks[6]);
+ F(right,left,ks[7]);
+ F(left,right,ks[8]);
+ F(right,left,ks[9]);
+ F(left,right,ks[10]);
+ F(right,left,ks[11]);
+ F(left,right,ks[12]);
+ F(right,left,ks[13]);
+ F(left,right,ks[14]);
+ F(right,left,ks[15]);
+
+ /* Inverse permutation, also from Hoey via Outerbridge and Schneier */
+ right = (right << 31) | (right >> 1);
+ work = (left ^ right) & 0xaaaaaaaa;
+ left ^= work;
+ right ^= work;
+ left = (left >> 1) | (left << 31);
+ work = ((left >> 8) ^ right) & 0xff00ff;
+ right ^= work;
+ left ^= work << 8;
+ work = ((left >> 2) ^ right) & 0x33333333;
+ right ^= work;
+ left ^= work << 2;
+ work = ((right >> 16) ^ left) & 0xffff;
+ left ^= work;
+ right ^= work << 16;
+ work = ((right >> 4) ^ left) & 0x0f0f0f0f;
+ left ^= work;
+ right ^= work << 4;
+
+ /* Put the block back into the user's buffer with final swap */
+ block[0] = right >> 24;
+ block[1] = right >> 16;
+ block[2] = right >> 8;
+ block[3] = right;
+ block[4] = left >> 24;
+ block[5] = left >> 16;
+ block[6] = left >> 8;
+ block[7] = left;
+}
+
+/* Key schedule-related tables from FIPS-46 */
+
+/* permuted choice table (key) */
+static const unsigned char pc1[] = {
+ 57, 49, 41, 33, 25, 17, 9,
+ 1, 58, 50, 42, 34, 26, 18,
+ 10, 2, 59, 51, 43, 35, 27,
+ 19, 11, 3, 60, 52, 44, 36,
+
+ 63, 55, 47, 39, 31, 23, 15,
+ 7, 62, 54, 46, 38, 30, 22,
+ 14, 6, 61, 53, 45, 37, 29,
+ 21, 13, 5, 28, 20, 12, 4
+};
+
+/* number left rotations of pc1 */
+static const unsigned char totrot[] = {
+ 1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28
+};
+
+/* permuted choice key (table) */
+static const unsigned char pc2[] = {
+ 14, 17, 11, 24, 1, 5,
+ 3, 28, 15, 6, 21, 10,
+ 23, 19, 12, 4, 26, 8,
+ 16, 7, 27, 20, 13, 2,
+ 41, 52, 31, 37, 47, 55,
+ 30, 40, 51, 45, 33, 48,
+ 44, 49, 39, 56, 34, 53,
+ 46, 42, 50, 36, 29, 32
+};
+
+/* End of DES-defined tables */
+
+
+/* bit 0 is left-most in byte */
+static const int bytebit[] = {
+ 0200,0100,040,020,010,04,02,01
+};
+
+
+/* Generate key schedule for encryption or decryption
+ * depending on the value of "decrypt"
+ */
+static void
+deskey (DES_KS k, unsigned char *key, int decrypt)
+{
+ unsigned char pc1m[56]; /* place to modify pc1 into */
+ unsigned char pcr[56]; /* place to rotate pc1 into */
+ register int i,j,l;
+ int m;
+ unsigned char ks[8];
+
+ for (j=0; j<56; j++) { /* convert pc1 to bits of key */
+ l=pc1[j]-1; /* integer bit location */
+ m = l & 07; /* find bit */
+ pc1m[j]=(key[l>>3] & /* find which key byte l is in */
+ bytebit[m]) /* and which bit of that byte */
+ ? 1 : 0; /* and store 1-bit result */
+ }
+ for (i=0; i<16; i++) { /* key chunk for each iteration */
+ memset(ks,0,sizeof(ks)); /* Clear key schedule */
+ for (j=0; j<56; j++) /* rotate pc1 the right amount */
+ pcr[j] = pc1m[(l=j+totrot[decrypt? 15-i : i])<(j<28? 28 : 56) ? l: l-28];
+ /* rotate left and right halves independently */
+ for (j=0; j<48; j++){ /* select bits individually */
+ /* check bit that goes to ks[j] */
+ if (pcr[pc2[j]-1]){
+ /* mask it in if it's there */
+ l= j % 6;
+ ks[j/6] |= bytebit[l] >> 2;
+ }
+ }
+ /* Now convert to packed odd/even interleaved form */
+ k[i][0] = ((guint32)ks[0] << 24)
+ | ((guint32)ks[2] << 16)
+ | ((guint32)ks[4] << 8)
+ | ((guint32)ks[6]);
+ k[i][1] = ((guint32)ks[1] << 24)
+ | ((guint32)ks[3] << 16)
+ | ((guint32)ks[5] << 8)
+ | ((guint32)ks[7]);
+ }
}
diff --git a/libsoup/soup-auth-ntlm.h b/libsoup/soup-auth-ntlm.h
index 1f56976..7ed9bd3 100644
--- a/libsoup/soup-auth-ntlm.h
+++ b/libsoup/soup-auth-ntlm.h
@@ -24,9 +24,4 @@ typedef struct {
} SoupAuthNTLMClass;
-SoupAuth *soup_auth_ntlm_new (const char *realm,
- const char *host);
-const char *soup_auth_ntlm_get_username (SoupAuth *auth);
-const char *soup_auth_ntlm_get_password (SoupAuth *auth);
-
#endif /* SOUP_AUTH_NTLM_H */
diff --git a/libsoup/soup-auth.c b/libsoup/soup-auth.c
index bb6f3b4..77fb45e 100644
--- a/libsoup/soup-auth.c
+++ b/libsoup/soup-auth.c
@@ -107,9 +107,13 @@ soup_auth_get_property (GObject *object, guint prop_id,
g_value_set_string (value, soup_auth_get_scheme_name (auth));
break;
case PROP_REALM:
+ if (auth->realm)
+ g_free (auth->realm);
g_value_set_string (value, soup_auth_get_realm (auth));
break;
case PROP_HOST:
+ if (priv->host)
+ g_free (priv->host);
g_value_set_string (value, soup_auth_get_host (auth));
break;
case PROP_IS_FOR_PROXY:
@@ -162,7 +166,7 @@ soup_auth_class_init (SoupAuthClass *auth_class)
"Realm",
"Authentication realm",
NULL,
- G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+ G_PARAM_READWRITE));
/**
* SOUP_AUTH_HOST:
*
@@ -175,7 +179,7 @@ soup_auth_class_init (SoupAuthClass *auth_class)
"Host",
"Authentication host",
NULL,
- G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+ G_PARAM_READWRITE));
/**
* SOUP_AUTH_IS_FOR_PROXY:
*
@@ -188,7 +192,7 @@ soup_auth_class_init (SoupAuthClass *auth_class)
"For Proxy",
"Whether or not the auth is for a proxy server",
FALSE,
- G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+ G_PARAM_READWRITE));
/**
* SOUP_AUTH_IS_AUTHENTICATED:
*
@@ -242,19 +246,12 @@ soup_auth_new (GType type, SoupMessage *msg, const char *auth_header)
}
params = soup_header_parse_param_list (auth_header + strlen (scheme));
- if (!params) {
- g_object_unref (auth);
- return NULL;
- }
+ if (!params)
+ params = g_hash_table_new (NULL, NULL);
realm = g_hash_table_lookup (params, "realm");
- if (!realm) {
- soup_header_free_param_list (params);
- g_object_unref (auth);
- return NULL;
- }
-
- auth->realm = g_strdup (realm);
+ if (realm)
+ auth->realm = g_strdup (realm);
if (!SOUP_AUTH_GET_CLASS (auth)->update (auth, msg, params)) {
g_object_unref (auth);
@@ -295,10 +292,10 @@ soup_auth_update (SoupAuth *auth, SoupMessage *msg, const char *auth_header)
params = soup_header_parse_param_list (auth_header + strlen (scheme));
if (!params)
- return FALSE;
+ params = g_hash_table_new (NULL, NULL);
realm = g_hash_table_lookup (params, "realm");
- if (!realm || strcmp (realm, auth->realm) != 0) {
+ if (realm && auth->realm && strcmp (realm, auth->realm) != 0) {
soup_header_free_param_list (params);
return FALSE;
}
diff --git a/libsoup/soup-message.c b/libsoup/soup-message.c
index badcd16..7fe6db8 100644
--- a/libsoup/soup-message.c
+++ b/libsoup/soup-message.c
@@ -1196,7 +1196,6 @@ soup_message_set_auth (SoupMessage *msg, SoupAuth *auth)
