http_negotiate.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. #include "setup.h"
  23. #ifdef HAVE_GSSAPI
  24. #ifdef HAVE_OLD_GSSMIT
  25. #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  26. #define NCOMPAT 1
  27. #endif
  28. #ifndef CURL_DISABLE_HTTP
  29. #include "urldata.h"
  30. #include "sendf.h"
  31. #include "curl_gssapi.h"
  32. #include "rawstr.h"
  33. #include "curl_base64.h"
  34. #include "http_negotiate.h"
  35. #include "curl_memory.h"
  36. #include "url.h"
  37. #ifdef HAVE_SPNEGO
  38. # include <spnegohelp.h>
  39. # ifdef USE_SSLEAY
  40. # ifdef USE_OPENSSL
  41. # include <openssl/objects.h>
  42. # else
  43. # include <objects.h>
  44. # endif
  45. # else
  46. # error "Can't compile SPNEGO support without OpenSSL."
  47. # endif
  48. #endif
  49. #define _MPRINTF_REPLACE /* use our functions only */
  50. #include <curl/mprintf.h>
  51. /* The last #include file should be: */
  52. #include "memdebug.h"
  53. static int
  54. get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
  55. {
  56. struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
  57. &conn->data->state.negotiate;
  58. OM_uint32 major_status, minor_status;
  59. gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
  60. char name[2048];
  61. const char* service;
  62. /* GSSAPI implementation by Globus (known as GSI) requires the name to be
  63. of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
  64. of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
  65. Change following lines if you want to use GSI */
  66. /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
  67. if(neg_ctx->gss)
  68. service = "KHTTP";
  69. else
  70. service = "HTTP";
  71. token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
  72. conn->host.name) + 1;
  73. if(token.length + 1 > sizeof(name))
  74. return EMSGSIZE;
  75. snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name :
  76. conn->host.name);
  77. token.value = (void *) name;
  78. major_status = gss_import_name(&minor_status,
  79. &token,
  80. GSS_C_NT_HOSTBASED_SERVICE,
  81. server);
  82. return GSS_ERROR(major_status) ? -1 : 0;
  83. }
  84. static void
  85. log_gss_error(struct connectdata *conn, OM_uint32 error_status,
  86. const char *prefix)
  87. {
  88. OM_uint32 maj_stat, min_stat;
  89. OM_uint32 msg_ctx = 0;
  90. gss_buffer_desc status_string;
  91. char buf[1024];
  92. size_t len;
  93. snprintf(buf, sizeof(buf), "%s", prefix);
  94. len = strlen(buf);
  95. do {
  96. maj_stat = gss_display_status(&min_stat,
  97. error_status,
  98. GSS_C_MECH_CODE,
  99. GSS_C_NO_OID,
  100. &msg_ctx,
  101. &status_string);
  102. if(sizeof(buf) > len + status_string.length + 1) {
  103. snprintf(buf + len, sizeof(buf) - len,
  104. ": %s", (char*) status_string.value);
  105. len += status_string.length;
  106. }
  107. gss_release_buffer(&min_stat, &status_string);
  108. } while(!GSS_ERROR(maj_stat) && msg_ctx != 0);
  109. infof(conn->data, "%s\n", buf);
  110. }
  111. /* returning zero (0) means success, everything else is treated as "failure"
  112. with no care exactly what the failure was */
  113. int Curl_input_negotiate(struct connectdata *conn, bool proxy,
  114. const char *header)
  115. {
  116. struct SessionHandle *data = conn->data;
  117. struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
  118. &data->state.negotiate;
  119. OM_uint32 major_status, minor_status, minor_status2;
  120. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  121. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  122. int ret;
  123. size_t len;
  124. size_t rawlen = 0;
  125. bool gss;
  126. const char* protocol;
  127. CURLcode error;
  128. while(*header && ISSPACE(*header))
  129. header++;
  130. if(checkprefix("GSS-Negotiate", header)) {
  131. protocol = "GSS-Negotiate";
  132. gss = TRUE;
  133. }
  134. else if(checkprefix("Negotiate", header)) {
  135. protocol = "Negotiate";
  136. gss = FALSE;
  137. }
  138. else
  139. return -1;
  140. if(neg_ctx->context) {
  141. if(neg_ctx->gss != gss) {
  142. return -1;
  143. }
  144. }
  145. else {
  146. neg_ctx->protocol = protocol;
  147. neg_ctx->gss = gss;
  148. }
  149. if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
  150. /* We finished successfully our part of authentication, but server
  151. * rejected it (since we're again here). Exit with an error since we
  152. * can't invent anything better */
  153. Curl_cleanup_negotiate(data);
  154. return -1;
  155. }
  156. if(neg_ctx->server_name == NULL &&
  157. (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
  158. return ret;
  159. header += strlen(neg_ctx->protocol);
  160. while(*header && ISSPACE(*header))
  161. header++;
  162. len = strlen(header);
  163. if(len > 0) {
  164. error = Curl_base64_decode(header,
  165. (unsigned char **)&input_token.value, &rawlen);
  166. if(error || rawlen == 0)
  167. return -1;
  168. input_token.length = rawlen;
  169. #ifdef HAVE_SPNEGO /* Handle SPNEGO */
  170. if(checkprefix("Negotiate", header)) {
  171. ASN1_OBJECT * object = NULL;
  172. int rc = 1;
  173. unsigned char * spnegoToken = NULL;
