krb5_sspi.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 2014 - 2020, Steve Holme, <steve_holme@hotmail.com>.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if defined(USE_WINDOWS_SSPI) && defined(USE_KERBEROS5)
  26. #include <curl/curl.h>
  27. #include "vauth/vauth.h"
  28. #include "urldata.h"
  29. #include "curl_base64.h"
  30. #include "warnless.h"
  31. #include "curl_multibyte.h"
  32. #include "sendf.h"
  33. /* The last #include files should be: */
  34. #include "curl_memory.h"
  35. #include "memdebug.h"
  36. /*
  37. * Curl_auth_is_gssapi_supported()
  38. *
  39. * This is used to evaluate if GSSAPI (Kerberos V5) is supported.
  40. *
  41. * Parameters: None
  42. *
  43. * Returns TRUE if Kerberos V5 is supported by Windows SSPI.
  44. */
  45. bool Curl_auth_is_gssapi_supported(void)
  46. {
  47. PSecPkgInfo SecurityPackage;
  48. SECURITY_STATUS status;
  49. /* Query the security package for Kerberos */
  50. status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
  51. TEXT(SP_NAME_KERBEROS),
  52. &SecurityPackage);
  53. /* Release the package buffer as it is not required anymore */
  54. if(status == SEC_E_OK) {
  55. s_pSecFn->FreeContextBuffer(SecurityPackage);
  56. }
  57. return (status == SEC_E_OK ? TRUE : FALSE);
  58. }
  59. /*
  60. * Curl_auth_create_gssapi_user_message()
  61. *
  62. * This is used to generate an already encoded GSSAPI (Kerberos V5) user token
  63. * message ready for sending to the recipient.
  64. *
  65. * Parameters:
  66. *
  67. * data [in] - The session handle.
  68. * userp [in] - The user name in the format User or Domain\User.
  69. * passwdp [in] - The user's password.
  70. * service [in] - The service type such as http, smtp, pop or imap.
  71. * host [in] - The host name.
  72. * mutual_auth [in] - Flag specifying whether or not mutual authentication
  73. * is enabled.
  74. * chlg64 [in] - The optional base64 encoded challenge message.
  75. * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
  76. * outptr [in/out] - The address where a pointer to newly allocated memory
  77. * holding the result will be stored upon completion.
  78. * outlen [out] - The length of the output message.
  79. *
  80. * Returns CURLE_OK on success.
  81. */
  82. CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
  83. const char *userp,
  84. const char *passwdp,
  85. const char *service,
  86. const char *host,
  87. const bool mutual_auth,
  88. const char *chlg64,
  89. struct kerberos5data *krb5,
  90. char **outptr, size_t *outlen)
  91. {
  92. CURLcode result = CURLE_OK;
  93. size_t chlglen = 0;
  94. unsigned char *chlg = NULL;
  95. CtxtHandle context;
  96. PSecPkgInfo SecurityPackage;
  97. SecBuffer chlg_buf;
  98. SecBuffer resp_buf;
  99. SecBufferDesc chlg_desc;
  100. SecBufferDesc resp_desc;
  101. SECURITY_STATUS status;
  102. unsigned long attrs;
  103. TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
  104. if(!krb5->spn) {
  105. /* Generate our SPN */
  106. krb5->spn = Curl_auth_build_spn(service, host, NULL);
  107. if(!krb5->spn)
  108. return CURLE_OUT_OF_MEMORY;
  109. }
  110. if(!krb5->output_token) {
  111. /* Query the security package for Kerberos */
  112. status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
  113. TEXT(SP_NAME_KERBEROS),
  114. &SecurityPackage);
  115. if(status != SEC_E_OK) {
  116. failf(data, "SSPI: couldn't get auth info");
  117. return CURLE_AUTH_ERROR;
  118. }
  119. krb5->token_max = SecurityPackage->cbMaxToken;
  120. /* Release the package buffer as it is not required anymore */
  121. s_pSecFn->FreeContextBuffer(SecurityPackage);
  122. /* Allocate our response buffer */
  123. krb5->output_token = malloc(krb5->token_max);
  124. if(!krb5->output_token)
  125. return CURLE_OUT_OF_MEMORY;
  126. }
  127. if(!krb5->credentials) {
  128. /* Do we have credentials to use or are we using single sign-on? */
  129. if(userp && *userp) {