g_return_if_fail (SOUP_IS_MESSAGE (msg));
g_return_if_fail (auth == NULL || SOUP_IS_AUTH (auth));
- g_return_if_fail (auth == NULL || soup_auth_is_authenticated (auth));
priv = SOUP_MESSAGE_GET_PRIVATE (msg);
@@ -1211,9 +1210,11 @@ soup_message_set_auth (SoupMessage *msg, SoupAuth *auth)
g_object_ref (priv->auth);
token = soup_auth_get_authorization (auth, msg);
- soup_message_headers_replace (msg->request_headers,
- "Authorization", token);
- g_free (token);
+ if (token) {
+ soup_message_headers_replace (msg->request_headers,
+ "Authorization", token);
+ g_free (token);
+ }
}
SoupAuth *
@@ -1232,7 +1233,6 @@ soup_message_set_proxy_auth (SoupMessage *msg, SoupAuth *auth)
g_return_if_fail (SOUP_IS_MESSAGE (msg));
g_return_if_fail (auth == NULL || SOUP_IS_AUTH (auth));
- g_return_if_fail (auth == NULL || soup_auth_is_authenticated (auth));
priv = SOUP_MESSAGE_GET_PRIVATE (msg);
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 0a86630..63e90b3 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -13,7 +13,7 @@
#include "soup-session.h"
#include "soup.h"
-#include "soup-auth-manager-ntlm.h"
+#include "soup-auth-manager.h"
#include "soup-cache-private.h"
#include "soup-connection.h"
#include "soup-marshal.h"
@@ -219,7 +219,7 @@ soup_session_init (SoupSession *session)
priv->features_cache = g_hash_table_new (NULL, NULL);
- auth_manager = g_object_new (SOUP_TYPE_AUTH_MANAGER_NTLM, NULL);
+ auth_manager = g_object_new (SOUP_TYPE_AUTH_MANAGER, NULL);
g_signal_connect (auth_manager, "authenticate",
G_CALLBACK (auth_manager_authenticate), session);
soup_session_feature_add_feature (SOUP_SESSION_FEATURE (auth_manager),
@@ -573,7 +573,7 @@ G_GNUC_END_IGNORE_DEPRECATIONS
break;
case PROP_USE_NTLM:
g_return_if_fail (!SOUP_IS_PLAIN_SESSION (session));
- feature = soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER_NTLM);
+ feature = soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER);
if (feature) {
if (g_value_get_boolean (value))
soup_session_feature_add_feature (feature, SOUP_TYPE_AUTH_NTLM);
@@ -698,7 +698,7 @@ soup_session_get_property (GObject *object, guint prop_id,
g_value_set_int (value, priv->max_conns_per_host);
break;
case PROP_USE_NTLM:
- feature = soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER_NTLM);
+ feature = soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER);
if (feature)
g_value_set_boolean (value, soup_session_feature_has_feature (feature, SOUP_TYPE_AUTH_NTLM));
else
diff --git a/tests/Makefile.am b/tests/Makefile.am
index fdd2c3d..7af3975 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,6 +1,7 @@
INCLUDES = \
-I$(top_srcdir) \
-DSRCDIR=\""$(abs_srcdir)"\" \
+ -DBUILDDIR=\""$(builddir)"\" \
$(SOUP_MAINTAINER_FLAGS) \
$(XML_CFLAGS) \
$(GLIB_CFLAGS)
@@ -25,6 +26,7 @@ noinst_PROGRAMS = \
header-parsing \
misc-test \
multipart-test \
+ ntlm-test-helper \
ntlm-test \
redirect-test \
requester-test \
diff --git a/tests/ntlm-test-helper.c b/tests/ntlm-test-helper.c
new file mode 100644
index 0000000..60dd049
--- /dev/null
+++ b/tests/ntlm-test-helper.c
@@ -0,0 +1,103 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ * Copyright 2012 Red Hat, Inc.
