2
0

http_negotiate.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. #include "curl_setup.h"
  23. #ifdef HAVE_GSSAPI
  24. #ifdef HAVE_OLD_GSSMIT
  25. #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  26. #define NCOMPAT 1
  27. #endif
  28. #ifndef CURL_DISABLE_HTTP
  29. #include "urldata.h"
  30. #include "sendf.h"
  31. #include "curl_gssapi.h"
  32. #include "rawstr.h"
  33. #include "curl_base64.h"
  34. #include "http_negotiate.h"
  35. #include "curl_memory.h"
  36. #include "url.h"
  37. #ifdef HAVE_SPNEGO
  38. # include <spnegohelp.h>
  39. # ifdef USE_SSLEAY
  40. # ifdef USE_OPENSSL
  41. # include <openssl/objects.h>
  42. # else
  43. # include <objects.h>
  44. # endif
  45. # else
  46. # error "Can't compile SPNEGO support without OpenSSL."
  47. # endif
  48. #endif
  49. #define _MPRINTF_REPLACE /* use our functions only */
  50. #include <curl/mprintf.h>
  51. /* The last #include file should be: */
  52. #include "memdebug.h"
  53. static int
  54. get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
  55. {
  56. struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
  57. &conn->data->state.negotiate;
  58. OM_uint32 major_status, minor_status;
  59. gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
  60. char name[2048];
  61. const char* service;
  62. /* GSSAPI implementation by Globus (known as GSI) requires the name to be
  63. of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
  64. of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
  65. Change following lines if you want to use GSI */
  66. /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
  67. if(neg_ctx->gss)
  68. service = "KHTTP";
  69. else
  70. service = "HTTP";
  71. token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
  72. conn->host.name) + 1;
  73. if(token.length + 1 > sizeof(name))
  74. return EMSGSIZE;
  75. snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name :
  76. conn->host.name);
  77. token.value = (void *) name;
  78. major_status = gss_import_name(&minor_status,
  79. &token,
  80. GSS_C_NT_HOSTBASED_SERVICE,
  81. server);
  82. return GSS_ERROR(major_status) ? -1 : 0;
  83. }
  84. static void
  85. log_gss_error(struct connectdata *conn, OM_uint32 error_status,
  86. const char *prefix)
  87. {
  88. OM_uint32 maj_stat, min_stat;
  89. OM_uint32 msg_ctx = 0;
  90. gss_buffer_desc status_string;
  91. char buf[1024];
  92. size_t len;
  93. snprintf(buf, sizeof(buf), "%s", prefix);
  94. len = strlen(buf);
  95. do {
  96. maj_stat = gss_display_status(&min_stat,
  97. error_status,
  98. GSS_C_MECH_CODE,
  99. GSS_C_NO_OID,
  100. &msg_ctx,
  101. &status_string);
  102. if(sizeof(buf) > len + status_string.length + 1) {
  103. snprintf(buf + len, sizeof(buf) - len,
  104. ": %s", (char*) status_string.value);
  105. len += status_string.length;
  106. }
  107. gss_release_buffer(&min_stat, &status_string);
  108. } while(!GSS_ERROR(maj_stat) && msg_ctx != 0);
  109. infof(conn->data, "%s\n", buf);
  110. }
  111. /* returning zero (0) means success, everything else is treated as "failure"
  112. with no care exactly what the failure was */
  113. int Curl_input_negotiate(struct connectdata *conn, bool proxy,
  114. const char *header)
  115. {
  116. struct SessionHandle *data = conn->data;
  117. struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
  118. &data->state.negotiate;
  119. OM_uint32 major_status, minor_status, discard_st;
  120. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  121. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  122. int ret;
  123. size_t len;
  124. size_t rawlen = 0;
  125. bool gss;
  126. const char* protocol;
