cURL / Mailing Lists / curl-library / Single Mail

curl-library

[PATCH]Add NTLM single-sign-on support by using /usr/bin/ntlm_auth

From: Wu, Mandy <mandy.wu_at_intel.com>
Date: Tue, 28 Jun 2011 00:02:14 +0800

On Mon, 2011-06-20 at 23:36 +0800, Wu, Mandy wrote:
> Hi, I am working on adding NTLM single-sign-on support by using Samba's 'winbind' helper ntlm_auth.
>
> When using Samba's 'winbind' daemon, NTLM single-sign-on is supported by delegating the NTLM challenge/response protocol to a helper in /usr/bin/ntlm_auth.
> And there's a really simple test hack at http://david.woodhou.se/ntlm_auth_v2.c.

I have worked out a complete patch to implement this.
And I also modified previous design to only do single-sign-on for NTLM
authentication when client does not provide a password (conn->passwd is
empty). It is up to the client to try to authenticate itself agian with
a password when single-sign-on failed.
I already tested with curl command. Please help review it, and any
feedbacks is appreciated. Thanks in advance.

diff --git a/configure.ac b/configure.ac
index e9b49c7..128789c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2686,6 +2686,24 @@ then
   USE_MANUAL="no";
fi

+dnl **********************************************************
+dnl path of NTLM single-sign-on helper ntlm_auth
+dnl
+AC_ARG_WITH(ntlm-auth,
+AC_HELP_STRING([--with-ntlm-auth=PATH],[Where to look for ntlm_auth,
path points to ntlm_auth installation (default: /usr/bin/ntlm_auth);])
+AC_HELP_STRING([--without-ntlm-auth], [disable ntlm single-sign-on by
using ntlm_auth]),
+ntlm_auth="$withval",
+[if test "$ac_cv_native_windows" = "yes"; then ntlm_auth="no"; else
ntlm_auth="/usr/bin/ntlm_auth"; fi])
+if test "$ntlm_auth" != "no"; then
+ AC_DEFINE(USE_NTLM_AUTH, 1, [Whether or not use Samba's 'winbind'
daemon helper 'ntlm_auth' for NTLM single-sign-on])
+ if test "$ntlm_auth" = "yes"; then
+ dnl --with-ntlm-auth (without path) used, use default path
+ ntlm_auth="/usr/bin/ntlm_auth"
+ fi
+fi
+AC_SUBST(ntlm_auth)
+AC_DEFINE_UNQUOTED(NTLM_AUTH, "$ntlm_auth", [Samba's 'winbind' daemon
helper 'ntlm_auth' which can be used for NTLM single-sign-on])
+
dnl
*************************************************************************
dnl If the manual variable still is set, then we go with providing a
built-in
dnl manual
diff --git a/docs/examples/Makefile.example
b/docs/examples/Makefile.example
index dfd1178..df46680 100644
--- a/docs/examples/Makefile.example
+++ b/docs/examples/Makefile.example
@@ -24,7 +24,7 @@
TARGET = example

# Which object files that the executable consists of
-OBJS= ftpget.o
+OBJS= http-post.o

# What compiler to use
CC = gcc
@@ -36,7 +36,7 @@ CFLAGS = -c -g
# in the system's standard lib dir
# We also set a -L to include the directory where we have the openssl
# libraries
-LDFLAGS = -L/home/dast/lib -L/usr/local/ssl/lib
+LDFLAGS = -L/home/xwu1/libcurl/curl/lib/.libs -L/usr/lib

# We need -lcurl for the curl stuff
# We need -lsocket and -lnsl when on Solaris
@@ -49,5 +49,5 @@ $(TARGET) : $(OBJS)
         $(CC) -o $(TARGET) $(OBJS) $(LDFLAGS) $(LIBS)

