http_ntlm: Move the NTLM state out of the ntlmdata structure (85bef18c) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

lib/curl_ntlm_wb.c

+7 −8

Original line number	Diff line number	Diff line
		@@ -345,8 +345,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
		char **allocuserpwd;
		/* point to the name and password for this */
		const char *userp;
		/* point to the correct struct with this */
		struct ntlmdata *ntlm;
		curlntlm *state;
		struct auth *authp;

		CURLcode res = CURLE_OK;
		@@ -358,13 +357,13 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
		if(proxy) {
		allocuserpwd = &conn->allocptr.proxyuserpwd;
		userp = conn->http_proxy.user;
		ntlm = &conn->proxyntlm;
		state = &conn->proxy_ntlm_state;
		authp = &conn->data->state.authproxy;
		}
		else {
		allocuserpwd = &conn->allocptr.userpwd;
		userp = conn->user;
		ntlm = &conn->ntlm;
		state = &conn->http_ntlm_state;
		authp = &conn->data->state.authhost;
		}
		authp->done = FALSE;
		@@ -373,7 +372,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
		if(!userp)
		userp = "";

		switch(ntlm->state) {
		switch(*state) {
		case NTLMSTATE_TYPE1:
		default:
		/* Use Samba's 'winbind' daemon to support NTLM authentication,
		@@ -392,7 +391,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
		res = ntlm_wb_init(conn, userp);
		if(res)
		return res;
		res = ntlm_wb_response(conn, "YR\n", ntlm->state);
		res = ntlm_wb_response(conn, "YR\n", *state);
		if(res)
		return res;

		@@ -410,7 +409,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
		input = aprintf("TT %s\n", conn->challenge_header);
		if(!input)
		return CURLE_OUT_OF_MEMORY;
		res = ntlm_wb_response(conn, input, ntlm->state);
		res = ntlm_wb_response(conn, input, *state);
		free(input);
		input = NULL;
		if(res)
		@@ -421,7 +420,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
		proxy ? "Proxy-" : "",
		conn->response_header);
		DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
		ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
		state = NTLMSTATE_TYPE3; / we sent a type-3 */
		authp->done = TRUE;
		Curl_http_auth_cleanup_ntlm_wb(conn);
		if(!*allocuserpwd)

lib/http.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -466,8 +466,8 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
		(data->state.authproxy.picked == CURLAUTH_NTLM_WB) \|\|
		(data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
		if(((expectsend - bytessent) < 2000) \|\|
		(conn->ntlm.state != NTLMSTATE_NONE) \|\|
		(conn->proxyntlm.state != NTLMSTATE_NONE)) {
		(conn->http_ntlm_state != NTLMSTATE_NONE) \|\|
		(conn->proxy_ntlm_state != NTLMSTATE_NONE)) {
		/* The NTLM-negotiation has started OR there is just a little (<2K)
		data left to send, keep on sending. */

		@@ -3422,9 +3422,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
		#if defined(USE_NTLM)
		if(conn->bits.close &&
		(((data->req.httpcode == 401) &&
		(conn->ntlm.state == NTLMSTATE_TYPE2)) \|\|
		(conn->http_ntlm_state == NTLMSTATE_TYPE2)) \|\|
		((data->req.httpcode == 407) &&
		(conn->proxyntlm.state == NTLMSTATE_TYPE2)))) {
		(conn->proxy_ntlm_state == NTLMSTATE_TYPE2)))) {
		infof(data, "Connection closure while negotiating auth (HTTP 1.0?)\n");
		data->state.authproblem = TRUE;
		}

lib/http_ntlm.c

+14 −9

Original line number	Diff line number	Diff line
		@@ -68,9 +68,11 @@ CURLcode Curl_input_ntlm(struct connectdata *conn,
		{
		/* point to the correct struct with this */
		struct ntlmdata *ntlm;
		curlntlm *state;
		CURLcode result = CURLE_OK;

		ntlm = proxy ? &conn->proxyntlm : &conn->ntlm;
		state = proxy ? &conn->proxy_ntlm_state : &conn->http_ntlm_state;

		if(checkprefix("NTLM", header)) {
		header += strlen("NTLM");
		@@ -83,25 +85,25 @@ CURLcode Curl_input_ntlm(struct connectdata *conn,
		if(result)
		return result;

