http_negotiate.c 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. #include "curl_setup.h"
  23. #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
  24. #include "urldata.h"
  25. #include "sendf.h"
  26. #include "http_negotiate.h"
  27. #include "vauth/vauth.h"
  28. /* The last 3 #include files should be in this order */
  29. #include "curl_printf.h"
  30. #include "curl_memory.h"
  31. #include "memdebug.h"
  32. CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
  33. const char *header)
  34. {
  35. CURLcode result;
  36. struct Curl_easy *data = conn->data;
  37. size_t len;
  38. /* Point to the username, password, service and host */
  39. const char *userp;
  40. const char *passwdp;
  41. const char *service;
  42. const char *host;
  43. /* Point to the correct struct with this */
  44. struct negotiatedata *neg_ctx;
  45. curlnegotiate state;
  46. if(proxy) {
  47. #ifndef CURL_DISABLE_PROXY
  48. userp = conn->http_proxy.user;
  49. passwdp = conn->http_proxy.passwd;
  50. service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
  51. data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
  52. host = conn->http_proxy.host.name;
  53. neg_ctx = &conn->proxyneg;
  54. state = conn->proxy_negotiate_state;
  55. #else
  56. return CURLE_NOT_BUILT_IN;
  57. #endif
  58. }
  59. else {
  60. userp = conn->user;
  61. passwdp = conn->passwd;
  62. service = data->set.str[STRING_SERVICE_NAME] ?
  63. data->set.str[STRING_SERVICE_NAME] : "HTTP";
  64. host = conn->host.name;
  65. neg_ctx = &conn->negotiate;
  66. state = conn->http_negotiate_state;
  67. }
  68. /* Not set means empty */
  69. if(!userp)
  70. userp = "";
  71. if(!passwdp)
  72. passwdp = "";
  73. /* Obtain the input token, if any */
  74. header += strlen("Negotiate");
  75. while(*header && ISSPACE(*header))
  76. header++;
  77. len = strlen(header);
  78. neg_ctx->havenegdata = len != 0;
  79. if(!len) {
  80. if(state == GSS_AUTHSUCC) {
  81. infof(conn->data, "Negotiate auth restarted\n");
  82. Curl_http_auth_cleanup_negotiate(conn);
  83. }
  84. else if(state != GSS_AUTHNONE) {
  85. /* The server rejected our authentication and hasn't supplied any more
  86. negotiation mechanisms */
  87. Curl_http_auth_cleanup_negotiate(conn);
  88. return CURLE_LOGIN_DENIED;
  89. }
  90. }
  91. /* Supports SSL channel binding for Windows ISS extended protection */
  92. #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
  93. neg_ctx->sslContext = conn->sslContext;
  94. #endif
  95. /* Initialize the security context and decode our challenge */
  96. result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
  97. host, header, neg_ctx);
  98. if(result)
  99. Curl_http_auth_cleanup_negotiate(conn);
  100. return result;
  101. }
  102. CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
  103. {
  104. struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
  105. &conn->negotiate;
  106. struct auth *authp = proxy ? &conn->data->state.authproxy :
  107. &conn->data->state.authhost;
  108. curlnegotiate *state = proxy ? &conn->proxy_negotiate_state :
  109. &conn->http_negotiate_state;
  110. struct Curl_easy *data = conn->data;
  111. char *base64 = NULL;
  112. size_t len = 0;
  113. char *userp;
  114. CURLcode result;
  115. authp->done = FALSE;
  116. if(*state == GSS_AUTHRECV) {
  117. if(neg_ctx->havenegdata) {
  118. neg_ctx->havemultiplerequests = TRUE;
  119. }
  120. }
  121. else if(*state == GSS_AUTHSUCC) {
  122. if(!neg_ctx->havenoauthpersist) {
  123. neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
  124. }
  125. }
  126. if(neg_ctx->noauthpersist ||
  127. (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
  128. if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
  129. infof(conn->data, "Curl_output_negotiate, "
  130. "no persistent authentication: cleanup existing context");
  131. Curl_http_auth_cleanup_negotiate(conn);
  132. }
  133. if(!neg_ctx->context) {
  134. result = Curl_input_negotiate(conn, proxy, "Negotiate");
  135. if(result == CURLE_AUTH_ERROR) {
  136. /* negotiate auth failed, let's continue unauthenticated to stay
  137. * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
  138. authp->done = TRUE;
  139. return CURLE_OK;
  140. }
  141. else if(result)
  142. return result;
  143. }
  144. result = Curl_auth_create_spnego_message(conn->data,
  145. neg_ctx, &base64, &len);
  146. if(result)
  147. return result;
  148. userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
  149. base64);
  150. if(proxy) {
  151. Curl_safefree(data->state.aptr.proxyuserpwd);
  152. data->state.aptr.proxyuserpwd = userp;
  153. }
  154. else {
  155. Curl_safefree(data->state.aptr.userpwd);
  156. data->state.aptr.userpwd = userp;
  157. }
  158. free(base64);
  159. if(userp == NULL) {
  160. return CURLE_OUT_OF_MEMORY;
  161. }
  162. *state = GSS_AUTHSENT;
  163. #ifdef HAVE_GSSAPI
  164. if(neg_ctx->status == GSS_S_COMPLETE ||
  165. neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
  166. *state = GSS_AUTHDONE;
  167. }
  168. #else
  169. #ifdef USE_WINDOWS_SSPI
  170. if(neg_ctx->status == SEC_E_OK ||
  171. neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
  172. *state = GSS_AUTHDONE;
  173. }
  174. #endif
  175. #endif
  176. }
  177. if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
  178. /* connection is already authenticated,
  179. * don't send a header in future requests */
  180. authp->done = TRUE;
  181. }
  182. neg_ctx->havenegdata = FALSE;
  183. return CURLE_OK;
  184. }
  185. void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
  186. {
  187. conn->http_negotiate_state = GSS_AUTHNONE;
  188. conn->proxy_negotiate_state = GSS_AUTHNONE;
  189. Curl_auth_cleanup_spnego(&conn->negotiate);
  190. Curl_auth_cleanup_spnego(&conn->proxyneg);
  191. }
  192. #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */