NTLM_WB: drop support

The feature has not worked for months and has been marked as DEPRECATED for six+ months. Closes #13249
2024-03-31 16:54:28 +02:00 · 2024-03-31 16:54:28 +02:00 · 50def7c881
commit 50def7c881
parent 9e848439d8
21 changed files with 25 additions and 723 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1559,9 +1559,6 @@ if(NOT CURL_DISABLE_INSTALL)
                          (HAVE_GSSAPI OR USE_WINDOWS_SSPI))
  _add_if("NTLM"          NOT (CURL_DISABLE_NTLM) AND
                          (use_curl_ntlm_core OR USE_WINDOWS_SSPI))
  _add_if("NTLM_WB"       NOT (CURL_DISABLE_NTLM) AND
                          (use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND
                          NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
  _add_if("TLS-SRP"       USE_TLS_SRP)
  _add_if("HTTP2"         USE_NGHTTP2)
  _add_if("HTTP3"         USE_NGTCP2 OR USE_QUICHE OR USE_OPENSSL_QUIC)
--- a/configure.ac
+++ b/configure.ac
@ -4179,10 +4179,6 @@ AS_HELP_STRING([--disable-ntlm],[Disable NTLM support]),
       AC_MSG_RESULT(yes)
 )
 CURL_CHECK_OPTION_NTLM_WB
 CURL_CHECK_NTLM_WB
 dnl ************************************************************
 dnl disable TLS-SRP authentication
 dnl
@ -4729,11 +4725,6 @@ if test "x$CURL_DISABLE_NTLM" != "x1"; then
  if test "x$use_curl_ntlm_core" = "xyes" \
      -o "x$USE_WINDOWS_SSPI" = "x1"; then
    SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
    if test "x$CURL_DISABLE_HTTP" != "x1" -a \
        "x$NTLM_WB_ENABLED" = "x1"; then
      SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_WB"
    fi
  fi
 fi
--- a/docs/DEPRECATE.md
+++ b/docs/DEPRECATE.md
@ -12,21 +12,6 @@ email the
 as soon as possible and explain to us why this is a problem for you and
 how your use case cannot be satisfied properly using a workaround.
 ## NTLM_WB auth
 This NTLM authentication method is powered by a separate tool,
 `ntlm_auth`. Barely anyone uses this method. It was always a quirky
 implementation (including fork + exec), it has limited portability and we do
 not test it in the test suite and CI.
 We keep the native NTLM implementation.
 Due to a mistake, the `NTLM_WB` functionality is missing in builds since 8.4.0
 (October 2023). It needs to be manually patched to work. See [PR
 12479](https://github.com/curl/curl/pull/12479).
 curl removes the support for NTLM_WB auth in April 2024.
 ## space-separated `NOPROXY` patterns
 When specifying patterns/domain names for curl that should *not* go through a
@ -56,3 +41,4 @@ curl removes the support for space-separated names in July 2024.
 - NSS
 - gskit
 - mingw v1
 - NTLM_WB
--- a/docs/cmdline-opts/ntlm-wb.md
+++ b/docs/cmdline-opts/ntlm-wb.md
@ -16,5 +16,7 @@ Example:
 # `--ntlm-wb`
-Enables NTLM much in the style --ntlm does, but hand over the authentication
+Deprecated option (added in 8.8.0).
-to the separate binary `ntlmauth` application that is executed when needed.
+
 Enabled NTLM much in the style --ntlm does, but handed over the authentication
 to a separate executable that was executed when needed.
--- a/docs/libcurl/curl_version_info.md
+++ b/docs/libcurl/curl_version_info.md
@ -267,7 +267,7 @@ supports HTTP NTLM (added in 7.10.6)
 *features* mask bit: CURL_VERSION_NTLM_WB
 libcurl was built with support for NTLM delegation to a winbind helper.
-(Added in 7.22.0)
+(Added in 7.22.0) This feature was removed from curl in 8.8.0.
 ## PSL
--- a/docs/libcurl/opts/CURLOPT_HTTPAUTH.md
+++ b/docs/libcurl/opts/CURLOPT_HTTPAUTH.md
@ -84,6 +84,8 @@ option to work, or build libcurl on Windows with SSPI support.
 ## CURLAUTH_NTLM_WB
 Support for this is removed since libcurl 8.8.0.
 NTLM delegating to winbind helper. Authentication is performed by a separate
 binary application that is executed when needed. The name of the application
 is specified at compile time but is typically **/usr/bin/ntlm_auth**.
