http: delete ntlm_program_helper config directive

Having `gss_program` is enough.

Author: jengelh

doc/http.8gx

@@ -109,13 +109,11 @@ Default: \fI10 minutes\fP
 \fBgss_program\fP
 The helper program to use for authenticating HTTP requests when
 Negotiate-SPNEGO headers are presented. The value is rudimentarily tokenized at
-whitespaces, so no special characters may be used. If necessary write your own
-wrapper. The special value "internal-gss" uses libgssapi directly.
+whitespaces, and no special characters may be used. If necessary, write your
+own wrapper. The special value "internal-gss" uses libgssapi directly.
 .br
 Default: \fIinternal\-gss\fP
 .br
-Example: \fI/usr/lib/squid/negotiate_kerberos_auth \-s GSS_C_NO_NAME\fP
-.br
 Example: \fI/usr/lib/squid/negotiate_wrapper_auth \-\-ntlm /usr/bin/ntlm_auth
 \-\-helper\-protocol=squid\-2.5\-ntlmssp \-\-kerberos
 /usr/lib/squid/negotiate_kerberos_auth \-s GSS_C_NO_NAME\fP
@@ -175,7 +173,10 @@ Default: \fIno\fP
 \fBhttp_krb_service_principal\fP
 Kerberos service principal to use when gss_program=internal-gss. The form is
 often something like \fIHTTP\fP\fB/\fP\fIfqdn\fP\fB@\fP\fIREALM\fP, but may
-vary.
+vary. When using an external GSS authentication helper,
+http_krb_service_principal has no effect, and any principal you want to use
+needs to be passed via the \fBgss_program\fP directive in some way.
+be
 .br
 Default: (empty)
 .TP

exch/http/http_parser.cpp

@@ -104,7 +104,7 @@ struct http_parser {
 
 	int auth_finalize(http_context &, const char *);
 	int auth_krb(http_context &ctx, const char *input, size_t isize, std::string &output);
-	int auth_exthelper(http_context &, const char *proc, const char *input, std::string &output);
+	int auth_exthelper(http_context &, const std::string &proc, const char *input, std::string &output);
 	tproc_status auth_spnego(http_context &ctx, const char *past_method);
 	tproc_status auth_basic(http_context *, const char *);
 	tproc_status auth(http_context &ctx);
@@ -138,7 +138,7 @@ struct http_parser {
 	std::unique_ptr<std::mutex[]> g_ssl_mutex_buf;
 	std::mutex g_vconnection_lock; /* protects g_vconnection_hash */
 	std::unordered_map<std::string, VIRTUAL_CONNECTION> g_vconnection_hash;
-	std::string gss_helper_program, ntlm_helper_program;
+	std::string gss_helper_program;
 };
 
 class VCONN_REF {
@@ -230,7 +230,6 @@ http_parser::http_parser(size_t context_num, time_duration timeout,
 		g_certificate_passwd.clear();
 	g_private_key_path = key_path;
 	gss_helper_program = g_config_file->get_value("gss_program");
-	ntlm_helper_program = g_config_file->get_value("ntlmssp_program");
 }
 
 #ifdef OLD_SSL
@@ -901,16 +900,14 @@ int http_parser::auth_finalize(http_context &ctx, const char *user)
 	return 1;
 }
 
-int http_parser::auth_exthelper(http_context &ctx, const char *prog,
+int http_parser::auth_exthelper(http_context &ctx, const std::string_view &prog,
     const char *encinput, std::string &gss_output)
 {
 	auto encsize = strlen(encinput);
 	auto &pinfo = ctx.ntlm_proc;
 	gss_output.clear();
 
 	if (pinfo.p_pid <= 0) {
-		if (prog == nullptr || *prog == '\0')
-			prog = "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp";
 		auto args = HX_split(prog, " ", nullptr, 0);
 		auto cl_0 = HX::make_scope_exit([=]() { HX_zvecfree(args); });
 		pinfo.p_flags = HXPROC_STDIN | HXPROC_STDOUT | HXPROC_STDERR;
@@ -1121,11 +1118,8 @@ int http_parser::auth_krb(http_context &ctx, const char *input, size_t isize,
 
 tproc_status http_parser::auth_spnego(http_context &ctx, const char *past_method)
 {
-	bool rq_ntlmssp = strncmp(past_method, "TlRMTVNT", 8) == 0;
-	const auto &the_helper = rq_ntlmssp ? ntlm_helper_program : gss_helper_program;
-
 	if (the_helper != "internal-gss") {
-		auto ret = auth_exthelper(ctx, the_helper.c_str(), past_method, ctx.last_gss_output);
+		auto ret = auth_exthelper(ctx, gss_helper_program, past_method, ctx.last_gss_output);
 		ctx.auth_status = ret <= 0 ? http_status::unauthorized : http_status::ok;
 		ctx.auth_method = auth_method::negotiate_b64;
 		if (ret <= 0 && ret != -99)