| blob | de52043d3dc1d5225cfb5eeff383f4b39d540a8b |
1 --- src/ne_auth.c 2010-10-14 17:00:53.000000000 +0200
2 +++ src/ne_auth.c 2011-02-03 10:31:22.000000000 +0100
3 @@ -367,7 +367,7 @@
4 static int get_credentials(auth_session *sess, ne_buffer **errmsg, int attempt,
5 struct auth_challenge *chall, char *pwbuf)
6 {
7 - if (chall->handler->creds(chall->handler->userdata, sess->realm,
8 + if (chall->handler->creds(chall->handler->userdata, chall->protocol->name, sess->realm,
9 chall->handler->attempt++, sess->username, pwbuf) == 0) {
10 return 0;
11 } else {
12 @@ -385,15 +385,19 @@
13 {
14 char *tmp, password[NE_ABUFSIZ];
16 +#if 0 /* Workaround - IIS sends challenge without realm. */
17 +
18 /* Verify challenge... must have a realm */
19 if (parms->realm == NULL) {
20 challenge_error(errmsg, _("missing realm in Basic challenge"));
21 return -1;
22 }
23 +#endif
25 clean_session(sess);
27 - sess->realm = ne_strdup(parms->realm);
28 + if (parms->realm != NULL)
29 + sess->realm = ne_strdup(parms->realm);
31 if (get_credentials(sess, errmsg, attempt, parms, password)) {
32 /* Failed to get credentials */
33 @@ -610,10 +614,12 @@
34 return NULL;
35 }
37 -static int continue_sspi(auth_session *sess, int ntlm, const char *hdr)
38 +static int continue_sspi(auth_session *sess, int ntlm, const char *hdr,
39 + int attempt, struct auth_challenge *parms, ne_buffer **errmsg)
40 {
41 int status;
42 char *response = NULL;
43 + char password[NE_ABUFSIZ];
45 NE_DEBUG(NE_DBG_HTTPAUTH, "auth: SSPI challenge.\n");
47 @@ -630,8 +636,17 @@
48 return status;
49 }
50 }
51 -
52 - status = ne_sspi_authenticate(sess->sspi_context, hdr, &response);
53 +
54 + /* Authentification needs more than one http request.
55 + * As long as authentification in progress use the existing credentials.
56 + * Otherwise get new credentials.*/
57 + if (!hdr)
58 + if (get_credentials(sess, errmsg, attempt, parms, password)) {
59 + /* Failed to get credentials */
60 + return -1;
61 + }
62 +
63 + status = ne_sspi_authenticate(sess->sspi_context, hdr, &response, sess->username, password);
64 if (status) {
65 return status;
66 }
67 @@ -651,7 +666,7 @@
68 {
69 int ntlm = ne_strcasecmp(parms->protocol->name, "NTLM") == 0;
71 - return continue_sspi(sess, ntlm, parms->opaque);
72 + return continue_sspi(sess, ntlm, parms->opaque, attempt, parms, errmsg);
73 }
75 static int verify_sspi(struct auth_request *req, auth_session *sess,
76 @@ -674,7 +689,7 @@
77 return NE_OK;
78 }
80 - return continue_sspi(sess, ntlm, ptr);
81 + return continue_sspi(sess, ntlm, ptr, 0, NULL, NULL);
82 }
84 #endif
85 --- src/ne_auth.h 2009-09-01 22:13:12.000000000 +0200
86 +++ src/ne_auth.h 2011-02-03 10:26:20.000000000 +0100
87 @@ -47,8 +47,8 @@
88 * Hint: if you just wish to attempt authentication just once (even if
89 * the user gets the username/password wrong), have the callback
90 * function use 'attempt' value as the function return value. */
91 -typedef int (*ne_auth_creds)(void *userdata, const char *realm, int attempt,
92 - char *username, char *password);
93 +typedef int (*ne_auth_creds)(void *userdata, const char * auth_protocol,
94 + const char *realm, int attempt, char *username, char *password);
96 /* Set callbacks to provide credentials for server and proxy
97 * authentication, using the default set of authentication protocols.
