curl_sasl_gssapi.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 2014 - 2015, Steve Holme, <steve_holme@hotmail.com>.
  9. * Copyright (C) 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
  10. *
  11. * This software is licensed as described in the file COPYING, which
  12. * you should have received as part of this distribution. The terms
  13. * are also available at http://curl.haxx.se/docs/copyright.html.
  14. *
  15. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  16. * copies of the Software, and permit persons to whom the Software is
  17. * furnished to do so, under the terms of the COPYING file.
  18. *
  19. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  20. * KIND, either express or implied.
  21. *
  22. * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism
  23. *
  24. ***************************************************************************/
  25. #include "curl_setup.h"
  26. #if defined(HAVE_GSSAPI) && defined(USE_KERBEROS5)
  27. #include <curl/curl.h>
  28. #include "curl_sasl.h"
  29. #include "urldata.h"
  30. #include "curl_base64.h"
  31. #include "curl_gssapi.h"
  32. #include "curl_memory.h"
  33. #include "sendf.h"
  34. #define _MPRINTF_REPLACE /* use our functions only */
  35. #include <curl/mprintf.h>
  36. /* The last #include file should be: */
  37. #include "memdebug.h"
  38. /*
  39. * Curl_sasl_build_gssapi_spn()
  40. *
  41. * This is used to build a SPN string in the format service@host.
  42. *
  43. * Parameters:
  44. *
  45. * serivce [in] - The service type such as www, smtp, pop or imap.
  46. * host [in] - The host name or realm.
  47. *
  48. * Returns a pointer to the newly allocated SPN.
  49. */
  50. static char *Curl_sasl_build_gssapi_spn(const char *service, const char *host)
  51. {
  52. /* Generate and return our SPN */
  53. return aprintf("%s@%s", service, host);
  54. }
  55. /*
  56. * Curl_sasl_create_gssapi_user_message()
  57. *
  58. * This is used to generate an already encoded GSSAPI (Kerberos V5) user token
  59. * message ready for sending to the recipient.
  60. *
  61. * Parameters:
  62. *
  63. * data [in] - The session handle.
  64. * userp [in] - The user name.
  65. * passdwp [in] - The user's password.
  66. * service [in] - The service type such as www, smtp, pop or imap.
  67. * mutual_auth [in] - Flag specifing whether or not mutual authentication
  68. * is enabled.
  69. * chlg64 [in] - Pointer to the optional base64 encoded challenge
  70. * message.
  71. * krb5 [in/out] - The gssapi data struct being used and modified.
  72. * outptr [in/out] - The address where a pointer to newly allocated memory
  73. * holding the result will be stored upon completion.
  74. * outlen [out] - The length of the output message.
  75. *
  76. * Returns CURLE_OK on success.
  77. */
  78. CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,
  79. const char *userp,
  80. const char *passwdp,
  81. const char *service,
  82. const bool mutual_auth,
  83. const char *chlg64,
  84. struct kerberos5data *krb5,
  85. char **outptr, size_t *outlen)
  86. {
  87. CURLcode result = CURLE_OK;
  88. size_t chlglen = 0;
  89. unsigned char *chlg = NULL;
  90. OM_uint32 gss_status;
  91. OM_uint32 gss_major_status;
  92. OM_uint32 gss_minor_status;
  93. gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER;
  94. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  95. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  96. (void) userp;
  97. (void) passwdp;
  98. if(krb5->context == GSS_C_NO_CONTEXT) {
  99. /* Generate our SPN */
  100. char *spn = Curl_sasl_build_gssapi_spn(service,
  101. data->easy_conn->host.name);
  102. if(!spn)
  103. return CURLE_OUT_OF_MEMORY;
  104. /* Populate the SPN structure */
  105. spn_token.value = spn;
  106. spn_token.length = strlen(spn);
  107. /* Import the SPN */
  108. gss_major_status = gss_import_name(&gss_minor_status, &spn_token,
  109. GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
  110. if(GSS_ERROR(gss_major_status)) {
  111. Curl_gss_log_error(data, gss_minor_status, "gss_import_name() failed: ");
  112. return CURLE_OUT_OF_MEMORY;
  113. }
  114. }
  115. else {
  116. /* Decode the base-64 encoded challenge message */
