http_negotiate.c 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
  26. #include "urldata.h"
  27. #include "sendf.h"
  28. #include "http_negotiate.h"
  29. #include "vauth/vauth.h"
  30. #include "vtls/vtls.h"
  31. /* The last 3 #include files should be in this order */
  32. #include "curl_printf.h"
  33. #include "curl_memory.h"
  34. #include "memdebug.h"
  35. CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
  36. bool proxy, const char *header)
  37. {
  38. CURLcode result;
  39. size_t len;
  40. /* Point to the username, password, service and host */
  41. const char *userp;
  42. const char *passwdp;
  43. const char *service;
  44. const char *host;
  45. /* Point to the correct struct with this */
  46. struct negotiatedata *neg_ctx;
  47. curlnegotiate state;
  48. if(proxy) {
  49. #ifndef CURL_DISABLE_PROXY
  50. userp = conn->http_proxy.user;
  51. passwdp = conn->http_proxy.passwd;
  52. service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
  53. data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
  54. host = conn->http_proxy.host.name;
  55. neg_ctx = &conn->proxyneg;
  56. state = conn->proxy_negotiate_state;
  57. #else
  58. return CURLE_NOT_BUILT_IN;
  59. #endif
  60. }
  61. else {
  62. userp = conn->user;
  63. passwdp = conn->passwd;
  64. service = data->set.str[STRING_SERVICE_NAME] ?
  65. data->set.str[STRING_SERVICE_NAME] : "HTTP";
  66. host = conn->host.name;
  67. neg_ctx = &conn->negotiate;
  68. state = conn->http_negotiate_state;
  69. }
  70. /* Not set means empty */
  71. if(!userp)
  72. userp = "";
  73. if(!passwdp)
  74. passwdp = "";
  75. /* Obtain the input token, if any */
  76. header += strlen("Negotiate");
  77. while(*header && ISBLANK(*header))
  78. header++;
  79. len = strlen(header);
  80. neg_ctx->havenegdata = len != 0;
  81. if(!len) {
  82. if(state == GSS_AUTHSUCC) {
  83. infof(data, "Negotiate auth restarted");
  84. Curl_http_auth_cleanup_negotiate(conn);
  85. }
  86. else if(state != GSS_AUTHNONE) {
  87. /* The server rejected our authentication and has not supplied any more
  88. negotiation mechanisms */
  89. Curl_http_auth_cleanup_negotiate(conn);
  90. return CURLE_LOGIN_DENIED;
  91. }
  92. }
  93. /* Supports SSL channel binding for Windows ISS extended protection */
  94. #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
  95. neg_ctx->sslContext = conn->sslContext;
  96. #endif
  97. /* Check if the connection is using SSL and get the channel binding data */
  98. #ifdef HAVE_GSSAPI
  99. if(conn->handler->flags & PROTOPT_SSL) {
  100. Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE);
  101. result = Curl_ssl_get_channel_binding(
  102. data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
  103. if(result) {
  104. Curl_http_auth_cleanup_negotiate(conn);
  105. return result;
  106. }
  107. }
  108. #endif
  109. /* Initialize the security context and decode our challenge */
  110. result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
  111. host, header, neg_ctx);
  112. #ifdef HAVE_GSSAPI
  113. Curl_dyn_free(&neg_ctx->channel_binding_data);
  114. #endif
  115. if(result)
  116. Curl_http_auth_cleanup_negotiate(conn);
  117. return result;
  118. }
  119. CURLcode Curl_output_negotiate(struct Curl_easy *data,
  120. struct connectdata *conn, bool proxy)
  121. {
  122. struct negotiatedata *neg_ctx;
  123. struct auth *authp;
  124. curlnegotiate *state;
  125. char *base64 = NULL;
  126. size_t len = 0;
  127. char *userp;
  128. CURLcode result;
  129. if(proxy) {
  130. #ifndef CURL_DISABLE_PROXY
  131. neg_ctx = &conn->proxyneg;
  132. authp = &data->state.authproxy;
  133. state = &conn->proxy_negotiate_state;
  134. #else
  135. return CURLE_NOT_BUILT_IN;
  136. #endif
  137. }
  138. else {
  139. neg_ctx = &conn->negotiate;
  140. authp = &data->state.authhost;
  141. state = &conn->http_negotiate_state;
  142. }
  143. authp->done = FALSE;
  144. if(*state == GSS_AUTHRECV) {
  145. if(neg_ctx->havenegdata) {
  146. neg_ctx->havemultiplerequests = TRUE;
  147. }
  148. }
  149. else if(*state == GSS_AUTHSUCC) {
  150. if(!neg_ctx->havenoauthpersist) {
  151. neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
  152. }
  153. }
  154. if(neg_ctx->noauthpersist ||
  155. (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
  156. if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
  157. infof(data, "Curl_output_negotiate, "
  158. "no persistent authentication: cleanup existing context");
  159. Curl_http_auth_cleanup_negotiate(conn);
  160. }
  161. if(!neg_ctx->context) {
  162. result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
  163. if(result == CURLE_AUTH_ERROR) {
  164. /* negotiate auth failed, let's continue unauthenticated to stay
  165. * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
  166. authp->done = TRUE;
  167. return CURLE_OK;
  168. }
  169. else if(result)
  170. return result;
  171. }
  172. result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
  173. if(result)
  174. return result;
  175. userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
  176. base64);
  177. if(proxy) {
  178. #ifndef CURL_DISABLE_PROXY
  179. Curl_safefree(data->state.aptr.proxyuserpwd);
  180. data->state.aptr.proxyuserpwd = userp;
  181. #endif
  182. }
  183. else {
  184. Curl_safefree(data->state.aptr.userpwd);
  185. data->state.aptr.userpwd = userp;
  186. }
  187. free(base64);
  188. if(!userp) {
  189. return CURLE_OUT_OF_MEMORY;
  190. }
  191. *state = GSS_AUTHSENT;
  192. #ifdef HAVE_GSSAPI
  193. if(neg_ctx->status == GSS_S_COMPLETE ||
  194. neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
  195. *state = GSS_AUTHDONE;
  196. }
  197. #else
  198. #ifdef USE_WINDOWS_SSPI
  199. if(neg_ctx->status == SEC_E_OK ||
  200. neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
  201. *state = GSS_AUTHDONE;
  202. }
  203. #endif
  204. #endif
  205. }
  206. if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
  207. /* connection is already authenticated,
  208. * do not send a header in future requests */
  209. authp->done = TRUE;
  210. }
  211. neg_ctx->havenegdata = FALSE;
  212. return CURLE_OK;
  213. }
  214. void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
  215. {
  216. conn->http_negotiate_state = GSS_AUTHNONE;
  217. conn->proxy_negotiate_state = GSS_AUTHNONE;
  218. Curl_auth_cleanup_spnego(&conn->negotiate);
  219. Curl_auth_cleanup_spnego(&conn->proxyneg);
  220. }
  221. #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */