| blob | 23aef0d0fe85122433409b0f241e1817a403eef4 |
1 --- src/ne_auth.c 2010-10-14 17:00:53.000000000 +0200
2 +++ src/ne_auth.c 2011-02-03 10:31:22.000000000 +0100
3 @@ -367,7 +367,7 @@
4 static int get_credentials(auth_session *sess, ne_buffer **errmsg, int attempt,
5 struct auth_challenge *chall, char *pwbuf)
6 {
7 - if (chall->handler->creds(chall->handler->userdata, sess->realm,
8 + if (chall->handler->creds(chall->handler->userdata, chall->protocol->name, sess->realm,
9 chall->handler->attempt++, sess->username, pwbuf) == 0) {
10 return 0;
11 } else {
12 @@ -385,15 +385,19 @@
13 {
14 char *tmp, password[NE_ABUFSIZ];
16 +#if 0 /* Workaround - IIS sends challenge without realm. */
17 +
18 /* Verify challenge... must have a realm */
19 if (parms->realm == NULL) {
20 challenge_error(errmsg, _("missing realm in Basic challenge"));
21 return -1;
22 }
23 +#endif
25 clean_session(sess);
27 - sess->realm = ne_strdup(parms->realm);
28 + if (parms->realm != NULL)
29 + sess->realm = ne_strdup(parms->realm);
31 if (get_credentials(sess, errmsg, attempt, parms, password)) {
32 /* Failed to get credentials */
33 @@ -610,10 +614,12 @@
34 return NULL;
35 }
37 -static int continue_sspi(auth_session *sess, int ntlm, const char *hdr)
38 +static int continue_sspi(auth_session *sess, int ntlm, const char *hdr,
39 + int attempt, struct auth_challenge *parms, ne_buffer **errmsg)
40 {
41 int status;
42 char *response = NULL;
43 + char password[NE_ABUFSIZ];
45 NE_DEBUG(NE_DBG_HTTPAUTH, "auth: SSPI challenge.\n");
47 @@ -630,8 +636,17 @@
48 return status;
49 }
50 }
51 -
52 - status = ne_sspi_authenticate(sess->sspi_context, hdr, &response);
53 +
54 + /* Authentification needs more than one http request.
55 + * As long as authentification in progress use the existing credentials.
56 + * Otherwise get new credentials.*/
57 + if (!hdr)
58 + if (get_credentials(sess, errmsg, attempt, parms, password)) {
59 + /* Failed to get credentials */
60 + return -1;
61 + }
62 +
63 + status = ne_sspi_authenticate(sess->sspi_context, hdr, &response, sess->username, password);
64 if (status) {
65 return status;
66 }
67 @@ -651,7 +666,7 @@
68 {
69 int ntlm = ne_strcasecmp(parms->protocol->name, "NTLM") == 0;
71 - return continue_sspi(sess, ntlm, parms->opaque);
72 + return continue_sspi(sess, ntlm, parms->opaque, attempt, parms, errmsg);
73 }
75 static int verify_sspi(struct auth_request *req, auth_session *sess,
76 @@ -674,7 +689,7 @@
77 return NE_OK;
78 }
80 - return continue_sspi(sess, ntlm, ptr);
81 + return continue_sspi(sess, ntlm, ptr, 0, NULL, NULL);
82 }
84 #endif
85 --- src/ne_auth.h 2009-09-01 22:13:12.000000000 +0200
86 +++ src/ne_auth.h 2011-02-03 10:26:20.000000000 +0100
87 @@ -47,8 +47,8 @@
88 * Hint: if you just wish to attempt authentication just once (even if
89 * the user gets the username/password wrong), have the callback
90 * function use 'attempt' value as the function return value. */
91 -typedef int (*ne_auth_creds)(void *userdata, const char *realm, int attempt,
92 - char *username, char *password);
93 +typedef int (*ne_auth_creds)(void *userdata, const char * auth_protocol,
94 + const char *realm, int attempt, char *username, char *password);
96 /* Set callbacks to provide credentials for server and proxy
97 * authentication, using the default set of authentication protocols.
