Merge pull request libgit2#5052 from libgit2/ethomson/netrefactor

Add NTLM support for HTTP(s) servers and proxies

Author: ethomson

CMakeLists.txt

@@ -67,6 +67,10 @@ OPTION(USE_BUNDLED_ZLIB    		"Use the bundled version of zlib"			OFF)
 OPTION(DEPRECATE_HARD			"Do not include deprecated functions in the library"	OFF)
    SET(REGEX_BACKEND			"" CACHE STRING "Regular expression implementation. One of regcomp_l, pcre2, pcre, regcomp, or builtin.")
 
+IF (UNIX)
+	OPTION(USE_NTLMCLIENT		"Enable NTLM support on Unix."				ON )
+ENDIF()
+
 IF (UNIX AND NOT APPLE)
 	OPTION(ENABLE_REPRODUCIBLE_BUILDS "Enable reproducible builds"				OFF)
 ENDIF()

ci/test.ps1

@@ -38,18 +38,25 @@ Write-Host "## Configuring test environment"
 Write-Host "##############################################################################"
 
 if (-not $Env:SKIP_PROXY_TESTS) {
+	Invoke-WebRequest -Method GET -Uri https://github.com/ethomson/poxyproxy/releases/download/v0.7.0/poxyproxy-0.7.0.jar -OutFile poxyproxy.jar
+
+	Write-Host ""
+	Write-Host "Starting HTTP proxy (Basic)..."
+	javaw -jar poxyproxy.jar --port 8080 --credentials foo:bar --auth-type basic --quiet
+
 	Write-Host ""
-	Write-Host "Starting HTTP proxy..."
-	Invoke-WebRequest -Method GET -Uri https://github.com/ethomson/poxyproxy/releases/download/v0.4.0/poxyproxy-0.4.0.jar -OutFile poxyproxy.jar
-	javaw -jar poxyproxy.jar -d --port 8080 --credentials foo:bar --quiet
+	Write-Host "Starting HTTP proxy (NTLM)..."
+	javaw -jar poxyproxy.jar --port 8090 --credentials foo:bar --auth-type ntlm --quiet
 }
 
-Write-Host ""
-Write-Host "##############################################################################"
-Write-Host "## Running (offline) tests"
-Write-Host "##############################################################################"
+if (-not $Env:SKIP_OFFLINE_TESTS) {
+	Write-Host ""
+	Write-Host "##############################################################################"
+	Write-Host "## Running (offline) tests"
+	Write-Host "##############################################################################"
 
-run_test offline
+	run_test offline
+}
 
 if ($Env:RUN_INVASIVE_TESTS) {
 	Write-Host ""
@@ -76,14 +83,24 @@ if (-not $Env:SKIP_ONLINE_TESTS) {
 }
 
 if (-not $Env:SKIP_PROXY_TESTS) {
+	# Test HTTP Basic authentication
 	Write-Host ""
-	Write-Host "Running proxy tests"
+	Write-Host "Running proxy tests (Basic authentication)"
 	Write-Host ""
 
 	$Env:GITTEST_REMOTE_PROXY_HOST="localhost:8080"
 	$Env:GITTEST_REMOTE_PROXY_USER="foo"
 	$Env:GITTEST_REMOTE_PROXY_PASS="bar"
+	run_test proxy
 
+	# Test NTLM authentication
+	Write-Host ""
+	Write-Host "Running proxy tests (NTLM authentication)"
+	Write-Host ""
+
+	$Env:GITTEST_REMOTE_PROXY_HOST="localhost:8090"
+	$Env:GITTEST_REMOTE_PROXY_USER="foo"
+	$Env:GITTEST_REMOTE_PROXY_PASS="bar"
 	run_test proxy
 
 	$Env:GITTEST_REMOTE_PROXY_HOST=$null

ci/test.sh

@@ -78,9 +78,15 @@ if [ -z "$SKIP_GITDAEMON_TESTS" ]; then
 fi
 
 if [ -z "$SKIP_PROXY_TESTS" ]; then
-	echo "Starting HTTP proxy..."
-	curl -L https://github.com/ethomson/poxyproxy/releases/download/v0.4.0/poxyproxy-0.4.0.jar >poxyproxy.jar
-	java -jar poxyproxy.jar -d --address 127.0.0.1 --port 8080 --credentials foo:bar --quiet &
+	curl -L https://github.com/ethomson/poxyproxy/releases/download/v0.7.0/poxyproxy-0.7.0.jar >poxyproxy.jar
+
+	echo ""
+	echo "Starting HTTP proxy (Basic)..."
+	java -jar poxyproxy.jar --address 127.0.0.1 --port 8080 --credentials foo:bar --auth-type basic --quiet &
+
+	echo ""
+	echo "Starting HTTP proxy (NTLM)..."
+	java -jar poxyproxy.jar --address 127.0.0.1 --port 8090 --credentials foo:bar --auth-type ntlm --quiet &
 fi
 
