1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23 #include "curl_setup.h"
24
25 #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
26 defined(NTLM_WB_ENABLED)
27
28 /*
29 * NTLM details:
30 *
31 * http://davenport.sourceforge.net/ntlm.html
32 * http://www.innovation.ch/java/ntlm.html
33 */
34
35 #define DEBUG_ME 0
36
37 #ifdef HAVE_SYS_WAIT_H
38 #include <sys/wait.h>
39 #endif
40 #ifdef HAVE_SIGNAL_H
41 #include <signal.h>
42 #endif
43 #ifdef HAVE_PWD_H
44 #include <pwd.h>
45 #endif
46
47 #include "urldata.h"
48 #include "sendf.h"
49 #include "select.h"
50 #include "curl_ntlm_msgs.h"
51 #include "curl_ntlm_wb.h"
52 #include "url.h"
53 #include "strerror.h"
54 #include "curl_printf.h"
55
56 /* The last #include files should be: */
57 #include "curl_memory.h"
58 #include "memdebug.h"
59
60 #if DEBUG_ME
61 # define DEBUG_OUT(x) x
62 #else
63 # define DEBUG_OUT(x) Curl_nop_stmt
64 #endif
65
66 /* Portable 'sclose_nolog' used only in child process instead of 'sclose'
67 to avoid fooling the socket leak detector */
68 #if defined(HAVE_CLOSESOCKET)
69 # define sclose_nolog(x) closesocket((x))
70 #elif defined(HAVE_CLOSESOCKET_CAMEL)
71 # define sclose_nolog(x) CloseSocket((x))
72 #else
73 # define sclose_nolog(x) close((x))
74 #endif
75
Curl_ntlm_wb_cleanup(struct connectdata * conn)76 void Curl_ntlm_wb_cleanup(struct connectdata *conn)
77 {
78 if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
79 sclose(conn->ntlm_auth_hlpr_socket);
80 conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
81 }
82
83 if(conn->ntlm_auth_hlpr_pid) {
84 int i;
85 for(i = 0; i < 4; i++) {
86 pid_t ret = waitpid(conn->ntlm_auth_hlpr_pid, NULL, WNOHANG);
87 if(ret == conn->ntlm_auth_hlpr_pid || errno == ECHILD)
88 break;
89 switch(i) {
90 case 0:
91 kill(conn->ntlm_auth_hlpr_pid, SIGTERM);
92 break;
93 case 1:
94 /* Give the process another moment to shut down cleanly before
95 bringing down the axe */
96 Curl_wait_ms(1);
97 break;
98 case 2:
99 kill(conn->ntlm_auth_hlpr_pid, SIGKILL);
100 break;
101 case 3:
102 break;
103 }
104 }
105 conn->ntlm_auth_hlpr_pid = 0;
106 }
107
108 free(conn->challenge_header);
109 conn->challenge_header = NULL;
110 free(conn->response_header);
111 conn->response_header = NULL;
112 }
113
ntlm_wb_init(struct connectdata * conn,const char * userp)114 static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
115 {
116 curl_socket_t sockfds[2];
117 pid_t child_pid;
118 const char *username;
119 char *slash, *domain = NULL;
120 const char *ntlm_auth = NULL;
121 char *ntlm_auth_alloc = NULL;
122 #if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
123 struct passwd pw, *pw_res;
124 char pwbuf[1024];
125 #endif
126 int error;
127
128 /* Return if communication with ntlm_auth already set up */
129 if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD ||
130 conn->ntlm_auth_hlpr_pid)
131 return CURLE_OK;
132
133 username = userp;
134 /* The real ntlm_auth really doesn't like being invoked with an
135 empty username. It won't make inferences for itself, and expects
136 the client to do so (mostly because it's really designed for
137 servers like squid to use for auth, and client support is an
138 afterthought for it). So try hard to provide a suitable username
139 if we don't already have one. But if we can't, provide the
140 empty one anyway. Perhaps they have an implementation of the
141 ntlm_auth helper which *doesn't* need it so we might as well try */
142 if(!username || !username[0]) {
143 username = getenv("NTLMUSER");
144 if(!username || !username[0])
145 username = getenv("LOGNAME");
146 if(!username || !username[0])
147 username = getenv("USER");
148 #if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
149 if((!username || !username[0]) &&
150 !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
151 pw_res) {
152 username = pw.pw_name;
153 }
154 #endif
155 if(!username || !username[0])