		ntlm->state = NTLMSTATE_TYPE2; /* We got a type-2 message */
		state = NTLMSTATE_TYPE2; / We got a type-2 message */
		}
		else {
		if(ntlm->state == NTLMSTATE_LAST) {
		if(*state == NTLMSTATE_LAST) {
		infof(conn->data, "NTLM auth restarted\n");
		Curl_http_auth_cleanup_ntlm(conn);
		}
		else if(ntlm->state == NTLMSTATE_TYPE3) {
		else if(*state == NTLMSTATE_TYPE3) {
		infof(conn->data, "NTLM handshake rejected\n");
		Curl_http_auth_cleanup_ntlm(conn);
		ntlm->state = NTLMSTATE_NONE;
		*state = NTLMSTATE_NONE;
		return CURLE_REMOTE_ACCESS_DENIED;
		}
		else if(ntlm->state >= NTLMSTATE_TYPE1) {
		else if(*state >= NTLMSTATE_TYPE1) {
		infof(conn->data, "NTLM handshake failure (internal error)\n");
		return CURLE_REMOTE_ACCESS_DENIED;
		}

		ntlm->state = NTLMSTATE_TYPE1; /* We should send away a type-1 */
		state = NTLMSTATE_TYPE1; / We should send away a type-1 */
		}
		}

		@@ -129,6 +131,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)

		/* point to the correct struct with this */
		struct ntlmdata *ntlm;
		curlntlm *state;
		struct auth *authp;

		DEBUGASSERT(conn);
		@@ -147,6 +150,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
		conn->data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
		hostname = conn->http_proxy.host.name;
		ntlm = &conn->proxyntlm;
		state = &conn->proxy_ntlm_state;
		authp = &conn->data->state.authproxy;
		}
		else {
		@@ -157,6 +161,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
		conn->data->set.str[STRING_SERVICE_NAME] : "HTTP";
		hostname = conn->host.name;
		ntlm = &conn->ntlm;
		state = &conn->http_ntlm_state;
		authp = &conn->data->state.authhost;
		}
		authp->done = FALSE;
		@@ -180,7 +185,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
		#endif
		#endif

		switch(ntlm->state) {
		switch(*state) {
		case NTLMSTATE_TYPE1:
		default: /* for the weird cases we (re)start here */
		/* Create a type-1 message */
		@@ -222,7 +227,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)

		DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));

		ntlm->state = NTLMSTATE_TYPE3; /* we send a type-3 */
		state = NTLMSTATE_TYPE3; / we send a type-3 */
		authp->done = TRUE;
		}
		break;
		@@ -230,7 +235,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
		case NTLMSTATE_TYPE3:
		/* connection is already authenticated,
		* don't send a header in future requests */
		ntlm->state = NTLMSTATE_LAST;
		*state = NTLMSTATE_LAST;
		/* FALLTHROUGH */
		case NTLMSTATE_LAST:
		Curl_safefree(*allocuserpwd);

lib/multi.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -588,8 +588,8 @@ static CURLcode multi_done(struct Curl_easy *data,

		if((data->set.reuse_forbid
		#if defined(USE_NTLM)
		&& !(conn->ntlm.state == NTLMSTATE_TYPE2 \|\|
		conn->proxyntlm.state == NTLMSTATE_TYPE2)
		&& !(conn->http_ntlm_state == NTLMSTATE_TYPE2 \|\|
		conn->proxy_ntlm_state == NTLMSTATE_TYPE2)
		#endif
		#if defined(USE_SPNEGO)
		&& !(conn->negotiate.state == GSS_AUTHRECV \|\|

lib/url.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -1278,7 +1278,7 @@ ConnectionExists(struct Curl_easy *data,
		strcmp(needle->passwd, check->passwd))
		continue;
		}
		else if(check->ntlm.state != NTLMSTATE_NONE) {
		else if(check->http_ntlm_state != NTLMSTATE_NONE) {
		/* Connection is using NTLM auth but we don't want NTLM */
		continue;
		}
		@@ -1294,7 +1294,7 @@ ConnectionExists(struct Curl_easy *data,
		strcmp(needle->http_proxy.passwd, check->http_proxy.passwd))
		continue;
		}
		else if(check->proxyntlm.state != NTLMSTATE_NONE) {
		else if(check->proxy_ntlm_state != NTLMSTATE_NONE) {
		/* Proxy connection is using NTLM auth but we don't want NTLM */
		continue;
		}
		@@ -1304,9 +1304,9 @@ ConnectionExists(struct Curl_easy *data,
		chosen = check;

		if((wantNTLMhttp &&
		(check->ntlm.state != NTLMSTATE_NONE)) \|\|
		(check->http_ntlm_state != NTLMSTATE_NONE)) \|\|
		(wantProxyNTLMhttp &&
		(check->proxyntlm.state != NTLMSTATE_NONE))) {
		(check->proxy_ntlm_state != NTLMSTATE_NONE))) {
		/* We must use this connection, no other */
		*force_reuse = TRUE;
		break;