| blob | fa0c1938d4aa06a41b6009254aece362738ff098 |
1 --- src/ne_auth.c 2010-10-14 17:00:53.000000000 +0200
2 +++ src/ne_auth.c 2011-02-03 10:31:22.000000000 +0100
3 @@ -367,7 +367,7 @@
4 static int get_credentials(auth_session *sess, ne_buffer **errmsg, int attempt,
5 struct auth_challenge *chall, char *pwbuf)
6 {
7 - if (chall->handler->creds(chall->handler->userdata, sess->realm,
8 + if (chall->handler->creds(chall->handler->userdata, chall->protocol->name, sess->realm,
9 chall->handler->attempt++, sess->username, pwbuf) == 0) {
10 return 0;
11 } else {
12 @@ -385,15 +385,19 @@
13 {
14 char *tmp, password[NE_ABUFSIZ];
16 +#if 0 /* Workaround - IIS sends challenge without realm. */
17 +
18 /* Verify challenge... must have a realm */
19 if (parms->realm == NULL) {
20 challenge_error(errmsg, _("missing realm in Basic challenge"));
21 return -1;
22 }
23 +#endif
25 clean_session(sess);
27 - sess->realm = ne_strdup(parms->realm);
28 + if (parms->realm != NULL)
29 + sess->realm = ne_strdup(parms->realm);
31 if (get_credentials(sess, errmsg, attempt, parms, password)) {
32 /* Failed to get credentials */
33 @@ -610,10 +614,12 @@
34 return NULL;
35 }
37 -static int continue_sspi(auth_session *sess, int ntlm, const char *hdr)
38 +static int continue_sspi(auth_session *sess, int ntlm, const char *hdr,
39 + int attempt, struct auth_challenge *parms, ne_buffer **errmsg)
40 {
41 int status;
42 char *response = NULL;
43 + char password[NE_ABUFSIZ];
45 NE_DEBUG(NE_DBG_HTTPAUTH, "auth: SSPI challenge.\n");
47 @@ -630,8 +636,17 @@
48 return status;
49 }
50 }
51 -
52 - status = ne_sspi_authenticate(sess->sspi_context, hdr, &response);
53 +
54 + /* Authentification needs more than one http request.
55 + * As long as authentification in progress use the existing credentials.
56 + * Otherwise get new credentials.*/
57 + if (!hdr)
58 + if (get_credentials(sess, errmsg, attempt, parms, password)) {
59 + /* Failed to get credentials */
60 + return -1;
61 + }
62 +
63 + status = ne_sspi_authenticate(sess->sspi_context, hdr, &response, sess->username, password);
64 if (status) {
65 return status;
66 }
67 @@ -651,7 +666,7 @@
68 {
69 int ntlm = ne_strcasecmp(parms->protocol->name, "NTLM") == 0;
71 - return continue_sspi(sess, ntlm, parms->opaque);
72 + return continue_sspi(sess, ntlm, parms->opaque, attempt, parms, errmsg);
73 }
75 static int verify_sspi(struct auth_request *req, auth_session *sess,
76 @@ -674,7 +689,7 @@
77 return NE_OK;
78 }
80 - return continue_sspi(sess, ntlm, ptr);
81 + return continue_sspi(sess, ntlm, ptr, 0, NULL, NULL);
82 }
84 #endif
85 --- src/ne_auth.h 2009-09-01 22:13:12.000000000 +0200
86 +++ src/ne_auth.h 2011-02-03 10:26:20.000000000 +0100
87 @@ -47,8 +47,8 @@
88 * Hint: if you just wish to attempt authentication just once (even if
89 * the user gets the username/password wrong), have the callback
90 * function use 'attempt' value as the function return value. */
91 -typedef int (*ne_auth_creds)(void *userdata, const char *realm, int attempt,
92 - char *username, char *password);
93 +typedef int (*ne_auth_creds)(void *userdata, const char * auth_protocol,
94 + const char *realm, int attempt, char *username, char *password);
96 /* Set callbacks to provide credentials for server and proxy
97 * authentication, using the default set of authentication protocols.