156 username = userp;
157 }
158 slash = strpbrk(username, "\\/");
159 if(slash) {
160 if((domain = strdup(username)) == NULL)
161 return CURLE_OUT_OF_MEMORY;
162 slash = domain + (slash - username);
163 *slash = '\0';
164 username = username + (slash - domain) + 1;
165 }
166
167 /* For testing purposes, when DEBUGBUILD is defined and environment
168 variable CURL_NTLM_WB_FILE is set a fake_ntlm is used to perform
169 NTLM challenge/response which only accepts commands and output
170 strings pre-written in test case definitions */
171 #ifdef DEBUGBUILD
172 ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE");
173 if(ntlm_auth_alloc)
174 ntlm_auth = ntlm_auth_alloc;
175 else
176 #endif
177 ntlm_auth = NTLM_WB_FILE;
178
179 if(access(ntlm_auth, X_OK) != 0) {
180 error = ERRNO;
181 failf(conn->data, "Could not access ntlm_auth: %s errno %d: %s",
182 ntlm_auth, error, Curl_strerror(conn, error));
183 goto done;
184 }
185
186 if(socketpair(AF_UNIX, SOCK_STREAM, 0, sockfds)) {
187 error = ERRNO;
188 failf(conn->data, "Could not open socket pair. errno %d: %s",
189 error, Curl_strerror(conn, error));
190 goto done;
191 }
192
193 child_pid = fork();
194 if(child_pid == -1) {
195 error = ERRNO;
196 sclose(sockfds[0]);
197 sclose(sockfds[1]);
198 failf(conn->data, "Could not fork. errno %d: %s",
199 error, Curl_strerror(conn, error));
200 goto done;
201 }
202 else if(!child_pid) {
203 /*
204 * child process
205 */
206
207 /* Don't use sclose in the child since it fools the socket leak detector */
208 sclose_nolog(sockfds[0]);
209 if(dup2(sockfds[1], STDIN_FILENO) == -1) {
210 error = ERRNO;
211 failf(conn->data, "Could not redirect child stdin. errno %d: %s",
212 error, Curl_strerror(conn, error));
213 exit(1);
214 }
215
216 if(dup2(sockfds[1], STDOUT_FILENO) == -1) {
217 error = ERRNO;
218 failf(conn->data, "Could not redirect child stdout. errno %d: %s",
219 error, Curl_strerror(conn, error));
220 exit(1);
221 }
222
223 if(domain)
224 execl(ntlm_auth, ntlm_auth,
225 "--helper-protocol", "ntlmssp-client-1",
226 "--use-cached-creds",
227 "--username", username,
228 "--domain", domain,
229 NULL);
230 else
231 execl(ntlm_auth, ntlm_auth,
232 "--helper-protocol", "ntlmssp-client-1",
233 "--use-cached-creds",
234 "--username", username,
235 NULL);
236
237 error = ERRNO;
238 sclose_nolog(sockfds[1]);
239 failf(conn->data, "Could not execl(). errno %d: %s",
240 error, Curl_strerror(conn, error));
241 exit(1);
242 }
243
244 sclose(sockfds[1]);
245 conn->ntlm_auth_hlpr_socket = sockfds[0];
246 conn->ntlm_auth_hlpr_pid = child_pid;
247 free(domain);
248 free(ntlm_auth_alloc);
249 return CURLE_OK;
250
251 done:
252 free(domain);
253 free(ntlm_auth_alloc);
254 return CURLE_REMOTE_ACCESS_DENIED;
255 }
256
ntlm_wb_response(struct connectdata * conn,const char * input,curlntlm state)257 static CURLcode ntlm_wb_response(struct connectdata *conn,
258 const char *input, curlntlm state)
259 {
260 char *buf = malloc(NTLM_BUFSIZE);
261 size_t len_in = strlen(input), len_out = 0;
262
263 if(!buf)
264 return CURLE_OUT_OF_MEMORY;
265
266 while(len_in > 0) {
267 ssize_t written = swrite(conn->ntlm_auth_hlpr_socket, input, len_in);
268 if(written == -1) {
269 /* Interrupted by a signal, retry it */
270 if(errno == EINTR)
271 continue;
272 /* write failed if other errors happen */
273 goto done;
274 }
275 input += written;
276 len_in -= written;
277 }
278 /* Read one line */
279 while(1) {
280 ssize_t size;
281 char *newbuf;
282
283 size = sread(conn->ntlm_auth_hlpr_socket, buf + len_out, NTLM_BUFSIZE);
284 if(size == -1) {
285 if(errno == EINTR)
286 continue;
287 goto done;
288 }
289 else if(size == 0)
290 goto done;
291
292 len_out += size;
293 if(buf[len_out - 1] == '\n') {
294 buf[len_out - 1] = '\0';
295 break;
296 }
297 newbuf = realloc(buf, len_out + NTLM_BUFSIZE);
298 if(!newbuf) {
299 free(buf);
300 return CURLE_OUT_OF_MEMORY;