+ */
+
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <glib.h>
+#include "libsoup/soup.h"
+
+const char *helper_protocol, *username, *domain;
+gboolean use_cached_creds;
+
+static GOptionEntry entries[] = {
+ { "helper-protocol", 0, 0,
+ G_OPTION_ARG_STRING, &helper_protocol,
+ NULL, NULL },
+ { "use-cached-creds", 0, 0,
+ G_OPTION_ARG_NONE, &use_cached_creds,
+ NULL, NULL },
+ { "username", 0, 0,
+ G_OPTION_ARG_STRING, &username,
+ NULL, NULL },
+ { "domain", 0, 0,
+ G_OPTION_ARG_STRING, &domain,
+ NULL, NULL },
+ { NULL }
+};
+
+int
+main (int argc, char **argv)
+{
+ GOptionContext *opts;
+ char buf[256], *header;
+ SoupMessage *msg;
+ SoupAuth *auth;
+
+ /* Don't recurse */
+ g_unsetenv ("SOUP_NTLM_AUTH_DEBUG");
+
+ setlocale (LC_ALL, "");
+
+ opts = g_option_context_new (NULL);
+ g_option_context_add_main_entries (opts, entries, NULL);
+ if (!g_option_context_parse (opts, &argc, &argv, NULL)) {
+ g_printerr ("Bad arguments\n");
+ exit (1);
+ }
+ g_option_context_free (opts);
+
+ if (!username || !use_cached_creds || !helper_protocol ||
+ !g_str_equal (helper_protocol, "ntlmssp-client-1")) {
+ g_printerr ("Wrong arguments; this program is only intended for use by ntlm-test\n");
+ exit (1);
+ }
+
+ msg = soup_message_new ("GET", "http://localhost/");
+ auth = NULL;
+
+ while (fgets (buf, sizeof (buf), stdin)) {
+ if (strchr (buf, '\n'))
+ *strchr (buf, '\n') = '\0';
+ if (!strcmp (buf, "YR")) {
+ if (g_getenv ("SOUP_NTLM_AUTH_DEBUG_NOCREDS")) {
+ g_print ("PW\n");
+ continue;
+ }
+
+ g_clear_object (&auth);
+ auth = g_object_new (SOUP_TYPE_AUTH_NTLM, NULL);
+ header = soup_auth_get_authorization (auth, msg);
+ g_print ("YR %s\n", header + 5);
+ g_free (header);
+ } else if (g_str_has_prefix (buf, "TT ")) {
+ header = g_strdup_printf ("NTLM %s\n", buf + 3);
+ if (!soup_auth_update (auth, msg, header)) {
+ g_printerr ("Bad challenge\n");
+ exit (1);
+ }
+ g_free (header);
+
+ soup_auth_authenticate (auth, username, "password");
+ header = soup_auth_get_authorization (auth, msg);
+ if (!header) {
+ g_printerr ("Internal authentication failure\n");
+ exit (1);
+ }
+ g_print ("KK %s\n", header + 5);
+ g_free (header);
+ } else {
+ g_printerr ("Unexpected command\n");
+ exit (1);
+ }
+ }
+
+ g_object_unref (msg);
+ g_clear_object (&auth);
+
+ return 0;
+}
diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
index e473ba6..ce08f99 100644
--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
@@ -19,6 +19,10 @@ typedef enum {
NTLM_AUTHENTICATED_BOB
} NTLMServerState;
+static const char *state_name[] = {
+ "unauth", "recv", "sent", "alice", "bob"
+};
+
#define NTLM_REQUEST_START "TlRMTVNTUAABAAAA"
#define NTLM_RESPONSE_START "TlRMTVNTUAADAAAA"
@@ -134,16 +138,22 @@ server_callback (SoupServer *server, SoupMessage *msg,
}
}
+ debug_printf (2, " (S:%s)", state_name[state]);
g_hash_table_insert (connections, socket, GINT_TO_POINTER (state));
g_object_weak_ref (G_OBJECT (socket), clear_state, connections);
}
+static gboolean authenticated_ntlm = FALSE;
+
static void
authenticate (SoupSession *session, SoupMessage *msg,
SoupAuth *auth, gboolean retrying, gpointer user)
{
- if (!retrying)
+ if (!retrying) {
soup_auth_authenticate (auth, user, "password");
+ if (g_str_equal (soup_auth_get_scheme_name (auth), "NTLM"))
+ authenticated_ntlm = TRUE;
+ }
}
typedef struct {
@@ -313,7 +323,8 @@ do_message (SoupSession *session, SoupURI *base_uri, const char *path,
}
static void
-do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm, const char *user)
+do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm,
+ const char *user, gboolean use_builtin_ntlm)
{
SoupSession *session;
gboolean alice = !g_strcmp0 (user, "alice");
@@ -329,6 +340,8 @@ do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm, const char *user)
if (user) {
g_signal_connect (session, "authenticate",
G_CALLBACK (authenticate), (char *)user);
+ if (use_ntlm && !use_builtin_ntlm)
+ g_setenv ("NTLMUSER", user, TRUE);
}
/* 1. Server doesn't request auth, so both get_ntlm_prompt and
@@ -336,11 +349,19 @@ do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm, const char *user)
* if we're using NTLM we'll try that even without the server
* asking.
*/
+ authenticated_ntlm = FALSE;
do_message (session, base_uri, "/noauth",
FALSE, use_ntlm,
FALSE, FALSE,
SOUP_STATUS_OK);
+ if (authenticated_ntlm != (use_ntlm && use_builtin_ntlm)) {
+ debug_printf (1, " ERROR: %s built-in NTLM support, but authenticate signal %s emitted\n",
+ use_builtin_ntlm ? "Using" : "Not using",
+ authenticated_ntlm ? "was" : "wasn't");
+ errors++;
+ }
+
/* 2. Server requires auth as Alice, so it will request that
* if we didn't already authenticate the connection to her in
* the previous step. If we authenticated as Bob in the
@@ -422,16 +443,16 @@ do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm, const char *user)
}
static void
-do_ntlm_tests (SoupURI *base_uri)
+do_ntlm_tests (SoupURI *base_uri, gboolean use_builtin_ntlm)
{
debug_printf (1, "Round 1: Non-NTLM Connection, no auth\n");
- do_ntlm_round (base_uri, FALSE, NULL);
+ do_ntlm_round (base_uri, FALSE, NULL, use_builtin_ntlm);
debug_printf (1, "Round 2: NTLM Connection, user=alice\n");
- do_ntlm_round (base_uri, TRUE, "alice");
+ do_ntlm_round (base_uri, TRUE, "alice", use_builtin_ntlm);
debug_printf (1, "Round 3: NTLM Connection, user=bob\n");
- do_ntlm_round (base_uri, TRUE, "bob");
+ do_ntlm_round (base_uri, TRUE, "bob", use_builtin_ntlm);
debug_printf (1, "Round 4: Non-NTLM Connection, user=alice\n");
- do_ntlm_round (base_uri, FALSE, "alice");
+ do_ntlm_round (base_uri, FALSE, "alice", use_builtin_ntlm);
}
int
@@ -453,7 +474,30 @@ main (int argc, char **argv)
uri = soup_uri_new ("http://127.0.0.1/");
soup_uri_set_port (uri, soup_server_get_port (server));
- do_ntlm_tests (uri);
+
+ /* Built-in NTLM auth support. (We set SOUP_NTLM_AUTH_DEBUG to
+ * an empty string to ensure that the built-in support is
+ * being used, even if /usr/bin/ntlm_auth is available.)
+ */
+ g_setenv ("SOUP_NTLM_AUTH_DEBUG", "", TRUE);
+ debug_printf (1, "Built-in NTLM support\n");
+ do_ntlm_tests (uri, TRUE);
+
+ /* Samba winbind /usr/bin/ntlm_auth helper support (via a
+ * helper program that emulate's its interface).
+ */
+ g_setenv ("SOUP_NTLM_AUTH_DEBUG", BUILDDIR "/ntlm-test-helper", TRUE);
+ debug_printf (1, "\nExternal helper support\n");
+ do_ntlm_tests (uri, FALSE);
+
+ /* Support for when ntlm_auth is installed, but the user has
+ * no cached credentials (and thus we have to fall back to
+ * libsoup's built-in NTLM support).
+ */
+ g_setenv ("SOUP_NTLM_AUTH_DEBUG_NOCREDS", "1", TRUE);
+ debug_printf (1, "\nExternal -> fallback support\n");
+ do_ntlm_tests (uri, TRUE);
+
soup_uri_free (uri);
g_main_loop_unref (loop);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]