 if [ -z "$SKIP_SSH_TESTS" ]; then
@@ -175,7 +181,7 @@ fi
 
 if [ -z "$SKIP_PROXY_TESTS" ]; then
 	echo ""
-	echo "Running proxy tests"
+	echo "Running proxy tests (Basic authentication)"
 	echo ""
 
 	export GITTEST_REMOTE_PROXY_HOST="localhost:8080"
@@ -185,6 +191,18 @@ if [ -z "$SKIP_PROXY_TESTS" ]; then
 	unset GITTEST_REMOTE_PROXY_HOST
 	unset GITTEST_REMOTE_PROXY_USER
 	unset GITTEST_REMOTE_PROXY_PASS
+
+	echo ""
+	echo "Running proxy tests (NTLM authentication)"
+	echo ""
+
+	export GITTEST_REMOTE_PROXY_HOST="localhost:8090"
+	export GITTEST_REMOTE_PROXY_USER="foo"
+	export GITTEST_REMOTE_PROXY_PASS="bar"
+	run_test proxy
+	unset GITTEST_REMOTE_PROXY_HOST
+	unset GITTEST_REMOTE_PROXY_USER
+	unset GITTEST_REMOTE_PROXY_PASS
 fi
 
 if [ -z "$SKIP_SSH_TESTS" ]; then

deps/ntlmclient/CMakeLists.txt

@@ -0,0 +1,18 @@
+FILE(GLOB SRC_NTLMCLIENT "ntlm.c" "unicode_builtin.c" "util.c")
+
+ADD_DEFINITIONS(-DNTLM_STATIC=1)
+
+IF (HTTPS_BACKEND STREQUAL "SecureTransport")
+	ADD_DEFINITIONS(-DCRYPT_COMMONCRYPTO)
+	SET(SRC_NTLMCLIENT_CRYPTO "crypt_commoncrypto.c")
+ELSEIF (HTTPS_BACKEND STREQUAL "OpenSSL")
+	ADD_DEFINITIONS(-DCRYPT_OPENSSL)
+	SET(SRC_NTLMCLIENT_CRYPTO "crypt_openssl.c")
+ELSEIF (HTTPS_BACKEND STREQUAL "mbedTLS")
+	ADD_DEFINITIONS(-DCRYPT_MBEDTLS)
+	SET(SRC_NTLMCLIENT_CRYPTO "crypt_mbedtls.c")
+ELSE ()
+	MESSAGE(FATAL_ERROR "Unable to use libgit2's HTTPS backend (${HTTPS_BACKEND}) for NTLM crypto")
+ENDIF()
+
+ADD_LIBRARY(ntlmclient OBJECT ${SRC_NTLMCLIENT} ${SRC_NTLMCLIENT_CRYPTO})

deps/ntlmclient/compat.h

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) Edward Thomson.  All rights reserved.
+ *
+ * This file is part of ntlmclient, distributed under the MIT license.
+ * For full terms and copyright information, and for third-party
+ * copyright information, see the included LICENSE.txt file.
+ */
+
+#ifndef PRIVATE_COMPAT_H__
+#define PRIVATE_COMPAT_H__
+
+#if defined (_MSC_VER)
+ typedef unsigned char bool;
+# ifndef true
+#  define true 1
+# endif
+# ifndef false
+#  define false 0
+# endif
+#else
+# include <stdbool.h>
+#endif
+
+#ifdef __linux__
+# include <endian.h>
+# define htonll htobe64
+#endif
+
+#ifndef MIN
+# define MIN(x, y) (((x) < (y)) ? (x) : (y))
+#endif
+
+#endif /* PRIVATE_COMPAT_H__ */

deps/ntlmclient/crypt.h

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) Edward Thomson.  All rights reserved.
+ *
+ * This file is part of ntlmclient, distributed under the MIT license.
+ * For full terms and copyright information, and for third-party
+ * copyright information, see the included LICENSE.txt file.
+ */
+
+#ifndef PRIVATE_CRYPT_COMMON_H__
+#define PRIVATE_CRYPT_COMMON_H__
+
+#if defined(CRYPT_OPENSSL)
+# include "crypt_openssl.h"
+#elif defined(CRYPT_MBEDTLS)
+# include "crypt_mbedtls.h"
+#elif defined(CRYPT_COMMONCRYPTO)
+# include "crypt_commoncrypto.h"
+#else
+# error "no crypto support"
+#endif
+
+#define CRYPT_DES_BLOCKSIZE 8
+#define CRYPT_MD4_DIGESTSIZE 16
+#define CRYPT_MD5_DIGESTSIZE 16
+
+typedef unsigned char ntlm_des_block[CRYPT_DES_BLOCKSIZE];
+
+extern bool ntlm_random_bytes(
+	ntlm_client *ntlm,
+	unsigned char *out,
+	size_t len);
+
+extern bool ntlm_des_encrypt(
+	ntlm_des_block *out,
+	ntlm_des_block *plaintext,
+	ntlm_des_block *key);
+
+extern bool ntlm_md4_digest(
+	unsigned char out[CRYPT_MD4_DIGESTSIZE],
+	const unsigned char *in,
+	size_t in_len);
+
+extern ntlm_hmac_ctx *ntlm_hmac_ctx_init(void);
+
+extern bool ntlm_hmac_ctx_reset(ntlm_hmac_ctx *ctx);
+
+extern bool ntlm_hmac_md5_init(
+	ntlm_hmac_ctx *ctx,
+	const unsigned char *key,
+	size_t key_len);
+
+extern bool ntlm_hmac_md5_update(
+	ntlm_hmac_ctx *ctx,
+	const unsigned char *data,
+	size_t data_len);
+
+extern bool ntlm_hmac_md5_final(
+	unsigned char *out,
+	size_t *out_len,
+	ntlm_hmac_ctx *ctx);
+
+extern void ntlm_hmac_ctx_free(ntlm_hmac_ctx *ctx);
+
+#endif /* PRIVATE_CRYPT_COMMON_H__ */

