office-gobmx/external/neon/neon.patch
Jan-Marek Glogowski 07379e0eb2 neon: upgrade to release 0.31.1
Drops some of the LO patches upstreamed since 0.31.0.

Version 0.31.0 introduced an new session flag for MS SharePoint
compatibility, NE_SESSFLAG_SHAREPOINT, which enables a few
workarounds, where SharePoint breaks the WebDAV RFCs.

In 0.31.1 a compiler warning and the MD5 ABI break introduced in
0.31.0 are fixed, so LO can now update neon.

Change-Id: Ia79ce530271664c0e6bab30a5e2516319da328d8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91070
Tested-by: Jenkins
Reviewed-by: Jan-Marek Glogowski <glogow@fbihome.de>
2020-05-31 11:50:42 +02:00

311 lines
10 KiB
Diff

--- src/ne_auth.c 2010-10-14 17:00:53.000000000 +0200
+++ src/ne_auth.c 2011-02-03 10:31:22.000000000 +0100
@@ -367,7 +367,7 @@
static int get_credentials(auth_session *sess, ne_buffer **errmsg, int attempt,
struct auth_challenge *chall, char *pwbuf)
{
- if (chall->handler->creds(chall->handler->userdata, sess->realm,
+ if (chall->handler->creds(chall->handler->userdata, chall->protocol->name, sess->realm,
chall->handler->attempt++, sess->username, pwbuf) == 0) {
return 0;
} else {
@@ -385,15 +385,19 @@
{
char *tmp, password[NE_ABUFSIZ];
+#if 0 /* Workaround - IIS sends challenge without realm. */
+
/* Verify challenge... must have a realm */
if (parms->realm == NULL) {
challenge_error(errmsg, _("missing realm in Basic challenge"));
return -1;
}
+#endif
clean_session(sess);
- sess->realm = ne_strdup(parms->realm);
+ if (parms->realm != NULL)
+ sess->realm = ne_strdup(parms->realm);
if (get_credentials(sess, errmsg, attempt, parms, password)) {
/* Failed to get credentials */
@@ -610,10 +614,12 @@
return NULL;
}
-static int continue_sspi(auth_session *sess, int ntlm, const char *hdr)
+static int continue_sspi(auth_session *sess, int ntlm, const char *hdr,
+ int attempt, struct auth_challenge *parms, ne_buffer **errmsg)
{
int status;
char *response = NULL;
+ char password[NE_ABUFSIZ];
NE_DEBUG(NE_DBG_HTTPAUTH, "auth: SSPI challenge.\n");
@@ -630,8 +636,17 @@
return status;
}
}
-
- status = ne_sspi_authenticate(sess->sspi_context, hdr, &response);
+
+ /* Authentification needs more than one http request.
+ * As long as authentification in progress use the existing credentials.
+ * Otherwise get new credentials.*/
+ if (!hdr)
+ if (get_credentials(sess, errmsg, attempt, parms, password)) {
+ /* Failed to get credentials */
+ return -1;
+ }
+
+ status = ne_sspi_authenticate(sess->sspi_context, hdr, &response, sess->username, password);
if (status) {
return status;
}
@@ -651,7 +666,7 @@
{
int ntlm = ne_strcasecmp(parms->protocol->name, "NTLM") == 0;
- return continue_sspi(sess, ntlm, parms->opaque);
+ return continue_sspi(sess, ntlm, parms->opaque, attempt, parms, errmsg);
}
static int verify_sspi(struct auth_request *req, auth_session *sess,
@@ -674,7 +689,7 @@
return NE_OK;
}
- return continue_sspi(sess, ntlm, ptr);
+ return continue_sspi(sess, ntlm, ptr, 0, NULL, NULL);
}
#endif
--- src/ne_auth.h 2009-09-01 22:13:12.000000000 +0200
+++ src/ne_auth.h 2011-02-03 10:26:20.000000000 +0100
@@ -47,8 +47,8 @@
* Hint: if you just wish to attempt authentication just once (even if
* the user gets the username/password wrong), have the callback
* function use 'attempt' value as the function return value. */
-typedef int (*ne_auth_creds)(void *userdata, const char *realm, int attempt,
- char *username, char *password);
+typedef int (*ne_auth_creds)(void *userdata, const char * auth_protocol,
+ const char *realm, int attempt, char *username, char *password);
/* Set callbacks to provide credentials for server and proxy
* authentication, using the default set of authentication protocols.
--- src/ne_locks.c 2007-02-05 11:09:27.000000000 +0100
+++ src/ne_locks.c 2011-02-03 10:26:21.000000000 +0100
@@ -579,6 +579,23 @@
const char *token = ne_get_response_header(ctx->req, "Lock-Token");
/* at the root element; retrieve the Lock-Token header,
* and bail if it wasn't given. */
+#ifdef IIS_LOCK_BUG_WORKAROUND
+ /* MS IIS violates RFC 2518/4918. It does not send a Lock-Token response
+ header upon successful creation of a new lock. As a workaround, we
+ will try to pick the lock token from the response body (although
+ this is not 100% safe in case of multiple activelocks). */
+ if (token == NULL)
+ NE_DEBUG(NE_DBG_LOCKS,
+ "Ignoring missing LOCK response Lock-Token header\n");
+
+ if (token != NULL) {
+ if (token[0] == '<') token++;
+ ctx->token = ne_strdup(token);
+ ne_shave(ctx->token, ">");
+ NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
+ ctx->token);
+ }
+#else
if (token == NULL) {
ne_xml_set_error(ctx->parser,
_("LOCK response missing Lock-Token header"));
@@ -590,12 +607,28 @@
ne_shave(ctx->token, ">");
NE_DEBUG(NE_DBG_LOCKS, "lk_startelm: Finding token %s\n",
ctx->token);
+#endif
}
/* TODO: only accept 'prop' as root for LOCK response */
if (!can_accept(parent, id))
return NE_XML_DECLINE;
+#ifdef IIS_LOCK_BUG_WORKAROUND
+ if (id == ELM_activelock && ctx->found) {
+ /* Found another activelock... */
+ const char *token = ne_get_response_header(ctx->req, "Lock-Token");
+ if (token == NULL) {
+ /* Response contains more than one activelock and no Lock-Token
+ * response header. We are doomed. No safe workaround for IIS
+ * lock bug possible. */
+ ne_xml_set_error(ctx->parser,
+ _("LOCK response missing Lock-Token header and more than one activelock"));
+ return NE_XML_ABORT;
+ }
+ }
+#endif
+
if (id == ELM_activelock && !ctx->found) {
/* a new activelock */
ne_lock_free(&ctx->active);
@@ -621,7 +654,12 @@
return -1;
if (state == ELM_activelock) {
+#ifdef IIS_LOCK_BUG_WORKAROUND
+ if (ctx->active.token) {
+ ctx->token = ne_strdup(ctx->active.token);
+#else
if (ctx->active.token && strcmp(ctx->active.token, ctx->token) == 0) {
+#endif
ctx->found = 1;
}
}
--- src/ne_sspi.c 2007-08-10 17:26:08.000000000 +0200
+++ src/ne_sspi.c 2011-02-03 10:26:21.000000000 +0100
@@ -206,6 +206,45 @@
}
/*
+ * Simplification wrapper arround AcquireCredentialsHandle as most of
+ * the parameters do not change.
+ */
+static int acquireCredentialsHandleForUsername(CredHandle * credentials, char *package, const char *username, const char *password)
+{
+ SECURITY_STATUS status;
+ TimeStamp timestamp;
+
+ const char *domain = "";
+
+ int rc, rcISC;
+ SecPkgInfo *secPackInfo;
+ SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
+ int bytesReceived = 0, bytesSent = 0;
+
+ nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof(SEC_WINNT_AUTH_IDENTITY) );
+ memset( nameAndPwd, '\0', sizeof (*nameAndPwd) );
+ nameAndPwd->Domain = (unsigned char *) _strdup( domain? domain: "" );
