1 ;;; url-http-ntlm.el --- NTLM authentication for the url library
3 ;; Copyright (C) 2008, 2015 Free Software Foundation, Inc.
5 ;; Author: Tom Schutzer-Weissmann <tom.weissmann@gmail.com>
6 ;; Maintainer: Thomas Fitzsimmons <fitzsim@fitzsim.org>
7 ;; Keywords: comm, data, processes, hypermedia
9 ;; This program is free software; you can redistribute it and/or modify
10 ;; it under the terms of the GNU General Public License as published by
11 ;; the Free Software Foundation, either version 3 of the License, or
12 ;; (at your option) any later version.
14 ;; This program is distributed in the hope that it will be useful,
15 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
16 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ;; GNU General Public License for more details.
19 ;; You should have received a copy of the GNU General Public License
20 ;; along with this program. If not, see <http://www.gnu.org/licenses/>.
24 ;; This package provides a NTLM handler for the URL package.
25 ;; It supports one username and password per server.
29 ;; M-x package-install RET url-http-ntlm RET
33 ;; Taro Kawagishi <tarok@transpulse.org> wrote ntlm.el and md4.el,
34 ;; which are parts of FLIM (Faithful Library about Internet Message).
36 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/ntlm.el
37 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/md4.el
47 ;;; Private variables.
48 (defvar url-http-ntlm--auth-storage nil
49 "Authentication storage.
50 An alist that maps a server name to a pair of \(<username> <ntlm
53 The hashes are built using `ntlm-get-password-hashes'.
54 The username can contain the domain name, in the form \"user@domain\".
56 Note that for any server, only one user and password is ever stored.")
58 (defvar url-http-ntlm--last-args nil
59 "Stores the last `url-http-ntlm--get-stage' arguments and return value.
60 This is used to detect multiple calls.")
61 (make-variable-buffer-local 'url-http-ntlm--last-args)
64 ;;; Private functions.
65 (defun url-http-ntlm--ensure-keepalive ()
66 "Report an error if `url-http-attempt-keepalives' is not set."
67 (cl-assert url-http-attempt-keepalives
69 (concat "NTLM authentication won't work unless"
70 " `url-http-attempt-keepalives' is set!")))
72 (defun url-http-ntlm--clean-headers ()
73 "Remove Authorization element from `url-http-extra-headers' alist."
74 (setq url-http-extra-headers
75 (url-http-ntlm--rmssoc "Authorization" url-http-extra-headers)))
77 (defun url-http-ntlm--get-stage (args)
78 "Determine what stage of the NTLM handshake we are at.
79 PROMPT and ARGS come from `url-ntlm-auth''s caller,
80 `url-get-authentication'. Their meaning depends on the current
81 implementation - this function is well and truly coupled.
83 url-get-authentication' calls `url-ntlm-auth' once when checking
84 what authentication schemes are supported (PROMPT and ARGS are
85 nil), and then twice for every stage of the handshake: the first
86 time PROMPT is nil, the second, t; ARGS contains the server
87 response's \"WWW-Authenticate\" header, munged by
89 (let* ((response-rxp "^NTLM TlRMTVNTUAADAAA")
90 (challenge-rxp "^TLRMTVNTUAACAAA")
91 (auth-header (assoc "Authorization" url-http-extra-headers))
94 (if (eq args (car url-http-ntlm--last-args))
95 ;; multiple calls, return the same argument we returned last time
96 (cdr url-http-ntlm--last-args)
98 (cond ((and auth-header (string-match response-rxp
101 ((and (= (length args) 2)
102 (cl-destructuring-bind (challenge ntlm) args
103 (and (string-equal "ntlm" (car ntlm))
104 (string-match challenge-rxp
109 (url-http-ntlm--clean-headers)
110 (setq url-http-ntlm--last-args (cons args stage))
113 (defun url-http-ntlm--authorisation (url &optional clear)
114 "Get or clear NTLM authentication details for URL.
115 If CLEAR is non-nil, clear any saved credentials for server.
116 Otherwise, return the credentials, prompting the user if
119 If URL contains a username and a password, they are used and
120 stored credentials are not affected.
122 Note that for any server, only one user and password is ever
124 (let* ((href (if (stringp url)
125 (url-generic-parse-url url)
127 (server (url-host href))
128 (user (url-user href))
129 (pass (url-password href))
130 (stored (assoc server url-http-ntlm--auth-storage))
131 (both (and user pass)))
135 (setq url-http-ntlm--auth-storage
136 (url-http-ntlm--rmssoc server url-http-ntlm--auth-storage))
140 (and stored user (not (equal user (cl-second stored))))
142 (let* ((user* (if both
144 (read-string (url-auth-user-prompt url realm)
145 (or user (user-real-login-name)))))
148 (read-passwd "Password: ")))
149 (entry `(,server . (,user*
150 ,(ntlm-get-password-hashes pass*)))))
152 (setq url-http-ntlm--auth-storage
154 (url-http-ntlm--rmssoc server
155 url-http-ntlm--auth-storage))))
159 (defun url-http-ntlm--get-challenge ()
160 "Return the NTLM Type-2 message in the WWW-Authenticate header, if present."
162 (mail-narrow-to-head)
163 (let ((www-authenticate (mail-fetch-field "www-authenticate")))
164 (when (string-match "NTLM\\s-+\\(\\S-+\\)"
166 (base64-decode-string (match-string 1 www-authenticate))))))
168 (defun url-http-ntlm--rmssoc (key alist)
169 "Remove all elements whose `car' match KEY from ALIST."
170 (cl-remove key alist :key 'car :test 'equal))
172 (defun url-http-ntlm--string (data)
173 "Return DATA encoded as an NTLM string."
174 (concat "NTLM " (base64-encode-string data :nobreak)))
177 ;;; Public function called by `url-get-authentication'.
178 (defun url-ntlm-auth (url &optional prompt overwrite realm args)
179 "Return an NTLM HTTP authorization header.
180 Get the contents of the Authorization header for a HTTP response
181 using NTLM authentication, to access URL. Because NTLM is a
182 two-step process, this function expects to be called twice, first
183 to generate the NTLM type 1 message (request), then to respond to
184 the server's type 2 message (challenge) with a suitable response.
186 PROMPT, OVERWRITE, and REALM are ignored.
188 ARGS is expected to contain the WWW-Authentication header from
189 the server's last response. These are used by
190 `url-http-get-stage' to determine what stage we are at."
191 (url-http-ntlm--ensure-keepalive)
192 (let ((stage (url-http-ntlm--get-stage args)))
194 ;; NTLM Type 1 message: the request
196 (cl-destructuring-bind (&optional server user hash)
197 (url-http-ntlm--authorisation url)
199 (url-http-ntlm--string
200 (ntlm-build-auth-request user server)))))
201 ;; NTLM Type 3 message: the response
203 (let ((challenge (url-http-ntlm--get-challenge)))
204 (cl-destructuring-bind (server user hash)
205 (url-http-ntlm--authorisation url)
206 (url-http-ntlm--string
207 (ntlm-build-auth-response challenge
211 (url-http-ntlm--authorisation url :clear)))))
214 ;;; Register `url-ntlm-auth' HTTP authentication method.
215 (url-register-auth-scheme "ntlm" nil 8)
217 (provide 'url-http-ntlm)
219 ;;; url-http-ntlm.el ends here