--- a/docs/libcurl/opts/CURLOPT_NOSIGNAL.md
+++ b/docs/libcurl/opts/CURLOPT_NOSIGNAL.md
@ -40,9 +40,7 @@ ignore SIGPIPE signals, which otherwise are sent by the system when trying to
 send data to a socket which is closed in the other end. libcurl makes an
 effort to never cause such SIGPIPE signals to trigger, but some operating
 systems have no way to avoid them and even on those that have there are some
-corner cases when they may still happen, contrary to our desire. In addition,
+corner cases when they may still happen, contrary to our desire.
 using *CURLAUTH_NTLM_WB* authentication could cause a SIGCHLD signal to be
 raised.
 # DEFAULT
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -811,7 +811,10 @@ typedef enum {
 #define CURLAUTH_GSSAPI CURLAUTH_NEGOTIATE
 #define CURLAUTH_NTLM         (((unsigned long)1)<<3)
 #define CURLAUTH_DIGEST_IE    (((unsigned long)1)<<4)
 #ifndef CURL_NO_OLDIES
  /* functionality removed since 8.8.0 */
 #define CURLAUTH_NTLM_WB      (((unsigned long)1)<<5)
 #endif
 #define CURLAUTH_BEARER       (((unsigned long)1)<<6)
 #define CURLAUTH_AWS_SIGV4    (((unsigned long)1)<<7)
 #define CURLAUTH_ONLY         (((unsigned long)1)<<31)
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@ -129,7 +129,6 @@ LIB_CFILES =         \
  curl_memrchr.c     \
  curl_multibyte.c   \
  curl_ntlm_core.c   \
  curl_ntlm_wb.c     \
  curl_path.c        \
  curl_range.c       \
  curl_rtmp.c        \
@ -271,7 +270,6 @@ LIB_HFILES =         \
  curl_memrchr.h     \
  curl_multibyte.h   \
  curl_ntlm_core.h   \
  curl_ntlm_wb.h     \
  curl_path.h        \
  curl_printf.h      \
  curl_range.h       \
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@ -1,500 +0,0 @@
 /***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
 #include "curl_setup.h"
 #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
    defined(NTLM_WB_ENABLED)
 /*
 * NTLM details:
 *
 * https://davenport.sourceforge.net/ntlm.html
 * https://www.innovation.ch/java/ntlm.html
 */
 #define DEBUG_ME 0
 #ifdef HAVE_SYS_WAIT_H
 #include <sys/wait.h>
 #endif
 #include <signal.h>
 #ifdef HAVE_PWD_H
 #include <pwd.h>
 #endif
 #include "urldata.h"
 #include "sendf.h"
 #include "select.h"
 #include "vauth/ntlm.h"
 #include "curl_ntlm_core.h"
 #include "curl_ntlm_wb.h"
 #include "url.h"
 #include "strerror.h"
 #include "strdup.h"
 #include "strcase.h"
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
 #include "curl_memory.h"
 #include "memdebug.h"
 #if DEBUG_ME
 # define DEBUG_OUT(x) x
 #else
 # define DEBUG_OUT(x) Curl_nop_stmt
 #endif
 /* Portable 'sclose_nolog' used only in child process instead of 'sclose'
   to avoid fooling the socket leak detector */
 #ifdef HAVE_PIPE
 #  define sclose_nolog(x)  close((x))
 #elif defined(HAVE_CLOSESOCKET)
 #  define sclose_nolog(x)  closesocket((x))
 #elif defined(HAVE_CLOSESOCKET_CAMEL)
 #  define sclose_nolog(x)  CloseSocket((x))
 #else
 #  define sclose_nolog(x)  close((x))
 #endif
 static void ntlm_wb_cleanup(struct ntlmdata *ntlm)
 {
  if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
    sclose(ntlm->ntlm_auth_hlpr_socket);
    ntlm->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
  }
  if(ntlm->ntlm_auth_hlpr_pid) {
    int i;
    for(i = 0; i < 4; i++) {
      pid_t ret = waitpid(ntlm->ntlm_auth_hlpr_pid, NULL, WNOHANG);
      if(ret == ntlm->ntlm_auth_hlpr_pid || errno == ECHILD)
        break;
      switch(i) {
      case 0:
        kill(ntlm->ntlm_auth_hlpr_pid, SIGTERM);
        break;
      case 1:
        /* Give the process another moment to shut down cleanly before
           bringing down the axe */
        Curl_wait_ms(1);
        break;
      case 2:
        kill(ntlm->ntlm_auth_hlpr_pid, SIGKILL);
        break;
      case 3:
        break;
      }
    }
    ntlm->ntlm_auth_hlpr_pid = 0;
  }
  Curl_safefree(ntlm->challenge);
  Curl_safefree(ntlm->response);