98 --- src/ne_defs.h 2010-01-11 23:57:34.000000000 +0100
99 +++ src/ne_defs.h 2011-02-03 10:26:20.000000000 +0100
100 @@ -41,7 +41,7 @@
101 #endif
103 /* define ssize_t for Win32 */
104 -#if defined(WIN32) && !defined(ssize_t)
105 +#if defined(WIN32) && !defined(ssize_t) && !defined(__MINGW32__)
106 #define ssize_t int
107 #endif
109 --- src/ne_locks.c 2007-02-05 11:09:27.000000000 +0100
110 +++ src/ne_locks.c 2011-02-03 10:26:21.000000000 +0100
111 @@ -579,6 +579,23 @@
112 const char *token = ne_get_response_header(ctx->req, "Lock-Token");
113 /* at the root element; retrieve the Lock-Token header,
114 * and bail if it wasn't given. */
115 +#ifdef IIS_LOCK_BUG_WORKAROUND
116 + /* MS IIS violates RFC 2518/4918. It does not send a Lock-Token response
117 + header upon successful creation of a new lock. As a workaround, we
118 + will try to pick the lock token from the response body (although
119 + this is not 100% safe in case of multiple activelocks). */
120 + if (token == NULL)
121 + NE_DEBUG(NE_DBG_LOCKS,
122 + "Ignoring missing LOCK response Lock-Token header\n");
123 +
124 + if (token != NULL) {
125 + if (token[0] == '<') token++;
126 + ctx->token = ne_strdup(token);
127 + ne_shave(ctx->token, ">");
128 + NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
129 + ctx->token);
130 + }
131 +#else
132 if (token == NULL) {
133 ne_xml_set_error(ctx->parser,
134 _("LOCK response missing Lock-Token header"));
135 @@ -590,12 +607,28 @@
136 ne_shave(ctx->token, ">");
137 NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
138 ctx->token);
139 +#endif
140 }
142 /* TODO: only accept 'prop' as root for LOCK response */
143 if (!can_accept(parent, id))
144 return NE_XML_DECLINE;
146 +#ifdef IIS_LOCK_BUG_WORKAROUND
147 + if (id == ELM_activelock && ctx->found) {
148 + /* Found another activelock... */
149 + const char *token = ne_get_response_header(ctx->req, "Lock-Token");
150 + if (token == NULL) {
151 + /* Response contains more than one activelock and no Lock-Token
152 + * response header. We are doomed. No safe workaround for IIS
153 + * lock bug possible. */
154 + ne_xml_set_error(ctx->parser,
155 + _("LOCK response missing Lock-Token header and more than one activelock"));
156 + return NE_XML_ABORT;
157 + }
158 + }
159 +#endif
160 +
161 if (id == ELM_activelock && !ctx->found) {
162 /* a new activelock */
163 ne_lock_free(&ctx->active);
164 @@ -621,7 +654,12 @@
165 return -1;
167 if (state == ELM_activelock) {
168 +#ifdef IIS_LOCK_BUG_WORKAROUND
169 + if (ctx->active.token) {
170 + ctx->token = ne_strdup(ctx->active.token);
171 +#else
172 if (ctx->active.token && strcmp(ctx->active.token, ctx->token) == 0) {
173 +#endif
174 ctx->found = 1;
175 }
176 }
177 --- src/ne_sspi.c 2007-08-10 17:26:08.000000000 +0200
178 +++ src/ne_sspi.c 2011-02-03 10:26:21.000000000 +0100
179 @@ -206,6 +206,45 @@
180 }
182 /*
183 + * Simplification wrapper arround AcquireCredentialsHandle as most of
184 + * the parameters do not change.