# Compile the source files into object files
-ftpget.o : ftpget.c
+http-post.o : http-post.c
         $(CC) $(CFLAGS) $<
diff --git a/docs/examples/http-post.c b/docs/examples/http-post.c
index 22de628..a57d5a9 100644
--- a/docs/examples/http-post.c
+++ b/docs/examples/http-post.c
@@ -32,12 +32,35 @@ int main(void)
     /* First set the URL that is about to receive our POST. This URL
can
        just as well be a https:// URL if that is what should receive
the
        data. */
- curl_easy_setopt(curl, CURLOPT_URL,
"http://postit.example.com/moo.cgi");
+ struct curl_slist *headers=NULL;
+ struct curl_httppost *post=NULL;
+ struct curl_httppost *last=NULL;
+
+ printf ("easy handler created\n");
+
+ curl_easy_setopt(curl, CURLOPT_URL,
"https://shsmsx601.ccr.corp.intel.com/EWS/Exchange.asmx");
+ curl_easy_setopt(curl, CURLOPT_USERPWD, "CCR\\xwu1:evan_at_1980");
+ curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
+ curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+
     /* Now specify the POST data */
- curl_easy_setopt(curl, CURLOPT_POSTFIELDS,
"name=daniel&project=curl");
+ headers = curl_slist_append(headers, "Content-Type: text/xml");
+
+ curl_formadd(&post, &last,
+ CURLFORM_COPYNAME, "logotype-image",
+ CURLFORM_FILECONTENT, "/home/xwu1/getitem.xml",
+ CURLFORM_CONTENTHEADER, headers,
+ CURLFORM_END);
+
+ curl_easy_setopt(curl, CURLOPT_HTTPPOST, post);

     /* Perform the request, res will get the return code */
+ printf ("easy handler perfoming\n");
     res = curl_easy_perform(curl);
+ printf ("easy handler return %d\n", res);
+
+ curl_formfree(post);
+ curl_slist_free_all(headers); /* free the header list */

     /* always cleanup */
     curl_easy_cleanup(curl);
diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c
index c3ceadc..4a24aef 100644
--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@@ -43,6 +43,15 @@
#include <unistd.h>
#endif

+#ifdef USE_NTLM_SSO
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <signal.h>
+#include <errno.h>
+#endif
+
#if (defined(NETWARE) && !defined(__NOVELL_LIBC__))
#include <netdb.h>
#endif
@@ -321,6 +330,10 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
       ntlm->flags = readint_le(&buffer[20]);
       memcpy(ntlm->nonce, &buffer[24], 8);

+#ifdef USE_NTLM_SSO
+ conn->challenge_header = strdup(header);
+#endif
+
       DEBUG_OUT({
         fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ",
ntlm->flags);
         print_flags(stderr, ntlm->flags);
@@ -674,6 +687,157 @@ static void unicodecpy(unsigned char *dest,
}
#endif