 }
 static CURLcode ntlm_wb_init(struct Curl_easy *data, struct ntlmdata *ntlm,
                             const char *userp)
 {
  curl_socket_t sockfds[2];
  pid_t child_pid;
  const char *username;
  char *slash, *domain = NULL;
  const char *ntlm_auth = NULL;
  char *ntlm_auth_alloc = NULL;
 #if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
  struct passwd pw, *pw_res;
  char pwbuf[1024];
 #endif
  char buffer[STRERROR_LEN];
 #if defined(CURL_DISABLE_VERBOSE_STRINGS)
  (void) data;
 #endif
  /* Return if communication with ntlm_auth already set up */
  if(ntlm->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD ||
     ntlm->ntlm_auth_hlpr_pid)
    return CURLE_OK;
  username = userp;
  /* The real ntlm_auth really doesn't like being invoked with an
     empty username. It won't make inferences for itself, and expects
     the client to do so (mostly because it's really designed for
     servers like squid to use for auth, and client support is an
     afterthought for it). So try hard to provide a suitable username
     if we don't already have one. But if we can't, provide the
     empty one anyway. Perhaps they have an implementation of the
     ntlm_auth helper which *doesn't* need it so we might as well try */
  if(!username || !username[0]) {
    username = getenv("NTLMUSER");
    if(!username || !username[0])
      username = getenv("LOGNAME");
    if(!username || !username[0])
      username = getenv("USER");
 #if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
    if((!username || !username[0]) &&
       !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
       pw_res) {
      username = pw.pw_name;
    }
 #endif
    if(!username || !username[0])
      username = userp;
  }
  slash = strpbrk(username, "\\/");
  if(slash) {
    domain = strdup(username);
    if(!domain)
      return CURLE_OUT_OF_MEMORY;
    slash = domain + (slash - username);
    *slash = '\0';
    username = username + (slash - domain) + 1;
  }
  /* For testing purposes, when DEBUGBUILD is defined and environment
     variable CURL_NTLM_WB_FILE is set a fake_ntlm is used to perform
     NTLM challenge/response which only accepts commands and output
     strings pre-written in test case definitions */
 #ifdef DEBUGBUILD
  ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE");
  if(ntlm_auth_alloc)
    ntlm_auth = ntlm_auth_alloc;
  else
 #endif
    ntlm_auth = NTLM_WB_FILE;
  if(access(ntlm_auth, X_OK) != 0) {
    failf(data, "Could not access ntlm_auth: %s errno %d: %s",
          ntlm_auth, errno, Curl_strerror(errno, buffer, sizeof(buffer)));
    goto done;
  }
  if(wakeup_create(sockfds)) {
    failf(data, "Could not open socket pair. errno %d: %s",
          errno, Curl_strerror(errno, buffer, sizeof(buffer)));
    goto done;
  }
  child_pid = fork();
  if(child_pid == -1) {
    wakeup_close(sockfds[0]);
    wakeup_close(sockfds[1]);
    failf(data, "Could not fork. errno %d: %s",
          errno, Curl_strerror(errno, buffer, sizeof(buffer)));
    goto done;
  }
  else if(!child_pid) {
    /*
     * child process
     */
    /* Don't use sclose in the child since it fools the socket leak detector */
    sclose_nolog(sockfds[0]);
    if(dup2(sockfds[1], STDIN_FILENO) == -1) {
      failf(data, "Could not redirect child stdin. errno %d: %s",
            errno, Curl_strerror(errno, buffer, sizeof(buffer)));
      exit(1);
    }
    if(dup2(sockfds[1], STDOUT_FILENO) == -1) {
      failf(data, "Could not redirect child stdout. errno %d: %s",
            errno, Curl_strerror(errno, buffer, sizeof(buffer)));
      exit(1);
    }
    if(domain)
      execl(ntlm_auth, ntlm_auth,
            "--helper-protocol", "ntlmssp-client-1",
            "--use-cached-creds",
            "--username", username,
            "--domain", domain,
            NULL);
    else
      execl(ntlm_auth, ntlm_auth,