+ nameAndPwd->DomainLength = domain? strlen( domain ): 0;
+ nameAndPwd->User = (unsigned char *) _strdup( username? username: "" );
+ nameAndPwd->UserLength = username? strlen( username ): 0;
+ nameAndPwd->Password = (unsigned char *) _strdup( password? password: "" );
+ nameAndPwd->PasswordLength = password? strlen( password ): 0;
+ nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
+
+ status = pSFT->AcquireCredentialsHandle( NULL, package, SECPKG_CRED_OUTBOUND,
+ NULL, nameAndPwd, NULL, NULL, credentials, &timestamp );
+
+ if (status != SEC_E_OK) {
+ NE_DEBUG(NE_DBG_HTTPAUTH,
+ "sspi: AcquireCredentialsHandle [fail] [%x].\n", status);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+/*
* Wrapper around initializeSecurityContext. Supplies several
* default parameters as well as logging in case of errors.
*/
@@ -483,7 +522,7 @@
* Processes received authentication tokens as well as supplies the
* response token.
*/
-int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken)
+int ne_sspi_authenticate(void *context, const char *base64Token, char **responseToken, const char* username, const char* password)
{
SecBufferDesc outBufferDesc;
SecBuffer outBuffer;
@@ -561,13 +600,22 @@
/* Reset any existing context since we are starting over */
resetContext(sspiContext);
- if (acquireCredentialsHandle
- (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
- freeBuffer(&outBufferDesc);
- NE_DEBUG(NE_DBG_HTTPAUTH,
- "sspi: acquireCredentialsHandle failed.\n");
- return -1;
- }
+ if (strlen(username) != 0) {
+ if (acquireCredentialsHandleForUsername
+ (&sspiContext->credentials, sspiContext->mechanism, username, password) != SEC_E_OK) {
+ freeBuffer(&outBufferDesc);
+ NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandleForUsername failed.\n");
+ return -1;
+ }
+ } else {
+ if (acquireCredentialsHandle
+ (&sspiContext->credentials, sspiContext->mechanism) != SEC_E_OK) {
+ freeBuffer(&outBufferDesc);
+ NE_DEBUG(NE_DBG_HTTPAUTH, "sspi: acquireCredentialsHandle failed.\n");
+ return -1;
+ }
+ }
+
securityStatus =
initializeSecurityContext(&sspiContext->credentials, NULL,
--- src/ne_sspi.h 2006-02-12 13:05:14.000000000 +0100
+++ src/ne_sspi.h 2011-02-03 10:26:21.000000000 +0100
@@ -41,7 +41,7 @@
int ne_sspi_clear_context(void *context);
int ne_sspi_authenticate(void *context, const char *base64Token,
- char **responseToken);
+ char **responseToken, const char* username, const char* password);
#endif /* HAVE_SSPI */
--- src/ne_openssl.c
+++ src/ne_openssl.c
@@ -43,6 +43,13 @@
#endif
#endif
+#ifdef _WIN32
+#define X509_NAME WIN32_X509_NAME
+#include <windows.h>
+#include <wincrypt.h>
+#undef X509_NAME
+#endif
+
#include "ne_ssl.h"
#include "ne_string.h"
#include "ne_session.h"
@@ -798,6 +805,31 @@
X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
#else
X509_STORE_set_default_paths(store);
+#ifdef _WIN32
+ {
+ HCERTSTORE hStore;
+ PCCERT_CONTEXT pContext = NULL;
+ X509 *x509;
+
+ hStore = CertOpenSystemStore(0, "ROOT");
+ if (hStore)
+ {
+ while (pContext = CertEnumCertificatesInStore(hStore, pContext))
+ {
+ x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
+ if (x509)
+ {
+ X509_STORE_add_cert(store, x509);
+ X509_free(x509);
+ }
+ }
+ }
+
+ CertFreeCertificateContext(pContext);
+ CertCloseStore(hStore, 0);
+ }
+#endif
+
#endif
}