98 --- src/ne_locks.c 2007-02-05 11:09:27.000000000 +0100
99 +++ src/ne_locks.c 2011-02-03 10:26:21.000000000 +0100
100 @@ -579,6 +579,23 @@
101 const char *token = ne_get_response_header(ctx->req, "Lock-Token");
102 /* at the root element; retrieve the Lock-Token header,
103 * and bail if it wasn't given. */
104 +#ifdef IIS_LOCK_BUG_WORKAROUND
105 + /* MS IIS violates RFC 2518/4918. It does not send a Lock-Token response
106 + header upon successful creation of a new lock. As a workaround, we
107 + will try to pick the lock token from the response body (although
108 + this is not 100% safe in case of multiple activelocks). */
109 + if (token == NULL)
110 + NE_DEBUG(NE_DBG_LOCKS,
111 + "Ignoring missing LOCK response Lock-Token header\n");
112 +
113 + if (token != NULL) {
114 + if (token[0] == '<') token++;
115 + ctx->token = ne_strdup(token);
116 + ne_shave(ctx->token, ">");
117 + NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
118 + ctx->token);
119 + }
120 +#else
121 if (token == NULL) {
122 ne_xml_set_error(ctx->parser,
123 _("LOCK response missing Lock-Token header"));
124 @@ -590,12 +607,28 @@
125 ne_shave(ctx->token, ">");
126 NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
127 ctx->token);
128 +#endif
129 }
131 /* TODO: only accept 'prop' as root for LOCK response */
132 if (!can_accept(parent, id))
133 return NE_XML_DECLINE;
135 +#ifdef IIS_LOCK_BUG_WORKAROUND
136 + if (id == ELM_activelock && ctx->found) {
137 + /* Found another activelock... */
138 + const char *token = ne_get_response_header(ctx->req, "Lock-Token");
139 + if (token == NULL) {
140 + /* Response contains more than one activelock and no Lock-Token
141 + * response header. We are doomed. No safe workaround for IIS
142 + * lock bug possible. */
143 + ne_xml_set_error(ctx->parser,
144 + _("LOCK response missing Lock-Token header and more than one activelock"));
145 + return NE_XML_ABORT;
146 + }
147 + }
148 +#endif
149 +
150 if (id == ELM_activelock && !ctx->found) {
151 /* a new activelock */
152 ne_lock_free(&ctx->active);
153 @@ -621,7 +654,12 @@
154 return -1;
156 if (state == ELM_activelock) {
157 +#ifdef IIS_LOCK_BUG_WORKAROUND
158 + if (ctx->active.token) {
159 + ctx->token = ne_strdup(ctx->active.token);
160 +#else
161 if (ctx->active.token && strcmp(ctx->active.token, ctx->token) == 0) {
162 +#endif
163 ctx->found = 1;
164 }
165 }
166 --- src/ne_sspi.c 2007-08-10 17:26:08.000000000 +0200
167 +++ src/ne_sspi.c 2011-02-03 10:26:21.000000000 +0100
168 @@ -206,6 +206,45 @@
169 }
171 /*
172 + * Simplification wrapper arround AcquireCredentialsHandle as most of
173 + * the parameters do not change.
174 + */
175 +static int acquireCredentialsHandleForUsername(CredHandle * credentials, char *package, const char *username, const char *password)
176 +{
177 + SECURITY_STATUS status;
178 + TimeStamp timestamp;
179 +
180 + const char *domain = "";
181 +
182 + int rc, rcISC;
183 + SecPkgInfo *secPackInfo;
184 + SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
185 + int bytesReceived = 0, bytesSent = 0;
186 +
187 + nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof(SEC_WINNT_AUTH_IDENTITY) );
188 + memset( nameAndPwd, '\0', sizeof (*nameAndPwd) );
189 + nameAndPwd->Domain = (unsigned char *) _strdup( domain? domain: "" );
190 + nameAndPwd->DomainLength = domain? strlen( domain ): 0;
191 + nameAndPwd->User = (unsigned char *) _strdup( username? username: "" );
192 + nameAndPwd->UserLength = username? strlen( username ): 0;
193 + nameAndPwd->Password = (unsigned char *) _strdup( password? password: "" );
194 + nameAndPwd->PasswordLength = password? strlen( password ): 0;
195 + nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
196 +
197 + status = pSFT->AcquireCredentialsHandle( NULL, package, SECPKG_CRED_OUTBOUND,
198 + NULL, nameAndPwd, NULL, NULL, credentials, ×tamp );
199 +
200 + if (status != SEC_E_OK) {
201 + NE_DEBUG(NE_DBG_HTTPAUTH,
202 + "sspi: AcquireCredentialsHandle [fail] [%x].\n", status);
203 + return -1;
204 + }
205 +
206 + return 0;
207 +}
208 +
209 +
210 +/*
211 * Wrapper arround initializeSecurityContext. Supplies several
212 * default parameters as well as logging in case of errors.
213 */
214 @@ -483,7 +522,7 @@
215 * Processes received authentication tokens as well as supplies the
216 * response token.
