Unverified Commit 85bef18c authored by Steve Holme's avatar Steve Holme

http_ntlm: Move the NTLM state out of the ntlmdata structure

Given that this member variable is not used by the SASL based protocols
there is no need to have it here.
parent 0c73adfa
+7 −8
@@ -345,8 +345,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
  char **allocuserpwd;
  char **allocuserpwd;
  /* point to the name and password for this */
  /* point to the name and password for this */
  const char *userp;
  const char *userp;
  /* point to the correct struct with this */
  curlntlm *state;
  struct ntlmdata *ntlm;
  struct auth *authp;
  struct auth *authp;


  CURLcode res = CURLE_OK;
  CURLcode res = CURLE_OK;
@@ -358,13 +357,13 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
  if(proxy) {
  if(proxy) {
    allocuserpwd = &conn->allocptr.proxyuserpwd;
    allocuserpwd = &conn->allocptr.proxyuserpwd;
    userp = conn->http_proxy.user;
    userp = conn->http_proxy.user;
    ntlm = &conn->proxyntlm;
    state = &conn->proxy_ntlm_state;
    authp = &conn->data->state.authproxy;
    authp = &conn->data->state.authproxy;
  }
  }
  else {
  else {
    allocuserpwd = &conn->allocptr.userpwd;
    allocuserpwd = &conn->allocptr.userpwd;
    userp = conn->user;
    userp = conn->user;
    ntlm = &conn->ntlm;
    state = &conn->http_ntlm_state;
    authp = &conn->data->state.authhost;
    authp = &conn->data->state.authhost;
  }
  }
  authp->done = FALSE;
  authp->done = FALSE;
@@ -373,7 +372,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
  if(!userp)
  if(!userp)
    userp = "";
    userp = "";


  switch(ntlm->state) {
  switch(*state) {
  case NTLMSTATE_TYPE1:
  case NTLMSTATE_TYPE1:
  default:
  default:
    /* Use Samba's 'winbind' daemon to support NTLM authentication,
    /* Use Samba's 'winbind' daemon to support NTLM authentication,
@@ -392,7 +391,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
    res = ntlm_wb_init(conn, userp);
    res = ntlm_wb_init(conn, userp);
    if(res)
    if(res)
      return res;
      return res;
    res = ntlm_wb_response(conn, "YR\n", ntlm->state);
    res = ntlm_wb_response(conn, "YR\n", *state);
    if(res)
    if(res)
      return res;
      return res;


@@ -410,7 +409,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
    input = aprintf("TT %s\n", conn->challenge_header);
    input = aprintf("TT %s\n", conn->challenge_header);
    if(!input)
    if(!input)
      return CURLE_OUT_OF_MEMORY;
      return CURLE_OUT_OF_MEMORY;
    res = ntlm_wb_response(conn, input, ntlm->state);
    res = ntlm_wb_response(conn, input, *state);
    free(input);
    free(input);
    input = NULL;
    input = NULL;
    if(res)
    if(res)
@@ -421,7 +420,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
                            proxy ? "Proxy-" : "",
                            proxy ? "Proxy-" : "",
                            conn->response_header);
                            conn->response_header);
    DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
    DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
    ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
    *state = NTLMSTATE_TYPE3; /* we sent a type-3 */
    authp->done = TRUE;
    authp->done = TRUE;
    Curl_http_auth_cleanup_ntlm_wb(conn);
    Curl_http_auth_cleanup_ntlm_wb(conn);
    if(!*allocuserpwd)
    if(!*allocuserpwd)
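Review bot: The new `curlntlm *state;` declaration in Curl_output_ntlm_wb carries no comment, and the one it replaces ("point to the correct struct with this") was dropped together with `ntlm`. The pointer now decides which of `conn->proxy_ntlm_state` and `conn->http_ntlm_state` is read by `switch(*state)` and written in the type-3 branch, so a short comment would help, for example `/* point to the NTLM state (host or proxy) that this request advances */`. The function body starts and ends outside these hunks, so the remaining uses of the pointer are not visible here.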
+4 −4
@@ -466,8 +466,8 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
       (data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
       (data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
       (data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
       (data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
      if(((expectsend - bytessent) < 2000) ||
      if(((expectsend - bytessent) < 2000) ||
         (conn->ntlm.state != NTLMSTATE_NONE) ||
         (conn->http_ntlm_state != NTLMSTATE_NONE) ||
         (conn->proxyntlm.state != NTLMSTATE_NONE)) {
         (conn->proxy_ntlm_state != NTLMSTATE_NONE)) {
        /* The NTLM-negotiation has started *OR* there is just a little (<2K)
        /* The NTLM-negotiation has started *OR* there is just a little (<2K)
           data left to send, keep on sending. */
           data left to send, keep on sending. */


@@ -3422,9 +3422,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
#if defined(USE_NTLM)
#if defined(USE_NTLM)
      if(conn->bits.close &&
      if(conn->bits.close &&
         (((data->req.httpcode == 401) &&
         (((data->req.httpcode == 401) &&
           (conn->ntlm.state == NTLMSTATE_TYPE2)) ||
           (conn->http_ntlm_state == NTLMSTATE_TYPE2)) ||
          ((data->req.httpcode == 407) &&
          ((data->req.httpcode == 407) &&
           (conn->proxyntlm.state == NTLMSTATE_TYPE2)))) {
           (conn->proxy_ntlm_state == NTLMSTATE_TYPE2)))) {
        infof(data, "Connection closure while negotiating auth (HTTP 1.0?)\n");
        infof(data, "Connection closure while negotiating auth (HTTP 1.0?)\n");
        data->state.authproblem = TRUE;
        data->state.authproblem = TRUE;
      }
      }
+14 −9
@@ -68,9 +68,11 @@ CURLcode Curl_input_ntlm(struct connectdata *conn,
{
{
  /* point to the correct struct with this */
  /* point to the correct struct with this */
  struct ntlmdata *ntlm;
  struct ntlmdata *ntlm;
  curlntlm *state;
  CURLcode result = CURLE_OK;
  CURLcode result = CURLE_OK;


  ntlm = proxy ? &conn->proxyntlm : &conn->ntlm;
  ntlm = proxy ? &conn->proxyntlm : &conn->ntlm;
  state = proxy ? &conn->proxy_ntlm_state : &conn->http_ntlm_state;


  if(checkprefix("NTLM", header)) {
  if(checkprefix("NTLM", header)) {
    header += strlen("NTLM");
    header += strlen("NTLM");
@@ -83,25 +85,25 @@ CURLcode Curl_input_ntlm(struct connectdata *conn,
      if(result)
      if(result)
        return result;
        return result;


      ntlm->state = NTLMSTATE_TYPE2; /* We got a type-2 message */
      *state = NTLMSTATE_TYPE2; /* We got a type-2 message */
    }
    }
    else {
    else {
      if(ntlm->state == NTLMSTATE_LAST) {
      if(*state == NTLMSTATE_LAST) {
        infof(conn->data, "NTLM auth restarted\n");
        infof(conn->data, "NTLM auth restarted\n");
        Curl_http_auth_cleanup_ntlm(conn);
        Curl_http_auth_cleanup_ntlm(conn);
      }
      }
      else if(ntlm->state == NTLMSTATE_TYPE3) {
      else if(*state == NTLMSTATE_TYPE3) {
        infof(conn->data, "NTLM handshake rejected\n");
        infof(conn->data, "NTLM handshake rejected\n");
        Curl_http_auth_cleanup_ntlm(conn);
        Curl_http_auth_cleanup_ntlm(conn);
        ntlm->state = NTLMSTATE_NONE;
        *state = NTLMSTATE_NONE;
        return CURLE_REMOTE_ACCESS_DENIED;
        return CURLE_REMOTE_ACCESS_DENIED;
      }
      }
      else if(ntlm->state >= NTLMSTATE_TYPE1) {
      else if(*state >= NTLMSTATE_TYPE1) {
        infof(conn->data, "NTLM handshake failure (internal error)\n");
        infof(conn->data, "NTLM handshake failure (internal error)\n");
        return CURLE_REMOTE_ACCESS_DENIED;
        return CURLE_REMOTE_ACCESS_DENIED;
      }
      }


      ntlm->state = NTLMSTATE_TYPE1; /* We should send away a type-1 */
      *state = NTLMSTATE_TYPE1; /* We should send away a type-1 */
    }
    }
  }
  }


@@ -129,6 +131,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)


  /* point to the correct struct with this */
  /* point to the correct struct with this */
  struct ntlmdata *ntlm;
  struct ntlmdata *ntlm;
  curlntlm *state;
  struct auth *authp;
  struct auth *authp;


  DEBUGASSERT(conn);
  DEBUGASSERT(conn);
@@ -147,6 +150,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
              conn->data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
              conn->data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
    hostname = conn->http_proxy.host.name;
    hostname = conn->http_proxy.host.name;
    ntlm = &conn->proxyntlm;
    ntlm = &conn->proxyntlm;
    state = &conn->proxy_ntlm_state;
    authp = &conn->data->state.authproxy;
    authp = &conn->data->state.authproxy;
  }
  }
  else {
  else {
@@ -157,6 +161,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
              conn->data->set.str[STRING_SERVICE_NAME] : "HTTP";
              conn->data->set.str[STRING_SERVICE_NAME] : "HTTP";
    hostname = conn->host.name;
    hostname = conn->host.name;
    ntlm = &conn->ntlm;
    ntlm = &conn->ntlm;
    state = &conn->http_ntlm_state;
    authp = &conn->data->state.authhost;
    authp = &conn->data->state.authhost;
  }
  }
  authp->done = FALSE;
  authp->done = FALSE;
@@ -180,7 +185,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
#endif
#endif
#endif
#endif


  switch(ntlm->state) {
  switch(*state) {
  case NTLMSTATE_TYPE1:
  case NTLMSTATE_TYPE1:
  default: /* for the weird cases we (re)start here */
  default: /* for the weird cases we (re)start here */
    /* Create a type-1 message */
    /* Create a type-1 message */
@@ -222,7 +227,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)


      DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
      DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));


      ntlm->state = NTLMSTATE_TYPE3; /* we send a type-3 */
      *state = NTLMSTATE_TYPE3; /* we send a type-3 */
      authp->done = TRUE;
      authp->done = TRUE;
    }
    }
    break;
    break;
@@ -230,7 +235,7 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
  case NTLMSTATE_TYPE3:
  case NTLMSTATE_TYPE3:
    /* connection is already authenticated,
    /* connection is already authenticated,
     * don't send a header in future requests */
     * don't send a header in future requests */
    ntlm->state = NTLMSTATE_LAST;
    *state = NTLMSTATE_LAST;
    /* FALLTHROUGH */
    /* FALLTHROUGH */
  case NTLMSTATE_LAST:
  case NTLMSTATE_LAST:
    Curl_safefree(*allocuserpwd);
    Curl_safefree(*allocuserpwd);
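Review bot: Nothing on this page shows where `http_ntlm_state` and `proxy_ntlm_state` are declared, initialised or reset, and after this change they are no longer covered by anything that clears a `struct ntlmdata` as a whole (if such a path exists). In Curl_input_ntlm the NTLMSTATE_TYPE3 branch resets `*state` explicitly after `Curl_http_auth_cleanup_ntlm(conn)`, whereas the NTLMSTATE_LAST branch relies on the later `*state = NTLMSTATE_TYPE1` and the `*state >= NTLMSTATE_TYPE1` branch returns without touching it. ConnectionExists and the `reuse_forbid` condition in multi_done read these fields when deciding how an NTLM-authenticated connection is matched and kept, so it is worth confirming that a fresh connectdata starts at NTLMSTATE_NONE and that the cleanup functions leave the two fields in the intended state. The comment `/* point to the correct struct with this */` now also sits above `state`, which is not a struct pointer; `/* point to the correct ntlmdata struct and NTLM state with this */` would match the code.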
+2 −2
@@ -588,8 +588,8 @@ static CURLcode multi_done(struct Curl_easy *data,


  if((data->set.reuse_forbid
  if((data->set.reuse_forbid
#if defined(USE_NTLM)
#if defined(USE_NTLM)
      && !(conn->ntlm.state == NTLMSTATE_TYPE2 ||
      && !(conn->http_ntlm_state == NTLMSTATE_TYPE2 ||
           conn->proxyntlm.state == NTLMSTATE_TYPE2)
           conn->proxy_ntlm_state == NTLMSTATE_TYPE2)
#endif
#endif
#if defined(USE_SPNEGO)
#if defined(USE_SPNEGO)
      && !(conn->negotiate.state == GSS_AUTHRECV ||
      && !(conn->negotiate.state == GSS_AUTHRECV ||
+4 −4
@@ -1278,7 +1278,7 @@ ConnectionExists(struct Curl_easy *data,
             strcmp(needle->passwd, check->passwd))
             strcmp(needle->passwd, check->passwd))
            continue;
            continue;
        }
        }
        else if(check->ntlm.state != NTLMSTATE_NONE) {
        else if(check->http_ntlm_state != NTLMSTATE_NONE) {
          /* Connection is using NTLM auth but we don't want NTLM */
          /* Connection is using NTLM auth but we don't want NTLM */
          continue;
          continue;
        }
        }
@@ -1294,7 +1294,7 @@ ConnectionExists(struct Curl_easy *data,
             strcmp(needle->http_proxy.passwd, check->http_proxy.passwd))
             strcmp(needle->http_proxy.passwd, check->http_proxy.passwd))
            continue;
            continue;
        }
        }
        else if(check->proxyntlm.state != NTLMSTATE_NONE) {
        else if(check->proxy_ntlm_state != NTLMSTATE_NONE) {
          /* Proxy connection is using NTLM auth but we don't want NTLM */
          /* Proxy connection is using NTLM auth but we don't want NTLM */
          continue;
          continue;
        }
        }
@@ -1304,9 +1304,9 @@ ConnectionExists(struct Curl_easy *data,
          chosen = check;
          chosen = check;


          if((wantNTLMhttp &&
          if((wantNTLMhttp &&
             (check->ntlm.state != NTLMSTATE_NONE)) ||
             (check->http_ntlm_state != NTLMSTATE_NONE)) ||
              (wantProxyNTLMhttp &&
              (wantProxyNTLMhttp &&
               (check->proxyntlm.state != NTLMSTATE_NONE))) {
               (check->proxy_ntlm_state != NTLMSTATE_NONE))) {
            /* We must use this connection, no other */
            /* We must use this connection, no other */
            *force_reuse = TRUE;
            *force_reuse = TRUE;
            break;
            break;