  127. CURLcode error;
  128. if(checkprefix("GSS-Negotiate", header)) {
  129. protocol = "GSS-Negotiate";
  130. gss = TRUE;
  131. }
  132. else if(checkprefix("Negotiate", header)) {
  133. protocol = "Negotiate";
  134. gss = FALSE;
  135. }
  136. else
  137. return -1;
  138. if(neg_ctx->context) {
  139. if(neg_ctx->gss != gss) {
  140. return -1;
  141. }
  142. }
  143. else {
  144. neg_ctx->protocol = protocol;
  145. neg_ctx->gss = gss;
  146. }
  147. if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
  148. /* We finished successfully our part of authentication, but server
  149. * rejected it (since we're again here). Exit with an error since we
  150. * can't invent anything better */
  151. Curl_cleanup_negotiate(data);
  152. return -1;
  153. }
  154. if(neg_ctx->server_name == NULL &&
  155. (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
  156. return ret;
  157. header += strlen(neg_ctx->protocol);
  158. while(*header && ISSPACE(*header))
  159. header++;
  160. len = strlen(header);
  161. if(len > 0) {
  162. error = Curl_base64_decode(header,
  163. (unsigned char **)&input_token.value, &rawlen);
  164. if(error || rawlen == 0)
  165. return -1;
  166. input_token.length = rawlen;
  167. DEBUGASSERT(input_token.value != NULL);
  168. #ifdef HAVE_SPNEGO /* Handle SPNEGO */
  169. if(checkprefix("Negotiate", header)) {
  170. unsigned char *spnegoToken = NULL;
  171. size_t spnegoTokenLength = 0;
  172. gss_buffer_desc mechToken = GSS_C_EMPTY_BUFFER;
  173. spnegoToken = malloc(input_token.length);
  174. if(spnegoToken == NULL) {
  175. Curl_safefree(input_token.value);
  176. return CURLE_OUT_OF_MEMORY;
  177. }
  178. memcpy(spnegoToken, input_token.value, input_token.length);
  179. spnegoTokenLength = input_token.length;
  180. if(!parseSpnegoTargetToken(spnegoToken,
  181. spnegoTokenLength,
  182. NULL,
  183. NULL,
  184. (unsigned char**)&mechToken.value,
  185. &mechToken.length,
  186. NULL,
  187. NULL)) {
  188. Curl_safefree(spnegoToken);
  189. infof(data, "Parse SPNEGO Target Token failed\n");
  190. }
  191. else if(!mechToken.value || !mechToken.length) {
  192. Curl_safefree(spnegoToken);
  193. if(mechToken.value)
  194. gss_release_buffer(&discard_st, &mechToken);
  195. infof(data, "Parse SPNEGO Target Token succeeded (NULL token)\n");
  196. }
  197. else {
  198. Curl_safefree(spnegoToken);
  199. Curl_safefree(input_token.value);
  200. input_token.value = malloc(mechToken.length);
  201. if(input_token.value == NULL) {
  202. gss_release_buffer(&discard_st, &mechToken);
  203. return CURLE_OUT_OF_MEMORY;
  204. }
  205. memcpy(input_token.value, mechToken.value, mechToken.length);
  206. input_token.length = mechToken.length;
  207. gss_release_buffer(&discard_st, &mechToken);
  208. infof(data, "Parse SPNEGO Target Token succeeded\n");
  209. }
  210. }
  211. #endif
  212. }
  213. major_status = Curl_gss_init_sec_context(data,
  214. &minor_status,
  215. &neg_ctx->context,
  216. neg_ctx->server_name,
  217. GSS_C_NO_CHANNEL_BINDINGS,
  218. &input_token,
  219. &output_token,
  220. NULL);
  221. Curl_safefree(input_token.value);
  222. neg_ctx->status = major_status;
  223. if(GSS_ERROR(major_status)) {
  224. if(output_token.value)
  225. gss_release_buffer(&discard_st, &output_token);
  226. log_gss_error(conn, minor_status, "gss_init_sec_context() failed: ");
  227. return -1;
  228. }
  229. if(!output_token.value || !output_token.length) {
  230. if(output_token.value)
  231. gss_release_buffer(&discard_st, &output_token);
  232. return -1;
  233. }
  234. neg_ctx->output_token = output_token;
  235. return 0;
  236. }
  237. CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