301 }
302 buf = newbuf;
303 }
304
305 /* Samba/winbind installed but not configured */
306 if(state == NTLMSTATE_TYPE1 &&
307 len_out == 3 &&
308 buf[0] == 'P' && buf[1] == 'W')
309 return CURLE_REMOTE_ACCESS_DENIED;
310 /* invalid response */
311 if(len_out < 4)
312 goto done;
313 if(state == NTLMSTATE_TYPE1 &&
314 (buf[0]!='Y' || buf[1]!='R' || buf[2]!=' '))
315 goto done;
316 if(state == NTLMSTATE_TYPE2 &&
317 (buf[0]!='K' || buf[1]!='K' || buf[2]!=' ') &&
318 (buf[0]!='A' || buf[1]!='F' || buf[2]!=' '))
319 goto done;
320
321 conn->response_header = aprintf("NTLM %.*s", len_out - 4, buf + 3);
322 free(buf);
323 return CURLE_OK;
324 done:
325 free(buf);
326 return CURLE_REMOTE_ACCESS_DENIED;
327 }
328
329 /*
330 * This is for creating ntlm header output by delegating challenge/response
331 * to Samba's winbind daemon helper ntlm_auth.
332 */
Curl_output_ntlm_wb(struct connectdata * conn,bool proxy)333 CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
334 bool proxy)
335 {
336 /* point to the address of the pointer that holds the string to send to the
337 server, which is for a plain host or for a HTTP proxy */
338 char **allocuserpwd;
339 /* point to the name and password for this */
340 const char *userp;
341 /* point to the correct struct with this */
342 struct ntlmdata *ntlm;
343 struct auth *authp;
344
345 CURLcode res = CURLE_OK;
346 char *input;
347
348 DEBUGASSERT(conn);
349 DEBUGASSERT(conn->data);
350
351 if(proxy) {
352 allocuserpwd = &conn->allocptr.proxyuserpwd;
353 userp = conn->proxyuser;
354 ntlm = &conn->proxyntlm;
355 authp = &conn->data->state.authproxy;
356 }
357 else {
358 allocuserpwd = &conn->allocptr.userpwd;
359 userp = conn->user;
360 ntlm = &conn->ntlm;
361 authp = &conn->data->state.authhost;
362 }
363 authp->done = FALSE;
364
365 /* not set means empty */
366 if(!userp)
367 userp="";
368
369 switch(ntlm->state) {
370 case NTLMSTATE_TYPE1:
371 default:
372 /* Use Samba's 'winbind' daemon to support NTLM authentication,
373 * by delegating the NTLM challenge/response protocal to a helper
374 * in ntlm_auth.
375 * http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
376 * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
377 * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
378 * Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this
379 * feature is enabled and 'NTLM_WB_FILE' symbol holds absolute
380 * filename of ntlm_auth helper.
381 * If NTLM authentication using winbind fails, go back to original
382 * request handling process.
383 */
384 /* Create communication with ntlm_auth */
385 res = ntlm_wb_init(conn, userp);
386 if(res)
387 return res;
388 res = ntlm_wb_response(conn, "YR\n", ntlm->state);
389 if(res)
390 return res;
391
392 free(*allocuserpwd);
393 *allocuserpwd = aprintf("%sAuthorization: %s\r\n",
394 proxy ? "Proxy-" : "",
395 conn->response_header);
396 DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
397 free(conn->response_header);
398 conn->response_header = NULL;
399 break;
400 case NTLMSTATE_TYPE2:
401 input = aprintf("TT %s\n", conn->challenge_header);
402 if(!input)
403 return CURLE_OUT_OF_MEMORY;
404 res = ntlm_wb_response(conn, input, ntlm->state);
405 free(input);
406 input = NULL;
407 if(res)
408 return res;
409
410 free(*allocuserpwd);
411 *allocuserpwd = aprintf("%sAuthorization: %s\r\n",
412 proxy ? "Proxy-" : "",
413 conn->response_header);
414 DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
415 ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
416 authp->done = TRUE;
417 Curl_ntlm_wb_cleanup(conn);
418 break;
419 case NTLMSTATE_TYPE3:
420 /* connection is already authenticated,
421 * don't send a header in future requests */
422 free(*allocuserpwd);
423 *allocuserpwd=NULL;
424 authp->done = TRUE;
425 break;
426 }
427
428 return CURLE_OK;
429 }
430
431 #endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
432