185 + */
186 +static int acquireCredentialsHandleForUsername(CredHandle * credentials, char *package, const char *username, const char *password)
187 +{
188 + SECURITY_STATUS status;
189 + TimeStamp timestamp;
190 +
191 + const char *domain = "";
192 +
193 + int rc, rcISC;
194 + SecPkgInfo *secPackInfo;
195 + SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
196 + int bytesReceived = 0, bytesSent = 0;
197 +
198 + nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof(SEC_WINNT_AUTH_IDENTITY) );
199 + memset( nameAndPwd, '\0', sizeof (*nameAndPwd) );
200 + nameAndPwd->Domain = (unsigned char *) _strdup( domain? domain: "" );
201 + nameAndPwd->DomainLength = domain? strlen( domain ): 0;
202 + nameAndPwd->User = (unsigned char *) _strdup( username? username: "" );
203 + nameAndPwd->UserLength = username? strlen( username ): 0;
204 + nameAndPwd->Password = (unsigned char *) _strdup( password? password: "" );
205 + nameAndPwd->PasswordLength = password? strlen( password ): 0;
206 + nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
207 +
208 + status = pSFT->AcquireCredentialsHandle( NULL, package, SECPKG_CRED_OUTBOUND,
209 + NULL, nameAndPwd, NULL, NULL, credentials, ×tamp );
210 +
211 + if (status != SEC_E_OK) {
212 + NE_DEBUG(NE_DBG_HTTPAUTH,
213 + "sspi: AcquireCredentialsHandle [fail] [%x].\n", status);
214 + return -1;
215 + }
216 +
217 + return 0;
218 +}
219 +
220 +
221 +/*
222 * Wrapper arround initializeSecurityContext. Supplies several
223 * default parameters as well as logging in case of errors.
224 */
225 @@ -483,7 +522,7 @@
226 * Processes received authentication tokens as well as supplies the
227 * response token.
228 */
229 -int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken)
230 +int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken, const char* username, const char* password)
231 {
232 SecBufferDesc outBufferDesc;
233 SecBuffer outBuffer;
234 @@ -561,13 +600,22 @@
235 /* Reset any existing context since we are starting over */
236 resetContext(sspiContext);
238 - if (acquireCredentialsHandle
239 - (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
240 - freeBuffer(&outBufferDesc);
241 - NE_DEBUG(NE_DBG_HTTPAUTH,
242 - "sspi: acquireCredentialsHandle failed.\n");
243 - return -1;
244 - }
245 + if (strlen(username) != 0) {
246 + if (acquireCredentialsHandleForUsername
247 + (&sspiContext->credentials, sspiContext->mechanism, username, password) != SEC_E_OK) {
248 + freeBuffer(&outBufferDesc);
249 + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandleForUsername failed.\n");
250 + return -1;
251 + }
252 + } else {
253 + if (acquireCredentialsHandle
254 + (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
255 + freeBuffer(&outBufferDesc);
256 + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandle failed.\n");
257 + return -1;
258 + }
259 + }
260 +
262 securityStatus =
263 initializeSecurityContext(&sspiContext->credentials, NULL,
264 --- src/ne_sspi.h 2006-02-12 13:05:14.000000000 +0100
265 +++ src/ne_sspi.h 2011-02-03 10:26:21.000000000 +0100
266 @@ -41,7 +41,7 @@
267 int ne_sspi_clear_context(void *context);
269 int ne_sspi_authenticate(void *context, const char *base64Token,
270 - char **responseToken);
271 + char **responseToken, const char* username, const char* password);
273 #endif /* HAVE_SSPI */
275 --- src/ne_uri.c 2007-12-05 12:04:47.000000000 +0100
276 +++ src/ne_uri.c 2011-02-03 10:26:21.000000000 +0100
277 @@ -42,7 +42,7 @@
278 #include "ne_alloc.h"
279 #include "ne_uri.h"
281 -/* URI ABNF from RFC 3986: */
282 +/* URI ABNF from RFC 3986: (TKR: SharePoint is contradictory to this RFC. So I fix it here. )*/
284 #define PS (0x0001) /* "+" */
285 #define PC (0x0002) /* "%" */
286 @@ -67,6 +67,9 @@
288 #define OT (0x4000) /* others */
290 +/* TKR new symbol */
291 +#define WS (0x8000) /* Whitespaces ( Space, Tab ) */
292 +
293 #define URI_ALPHA (AL)
294 #define URI_DIGIT (DG)
296 @@ -83,20 +86,21 @@
297 /* pchar = unreserved / pct-encoded / sub-delims / ":" / "@" */
298 #define URI_PCHAR (URI_UNRESERVED | PC | URI_SUBDELIM | CL | AT)
299 /* invented: segchar = pchar / "/" */
300 -#define URI_SEGCHAR (URI_PCHAR | FS)
301 +/* (TKR) WS added */
302 +#define URI_SEGCHAR (URI_PCHAR | FS | WS)
303 /* query = *( pchar / "/" / "?" ) */
304 #define URI_QUERY (URI_PCHAR | FS | QU)
305 /* fragment == query */
306 #define URI_FRAGMENT URI_QUERY
308 /* any characters which should be path-escaped: */
309 -#define URI_ESCAPE ((URI_GENDELIM & ~(FS)) | URI_SUBDELIM | OT | PC)
310 +#define URI_ESCAPE ((URI_GENDELIM & ~(FS)) | URI_SUBDELIM | OT | WS | PC)
312 static const unsigned int uri_chars[256] = {
313 /* 0xXX x0 x2 x4 x6 x8 xA xC xE */
314 -/* 0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
315 +/* 0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, WS, OT, OT, OT, OT, OT, OT,
316 /* 1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
317 -/* 2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
318 +/* 2x */ WS, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
319 /* 3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
320 /* 4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
321 /* 5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
322 --- src/ne_utils.c 2006-03-07 10:36:43.000000000 +0100
323 +++ src/ne_utils.c 2011-02-03 10:26:21.000000000 +0100
324 @@ -118,6 +118,9 @@
325 #ifdef HAVE_GNUTLS
326 ", GNU TLS " LIBGNUTLS_VERSION
327 #endif /* HAVE_GNUTLS */
328 +#ifdef HAVE_SSPI
329 + ", SSPI"
330 +#endif /* HAVE_SSPI */
331 "."