            "--helper-protocol", "ntlmssp-client-1",
            "--use-cached-creds",
            "--username", username,
            NULL);
    sclose_nolog(sockfds[1]);
    failf(data, "Could not execl(). errno %d: %s",
          errno, Curl_strerror(errno, buffer, sizeof(buffer)));
    exit(1);
  }
  sclose(sockfds[1]);
  ntlm->ntlm_auth_hlpr_socket = sockfds[0];
  ntlm->ntlm_auth_hlpr_pid = child_pid;
  free(domain);
  free(ntlm_auth_alloc);
  return CURLE_OK;
 done:
  free(domain);
  free(ntlm_auth_alloc);
  return CURLE_REMOTE_ACCESS_DENIED;
 }
 /* if larger than this, something is seriously wrong */
 #define MAX_NTLM_WB_RESPONSE 100000
 static CURLcode ntlm_wb_response(struct Curl_easy *data, struct ntlmdata *ntlm,
                                 const char *input, curlntlm state)
 {
  size_t len_in = strlen(input), len_out = 0;
  struct dynbuf b;
  char *ptr = NULL;
  unsigned char buf[1024];
  Curl_dyn_init(&b, MAX_NTLM_WB_RESPONSE);
  while(len_in > 0) {
    ssize_t written = wakeup_write(ntlm->ntlm_auth_hlpr_socket, input, len_in);
    if(written == -1) {
      /* Interrupted by a signal, retry it */
      if(errno == EINTR)
        continue;
      /* write failed if other errors happen */
      goto done;
    }
    input += written;
    len_in -= written;
  }
  /* Read one line */
  while(1) {
    ssize_t size =
      wakeup_read(ntlm->ntlm_auth_hlpr_socket, buf, sizeof(buf));
    if(size == -1) {
      if(errno == EINTR)
        continue;
      goto done;
    }
    else if(size == 0)
      goto done;
    if(Curl_dyn_addn(&b, buf, size))
      goto done;
    len_out = Curl_dyn_len(&b);
    ptr = Curl_dyn_ptr(&b);
    if(len_out && ptr[len_out - 1] == '\n') {
      ptr[len_out - 1] = '\0';
      break; /* done! */
    }
    /* loop */
  }
  /* Samba/winbind installed but not configured */
  if(state == NTLMSTATE_TYPE1 &&
     len_out == 3 &&
     ptr[0] == 'P' && ptr[1] == 'W')
    goto done;
  /* invalid response */
  if(len_out < 4)
    goto done;
  if(state == NTLMSTATE_TYPE1 &&
     (ptr[0]!='Y' || ptr[1]!='R' || ptr[2]!=' '))
    goto done;
  if(state == NTLMSTATE_TYPE2 &&
     (ptr[0]!='K' || ptr[1]!='K' || ptr[2]!=' ') &&
     (ptr[0]!='A' || ptr[1]!='F' || ptr[2]!=' '))
    goto done;
  ntlm->response = strdup(ptr + 3);
  Curl_dyn_free(&b);
  if(!ntlm->response)
    return CURLE_OUT_OF_MEMORY;
  return CURLE_OK;
 done:
  Curl_dyn_free(&b);
  return CURLE_REMOTE_ACCESS_DENIED;
 }
 CURLcode Curl_input_ntlm_wb(struct Curl_easy *data,
                            struct connectdata *conn,
                            bool proxy,
                            const char *header)
 {
  struct ntlmdata *ntlm = proxy ? &conn->proxyntlm : &conn->ntlm;
  curlntlm *state = proxy ? &conn->proxy_ntlm_state : &conn->http_ntlm_state;
  (void) data;  /* In case it gets unused by nop log macros. */
  if(!checkprefix("NTLM", header))
    return CURLE_BAD_CONTENT_ENCODING;
  header += strlen("NTLM");
  while(*header && ISSPACE(*header))
    header++;
  if(*header) {
    ntlm->challenge = strdup(header);
    if(!ntlm->challenge)
      return CURLE_OUT_OF_MEMORY;
    *state = NTLMSTATE_TYPE2; /* We got a type-2 message */
  }
  else {
    if(*state == NTLMSTATE_LAST) {
      infof(data, "NTLM auth restarted");
      Curl_http_auth_cleanup_ntlm_wb(conn);
    }
    else if(*state == NTLMSTATE_TYPE3) {
      infof(data, "NTLM handshake rejected");
      Curl_http_auth_cleanup_ntlm_wb(conn);
      *state = NTLMSTATE_NONE;
      return CURLE_REMOTE_ACCESS_DENIED;
    }
    else if(*state >= NTLMSTATE_TYPE1) {
      infof(data, "NTLM handshake failure (internal error)");
      return CURLE_REMOTE_ACCESS_DENIED;
    }
    *state = NTLMSTATE_TYPE1; /* We should send away a type-1 */
  }
  return CURLE_OK;
 }
 /*
 * This is for creating ntlm header output by delegating challenge/response
 * to Samba's winbind daemon helper ntlm_auth.