deps/ntlmclient/crypt_commoncrypto.c

@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) Edward Thomson.  All rights reserved.
+ *
+ * This file is part of ntlmclient, distributed under the MIT license.
+ * For full terms and copyright information, and for third-party
+ * copyright information, see the included LICENSE.txt file.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <CommonCrypto/CommonCrypto.h>
+
+#include "ntlm.h"
+#include "crypt.h"
+
+bool ntlm_random_bytes(
+	ntlm_client *ntlm,
+	unsigned char *out,
+	size_t len)
+{
+	int fd, ret;
+	size_t total = 0;
+
+	if ((fd = open("/dev/urandom", O_RDONLY)) < 0) {
+		ntlm_client_set_errmsg(ntlm, strerror(errno));
+		return false;
+	}
+
+	while (total < len) {
+		if ((ret = read(fd, out, (len - total))) < 0) {
+			ntlm_client_set_errmsg(ntlm, strerror(errno));
+			return false;
+		} else if (ret == 0) {
+			ntlm_client_set_errmsg(ntlm, "unexpected eof on random device");
+			return false;
+		}
+
+		total += ret;
+	}
+
+	close(fd);
+	return true;
+}
+
+bool ntlm_des_encrypt(
+	ntlm_des_block *out,
+	ntlm_des_block *plaintext,
+	ntlm_des_block *key)
+{
+	size_t written;
+
+	CCCryptorStatus result = CCCrypt(kCCEncrypt,
+		kCCAlgorithmDES, kCCOptionECBMode,
+		key, sizeof(ntlm_des_block), NULL,
+		plaintext, sizeof(ntlm_des_block),
+		out, sizeof(ntlm_des_block), &written);
+
+	return (result == kCCSuccess) ? true : false;
+}
+
+bool ntlm_md4_digest(
+	unsigned char out[CRYPT_MD4_DIGESTSIZE],
+	const unsigned char *in,
+	size_t in_len)
+{
+	return !!CC_MD4(in, in_len, out);
+}
+
+ntlm_hmac_ctx *ntlm_hmac_ctx_init(void)
+{
+	return calloc(1, sizeof(ntlm_hmac_ctx));
+}
+
+bool ntlm_hmac_ctx_reset(ntlm_hmac_ctx *ctx)
+{
+	memset(ctx, 0, sizeof(ntlm_hmac_ctx));
+	return true;
+}
+
+bool ntlm_hmac_md5_init(
+	ntlm_hmac_ctx *ctx,
+	const unsigned char *key,
+	size_t key_len)
+{
+	CCHmacInit(&ctx->native, kCCHmacAlgMD5, key, key_len);
+	return true;
+}
+
+bool ntlm_hmac_md5_update(
+	ntlm_hmac_ctx *ctx,
+	const unsigned char *data,
+	size_t data_len)
+{
+	CCHmacUpdate(&ctx->native, data, data_len);
+	return true;
+}
+
+bool ntlm_hmac_md5_final(
+	unsigned char *out,
+	size_t *out_len,
+	ntlm_hmac_ctx *ctx)
+{
+	if (*out_len < CRYPT_MD5_DIGESTSIZE)
+		return false;
+
+	CCHmacFinal(&ctx->native, out);
+
+	*out_len = CRYPT_MD5_DIGESTSIZE;
+	return true;
+}
+
+void ntlm_hmac_ctx_free(ntlm_hmac_ctx *ctx)
+{
+	free(ctx);
+}

deps/ntlmclient/crypt_commoncrypto.h

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) Edward Thomson.  All rights reserved.
+ *
+ * This file is part of ntlmclient, distributed under the MIT license.
+ * For full terms and copyright information, and for third-party
+ * copyright information, see the included LICENSE.txt file.
+ */
+
+#ifndef PRIVATE_CRYPT_COMMONCRYPTO_H__
+#define PRIVATE_CRYPT_COMMONCRYPTO_H__
+
+#include <CommonCrypto/CommonCrypto.h>
+
+typedef struct {
+	CCHmacContext native;
+} ntlm_hmac_ctx;
+
+#endif /* PRIVATE_CRYPT_COMMONCRYPTO_H__ */