--- src/ne_auth.c 2010-10-14 17:00:53.000000000 +0200 +++ src/ne_auth.c 2011-02-03 10:31:22.000000000 +0100 @@ -367,7 +367,7 @@ static int get_credentials(auth_session *sess, ne_buffer **errmsg, int attempt, struct auth_challenge *chall, char *pwbuf) { - if (chall->handler->creds(chall->handler->userdata, sess->realm, + if (chall->handler->creds(chall->handler->userdata, chall->protocol->name, sess->realm, chall->handler->attempt++, sess->username, pwbuf) == 0) { return 0; } else { @@ -385,15 +385,19 @@ { char *tmp, password[NE_ABUFSIZ]; +#if 0 /* Workaround - IIS sends challenge without realm. */ + /* Verify challenge... must have a realm */ if (parms->realm == NULL) { challenge_error(errmsg, _("missing realm in Basic challenge")); return -1; } +#endif clean_session(sess); - sess->realm = ne_strdup(parms->realm); + if (parms->realm != NULL) + sess->realm = ne_strdup(parms->realm); if (get_credentials(sess, errmsg, attempt, parms, password)) { /* Failed to get credentials */ @@ -610,10 +614,12 @@ return NULL; } -static int continue_sspi(auth_session *sess, int ntlm, const char *hdr) +static int continue_sspi(auth_session *sess, int ntlm, const char *hdr, + int attempt, struct auth_challenge *parms, ne_buffer **errmsg) { int status; char *response = NULL; + char password[NE_ABUFSIZ]; NE_DEBUG(NE_DBG_HTTPAUTH, "auth: SSPI challenge.\n"); @@ -630,8 +636,17 @@ return status; } } - - status = ne_sspi_authenticate(sess->sspi_context, hdr, &response); + + /* Authentification needs more than one http request. + * As long as authentification in progress use the existing credentials. + * Otherwise get new credentials.*/ + if (!hdr) + if (get_credentials(sess, errmsg, attempt, parms, password)) { + /* Failed to get credentials */ + return -1; + } + + status = ne_sspi_authenticate(sess->sspi_context, hdr, &response, sess->username, password); if (status) { return status; } @@ -651,7 +666,7 @@ { int ntlm = ne_strcasecmp(parms->protocol->name, "NTLM") == 0; - return continue_sspi(sess, ntlm, parms->opaque); + return continue_sspi(sess, ntlm, parms->opaque, attempt, parms, errmsg); } static int verify_sspi(struct auth_request *req, auth_session *sess, @@ -674,7 +689,7 @@ return NE_OK; } - return continue_sspi(sess, ntlm, ptr); + return continue_sspi(sess, ntlm, ptr, 0, NULL, NULL); } #endif --- src/ne_auth.h 2009-09-01 22:13:12.000000000 +0200 +++ src/ne_auth.h 2011-02-03 10:26:20.000000000 +0100 @@ -47,8 +47,8 @@ * Hint: if you just wish to attempt authentication just once (even if * the user gets the username/password wrong), have the callback * function use 'attempt' value as the function return value. */ -typedef int (*ne_auth_creds)(void *userdata, const char *realm, int attempt, - char *username, char *password); +typedef int (*ne_auth_creds)(void *userdata, const char * auth_protocol, + const char *realm, int attempt, char *username, char *password); /* Set callbacks to provide credentials for server and proxy * authentication, using the default set of authentication protocols. --- src/ne_locks.c 2007-02-05 11:09:27.000000000 +0100 +++ src/ne_locks.c 2011-02-03 10:26:21.000000000 +0100 @@ -579,6 +579,23 @@ const char *token = ne_get_response_header(ctx->req, "Lock-Token"); /* at the root element; retrieve the Lock-Token header, * and bail if it wasn't given. */ +#ifdef IIS_LOCK_BUG_WORKAROUND + /* MS IIS violates RFC 2518/4918. It does not send a Lock-Token response + header upon successful creation of a new lock. As a workaround, we + will try to pick the lock token from the response body (although + this is not 100% safe in case of multiple activelocks). */ + if (token == NULL) + NE_DEBUG(NE_DBG_LOCKS, + "Ignoring missing LOCK response Lock-Token header\n"); + + if (token != NULL) { + if (token[0] == '<') token++; + ctx->token = ne_strdup(token); + ne_shave(ctx->token, ">"); + NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n", + ctx->token); + } +#else if (token == NULL) { ne_xml_set_error(ctx->parser, _("LOCK response missing Lock-Token header")); @@ -590,12 +607,28 @@ ne_shave(ctx->token, ">"); NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n", ctx->token); +#endif } /* TODO: only accept 'prop' as root for LOCK response */ if (!can_accept(parent, id)) return NE_XML_DECLINE; +#ifdef IIS_LOCK_BUG_WORKAROUND + if (id == ELM_activelock && ctx->found) { + /* Found another activelock... */ + const char *token = ne_get_response_header(ctx->req, "Lock-Token"); + if (token == NULL) { + /* Response contains more than one activelock and no Lock-Token + * response header. We are doomed. No safe workaround for IIS + * lock bug possible. */ + ne_xml_set_error(ctx->parser, + _("LOCK response missing Lock-Token header and more than one activelock")); + return NE_XML_ABORT; + } + } +#endif + if (id == ELM_activelock && !ctx->found) { /* a new activelock */ ne_lock_free(&ctx->active); @@ -621,7 +654,12 @@ return -1; if (state == ELM_activelock) { +#ifdef IIS_LOCK_BUG_WORKAROUND + if (ctx->active.token) { + ctx->token = ne_strdup(ctx->active.token); +#else if (ctx->active.token && strcmp(ctx->active.token, ctx->token) == 0) { +#endif ctx->found = 1; } } --- src/ne_sspi.c 2007-08-10 17:26:08.000000000 +0200 +++ src/ne_sspi.c 2011-02-03 10:26:21.000000000 +0100 @@ -206,6 +206,45 @@ } /* + * Simplification wrapper arround AcquireCredentialsHandle as most of + * the parameters do not change. + */ +static int acquireCredentialsHandleForUsername(CredHandle * credentials, char *package, const char *username, const char *password) +{ + SECURITY_STATUS status; + TimeStamp timestamp; + + const char *domain = ""; + + int rc, rcISC; + SecPkgInfo *secPackInfo; + SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL; + int bytesReceived = 0, bytesSent = 0; + + nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof(SEC_WINNT_AUTH_IDENTITY) ); + memset( nameAndPwd, '\0', sizeof (*nameAndPwd) ); + nameAndPwd->Domain = (unsigned char *) _strdup( domain? domain: "" ); + nameAndPwd->DomainLength = domain? strlen( domain ): 0; + nameAndPwd->User = (unsigned char *) _strdup( username? username: "" ); + nameAndPwd->UserLength = username? strlen( username ): 0; + nameAndPwd->Password = (unsigned char *) _strdup( password? password: "" ); + nameAndPwd->PasswordLength = password? strlen( password ): 0; + nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI; + + status = pSFT->AcquireCredentialsHandle( NULL, package, SECPKG_CRED_OUTBOUND, + NULL, nameAndPwd, NULL, NULL, credentials, ×tamp ); + + if (status != SEC_E_OK) { + NE_DEBUG(NE_DBG_HTTPAUTH, + "sspi: AcquireCredentialsHandle [fail] [%x].\n", status); + return -1; + } + + return 0; +} + + +/* * Wrapper arround initializeSecurityContext. Supplies several * default parameters as well as logging in case of errors. */ @@ -483,7 +522,7 @@ * Processes received authentication tokens as well as supplies the * response token. */ -int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken) +int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken, const char* username, const char* password) { SecBufferDesc outBufferDesc; SecBuffer outBuffer; @@ -561,13 +600,22 @@ /* Reset any existing context since we are starting over */ resetContext(sspiContext); - if (acquireCredentialsHandle - (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) { - freeBuffer(&outBufferDesc); - NE_DEBUG(NE_DBG_HTTPAUTH, - "sspi: acquireCredentialsHandle failed.\n"); - return -1; - } + if (strlen(username) != 0) { + if (acquireCredentialsHandleForUsername + (&sspiContext->credentials, sspiContext->mechanism, username, password) != SEC_E_OK) { + freeBuffer(&outBufferDesc); + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandleForUsername failed.\n"); + return -1; + } + } else { + if (acquireCredentialsHandle + (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) { + freeBuffer(&outBufferDesc); + NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandle failed.\n"); + return -1; + } + } + securityStatus = initializeSecurityContext(&sspiContext->credentials, NULL, --- src/ne_sspi.h 2006-02-12 13:05:14.000000000 +0100 +++ src/ne_sspi.h 2011-02-03 10:26:21.000000000 +0100 @@ -41,7 +41,7 @@ int ne_sspi_clear_context(void *context); int ne_sspi_authenticate(void *context, const char *base64Token, - char **responseToken); + char **responseToken, const char* username, const char* password); #endif /* HAVE_SSPI */ --- src/ne_openssl.c +++ src/ne_openssl.c @@ -43,6 +43,13 @@ #endif #endif +#ifdef _WIN32 +#define X509_NAME WIN32_X509_NAME +#include +#include +#undef X509_NAME +#endif + #include "ne_ssl.h" #include "ne_string.h" #include "ne_session.h" @@ -798,6 +805,31 @@ X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL); #else X509_STORE_set_default_paths(store); +#ifdef _WIN32 + { + HCERTSTORE hStore; + PCCERT_CONTEXT pContext = NULL; + X509 *x509; + + hStore = CertOpenSystemStore(0, "ROOT"); + if (hStore) + { + while (pContext = CertEnumCertificatesInStore(hStore, pContext)) + { + x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded); + if (x509) + { + X509_STORE_add_cert(store, x509); + X509_free(x509); + } + } + } + + CertFreeCertificateContext(pContext); + CertCloseStore(hStore, 0); + } +#endif + #endif }