 */
 CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn,
                             bool proxy)
 {
  /* point to the address of the pointer that holds the string to send to the
     server, which is for a plain host or for an HTTP proxy */
  char **allocuserpwd;
  /* point to the name and password for this */
  const char *userp;
  struct ntlmdata *ntlm;
  curlntlm *state;
  struct auth *authp;
  CURLcode res = CURLE_OK;
  DEBUGASSERT(conn);
  DEBUGASSERT(data);
  if(proxy) {
 #ifndef CURL_DISABLE_PROXY
    allocuserpwd = &data->state.aptr.proxyuserpwd;
    userp = conn->http_proxy.user;
    ntlm = &conn->proxyntlm;
    state = &conn->proxy_ntlm_state;
    authp = &data->state.authproxy;
 #else
    return CURLE_NOT_BUILT_IN;
 #endif
  }
  else {
    allocuserpwd = &data->state.aptr.userpwd;
    userp = conn->user;
    ntlm = &conn->ntlm;
    state = &conn->http_ntlm_state;
    authp = &data->state.authhost;
  }
  authp->done = FALSE;
  /* not set means empty */
  if(!userp)
    userp = "";
  switch(*state) {
  case NTLMSTATE_TYPE1:
  default:
    /* Use Samba's 'winbind' daemon to support NTLM authentication,
     * by delegating the NTLM challenge/response protocol to a helper
     * in ntlm_auth.
     * https://web.archive.org/web/20190925164737
     * /devel.squid-cache.org/ntlm/squid_helper_protocol.html
     * https://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
     * https://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
     * Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this
     * feature is enabled and 'NTLM_WB_FILE' symbol holds absolute
     * filename of ntlm_auth helper.
     * If NTLM authentication using winbind fails, go back to original
     * request handling process.
     */
    /* Create communication with ntlm_auth */
    res = ntlm_wb_init(data, ntlm, userp);
    if(res)
      return res;
    res = ntlm_wb_response(data, ntlm, "YR\n", *state);
    if(res)
      return res;
    free(*allocuserpwd);
    *allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
                            proxy ? "Proxy-" : "",
                            ntlm->response);
    DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
    Curl_safefree(ntlm->response);
    if(!*allocuserpwd)
      return CURLE_OUT_OF_MEMORY;
    break;
  case NTLMSTATE_TYPE2: {
    char *input = aprintf("TT %s\n", ntlm->challenge);
    if(!input)
      return CURLE_OUT_OF_MEMORY;
    res = ntlm_wb_response(data, ntlm, input, *state);
    free(input);
    if(res)
      return res;
    free(*allocuserpwd);
    *allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
                            proxy ? "Proxy-" : "",
                            ntlm->response);
    DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
    *state = NTLMSTATE_TYPE3; /* we sent a type-3 */
    authp->done = TRUE;
    Curl_http_auth_cleanup_ntlm_wb(conn);
    if(!*allocuserpwd)
      return CURLE_OUT_OF_MEMORY;
    break;
  }
  case NTLMSTATE_TYPE3:
    /* connection is already authenticated,
     * don't send a header in future requests */
    *state = NTLMSTATE_LAST;
    FALLTHROUGH();
  case NTLMSTATE_LAST:
    Curl_safefree(*allocuserpwd);
    authp->done = TRUE;
    break;
  }
  return CURLE_OK;
 }
 void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
 {
  ntlm_wb_cleanup(&conn->ntlm);
  ntlm_wb_cleanup(&conn->proxyntlm);
 }
 #endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
--- a/lib/curl_ntlm_wb.h
+++ b/lib/curl_ntlm_wb.h
@ -1,45 +0,0 @@
 #ifndef HEADER_CURL_NTLM_WB_H
 #define HEADER_CURL_NTLM_WB_H
 /***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
 #include "curl_setup.h"
 #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
    defined(NTLM_WB_ENABLED)
 /* this is for ntlm header input */
 CURLcode Curl_input_ntlm_wb(struct Curl_easy *data,
                            struct connectdata *conn, bool proxy,
                            const char *header);
 /* this is for creating ntlm header output */
 CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn,
                             bool proxy);