  174. size_t spnegoTokenLength = 0;
  175. unsigned char * mechToken = NULL;
  176. size_t mechTokenLength = 0;
  177. if(input_token.value == NULL)
  178. return CURLE_OUT_OF_MEMORY;
  179. spnegoToken = malloc(input_token.length);
  180. if(spnegoToken == NULL)
  181. return CURLE_OUT_OF_MEMORY;
  182. spnegoTokenLength = input_token.length;
  183. object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);
  184. if(!parseSpnegoTargetToken(spnegoToken,
  185. spnegoTokenLength,
  186. NULL,
  187. NULL,
  188. &mechToken,
  189. &mechTokenLength,
  190. NULL,
  191. NULL)) {
  192. free(spnegoToken);
  193. spnegoToken = NULL;
  194. infof(data, "Parse SPNEGO Target Token failed\n");
  195. }
  196. else {
  197. free(input_token.value);
  198. input_token.value = malloc(mechTokenLength);
  199. if(input_token.value == NULL)
  200. return CURLE_OUT_OF_MEMORY;
  201. memcpy(input_token.value, mechToken,mechTokenLength);
  202. input_token.length = mechTokenLength;
  203. free(mechToken);
  204. mechToken = NULL;
  205. infof(data, "Parse SPNEGO Target Token succeeded\n");
  206. }
  207. }
  208. #endif
  209. }
  210. major_status = Curl_gss_init_sec_context(data,
  211. &minor_status,
  212. &neg_ctx->context,
  213. neg_ctx->server_name,
  214. GSS_C_NO_CHANNEL_BINDINGS,
  215. &input_token,
  216. &output_token,
  217. NULL);
  218. if(input_token.length > 0)
  219. gss_release_buffer(&minor_status2, &input_token);
  220. neg_ctx->status = major_status;
  221. if(GSS_ERROR(major_status)) {
  222. /* Curl_cleanup_negotiate(data) ??? */
  223. log_gss_error(conn, minor_status,
  224. "gss_init_sec_context() failed: ");
  225. return -1;
  226. }
  227. if(output_token.length == 0) {
  228. return -1;
  229. }
  230. neg_ctx->output_token = output_token;
  231. /* conn->bits.close = FALSE; */
  232. return 0;
  233. }
  234. CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
  235. {
  236. struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
  237. &conn->data->state.negotiate;
  238. char *encoded = NULL;
  239. size_t len = 0;
  240. char *userp;
  241. CURLcode error;
  242. #ifdef HAVE_SPNEGO /* Handle SPNEGO */
  243. if(checkprefix("Negotiate", neg_ctx->protocol)) {
  244. ASN1_OBJECT * object = NULL;
  245. int rc = 1;
  246. unsigned char * spnegoToken = NULL;
  247. size_t spnegoTokenLength = 0;
  248. unsigned char * responseToken = NULL;
  249. size_t responseTokenLength = 0;
  250. responseToken = malloc(neg_ctx->output_token.length);
  251. if(responseToken == NULL)
  252. return CURLE_OUT_OF_MEMORY;
  253. memcpy(responseToken, neg_ctx->output_token.value,
  254. neg_ctx->output_token.length);
  255. responseTokenLength = neg_ctx->output_token.length;
  256. object=OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);
  257. if(!makeSpnegoInitialToken (object,
  258. responseToken,
  259. responseTokenLength,
  260. &spnegoToken,
  261. &spnegoTokenLength)) {
  262. free(responseToken);
  263. responseToken = NULL;
  264. infof(conn->data, "Make SPNEGO Initial Token failed\n");
  265. }
  266. else {
  267. free(responseToken);
  268. responseToken = NULL;
  269. free(neg_ctx->output_token.value);
  270. neg_ctx->output_token.value = malloc(spnegoTokenLength);
  271. if(neg_ctx->output_token.value == NULL) {
  272. free(spnegoToken);
  273. spnegoToken = NULL;
  274. return CURLE_OUT_OF_MEMORY;
  275. }
  276. memcpy(neg_ctx->output_token.value, spnegoToken,spnegoTokenLength);
  277. neg_ctx->output_token.length = spnegoTokenLength;
  278. free(spnegoToken);
  279. spnegoToken = NULL;
  280. infof(conn->data, "Make SPNEGO Initial Token succeeded\n");
  281. }
  282. }
  283. #endif
  284. error = Curl_base64_encode(conn->data,
  285. neg_ctx->output_token.value,
  286. neg_ctx->output_token.length,
  287. &encoded, &len);
  288. if(error) {
  289. Curl_safefree(neg_ctx->output_token.value);
  290. neg_ctx->output_token.value = NULL;
  291. return error;
  292. }
  293. if(len == 0) {
  294. Curl_safefree(neg_ctx->output_token.value);
  295. neg_ctx->output_token.value = NULL;
  296. return CURLE_REMOTE_ACCESS_DENIED;
  297. }
  298. userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
  299. neg_ctx->protocol, encoded);
  300. if(proxy)
  301. conn->allocptr.proxyuserpwd = userp;
  302. else
  303. conn->allocptr.userpwd = userp;
  304. free(encoded);
  305. Curl_cleanup_negotiate (conn->data);
  306. return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
  307. }
  308. static void cleanup(struct negotiatedata *neg_ctx)
  309. {
  310. OM_uint32 minor_status;
  311. if(neg_ctx->context != GSS_C_NO_CONTEXT)
  312. gss_delete_sec_context(&minor_status, &neg_ctx->context, GSS_C_NO_BUFFER);
  313. if(neg_ctx->output_token.length != 0)
  314. gss_release_buffer(&minor_status, &neg_ctx->output_token);
  315. if(neg_ctx->server_name != GSS_C_NO_NAME)
  316. gss_release_name(&minor_status, &neg_ctx->server_name);
  317. memset(neg_ctx, 0, sizeof(*neg_ctx));
  318. }
  319. void Curl_cleanup_negotiate(struct SessionHandle *data)
  320. {
  321. cleanup(&data->state.negotiate);
  322. cleanup(&data->state.proxyneg);
  323. }
  324. #endif
  325. #endif