+#ifdef USE_NTLM_SSO
+static void sso_ntlm_close(struct connectdata *conn)
+{
+ if(conn->fd_helper != -1) {
+ close(conn->fd_helper);
+ conn->fd_helper = -1;
+ }
+
+ if(conn->pid) {
+ int ret, i;
+ for(i = 0; i < 4; i++) {
+ ret = waitpid(conn->pid, NULL, WNOHANG);
+ if(ret == conn->pid || errno == ECHILD)
+ break;
+ switch(i) {
+ case 0:
+ kill(conn->pid, SIGTERM);
+ break;
+ case 2:
+ kill(conn->pid, SIGKILL);
+ break;
+ case 1:
+ case 3:
+ break;
+ }
+ }
+ conn->pid = 0;
+ }
+
+ Curl_safefree(conn->challenge_header);
+ conn->challenge_header = NULL;
+}
+
+static bool sso_ntlm_initiate(struct connectdata *conn, const char
*user)
+{
+ int sockfds[2];
+ pid_t pid;
+ char *username = NULL, *slash, *domain = NULL;
+
+ /* Return if communication with ntlm_auth already set up */
+ if(conn->fd_helper != -1 || conn->pid) {
+ return TRUE;
+ }
+
+ username = strdup(user);
+ slash = strpbrk(username, "\\/");
+ if(slash) {
+ domain = strdup(username);
+ slash = domain + (slash - username);
+ *slash = '\0';
+ username = slash + 1;
+ }
+
+ if(access(NTLM_AUTH, X_OK) != 0)
+ goto done;
+
+ if(socketpair(AF_UNIX, SOCK_STREAM, 0, sockfds))
+ goto done;
+
+ pid = fork();
+ if(!pid) {
+ /* child process */
+ if(dup2(sockfds[1], 0) == -1 || dup2(sockfds[1], 1) == -1)
+ exit(1);
+
+ execl(NTLM_AUTH, "--helper-protocol", "ntlmssp-client-1",
+ "--use-cached-creds", "--username", username,
+ domain?"--domain":NULL, domain, NULL);
+ exit(1);
+ }
+ else if(pid == -1) {
+ close(sockfds[0]);
+ close(sockfds[1]);
+ goto done;
+ }
+
+ close(sockfds[1]);
+ conn->fd_helper = sockfds[0];
+ conn->pid = pid;
+ Curl_safefree(domain);
+ return TRUE;
+
+done:
+ Curl_safefree(domain);
+ return FALSE;
+}
+
+static char *sso_ntlm_response(struct connectdata *conn,
+ const char *input, curlntlm state)
+{
+ ssize_t size;
+ char buf[1024], *response = NULL;
+ char *tmpbuf = buf;
+ size_t len_in = strlen(input), len_out = sizeof(buf);
+
+ while(len_in > 0) {
+ int written = write(conn->fd_helper, input, len_in);
+ if(written == -1) {
+ /* Interrupted by a signal, retry it */
+ if(errno == EINTR)
+ continue;
+ /* write failed if other errors happen */
+ goto done;
+ }
+ input += written;
+ len_in -= written;
+ }
+ /* Read one line */
+ while(len_out > 0) {
+ size = read(conn->fd_helper, tmpbuf, len_out);
+ if(size == -1) {
+ if(errno == EINTR)
+ continue;
+ goto done;
+ }
+ else if(size == 0)
+ goto done;
+ else if(tmpbuf[size - 1] == '\n') {
+ tmpbuf[size - 1] = '\0';
+ goto wrfinish;
+ }
+ tmpbuf += size;
+ len_out -= size;
+ }
+ goto done;
+wrfinish:
+ /* Samba/winbind installed but not configured */
+ if(state == NTLMSTATE_TYPE1 &&
+ size == 3 &&
+ buf[0] == 'P' && buf[1] == 'W') {
+ response = strdup("PW");
+ goto done;
+ }
+ /* invalid response */
+ if(size < 4)
+ goto done;
+ if(state == NTLMSTATE_TYPE1 &&
+ (buf[0]!='Y' || buf[1]!='R' || buf[2]!=' '))
+ goto done;
+ if(state == NTLMSTATE_TYPE2 &&
+ (buf[0]!='K' || buf[1]!='K' || buf[2]!=' ') &&
+ (buf[0]!='A' || buf[1]!='F' || buf[2]!=' '))
+ goto done;
+
+ response = aprintf("NTLM %.*s", size - 4, buf + 3);
+ goto done;
+done:
+ return response;
+}
+#endif /* USE_NTLM_AUTH */
+
/* this is for creating ntlm header output */
CURLcode Curl_output_ntlm(struct connectdata *conn,
                           bool proxy)
@@ -832,6 +996,53 @@ CURLcode Curl_output_ntlm(struct connectdata *conn,
     size = buf.cbBuffer;
   }
#else
+
+#ifdef USE_NTLM_SSO
+ /* Use Samba's 'winbind' daemon to support NTLM single-sign-on,
+ * by delegating the NTLM challenge/response protocal to a helper
+ * in ntlm_auth.
+ * http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
+ * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
+ * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
+ * The preprocessor variable 'USE_NTLM_AUTH' indicates whether
+ * this feature is enabled. Another one 'NTLM_AUTH' contains
absolute
+ * path of it.
+ * If NTLM single-sign-on fails, go back to original request
+ * handling process.
+ */
+ /* Do NTLM single-sign-on when password is empty,
+ * otherwise, follow normal NTLM authentication.
+ */
+ if(Curl_raw_equal(passwdp, "")) {
+ /* Clean data before using them */
+ conn->fd_helper = -1;
+ conn->pid = 0;
+ conn->challenge_header = NULL;
+ /* Create communication with ntlm_auth */
+ if(sso_ntlm_initiate(conn, userp)) {
+ char *header;
+ header = sso_ntlm_response(conn, "YR\n", ntlm->state);
+ if(!header)
+ /* invalid response */
+ goto ssofailure_type1;
+ if(Curl_raw_equal(header, "PW")) {
+ /* ntml_auth ask for password */
+ Curl_safefree(header);
+ goto ssofailure_type1;
+ }
+ Curl_safefree(*allocuserpwd);
+ *allocuserpwd = aprintf("%sAuthorization: %s\r\n",
+ proxy?"Proxy-":"",
+ header);
+ DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
+ Curl_safefree(header);
+ break;
+ }
+ssofailure_type1:
+ DEBUG_OUT(fprintf(stderr, "**** ntlm_auth failed on type1\n"));
+ }
+#endif
+
     hostoff = 0;
     domoff = hostoff + hostlen; /* This is 0: remember that host and
domain
                                    are empty */
@@ -998,6 +1209,33 @@ CURLcode Curl_output_ntlm(struct connectdata
*conn,
     size_t userlen;
     CURLcode res;