 void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn);
 #endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
 #endif /* HEADER_CURL_NTLM_WB_H */
--- a/lib/http.c
+++ b/lib/http.c
@ -65,7 +65,6 @@
 #include "vquic/vquic.h"
 #include "http_digest.h"
 #include "http_ntlm.h"
 #include "curl_ntlm_wb.h"
 #include "http_negotiate.h"
 #include "http_aws_sigv4.h"
 #include "url.h"
@ -386,8 +385,6 @@ static bool pickoneauth(struct auth *pick, unsigned long mask)
 #endif
  else if(avail & CURLAUTH_NTLM)
    pick->picked = CURLAUTH_NTLM;
  else if(avail & CURLAUTH_NTLM_WB)
    pick->picked = CURLAUTH_NTLM_WB;
 #ifndef CURL_DISABLE_BASIC_AUTH
  else if(avail & CURLAUTH_BASIC)
    pick->picked = CURLAUTH_BASIC;
@ -446,9 +443,7 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data,
    /* We'd like to abort the upload - but should we? */
 #if defined(USE_NTLM)
    if((data->state.authproxy.picked == CURLAUTH_NTLM) ||
-       (data->state.authhost.picked == CURLAUTH_NTLM) ||
+       (data->state.authhost.picked == CURLAUTH_NTLM)) {
       (data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
       (data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
      ongoing_auth = "NTML";
      if((conn->http_ntlm_state != NTLMSTATE_NONE) ||
         (conn->proxy_ntlm_state != NTLMSTATE_NONE)) {
@ -627,15 +622,6 @@ output_auth_headers(struct Curl_easy *data,
  }
  else
 #endif
 #if defined(USE_NTLM) && defined(NTLM_WB_ENABLED)
  if(authstatus->picked == CURLAUTH_NTLM_WB) {
    auth = "NTLM_WB";
    result = Curl_output_ntlm_wb(data, conn, proxy);
    if(result)
      return result;
  }
  else
 #endif
 #ifndef CURL_DISABLE_DIGEST_AUTH
  if(authstatus->picked == CURLAUTH_DIGEST) {
    auth = "Digest";
@ -925,31 +911,15 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy,
      /* NTLM support requires the SSL crypto libs */
      if(checkprefix("NTLM", auth) && is_valid_auth_separator(auth[4])) {
        if((authp->avail & CURLAUTH_NTLM) ||
           (authp->avail & CURLAUTH_NTLM_WB) ||
           Curl_auth_is_ntlm_supported()) {
          *availp |= CURLAUTH_NTLM;
          authp->avail |= CURLAUTH_NTLM;
-          if(authp->picked == CURLAUTH_NTLM ||
+          if(authp->picked == CURLAUTH_NTLM) {
             authp->picked == CURLAUTH_NTLM_WB) {
            /* NTLM authentication is picked and activated */
            CURLcode result = Curl_input_ntlm(data, proxy, auth);
            if(!result) {
              data->state.authproblem = FALSE;
 #ifdef NTLM_WB_ENABLED
              if(authp->picked == CURLAUTH_NTLM_WB) {
                *availp &= ~CURLAUTH_NTLM;
                authp->avail &= ~CURLAUTH_NTLM;
                *availp |= CURLAUTH_NTLM_WB;
                authp->avail |= CURLAUTH_NTLM_WB;
                result = Curl_input_ntlm_wb(data, conn, proxy, auth);
                if(result) {
                  infof(data, "Authentication problem. Ignoring this.");
                  data->state.authproblem = TRUE;
                }
              }
 #endif
            }
            else {
              infof(data, "Authentication problem. Ignoring this.");
--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@ -40,7 +40,6 @@
 #include "strcase.h"
 #include "http_ntlm.h"
 #include "curl_ntlm_core.h"
 #include "curl_ntlm_wb.h"
 #include "curl_base64.h"
 #include "vauth/vauth.h"
 #include "url.h"
@ -266,10 +265,6 @@ void Curl_http_auth_cleanup_ntlm(struct connectdata *conn)
 {
  Curl_auth_cleanup_ntlm(&conn->ntlm);
  Curl_auth_cleanup_ntlm(&conn->proxyntlm);
 #if defined(NTLM_WB_ENABLED)
  Curl_http_auth_cleanup_ntlm_wb(conn);
 #endif
 }
 #endif /* !CURL_DISABLE_HTTP && USE_NTLM */
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -1024,9 +1024,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
    /* switch off bits we can't support */
 #ifndef USE_NTLM
    auth &= ~CURLAUTH_NTLM;    /* no NTLM support */
    auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
 #elif !defined(NTLM_WB_ENABLED)
    auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
 #endif
 #ifndef USE_SPNEGO
    auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without
@ -1105,9 +1102,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
    /* switch off bits we can't support */
 #ifndef USE_NTLM
    auth &= ~CURLAUTH_NTLM;    /* no NTLM support */
    auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
 #elif !defined(NTLM_WB_ENABLED)
    auth &= ~CURLAUTH_NTLM_WB; /* no NTLM_WB support */
 #endif
 #ifndef USE_SPNEGO
    auth &= ~CURLAUTH_NEGOTIATE; /* no Negotiate (SPNEGO) auth without
--- a/lib/url.c
+++ b/lib/url.c
@ -937,13 +937,12 @@ ConnectionExists(struct Curl_easy *data,
  struct Curl_llist_element *curr;
 #ifdef USE_NTLM
-  bool wantNTLMhttp = ((data->state.authhost.want &
+  bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) &&
                        (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
                       (needle->handler->protocol & PROTO_FAMILY_HTTP));
 #ifndef CURL_DISABLE_PROXY
  bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
                            ((data->state.authproxy.want &
-                              (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+                              CURLAUTH_NTLM) &&
                             (needle->handler->protocol & PROTO_FAMILY_HTTP)));
 #else
  bool wantProxyNTLMhttp = FALSE;
@ -1415,12 +1414,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
  conn->connect_only = data->set.connect_only;
  conn->transport = TRNSPRT_TCP; /* most of them are TCP streams */
 #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
    defined(NTLM_WB_ENABLED)
  conn->ntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
  conn->proxyntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
 #endif
  /* Initialize the easy handle list */
  Curl_llist_init(&conn->easyq, NULL);
@ -3752,14 +3745,14 @@ static CURLcode create_conn(struct Curl_easy *data,
    /* If NTLM is requested in a part of this connection, make sure we don't
       assume the state is fine as this is a fresh connection and NTLM is
       connection based. */
-    if((data->state.authhost.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+    if((data->state.authhost.picked & CURLAUTH_NTLM) &&
       data->state.authhost.done) {
      infof(data, "NTLM picked AND auth done set, clear picked");
      data->state.authhost.picked = CURLAUTH_NONE;
      data->state.authhost.done = FALSE;
    }
-    if((data->state.authproxy.picked & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+    if((data->state.authproxy.picked & CURLAUTH_NTLM) &&
       data->state.authproxy.done) {
      infof(data, "NTLM-proxy picked AND auth done set, clear picked");
      data->state.authproxy.picked = CURLAUTH_NONE;
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -444,14 +444,6 @@ struct ntlmdata {
  unsigned char nonce[8];
  unsigned int target_info_len;
  void *target_info; /* TargetInfo received in the ntlm type-2 message */
 #if defined(NTLM_WB_ENABLED)
  /* used for communication with Samba's winbind daemon helper ntlm_auth */
  curl_socket_t ntlm_auth_hlpr_socket;
  pid_t ntlm_auth_hlpr_pid;
  char *challenge; /* The received base64 encoded ntlm type-2 message */
  char *response;  /* The generated base64 ntlm type-1/type-3 message */
 #endif
 #endif
 };
 #endif
--- a/lib/version.c
+++ b/lib/version.c
@ -497,10 +497,6 @@ static const struct feat features_table[] = {
 #ifdef USE_NTLM
  FEATURE("NTLM",        NULL,                CURL_VERSION_NTLM),
 #endif
 #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
  defined(NTLM_WB_ENABLED)
  FEATURE("NTLM_WB",     NULL,                CURL_VERSION_NTLM_WB),
 #endif
 #if defined(USE_LIBPSL)
  FEATURE("PSL",         NULL,                CURL_VERSION_PSL),
 #endif
--- a/m4/curl-confopts.m4
+++ b/m4/curl-confopts.m4
@ -568,70 +568,6 @@ AC_DEFUN([CURL_CHECK_LIB_ARES], [
  fi
 ])
 dnl CURL_CHECK_OPTION_NTLM_WB
 dnl -------------------------------------------------
 dnl Verify if configure has been invoked with option
 dnl --enable-ntlm-wb or --disable-ntlm-wb, and set
 dnl shell variable want_ntlm_wb and want_ntlm_wb_file
 dnl as appropriate.
