- Constantine Sapuntzakis filed bug report #2042430

Daniel Stenberg (11 Aug 2008)

- Constantine Sapuntzakis filed bug report #2042430

  (http://curl.haxx.se/bug/view.cgi?id=2042430) with a patch. "NTLM Windows

  SSPI code is not thread safe". This was due to libcurl using static

  variables to tell wether to load the necessary SSPI DLL, but now the loading

  has been moved to the more suitable curl_global_init() call.

- Constantine Sapuntzakis filed bug report #2042440

  (http://curl.haxx.se/bug/view.cgi?id=2042440) with a patch. He identified a

  problem when using NTLM over a proxy but the end-point does Basic, and then

 o HTTP PUT or POST with redirect could lead to hang

 o re-use of connections with failed SSL connects in the multi interface

 o NTLM over proxy state was wrongly cleared when host connection was closed

 o Windows SSPI DLL loading is now done in curl_global_init()

This release includes the following known bugs:

#include "easyif.h"

#include "select.h"

#include "sendf.h" /* for failf function prototype */

#include "http_ntlm.h"

#include "connect.h" /* for Curl_getconnectinfo */

#define _MPRINTF_REPLACE /* use our functions only */

/* The last #include file should be: */

#include "memdebug.h"

#ifdef USE_WINSOCK

/* win32_cleanup() is for win32 socket cleanup functionality, the opposite

   of win32_init() */

static void win32_cleanup(void)

{

#ifdef USE_WINSOCK

  WSACleanup();

#endif

#ifdef USE_WINDOWS_SSPI

  Curl_ntlm_global_cleanup();

#endif

}

/* win32_init() performs win32 socket initialization to properly setup the

   stack to allow networking */

static CURLcode win32_init(void)

{

#ifdef USE_WINSOCK

  WORD wVersionRequested;

  WSADATA wsaData;

  int err;

    return CURLE_FAILED_INIT;

  }

  /* The Windows Sockets DLL is acceptable. Proceed. */

  return CURLE_OK;

}

#endif

#else

/* These functions exist merely to prevent compiler warnings */

static CURLcode win32_init(void) { return CURLE_OK; }

static void win32_cleanup(void) { }

#ifdef USE_WINDOWS_SSPI

  {

    CURLcode err = Curl_ntlm_global_init();

    if (err != CURLE_OK)

      return err;

  }

#endif

  return CURLE_OK;

}

#ifdef USE_LIBIDN

/*

 * Initialise use of IDNA library.

 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms

    passwdp=(char *)"";

#ifdef USE_WINDOWS_SSPI

  /* If security interface is not yet initialized try to do this */

  if (s_hSecDll == NULL) {

    /* Determine Windows version. Security functions are located in

     * security.dll on WinNT 4.0 and in secur32.dll on Win9x. Win2K and XP

     * contain both these DLLs (security.dll just forwards calls to

     * secur32.dll)

     */

    OSVERSIONINFO osver;

    osver.dwOSVersionInfoSize = sizeof(osver);

    GetVersionEx(&osver);

    if(osver.dwPlatformId == VER_PLATFORM_WIN32_NT

      && osver.dwMajorVersion == 4)

      s_hSecDll = LoadLibrary("security.dll");

    else

      s_hSecDll = LoadLibrary("secur32.dll");

    if(s_hSecDll != NULL) {

      INIT_SECURITY_INTERFACE pInitSecurityInterface;

      pInitSecurityInterface =

        (INIT_SECURITY_INTERFACE)GetProcAddress(s_hSecDll,

                                                "InitSecurityInterfaceA");

      if(pInitSecurityInterface != NULL)

        s_pSecFn = pInitSecurityInterface();

    /* not thread safe and leaks - use curl_global_init() to avoid */

    CURLcode err = Curl_ntlm_global_init();

    if (s_hSecDll == NULL)

      return err;

  }

  }

  if(s_pSecFn == NULL)

    return CURLE_RECV_ERROR;

#endif

  switch(ntlm->state) {

#ifdef USE_WINDOWS_SSPI

  ntlm_sspi_cleanup(&conn->ntlm);

  ntlm_sspi_cleanup(&conn->proxyntlm);

#else

  (void)conn;

#endif

}

#ifdef USE_WINDOWS_SSPI

CURLcode Curl_ntlm_global_init()

{

  /* If security interface is not yet initialized try to do this */

  if(s_hSecDll == NULL) {

    /* Determine Windows version. Security functions are located in

     * security.dll on WinNT 4.0 and in secur32.dll on Win9x. Win2K and XP

     * contain both these DLLs (security.dll just forwards calls to

     * secur32.dll)

     */

    OSVERSIONINFO osver;

    osver.dwOSVersionInfoSize = sizeof(osver);

    GetVersionEx(&osver);

    if(osver.dwPlatformId == VER_PLATFORM_WIN32_NT

      && osver.dwMajorVersion == 4)

      s_hSecDll = LoadLibrary("security.dll");

    else

      s_hSecDll = LoadLibrary("secur32.dll");

    if(s_hSecDll != NULL) {

      INIT_SECURITY_INTERFACE pInitSecurityInterface;

      pInitSecurityInterface =

        (INIT_SECURITY_INTERFACE)GetProcAddress(s_hSecDll,

                                                "InitSecurityInterfaceA");

      if(pInitSecurityInterface != NULL)

        s_pSecFn = pInitSecurityInterface();

    }

  }

  if(s_pSecFn == NULL)

    return CURLE_RECV_ERROR;

  return CURLE_OK;

}

void Curl_ntlm_global_cleanup()

{

  if(s_hSecDll != NULL) {

    FreeLibrary(s_hSecDll);

    s_hSecDll = NULL;

    s_pSecFn = NULL;

  }

#else

  (void)conn;

#endif

}

#endif

#endif /* USE_NTLM */

#endif /* !CURL_DISABLE_HTTP */

 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms

#define Curl_ntlm_cleanup(x)

#endif

#ifdef USE_WINDOWS_SSPI

CURLcode Curl_ntlm_global_init();

void Curl_ntlm_global_cleanup();

#endif

/* Flag bits definitions based on http://davenport.sourceforge.net/ntlm.html */