217 */
218 -int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken)
219 +int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken, const char* username, const char* password)
220 {
221 SecBufferDesc outBufferDesc;
222 SecBuffer outBuffer;
223 @@ -561,13 +600,22 @@
224 /* Reset any existing context since we are starting over */
225 resetContext(sspiContext);
227 - if (acquireCredentialsHandle
228 - (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
229 - freeBuffer(&outBufferDesc);
230 - NE_DEBUG(NE_DBG_HTTPAUTH,
231 - "sspi: acquireCredentialsHandle failed.\n");
232 - return -1;
233 - }
234 + if (strlen(username) != 0) {
235 + if (acquireCredentialsHandleForUsername
236 + (&sspiContext->credentials, sspiContext->mechanism, username, password) != SEC_E_OK) {
237 + freeBuffer(&outBufferDesc);
238 + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandleForUsername failed.\n");
239 + return -1;
240 + }
241 + } else {
242 + if (acquireCredentialsHandle
243 + (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
244 + freeBuffer(&outBufferDesc);
245 + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandle failed.\n");
246 + return -1;
247 + }
248 + }
249 +
251 securityStatus =
252 initializeSecurityContext(&sspiContext->credentials, NULL,
253 --- src/ne_sspi.h 2006-02-12 13:05:14.000000000 +0100
254 +++ src/ne_sspi.h 2011-02-03 10:26:21.000000000 +0100
255 @@ -41,7 +41,7 @@
256 int ne_sspi_clear_context(void *context);
258 int ne_sspi_authenticate(void *context, const char *base64Token,
259 - char **responseToken);
260 + char **responseToken, const char* username, const char* password);
262 #endif /* HAVE_SSPI */
264 --- src/ne_uri.c 2007-12-05 12:04:47.000000000 +0100
265 +++ src/ne_uri.c 2011-02-03 10:26:21.000000000 +0100
266 @@ -42,7 +42,7 @@
267 #include "ne_alloc.h"
268 #include "ne_uri.h"
270 -/* URI ABNF from RFC 3986: */
271 +/* URI ABNF from RFC 3986: (TKR: SharePoint is contradictory to this RFC. So I fix it here. )*/
273 #define PS (0x0001) /* "+" */
274 #define PC (0x0002) /* "%" */
275 @@ -67,6 +67,9 @@
277 #define OT (0x4000) /* others */
279 +/* TKR new symbol */
280 +#define WS (0x8000) /* Whitespaces ( Space, Tab ) */
281 +
282 #define URI_ALPHA (AL)
283 #define URI_DIGIT (DG)
285 @@ -83,20 +86,21 @@
286 /* pchar = unreserved / pct-encoded / sub-delims / ":" / "@" */
287 #define URI_PCHAR (URI_UNRESERVED | PC | URI_SUBDELIM | CL | AT)
288 /* invented: segchar = pchar / "/" */
289 -#define URI_SEGCHAR (URI_PCHAR | FS)
290 +/* (TKR) WS added */
291 +#define URI_SEGCHAR (URI_PCHAR | FS | WS)
292 /* query = *( pchar / "/" / "?" ) */
293 #define URI_QUERY (URI_PCHAR | FS | QU)
294 /* fragment == query */
295 #define URI_FRAGMENT URI_QUERY
297 /* any characters which should be path-escaped: */
298 -#define URI_ESCAPE ((URI_GENDELIM & ~(FS)) | URI_SUBDELIM | OT | PC)
299 +#define URI_ESCAPE ((URI_GENDELIM & ~(FS)) | URI_SUBDELIM | OT | WS | PC)
301 static const unsigned int uri_chars[256] = {
302 /* 0xXX x0 x2 x4 x6 x8 xA xC xE */
303 -/* 0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
304 +/* 0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, WS, OT, OT, OT, OT, OT, OT,
305 /* 1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
306 -/* 2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
307 +/* 2x */ WS, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
308 /* 3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
309 /* 4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
310 /* 5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
311 --- src/ne_openssl.c
312 +++ src/ne_openssl.c
313 @@ -43,6 +43,13 @@
314 #endif
315 #endif
317 +#ifdef _WIN32
318 +#define X509_NAME WIN32_X509_NAME
319 +#include <windows.h>
320 +#include <wincrypt.h>
321 +#undef X509_NAME
322 +#endif
323 +
324 #include "ne_ssl.h"
325 #include "ne_string.h"
326 #include "ne_session.h"
327 @@ -798,6 +805,31 @@
328 X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
329 #else
330 X509_STORE_set_default_paths(store);
331 +#ifdef _WIN32
332 + {
333 + HCERTSTORE hStore;
334 + PCCERT_CONTEXT pContext = NULL;
335 + X509 *x509;
336 +
337 + hStore = CertOpenSystemStore(0, "ROOT");
338 + if (hStore)
339 + {
340 + while (pContext = CertEnumCertificatesInStore(hStore, pContext))
341 + {
342 + x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
343 + if (x509)
344 + {
345 + X509_STORE_add_cert(store, x509);
346 + X509_free(x509);
347 + }
348 + }
349 + }
350 +
351 + CertFreeCertificateContext(pContext);
352 + CertCloseStore(hStore, 0);
353 + }
354 +#endif
355 +
356 #endif
357 }