332 ;
334 @@ -137,7 +140,7 @@
335 switch (feature) {
336 #if defined(NE_HAVE_SSL) || defined(NE_HAVE_ZLIB) || defined(NE_HAVE_IPV6) \
337 || defined(NE_HAVE_SOCKS) || defined(NE_HAVE_LFS) \
338 - || defined(NE_HAVE_TS_SSL) || defined(NE_HAVE_I18N)
339 + || defined(NE_HAVE_TS_SSL) || defined(NE_HAVE_I18N) || defined(HAVE_SSPI)
340 #ifdef NE_HAVE_SSL
341 case NE_FEATURE_SSL:
342 #endif
343 @@ -159,6 +162,9 @@
344 #ifdef NE_HAVE_I18N
345 case NE_FEATURE_I18N:
346 #endif
347 +#ifdef HAVE_SSPI
348 + case NE_FEATURE_SSPI:
349 +#endif
350 return 1;
351 #endif /* NE_HAVE_* */
352 default:
353 --- src/ne_utils.h 2007-07-16 08:54:57.000000000 +0200
354 +++ src/ne_utils.h 2011-02-03 10:26:21.000000000 +0100
355 @@ -54,6 +54,7 @@
356 #define NE_FEATURE_SOCKS (5) /* SOCKSv5 support */
357 #define NE_FEATURE_TS_SSL (6) /* Thread-safe SSL/TLS support */
358 #define NE_FEATURE_I18N (7) /* i18n error message support */
359 +#define NE_FEATURE_SSPI (8) /* NTLM/Negotiate authentication protocol via SSPI */
361 /* Returns non-zero if library is built with support for the given
362 * NE_FEATURE_* feature code 'code'. */
363 --- src/ne_openssl.c
364 +++ src/ne_openssl.c
365 @@ -41,6 +41,13 @@
366 #include <pthread.h>
367 #endif
369 +#ifdef WIN32
370 +#define X509_NAME WIN32_X509_NAME
371 +#include <windows.h>
372 +#include <wincrypt.h>
373 +#undef X509_NAME
374 +#endif
375 +
376 #include "ne_ssl.h"
377 #include "ne_string.h"
378 #include "ne_session.h"
379 @@ -798,6 +798,31 @@
380 X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
381 #else
382 X509_STORE_set_default_paths(store);
383 +#ifdef WIN32
384 + {
385 + HCERTSTORE hStore;
386 + PCCERT_CONTEXT pContext = NULL;
387 + X509 *x509;
388 +
389 + hStore = CertOpenSystemStore(0, "ROOT");
390 + if (hStore)
391 + {
392 + while (pContext = CertEnumCertificatesInStore(hStore, pContext))
393 + {
394 + x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
395 + if (x509)
396 + {
397 + X509_STORE_add_cert(store, x509);
398 + X509_free(x509);
399 + }
400 + }
401 + }
402 +
403 + CertFreeCertificateContext(pContext);
404 + CertCloseStore(hStore, 0);
405 + }
406 +#endif
407 +
408 #endif
409 }