  117. if(strlen(chlg64) && *chlg64 != '=') {
  118. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  119. if(result)
  120. return result;
  121. }
  122. /* Ensure we have a valid challenge message */
  123. if(!chlg) {
  124. infof(data, "GSSAPI handshake failure (empty challenge message)\n");
  125. return CURLE_BAD_CONTENT_ENCODING;
  126. }
  127. /* Setup the challenge "input" security buffer */
  128. input_token.value = chlg;
  129. input_token.length = chlglen;
  130. }
  131. gss_major_status = Curl_gss_init_sec_context(data,
  132. &gss_minor_status,
  133. &krb5->context,
  134. krb5->spn,
  135. &Curl_krb5_mech_oid,
  136. GSS_C_NO_CHANNEL_BINDINGS,
  137. &input_token,
  138. &output_token,
  139. mutual_auth,
  140. NULL);
  141. Curl_safefree(input_token.value);
  142. if(GSS_ERROR(gss_major_status)) {
  143. if(output_token.value)
  144. gss_release_buffer(&gss_status, &output_token);
  145. Curl_gss_log_error(data, gss_minor_status,
  146. "gss_init_sec_context() failed: ");
  147. return CURLE_RECV_ERROR;
  148. }
  149. if(output_token.value && output_token.length) {
  150. /* Base64 encode the response */
  151. result = Curl_base64_encode(data, (char *) output_token.value,
  152. output_token.length, outptr, outlen);
  153. gss_release_buffer(&gss_status, &output_token);
  154. }
  155. return result;
  156. }
  157. /*
  158. * Curl_sasl_create_gssapi_security_message()
  159. *
  160. * This is used to generate an already encoded GSSAPI (Kerberos V5) security
  161. * token message ready for sending to the recipient.
  162. *
  163. * Parameters:
  164. *
  165. * data [in] - The session handle.
  166. * chlg64 [in] - Pointer to the optional base64 encoded challenge message.
  167. * krb5 [in/out] - The gssapi data struct being used and modified.
  168. * outptr [in/out] - The address where a pointer to newly allocated memory
  169. * holding the result will be stored upon completion.
  170. * outlen [out] - The length of the output message.
  171. *
  172. * Returns CURLE_OK on success.
  173. */
  174. CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data,
  175. const char *chlg64,
  176. struct kerberos5data *krb5,
  177. char **outptr,
  178. size_t *outlen)
  179. {
  180. CURLcode result = CURLE_OK;
  181. size_t chlglen = 0;
  182. size_t messagelen = 0;
  183. unsigned char *chlg = NULL;
  184. unsigned char *message = NULL;
  185. OM_uint32 gss_status;
  186. OM_uint32 gss_major_status;
  187. OM_uint32 gss_minor_status;
  188. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  189. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  190. unsigned int indata = 0;
  191. unsigned int outdata = 0;
  192. gss_qop_t qop = GSS_C_QOP_DEFAULT;
  193. unsigned int sec_layer = 0;
  194. unsigned int max_size = 0;
  195. gss_name_t username = GSS_C_NO_NAME;
  196. gss_buffer_desc username_token;
  197. /* Decode the base-64 encoded input message */
  198. if(strlen(chlg64) && *chlg64 != '=') {
  199. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  200. if(result)
  201. return result;
  202. }
  203. /* Ensure we have a valid challenge message */
  204. if(!chlg) {
  205. infof(data, "GSSAPI handshake failure (empty security message)\n");
  206. return CURLE_BAD_CONTENT_ENCODING;
  207. }
  208. /* Get the fully qualified username back from the context */
  209. gss_major_status = gss_inquire_context(&gss_minor_status, krb5->context,
  210. &username, NULL, NULL, NULL, NULL,
  211. NULL, NULL);
  212. if(GSS_ERROR(gss_major_status)) {
  213. Curl_gss_log_error(data, gss_minor_status,
  214. "gss_inquire_context() failed: ");
  215. Curl_safefree(chlg);
  216. return CURLE_OUT_OF_MEMORY;
  217. }
  218. /* Convert the username from internal format to a displayable token */
  219. gss_major_status = gss_display_name(&gss_minor_status, username,
  220. &username_token, NULL);
  221. if(GSS_ERROR(gss_major_status)) {
  222. Curl_gss_log_error(data, gss_minor_status, "gss_display_name() failed: ");
  223. Curl_safefree(chlg);
  224. return CURLE_OUT_OF_MEMORY;
  225. }
  226. /* Setup the challenge "input" security buffer */
  227. input_token.value = chlg;
  228. input_token.length = chlglen;
