On 25.04.2015 21:30, Daniel Stenberg wrote:
> On Thu, 23 Apr 2015, LRN wrote:
> 
>> The only hunk that needed to change was the one that adds #include "rawstr.h"
>> Even without this hunk the code compiles, albeit with warnings (implicit
>> declarations of raw string functions).
>> Even with this hunk i still get *some* warnings:
> 
> Sorry, I don't mean to be annoying, but since you provided this fine update, 
> could I also bother you to fix the remaining warnings? It'd get the patch 
> merge ready, and will make the process smoother... I'd be grateful!
> 
Here it is.
Fixed a typo in the docs ("a the" -> "the").
Added the prototype to sspi.h. Fits there well enough.
Added a cast to (const char*).

Patch should apply to 7.42.0 with small offset.
Note that i've hacked the patch together manually, it's not from git 
format-patch.

-- 
O< ascii ribbon - stop html email! - www.asciiribbon.org
From a69b2a723dcd03cdf74a836b77abc9e9b59bd907 Mon Sep 17 00:00:00 2001
From: Grant Pannell <gr...@pannell.net.au>
Date: Sat, 21 Feb 2015 17:12:11 +1030
Subject: [PATCH] sasl_sspi: Populate the domain from the realm in the
 challenge message if the user does not specify DOMAIN\User format

---
 lib/curl_sasl.c      | 12 +++++----
 lib/curl_sasl.h      | 11 ++++++++
 lib/curl_sasl_sspi.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 93 insertions(+), 6 deletions(-)

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 4591edb..2ce94d3 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -78,9 +78,6 @@ const struct {
 #define DIGEST_QOP_VALUE_STRING_AUTH_INT  "auth-int"
 #define DIGEST_QOP_VALUE_STRING_AUTH_CONF "auth-conf"
 
-#define DIGEST_MAX_VALUE_LENGTH           256
-#define DIGEST_MAX_CONTENT_LENGTH         1024
-
 /* The CURL_OUTPUT_DIGEST_CONV macro below is for non-ASCII machines.
    It converts digest text to ASCII so the MD5 will be correct for
    what ultimately goes over the network.
@@ -92,13 +89,16 @@ const struct {
     return result; \
   }
 
+#endif
+
+#if !defined(CURL_DISABLE_CRYPTO_AUTH)
 /*
  * Returns 0 on success and then the buffers are filled in fine.
  *
  * Non-zero means failure to parse.
  */
-static int sasl_digest_get_pair(const char *str, char *value, char *content,
-                                const char **endptr)
+int sasl_digest_get_pair(const char *str, char *value, char *content,
+                         const char **endptr)
 {
   int c;
   bool starts_with_quote = FALSE;
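Review bot: Dropping `static` makes `sasl_digest_get_pair` an external symbol of the library, yet it keeps a name without the `Curl_` prefix that the other cross-file functions on this page carry (`Curl_sasl_build_spn`, `Curl_create_sspi_identity`). Renaming it along the lines of `Curl_sasl_digest_get_pair` would keep it out of the application's namespace in static builds. Now that other files call it, the header comment should also state the buffer contract, e.g. `/* value must hold DIGEST_MAX_VALUE_LENGTH bytes, content DIGEST_MAX_CONTENT_LENGTH bytes */`, assuming the body bounds its writes by those constants. The function body continues past this hunk, so that bound cannot be confirmed from here.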
@@ -159,7 +159,9 @@ static int sasl_digest_get_pair(const char *str, char 
*value, char *content,
 
   return 0; /* all is fine! */
 }
+#endif
 
+#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(USE_WINDOWS_SSPI)
 /* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/
 static void sasl_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */
                                      unsigned char *dest) /* 33 bytes */
diff --git a/lib/curl_sasl.h b/lib/curl_sasl.h
index 0dc7377..88c04ee 100644
--- a/lib/curl_sasl.h
+++ b/lib/curl_sasl.h
@@ -65,6 +65,11 @@ struct kerberos5data;
 #define SASL_MECH_STRING_NTLM       "NTLM"
 #define SASL_MECH_STRING_XOAUTH2    "XOAUTH2"
 
+#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#define DIGEST_MAX_VALUE_LENGTH           256
+#define DIGEST_MAX_CONTENT_LENGTH         1024
+#endif
+
 enum {
   CURLDIGESTALGO_MD5,
   CURLDIGESTALGO_MD5SESS
@@ -136,6 +141,12 @@ char *Curl_sasl_build_spn(const char *service, const char 
*instance);
 TCHAR *Curl_sasl_build_spn(const char *service, const char *instance);
 #endif
 
+#if defined(USE_WINDOWS_SSPI)
+/* This is used to extract the realm from a challenge message */
+int sasl_digest_get_pair(const char *str, char *value, char *content,
+                            const char **endptr);
+#endif
+
 #if defined(HAVE_GSSAPI)
 char *Curl_sasl_build_gssapi_spn(const char *service, const char *host);
 #endif
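Review bot: The prototype is declared only under `USE_WINDOWS_SSPI`, while the definition in curl_sasl.c is compiled under `!defined(CURL_DISABLE_CRYPTO_AUTH)`, so the two guards do not line up. A non-SSPI build then defines a non-static function with no prototype in scope, which strict warning flags will report. An SSPI build with `CURL_DISABLE_CRYPTO_AUTH` set gets the declaration but neither the definition nor the `DIGEST_MAX_*` sizes added in the first hunk of this file; whether curl_sasl_sspi.c is compiled out in that configuration is not visible here. Guarding the prototype with the same condition as the definition, `#if !defined(CURL_DISABLE_CRYPTO_AUTH)`, keeps the two in step.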
diff --git a/lib/curl_sspi.h b/lib/curl_sspi.h
--- a/lib/curl_sspi.h
+++ b/lib/curl_sspi.h
@@ -43,6 +43,10 @@
 CURLcode Curl_sspi_global_init(void);
 void Curl_sspi_global_cleanup(void);
 
+/* This is used to populate the domain in a SSPI identity structure */
+CURLcode Curl_override_sspi_http_realm(const char *chlg,
+                                       SEC_WINNT_AUTH_IDENTITY *identity);
+
 /* This is used to generate an SSPI identity structure */
 CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
                                    SEC_WINNT_AUTH_IDENTITY *identity);
diff --git a/lib/curl_sasl_sspi.c b/lib/curl_sasl_sspi.c
index 0509b75..698fff9 100644
--- a/lib/curl_sasl_sspi.c
+++ b/lib/curl_sasl_sspi.c
@@ -40,6 +40,7 @@
 #include "sendf.h"
 #include "strdup.h"
 #include "curl_printf.h"
+#include "rawstr.h"
 
 /* The last #include files should be: */
 #include "curl_memory.h"
@@ -276,6 +277,75 @@ CURLcode Curl_sasl_create_digest_md5_message(struct 
SessionHandle *data,
 }
 
 /*
+* Curl_override_sspi_http_realm()
+*
+* This is used to populate the domain in a SSPI identity structure
+* The realm is extracted from the challenge message and used as the
+* domain if it is not already explicitly set.
+*
+* Parameters:
+*
+* chlg     [in]     - The challenge message.
+* identity [in/out] - The identity structure.
+*
+* Returns CURLE_OK on success.
+*/
+CURLcode Curl_override_sspi_http_realm (const char *chlg,
+                                        SEC_WINNT_AUTH_IDENTITY *identity)
+{
+  xcharp_u domain, dup_domain;
+
+  /* If domain is blank or unset, check challenge message for realm */
+  if (!identity->Domain || !identity->DomainLength)
+  {
+    for (;;) {
+      char value[DIGEST_MAX_VALUE_LENGTH];
+      char content[DIGEST_MAX_CONTENT_LENGTH];
+
+      /* Pass all additional spaces here */
+      while (*chlg && ISSPACE(*chlg))
+        chlg++;
+
+      /* Extract a value=content pair */
+      if (!sasl_digest_get_pair(chlg, value, content, &chlg)) {
+        if (Curl_raw_equal(value, "realm")) {
+
+          /* Setup identity's domain and length */
+          domain.tchar_ptr = Curl_convert_UTF8_to_tchar((char *)content);
+          if (!domain.tchar_ptr)
+            return CURLE_OUT_OF_MEMORY;
+          dup_domain.tchar_ptr = _tcsdup(domain.tchar_ptr);
+          if (!dup_domain.tchar_ptr) {
+            Curl_unicodefree(domain.tchar_ptr);
+            return CURLE_OUT_OF_MEMORY;
+          }
+          identity->Domain = dup_domain.tbyte_ptr;
+          identity->DomainLength = curlx_uztoul(_tcslen(dup_domain.tchar_ptr));
+          dup_domain.tchar_ptr = NULL;
+
+          Curl_unicodefree(domain.tchar_ptr);
+        }
+        else {
+          /* unknown specifier, ignore it! */
+        }
+      }
+      else
+        break; /* we're done here */
+
+      /* Pass all additional spaces here */
+      while (*chlg && ISSPACE(*chlg))
+        chlg++;
+
+      /* Allow the list to be comma-separated */
+      if (',' == *chlg)
+        chlg++;
+    }
+  }
+
+  return CURLE_OK;
+}
+
+/*
  * Curl_sasl_decode_digest_http_message()
  *
  * This is used to decode a HTTP DIGEST challenge message into the seperate
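Review bot: The assignment to `identity->Domain` overwrites the previous pointer without releasing it: the guard also passes when `Domain` is non-NULL with `DomainLength` 0, and the loop continues after a match, so a second `realm=` pair in the challenge replaces and leaks the first. Releasing the old value before the assignment and leaving the loop after the first realm addresses both, e.g. `Curl_safefree(identity->Domain);` ahead of `identity->Domain = dup_domain.tbyte_ptr;` and a `break;` after `Curl_unicodefree(domain.tchar_ptr);`, provided the existing pointer comes from the same allocator. The realm is server-supplied text, so this function lets the remote end choose the domain the credentials are presented under; the header comment should say so and say that it applies only when the user gave no domain. On style, the new code writes `if (`, `for (`, `while (` and puts a brace on its own line, where the surrounding file uses `if(`.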
@@ -373,7 +443,12 @@ CURLcode Curl_sasl_create_digest_http_message(struct 
SessionHandle *data,
 
   if(userp && *userp) {
     /* Populate our identity structure */
-    if(Curl_create_sspi_identity(userp, passwdp, &identity))
+    if (Curl_create_sspi_identity(userp, passwdp, &identity))
+      return CURLE_OUT_OF_MEMORY;
+
+    /* Populate our identity domain */
+    if (Curl_override_sspi_http_realm((const char*)digest->input_token,
+                                      &identity))
       return CURLE_OUT_OF_MEMORY;
 
     /* Allow proper cleanup of the identity structure */
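Review bot: The new early return `if (Curl_override_sspi_http_realm(...)) return CURLE_OUT_OF_MEMORY;` runs after Curl_create_sspi_identity has filled `identity` but before the "Allow proper cleanup" step, so the copied user name and password appear to stay allocated on this path. Releasing the identity first, e.g. `Curl_sspi_free_identity(&identity);`, would close that. The call also parses `digest->input_token` as a C string, and the cast suggests it is stored as a byte buffer. It is worth confirming that the stored copy includes the terminating NUL, otherwise the `*chlg` scans in the new function read past the allocation. The enclosing function starts and ends outside this hunk, so both points need checking against the full body.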

Attachment: 0x922360B0.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