98 --- src/ne_locks.c 2007-02-05 11:09:27.000000000 +0100
99 +++ src/ne_locks.c 2011-02-03 10:26:21.000000000 +0100
100 @@ -579,6 +579,23 @@
101 const char *token = ne_get_response_header(ctx->req, "Lock-Token");
102 /* at the root element; retrieve the Lock-Token header,
103 * and bail if it wasn't given. */
104 +#ifdef IIS_LOCK_BUG_WORKAROUND
105 + /* MS IIS violates RFC 2518/4918. It does not send a Lock-Token response
106 + header upon successful creation of a new lock. As a workaround, we
107 + will try to pick the lock token from the response body (although
108 + this is not 100% safe in case of multiple activelocks). */
109 + if (token == NULL)
110 + NE_DEBUG(NE_DBG_LOCKS,
111 + "Ignoring missing LOCK response Lock-Token header\n");
112 +
113 + if (token != NULL) {
114 + if (token[0] == '<') token++;
115 + ctx->token = ne_strdup(token);
116 + ne_shave(ctx->token, ">");
117 + NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
118 + ctx->token);
119 + }
120 +#else
121 if (token == NULL) {
122 ne_xml_set_error(ctx->parser,
123 _("LOCK response missing Lock-Token header"));
124 @@ -590,12 +607,28 @@
125 ne_shave(ctx->token, ">");
126 NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
127 ctx->token);
128 +#endif
129 }
131 /* TODO: only accept 'prop' as root for LOCK response */
132 if (!can_accept(parent, id))
133 return NE_XML_DECLINE;
135 +#ifdef IIS_LOCK_BUG_WORKAROUND
136 + if (id == ELM_activelock && ctx->found) {
137 + /* Found another activelock... */
138 + const char *token = ne_get_response_header(ctx->req, "Lock-Token");
139 + if (token == NULL) {
140 + /* Response contains more than one activelock and no Lock-Token
141 + * response header. We are doomed. No safe workaround for IIS
142 + * lock bug possible. */
143 + ne_xml_set_error(ctx->parser,
144 + _("LOCK response missing Lock-Token header and more than one activelock"));
145 + return NE_XML_ABORT;
146 + }
147 + }
148 +#endif
149 +
150 if (id == ELM_activelock && !ctx->found) {
151 /* a new activelock */
152 ne_lock_free(&ctx->active);
153 @@ -621,7 +654,12 @@
154 return -1;
156 if (state == ELM_activelock) {
157 +#ifdef IIS_LOCK_BUG_WORKAROUND
158 + if (ctx->active.token) {
159 + ctx->token = ne_strdup(ctx->active.token);
160 +#else
161 if (ctx->active.token && strcmp(ctx->active.token, ctx->token) == 0) {
162 +#endif
163 ctx->found = 1;
164 }
165 }
166 --- src/ne_sspi.c 2007-08-10 17:26:08.000000000 +0200
167 +++ src/ne_sspi.c 2011-02-03 10:26:21.000000000 +0100
168 @@ -206,6 +206,45 @@
169 }
171 /*
172 + * Simplification wrapper arround AcquireCredentialsHandle as most of
173 + * the parameters do not change.
174 + */
175 +static int acquireCredentialsHandleForUsername(CredHandle * credentials, char *package, const char *username, const char *password)
176 +{
177 + SECURITY_STATUS status;
178 + TimeStamp timestamp;
179 +
180 + const char *domain = "";
181 +
182 + int rc, rcISC;
183 + SecPkgInfo *secPackInfo;
184 + SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
185 + int bytesReceived = 0, bytesSent = 0;
186 +
187 + nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof(SEC_WINNT_AUTH_IDENTITY) );
188 + memset( nameAndPwd, '\0', sizeof (*nameAndPwd) );
189 + nameAndPwd->Domain = (unsigned char *) _strdup( domain? domain: "" );
190 + nameAndPwd->DomainLength = domain? strlen( domain ): 0;
191 + nameAndPwd->User = (unsigned char *) _strdup( username? username: "" );
192 + nameAndPwd->UserLength = username? strlen( username ): 0;
193 + nameAndPwd->Password = (unsigned char *) _strdup( password? password: "" );
194 + nameAndPwd->PasswordLength = password? strlen( password ): 0;
195 + nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
196 +
197 + status = pSFT->AcquireCredentialsHandle( NULL, package, SECPKG_CRED_OUTBOUND,
198 + NULL, nameAndPwd, NULL, NULL, credentials, ×tamp );
199 +
200 + if (status != SEC_E_OK) {
201 + NE_DEBUG(NE_DBG_HTTPAUTH,
202 + "sspi: AcquireCredentialsHandle [fail] [%x].\n", status);
203 + return -1;
204 + }
205 +
206 + return 0;
207 +}
208 +
209 +
210 +/*
211 * Wrapper around initializeSecurityContext. Supplies several
212 * default parameters as well as logging in case of errors.
213 */
214 @@ -483,7 +522,7 @@
215 * Processes received authentication tokens as well as supplies the
216 * response token.
217 */
218 -int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken)
219 +int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken, const char* username, const char* password)
220 {
221 SecBufferDesc outBufferDesc;
222 SecBuffer outBuffer;
223 @@ -561,13 +600,22 @@
224 /* Reset any existing context since we are starting over */
225 resetContext(sspiContext);
227 - if (acquireCredentialsHandle
228 - (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
229 - freeBuffer(&outBufferDesc);
230 - NE_DEBUG(NE_DBG_HTTPAUTH,
231 - "sspi: acquireCredentialsHandle failed.\n");
232 - return -1;
233 - }
234 + if (strlen(username) != 0) {
235 + if (acquireCredentialsHandleForUsername
236 + (&sspiContext->credentials, sspiContext->mechanism, username, password) != SEC_E_OK) {
237 + freeBuffer(&outBufferDesc);
238 + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandleForUsername failed.\n");
239 + return -1;
240 + }
241 + } else {
242 + if (acquireCredentialsHandle
243 + (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
244 + freeBuffer(&outBufferDesc);
245 + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandle failed.\n");
246 + return -1;
247 + }
248 + }
249 +
251 securityStatus =
252 initializeSecurityContext(&sspiContext->credentials, NULL,
253 --- src/ne_sspi.h 2006-02-12 13:05:14.000000000 +0100
254 +++ src/ne_sspi.h 2011-02-03 10:26:21.000000000 +0100
255 @@ -41,7 +41,7 @@
256 int ne_sspi_clear_context(void *context);
258 int ne_sspi_authenticate(void *context, const char *base64Token,
259 - char **responseToken);
260 + char **responseToken, const char* username, const char* password);
262 #endif /* HAVE_SSPI */
264 --- src/ne_openssl.c
265 +++ src/ne_openssl.c
266 @@ -43,6 +43,13 @@
267 #endif
268 #endif
270 +#ifdef _WIN32
271 +#define X509_NAME WIN32_X509_NAME
272 +#include <windows.h>
273 +#include <wincrypt.h>
274 +#undef X509_NAME
275 +#endif
276 +
277 #include "ne_ssl.h"
278 #include "ne_string.h"
279 #include "ne_session.h"
280 @@ -798,6 +805,31 @@
281 X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
282 #else
283 X509_STORE_set_default_paths(store);
284 +#ifdef _WIN32
285 + {
286 + HCERTSTORE hStore;
287 + PCCERT_CONTEXT pContext = NULL;
288 + X509 *x509;
289 +
290 + hStore = CertOpenSystemStore(0, "ROOT");
291 + if (hStore)
292 + {
293 + while (pContext = CertEnumCertificatesInStore(hStore, pContext))
294 + {
295 + x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
296 + if (x509)
297 + {
298 + X509_STORE_add_cert(store, x509);
299 + X509_free(x509);
300 + }
301 + }
302 + }
303 +
304 + CertFreeCertificateContext(pContext);
305 + CertCloseStore(hStore, 0);
306 + }
307 +#endif
308 +
309 #endif
310 }