  229. /* Decrypt the inbound challenge and obtain the qop */
  230. gss_major_status = gss_unwrap(&gss_minor_status, krb5->context, &input_token,
  231. &output_token, NULL, &qop);
  232. if(GSS_ERROR(gss_major_status)) {
  233. Curl_gss_log_error(data, gss_minor_status, "gss_unwrap() failed: ");
  234. gss_release_buffer(&gss_status, &username_token);
  235. Curl_safefree(chlg);
  236. return CURLE_BAD_CONTENT_ENCODING;
  237. }
  238. /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
  239. if(output_token.length != 4) {
  240. infof(data, "GSSAPI handshake failure (invalid security data)\n");
  241. gss_release_buffer(&gss_status, &username_token);
  242. Curl_safefree(chlg);
  243. return CURLE_BAD_CONTENT_ENCODING;
  244. }
  245. /* Copy the data out and free the challenge as it is not required anymore */
  246. memcpy(&indata, output_token.value, 4);
  247. gss_release_buffer(&gss_status, &output_token);
  248. Curl_safefree(chlg);
  249. /* Extract the security layer */
  250. sec_layer = indata & 0x000000FF;
  251. if(!(sec_layer & GSSAUTH_P_NONE)) {
  252. infof(data, "GSSAPI handshake failure (invalid security layer)\n");
  253. gss_release_buffer(&gss_status, &username_token);
  254. return CURLE_BAD_CONTENT_ENCODING;
  255. }
  256. /* Extract the maximum message size the server can receive */
  257. max_size = ntohl(indata & 0xFFFFFF00);
  258. if(max_size > 0) {
  259. /* The server has told us it supports a maximum receive buffer, however, as
  260. we don't require one unless we are encrypting data, we tell the server
  261. our receive buffer is zero. */
  262. max_size = 0;
  263. }
  264. /* Allocate our message */
  265. messagelen = sizeof(outdata) + username_token.length + 1;
  266. message = malloc(messagelen);
  267. if(!message) {
  268. gss_release_buffer(&gss_status, &username_token);
  269. return CURLE_OUT_OF_MEMORY;
  270. }
  271. /* Populate the message with the security layer, client supported receive
  272. message size and authorization identity including the 0x00 based
  273. terminator. Note: Dispite RFC4752 Section 3.1 stating "The authorization
  274. identity is not terminated with the zero-valued (%x00) octet." it seems
  275. necessary to include it. */
  276. outdata = htonl(max_size) | sec_layer;
  277. memcpy(message, &outdata, sizeof(outdata));
  278. memcpy(message + sizeof(outdata), username_token.value,
  279. username_token.length);
  280. message[messagelen - 1] = '\0';
  281. /* Free the username token as it is not required anymore */
  282. gss_release_buffer(&gss_status, &username_token);
  283. /* Setup the "authentication data" security buffer */
  284. input_token.value = message;
  285. input_token.length = messagelen;
  286. /* Encrypt the data */
  287. gss_major_status = gss_wrap(&gss_minor_status, krb5->context, 0,
  288. GSS_C_QOP_DEFAULT, &input_token, NULL,
  289. &output_token);
  290. if(GSS_ERROR(gss_major_status)) {
  291. Curl_gss_log_error(data, gss_minor_status, "gss_wrap() failed: ");
  292. Curl_safefree(message);
  293. return CURLE_OUT_OF_MEMORY;
  294. }
  295. /* Base64 encode the response */
  296. result = Curl_base64_encode(data, (char *) output_token.value,
  297. output_token.length, outptr, outlen);
  298. /* Free the output buffer */
  299. gss_release_buffer(&gss_status, &output_token);
  300. /* Free the message buffer */
  301. Curl_safefree(message);
  302. return result;
  303. }
  304. /*
  305. * Curl_sasl_gssapi_cleanup()
  306. *
  307. * This is used to clean up the gssapi specific data.
  308. *
  309. * Parameters:
  310. *
  311. * krb5 [in/out] - The kerberos 5 data struct being cleaned up.
  312. *
  313. */
  314. void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5)
  315. {
  316. OM_uint32 minor_status;
  317. /* Free our security context */
  318. if(krb5->context != GSS_C_NO_CONTEXT) {
  319. gss_delete_sec_context(&minor_status, &krb5->context, GSS_C_NO_BUFFER);
  320. krb5->context = GSS_C_NO_CONTEXT;
  321. }
  322. /* Free the SPN */
  323. if(krb5->spn != GSS_C_NO_NAME) {
  324. gss_release_name(&minor_status, &krb5->spn);
  325. krb5->spn = GSS_C_NO_NAME;
  326. }
  327. }
  328. #endif /* HAVE_GSSAPI && USE_KERBEROS5 */