  238. {
  239. struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
  240. &conn->data->state.negotiate;
  241. char *encoded = NULL;
  242. size_t len = 0;
  243. char *userp;
  244. CURLcode error;
  245. OM_uint32 discard_st;
  246. #ifdef HAVE_SPNEGO /* Handle SPNEGO */
  247. if(checkprefix("Negotiate", neg_ctx->protocol)) {
  248. ASN1_OBJECT *object = NULL;
  249. unsigned char *responseToken = NULL;
  250. size_t responseTokenLength = 0;
  251. gss_buffer_desc spnegoToken = GSS_C_EMPTY_BUFFER;
  252. responseToken = malloc(neg_ctx->output_token.length);
  253. if(responseToken == NULL)
  254. return CURLE_OUT_OF_MEMORY;
  255. memcpy(responseToken, neg_ctx->output_token.value,
  256. neg_ctx->output_token.length);
  257. responseTokenLength = neg_ctx->output_token.length;
  258. object = OBJ_txt2obj("1.2.840.113554.1.2.2", 1);
  259. if(!object) {
  260. Curl_safefree(responseToken);
  261. return CURLE_OUT_OF_MEMORY;
  262. }
  263. if(!makeSpnegoInitialToken(object,
  264. responseToken,
  265. responseTokenLength,
  266. (unsigned char**)&spnegoToken.value,
  267. &spnegoToken.length)) {
  268. Curl_safefree(responseToken);
  269. ASN1_OBJECT_free(object);
  270. infof(conn->data, "Make SPNEGO Initial Token failed\n");
  271. }
  272. else if(!spnegoToken.value || !spnegoToken.length) {
  273. Curl_safefree(responseToken);
  274. ASN1_OBJECT_free(object);
  275. if(spnegoToken.value)
  276. gss_release_buffer(&discard_st, &spnegoToken);
  277. infof(conn->data, "Make SPNEGO Initial Token succeeded (NULL token)\n");
  278. }
  279. else {
  280. Curl_safefree(responseToken);
  281. ASN1_OBJECT_free(object);
  282. gss_release_buffer(&discard_st, &neg_ctx->output_token);
  283. neg_ctx->output_token.value = spnegoToken.value;
  284. neg_ctx->output_token.length = spnegoToken.length;
  285. infof(conn->data, "Make SPNEGO Initial Token succeeded\n");
  286. }
  287. }
  288. #endif
  289. error = Curl_base64_encode(conn->data,
  290. neg_ctx->output_token.value,
  291. neg_ctx->output_token.length,
  292. &encoded, &len);
  293. if(error) {
  294. gss_release_buffer(&discard_st, &neg_ctx->output_token);
  295. neg_ctx->output_token.value = NULL;
  296. neg_ctx->output_token.length = 0;
  297. return error;
  298. }
  299. if(!encoded || !len) {
  300. gss_release_buffer(&discard_st, &neg_ctx->output_token);
  301. neg_ctx->output_token.value = NULL;
  302. neg_ctx->output_token.length = 0;
  303. return CURLE_REMOTE_ACCESS_DENIED;
  304. }
  305. userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
  306. neg_ctx->protocol, encoded);
  307. if(proxy) {
  308. Curl_safefree(conn->allocptr.proxyuserpwd);
  309. conn->allocptr.proxyuserpwd = userp;
  310. }
  311. else {
  312. Curl_safefree(conn->allocptr.userpwd);
  313. conn->allocptr.userpwd = userp;
  314. }
  315. Curl_safefree(encoded);
  316. Curl_cleanup_negotiate(conn->data);
  317. return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
  318. }
  319. static void cleanup(struct negotiatedata *neg_ctx)
  320. {
  321. OM_uint32 minor_status;
  322. if(neg_ctx->context != GSS_C_NO_CONTEXT)
  323. gss_delete_sec_context(&minor_status, &neg_ctx->context, GSS_C_NO_BUFFER);
  324. if(neg_ctx->output_token.value)
  325. gss_release_buffer(&minor_status, &neg_ctx->output_token);
  326. if(neg_ctx->server_name != GSS_C_NO_NAME)
  327. gss_release_name(&minor_status, &neg_ctx->server_name);
  328. memset(neg_ctx, 0, sizeof(*neg_ctx));
  329. }
  330. void Curl_cleanup_negotiate(struct SessionHandle *data)
  331. {
  332. cleanup(&data->state.negotiate);
  333. cleanup(&data->state.proxyneg);
  334. }
  335. #endif
  336. #endif