+#ifdef USE_NTLM_SSO
+ if(Curl_raw_equal(passwdp, "")) {
+ char *input, *header;
+ input = aprintf("TT %s\n", conn->challenge_header);
+ header = sso_ntlm_response(conn,
+ input,
+ ntlm->state);
+ sso_ntlm_close(conn);
+ if(!header) {
+ Curl_safefree(input);
+ goto ssofailure_type2;
+ }
+ Curl_safefree(*allocuserpwd);
+ *allocuserpwd = aprintf("%sAuthorization: %s\r\n",
+ proxy?"Proxy-":"",
+ header);
+ DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
+ ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
+ authp->done = TRUE;
+ Curl_safefree(input);
+ Curl_safefree(header);
+ break;
+ssofailure_type2:
+ DEBUG_OUT(fprintf(stderr, "**** ntlm_auth failed on type2\n"));
+ }
+#endif
+
     user = strchr(userp, '\\');
     if(!user)
       user = strchr(userp, '/');
@@ -1320,6 +1558,9 @@ Curl_ntlm_cleanup(struct connectdata *conn)
   ntlm_sspi_cleanup(&conn->ntlm);
   ntlm_sspi_cleanup(&conn->proxyntlm);
#else
+#ifdef USE_NTLM_SSO
+ sso_ntlm_close(conn);
+#endif
   (void)conn;
#endif
}
diff --git a/lib/setup.h b/lib/setup.h
index 1e96c76..c742188 100644
--- a/lib/setup.h
+++ b/lib/setup.h
@@ -567,6 +567,11 @@ int netware_init(void);
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \
    defined(USE_GNUTLS) || defined(USE_NSS)
#define USE_NTLM
+#if defined(USE_NTLM_AUTH)
+/* Support NTLM single-sign-on by using Samba's winbind daemon helper
+ 'ntlm_auth' */
+#define USE_NTLM_SSO
+#endif
#endif
#endif

diff --git a/lib/urldata.h b/lib/urldata.h
index d256968..e390b92 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -905,6 +905,14 @@ struct connectdata {
                                single requests! */
   struct ntlmdata proxyntlm; /* NTLM data for proxy */

+#ifdef USE_NTLM_SSO
+ /* data used for communication with Samba's winbind daemon helper
+ ntlm_auth */
+ int fd_helper;
+ pid_t pid;
+ char* challenge_header;
+#endif
+
   char syserr_buf [256]; /* buffer for Curl_strerror() */

#ifdef CURLRES_ASYNCH

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-06-27

This message: [ Message body ]
Next message: Wu, Mandy: "Re: [PATCH]Add NTLM single-sign-on support by using /usr/bin/ntlm_auth"
Previous message: Jim Hollinger: "Re: [PATCH] RTSP-Authentication"
In reply to: Wu, Mandy: "How to fall back to ask for a password when NTLM single-sign-on failed"
Next in thread: Wu, Mandy: "Re: [PATCH]Add NTLM single-sign-on support by using /usr/bin/ntlm_auth"
Reply: Wu, Mandy: "Re: [PATCH]Add NTLM single-sign-on support by using /usr/bin/ntlm_auth"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]