  130. /* Populate our identity structure */
  131. result = Curl_create_sspi_identity(userp, passwdp, &krb5->identity);
  132. if(result)
  133. return result;
  134. /* Allow proper cleanup of the identity structure */
  135. krb5->p_identity = &krb5->identity;
  136. }
  137. else
  138. /* Use the current Windows user */
  139. krb5->p_identity = NULL;
  140. /* Allocate our credentials handle */
  141. krb5->credentials = calloc(1, sizeof(CredHandle));
  142. if(!krb5->credentials)
  143. return CURLE_OUT_OF_MEMORY;
  144. /* Acquire our credentials handle */
  145. status = s_pSecFn->AcquireCredentialsHandle(NULL,
  146. (TCHAR *)
  147. TEXT(SP_NAME_KERBEROS),
  148. SECPKG_CRED_OUTBOUND, NULL,
  149. krb5->p_identity, NULL, NULL,
  150. krb5->credentials, &expiry);
  151. if(status != SEC_E_OK)
  152. return CURLE_LOGIN_DENIED;
  153. /* Allocate our new context handle */
  154. krb5->context = calloc(1, sizeof(CtxtHandle));
  155. if(!krb5->context)
  156. return CURLE_OUT_OF_MEMORY;
  157. }
  158. if(chlg64 && *chlg64) {
  159. /* Decode the base-64 encoded challenge message */
  160. if(*chlg64 != '=') {
  161. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  162. if(result)
  163. return result;
  164. }
  165. /* Ensure we have a valid challenge message */
  166. if(!chlg) {
  167. infof(data, "GSSAPI handshake failure (empty challenge message)\n");
  168. return CURLE_BAD_CONTENT_ENCODING;
  169. }
  170. /* Setup the challenge "input" security buffer */
  171. chlg_desc.ulVersion = SECBUFFER_VERSION;
  172. chlg_desc.cBuffers = 1;
  173. chlg_desc.pBuffers = &chlg_buf;
  174. chlg_buf.BufferType = SECBUFFER_TOKEN;
  175. chlg_buf.pvBuffer = chlg;
  176. chlg_buf.cbBuffer = curlx_uztoul(chlglen);
  177. }
  178. /* Setup the response "output" security buffer */
  179. resp_desc.ulVersion = SECBUFFER_VERSION;
  180. resp_desc.cBuffers = 1;
  181. resp_desc.pBuffers = &resp_buf;
  182. resp_buf.BufferType = SECBUFFER_TOKEN;
  183. resp_buf.pvBuffer = krb5->output_token;
  184. resp_buf.cbBuffer = curlx_uztoul(krb5->token_max);
  185. /* Generate our challenge-response message */
  186. status = s_pSecFn->InitializeSecurityContext(krb5->credentials,
  187. chlg ? krb5->context : NULL,
  188. krb5->spn,
  189. (mutual_auth ?
  190. ISC_REQ_MUTUAL_AUTH : 0),
  191. 0, SECURITY_NATIVE_DREP,
  192. chlg ? &chlg_desc : NULL, 0,
  193. &context,
  194. &resp_desc, &attrs,
  195. &expiry);
  196. /* Free the decoded challenge as it is not required anymore */
  197. free(chlg);
  198. if(status == SEC_E_INSUFFICIENT_MEMORY) {
  199. return CURLE_OUT_OF_MEMORY;
  200. }
  201. if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
  202. return CURLE_AUTH_ERROR;
  203. }
  204. if(memcmp(&context, krb5->context, sizeof(context))) {
  205. s_pSecFn->DeleteSecurityContext(krb5->context);
  206. memcpy(krb5->context, &context, sizeof(context));
  207. }
  208. if(resp_buf.cbBuffer) {
  209. /* Base64 encode the response */
  210. result = Curl_base64_encode(data, (char *) resp_buf.pvBuffer,
  211. resp_buf.cbBuffer, outptr, outlen);
  212. }
  213. else if(mutual_auth) {
  214. *outptr = strdup("");
  215. if(!*outptr)
  216. result = CURLE_OUT_OF_MEMORY;
  217. }
  218. return result;
  219. }
  220. /*
  221. * Curl_auth_create_gssapi_security_message()
  222. *
  223. * This is used to generate an already encoded GSSAPI (Kerberos V5) security
  224. * token message ready for sending to the recipient.
  225. *
  226. * Parameters:
  227. *
  228. * data [in] - The session handle.
  229. * chlg64 [in] - The optional base64 encoded challenge message.
  230. * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
  231. * outptr [in/out] - The address where a pointer to newly allocated memory
  232. * holding the result will be stored upon completion.
  233. * outlen [out] - The length of the output message.
  234. *
  235. * Returns CURLE_OK on success.