 AC_DEFUN([CURL_CHECK_OPTION_NTLM_WB], [
  AC_BEFORE([$0],[CURL_CHECK_NTLM_WB])dnl
  OPT_NTLM_WB="default"
  AC_ARG_ENABLE(ntlm-wb,
 AS_HELP_STRING([--enable-ntlm-wb@<:@=FILE@:>@],[Enable NTLM delegation to winbind's ntlm_auth helper, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)])
 AS_HELP_STRING([--disable-ntlm-wb],[Disable NTLM delegation to winbind's ntlm_auth helper]),
  OPT_NTLM_WB=$enableval)
  want_ntlm_wb_file="/usr/bin/ntlm_auth"
  case "$OPT_NTLM_WB" in
    no)
      dnl --disable-ntlm-wb option used
      want_ntlm_wb="no"
      ;;
    default)
      dnl configure option not specified
      want_ntlm_wb="yes"
      ;;
    *)
      dnl --enable-ntlm-wb option used
      want_ntlm_wb="yes"
      if test -n "$enableval" && test "$enableval" != "yes"; then
        want_ntlm_wb_file="$enableval"
      fi
      ;;
  esac
 ])
 dnl CURL_CHECK_NTLM_WB
 dnl -------------------------------------------------
 dnl Check if support for NTLM delegation to winbind's
 dnl ntlm_auth helper will finally be enabled depending
 dnl on given configure options and target platform.
 AC_DEFUN([CURL_CHECK_NTLM_WB], [
  AC_REQUIRE([CURL_CHECK_OPTION_NTLM_WB])dnl
  AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl
  AC_MSG_CHECKING([whether to enable NTLM delegation to winbind's helper])
  if test "$curl_cv_native_windows" = "yes" ||
    test "x$SSL_ENABLED" = "x"; then
    want_ntlm_wb_file=""
    want_ntlm_wb="no"
  elif test "x$ac_cv_func_fork" != "xyes"; then
    dnl ntlm_wb requires fork
    want_ntlm_wb="no"
  fi
  AC_MSG_RESULT([$want_ntlm_wb])
  if test "$want_ntlm_wb" = "yes"; then
    AC_DEFINE(NTLM_WB_ENABLED, 1,
      [Define to enable NTLM delegation to winbind's ntlm_auth helper.])
    AC_DEFINE_UNQUOTED(NTLM_WB_FILE, "$want_ntlm_wb_file",
      [Define absolute filename for winbind's ntlm_auth helper.])
    NTLM_WB_ENABLED=1
  fi
 ])
 dnl CURL_CHECK_OPTION_ECH
 dnl -----------------------------------------------------
 dnl Verify whether configure has been invoked with option
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -1356,6 +1356,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
      nextarg = (char *)"";
    switch(cmd) {
    case C_RANDOM_FILE: /* --random-file */
    case C_EGD_FILE: /* --egd-file */
    case C_NTLM_WB: /* --ntlm-wb */
      warnf(global, "--%s is deprecated and has no function anymore",
            a->lname);
      break;
    case C_DNS_IPV4_ADDR: /* --dns-ipv4-addr */
      if(!curlinfo->ares_num) /* c-ares is needed for this */
        err = PARAM_LIBCURL_DOESNT_SUPPORT;
@ -1370,10 +1376,6 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
        /* addr in dot notation */
        err = getstr(&config->dns_ipv6_addr, nextarg, DENY_BLANK);
      break;
    case C_RANDOM_FILE: /* --random-file */
      break;
    case C_EGD_FILE: /* --egd-file */
      break;
    case C_OAUTH2_BEARER: /* --oauth2-bearer */
      err = getstr(&config->oauth_bearer, nextarg, DENY_BLANK);
      if(!err) {
@ -1480,14 +1482,6 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
      else
        err = PARAM_LIBCURL_DOESNT_SUPPORT;
      break;
    case C_NTLM_WB: /* --ntlm-wb */
      if(!toggle)
        config->authtype &= ~CURLAUTH_NTLM_WB;
      else if(feature_ntlm_wb)
        config->authtype |= CURLAUTH_NTLM_WB;
      else
        err = PARAM_LIBCURL_DOESNT_SUPPORT;
      break;
    case C_BASIC: /* --basic */
      if(toggle)
        config->authtype |= CURLAUTH_BASIC;
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@ -78,7 +78,6 @@ const struct NameValueUnsigned setopt_nv_CURLAUTH[] = {
  NV(CURLAUTH_GSSNEGOTIATE),
  NV(CURLAUTH_NTLM),
  NV(CURLAUTH_DIGEST_IE),
  NV(CURLAUTH_NTLM_WB),
  NV(CURLAUTH_ONLY),
  NV(CURLAUTH_NONE),
  NVEND,
--- a/tests/test1177.pl
+++ b/tests/test1177.pl
@ -65,6 +65,7 @@ while(<$s>) {
    }
 }
 close($s);
 $sourcename{'NTLM_WB'}++; # deprecated, fake its presence in code
 for my $h (keys %headerversion) {
    if(!$manversion{$h}) {