  236. */
  237. CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
  238. const char *chlg64,
  239. struct kerberos5data *krb5,
  240. char **outptr,
  241. size_t *outlen)
  242. {
  243. CURLcode result = CURLE_OK;
  244. size_t offset = 0;
  245. size_t chlglen = 0;
  246. size_t messagelen = 0;
  247. size_t appdatalen = 0;
  248. unsigned char *chlg = NULL;
  249. unsigned char *trailer = NULL;
  250. unsigned char *message = NULL;
  251. unsigned char *padding = NULL;
  252. unsigned char *appdata = NULL;
  253. SecBuffer input_buf[2];
  254. SecBuffer wrap_buf[3];
  255. SecBufferDesc input_desc;
  256. SecBufferDesc wrap_desc;
  257. unsigned long indata = 0;
  258. unsigned long outdata = 0;
  259. unsigned long qop = 0;
  260. unsigned long sec_layer = 0;
  261. unsigned long max_size = 0;
  262. SecPkgContext_Sizes sizes;
  263. SecPkgCredentials_Names names;
  264. SECURITY_STATUS status;
  265. char *user_name;
  266. /* Decode the base-64 encoded input message */
  267. if(strlen(chlg64) && *chlg64 != '=') {
  268. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  269. if(result)
  270. return result;
  271. }
  272. /* Ensure we have a valid challenge message */
  273. if(!chlg) {
  274. infof(data, "GSSAPI handshake failure (empty security message)\n");
  275. return CURLE_BAD_CONTENT_ENCODING;
  276. }
  277. /* Get our response size information */
  278. status = s_pSecFn->QueryContextAttributes(krb5->context,
  279. SECPKG_ATTR_SIZES,
  280. &sizes);
  281. if(status != SEC_E_OK) {
  282. free(chlg);
  283. if(status == SEC_E_INSUFFICIENT_MEMORY)
  284. return CURLE_OUT_OF_MEMORY;
  285. return CURLE_AUTH_ERROR;
  286. }
  287. /* Get the fully qualified username back from the context */
  288. status = s_pSecFn->QueryCredentialsAttributes(krb5->credentials,
  289. SECPKG_CRED_ATTR_NAMES,
  290. &names);
  291. if(status != SEC_E_OK) {
  292. free(chlg);
  293. if(status == SEC_E_INSUFFICIENT_MEMORY)
  294. return CURLE_OUT_OF_MEMORY;
  295. return CURLE_AUTH_ERROR;
  296. }
  297. /* Setup the "input" security buffer */
  298. input_desc.ulVersion = SECBUFFER_VERSION;
  299. input_desc.cBuffers = 2;
  300. input_desc.pBuffers = input_buf;
  301. input_buf[0].BufferType = SECBUFFER_STREAM;
  302. input_buf[0].pvBuffer = chlg;
  303. input_buf[0].cbBuffer = curlx_uztoul(chlglen);
  304. input_buf[1].BufferType = SECBUFFER_DATA;
  305. input_buf[1].pvBuffer = NULL;
  306. input_buf[1].cbBuffer = 0;
  307. /* Decrypt the inbound challenge and obtain the qop */
  308. status = s_pSecFn->DecryptMessage(krb5->context, &input_desc, 0, &qop);
  309. if(status != SEC_E_OK) {
  310. infof(data, "GSSAPI handshake failure (empty security message)\n");
  311. free(chlg);
  312. return CURLE_BAD_CONTENT_ENCODING;
  313. }
  314. /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
  315. if(input_buf[1].cbBuffer != 4) {
  316. infof(data, "GSSAPI handshake failure (invalid security data)\n");
  317. free(chlg);
  318. return CURLE_BAD_CONTENT_ENCODING;
  319. }
  320. /* Copy the data out and free the challenge as it is not required anymore */
  321. memcpy(&indata, input_buf[1].pvBuffer, 4);
  322. s_pSecFn->FreeContextBuffer(input_buf[1].pvBuffer);
  323. free(chlg);
  324. /* Extract the security layer */
  325. sec_layer = indata & 0x000000FF;
  326. if(!(sec_layer & KERB_WRAP_NO_ENCRYPT)) {
  327. infof(data, "GSSAPI handshake failure (invalid security layer)\n");
  328. return CURLE_BAD_CONTENT_ENCODING;
  329. }
  330. /* Extract the maximum message size the server can receive */
  331. max_size = ntohl(indata & 0xFFFFFF00);
  332. if(max_size > 0) {
  333. /* The server has told us it supports a maximum receive buffer, however, as
  334. we don't require one unless we are encrypting data, we tell the server
  335. our receive buffer is zero. */
  336. max_size = 0;
  337. }
  338. /* Allocate the trailer */
  339. trailer = malloc(sizes.cbSecurityTrailer);
  340. if(!trailer)
  341. return CURLE_OUT_OF_MEMORY;
  342. /* Convert the user name to UTF8 when operating with Unicode */
  343. user_name = curlx_convert_tchar_to_UTF8(names.sUserName);
  344. if(!user_name) {
  345. free(trailer);
  346. return CURLE_OUT_OF_MEMORY;
  347. }
  348. /* Allocate our message */
  349. messagelen = sizeof(outdata) + strlen(user_name) + 1;
  350. message = malloc(messagelen);
  351. if(!message) {
  352. free(trailer);
  353. curlx_unicodefree(user_name);
  354. return CURLE_OUT_OF_MEMORY;
  355. }
  356. /* Populate the message with the security layer, client supported receive
  357. message size and authorization identity including the 0x00 based
  358. terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
  359. identity is not terminated with the zero-valued (%x00) octet." it seems
  360. necessary to include it. */
  361. outdata = htonl(max_size) | sec_layer;
  362. memcpy(message, &outdata, sizeof(outdata));
  363. strcpy((char *) message + sizeof(outdata), user_name);
  364. curlx_unicodefree(user_name);
  365. /* Allocate the padding */
  366. padding = malloc(sizes.cbBlockSize);
  367. if(!padding) {
  368. free(message);
  369. free(trailer);
  370. return CURLE_OUT_OF_MEMORY;
  371. }
  372. /* Setup the "authentication data" security buffer */
  373. wrap_desc.ulVersion = SECBUFFER_VERSION;
  374. wrap_desc.cBuffers = 3;
  375. wrap_desc.pBuffers = wrap_buf;
  376. wrap_buf[0].BufferType = SECBUFFER_TOKEN;
  377. wrap_buf[0].pvBuffer = trailer;
  378. wrap_buf[0].cbBuffer = sizes.cbSecurityTrailer;
  379. wrap_buf[1].BufferType = SECBUFFER_DATA;
  380. wrap_buf[1].pvBuffer = message;
  381. wrap_buf[1].cbBuffer = curlx_uztoul(messagelen);
  382. wrap_buf[2].BufferType = SECBUFFER_PADDING;
  383. wrap_buf[2].pvBuffer = padding;
  384. wrap_buf[2].cbBuffer = sizes.cbBlockSize;
  385. /* Encrypt the data */
  386. status = s_pSecFn->EncryptMessage(krb5->context, KERB_WRAP_NO_ENCRYPT,
  387. &wrap_desc, 0);
  388. if(status != SEC_E_OK) {
  389. free(padding);
  390. free(message);
  391. free(trailer);
  392. if(status == SEC_E_INSUFFICIENT_MEMORY)
  393. return CURLE_OUT_OF_MEMORY;
  394. return CURLE_AUTH_ERROR;
  395. }
  396. /* Allocate the encryption (wrap) buffer */
  397. appdatalen = wrap_buf[0].cbBuffer + wrap_buf[1].cbBuffer +
  398. wrap_buf[2].cbBuffer;
  399. appdata = malloc(appdatalen);
  400. if(!appdata) {
  401. free(padding);
  402. free(message);
  403. free(trailer);
  404. return CURLE_OUT_OF_MEMORY;
  405. }
  406. /* Populate the encryption buffer */
  407. memcpy(appdata, wrap_buf[0].pvBuffer, wrap_buf[0].cbBuffer);
  408. offset += wrap_buf[0].cbBuffer;
  409. memcpy(appdata + offset, wrap_buf[1].pvBuffer, wrap_buf[1].cbBuffer);
  410. offset += wrap_buf[1].cbBuffer;
  411. memcpy(appdata + offset, wrap_buf[2].pvBuffer, wrap_buf[2].cbBuffer);
  412. /* Base64 encode the response */
  413. result = Curl_base64_encode(data, (char *) appdata, appdatalen, outptr,
  414. outlen);
  415. /* Free all of our local buffers */
  416. free(appdata);
  417. free(padding);
  418. free(message);
  419. free(trailer);
  420. return result;
  421. }
  422. /*
  423. * Curl_auth_cleanup_gssapi()
  424. *
  425. * This is used to clean up the GSSAPI (Kerberos V5) specific data.
  426. *
  427. * Parameters:
  428. *
  429. * krb5 [in/out] - The Kerberos 5 data struct being cleaned up.
  430. *
  431. */
  432. void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5)
  433. {
  434. /* Free our security context */
  435. if(krb5->context) {
  436. s_pSecFn->DeleteSecurityContext(krb5->context);
  437. free(krb5->context);
  438. krb5->context = NULL;
  439. }
  440. /* Free our credentials handle */
  441. if(krb5->credentials) {
  442. s_pSecFn->FreeCredentialsHandle(krb5->credentials);
  443. free(krb5->credentials);
  444. krb5->credentials = NULL;
  445. }
  446. /* Free our identity */
  447. Curl_sspi_free_identity(krb5->p_identity);
  448. krb5->p_identity = NULL;
  449. /* Free the SPN and output token */
  450. Curl_safefree(krb5->spn);
  451. Curl_safefree(krb5->output_token);
  452. /* Reset any variables */
  453. krb5->token_max = 0;
  454. }
  455. #endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/