krb5_gssapi.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 2014 - 2019, Steve Holme, <steve_holme@hotmail.com>.
  9. * Copyright (C) 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
  10. *
  11. * This software is licensed as described in the file COPYING, which
  12. * you should have received as part of this distribution. The terms
  13. * are also available at https://curl.haxx.se/docs/copyright.html.
  14. *
  15. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  16. * copies of the Software, and permit persons to whom the Software is
  17. * furnished to do so, under the terms of the COPYING file.
  18. *
  19. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  20. * KIND, either express or implied.
  21. *
  22. * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism
  23. *
  24. ***************************************************************************/
  25. #include "curl_setup.h"
  26. #if defined(HAVE_GSSAPI) && defined(USE_KERBEROS5)
  27. #include <curl/curl.h>
  28. #include "vauth/vauth.h"
  29. #include "curl_sasl.h"
  30. #include "urldata.h"
  31. #include "curl_base64.h"
  32. #include "curl_gssapi.h"
  33. #include "sendf.h"
  34. #include "curl_printf.h"
  35. /* The last #include files should be: */
  36. #include "curl_memory.h"
  37. #include "memdebug.h"
  38. /*
  39. * Curl_auth_is_gssapi_supported()
  40. *
  41. * This is used to evaluate if GSSAPI (Kerberos V5) is supported.
  42. *
  43. * Parameters: None
  44. *
  45. * Returns TRUE if Kerberos V5 is supported by the GSS-API library.
  46. */
  47. bool Curl_auth_is_gssapi_supported(void)
  48. {
  49. return TRUE;
  50. }
  51. /*
  52. * Curl_auth_create_gssapi_user_message()
  53. *
  54. * This is used to generate an already encoded GSSAPI (Kerberos V5) user token
  55. * message ready for sending to the recipient.
  56. *
  57. * Parameters:
  58. *
  59. * data [in] - The session handle.
  60. * userp [in] - The user name.
  61. * passwdp [in] - The user's password.
  62. * service [in] - The service type such as http, smtp, pop or imap.
  63. * host [in[ - The host name.
  64. * mutual_auth [in] - Flag specifying whether or not mutual authentication
  65. * is enabled.
  66. * chlg64 [in] - Pointer to the optional base64 encoded challenge
  67. * message.
  68. * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
  69. * outptr [in/out] - The address where a pointer to newly allocated memory
  70. * holding the result will be stored upon completion.
  71. * outlen [out] - The length of the output message.
  72. *
  73. * Returns CURLE_OK on success.
  74. */
  75. CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
  76. const char *userp,
  77. const char *passwdp,
  78. const char *service,
  79. const char *host,
  80. const bool mutual_auth,
  81. const char *chlg64,
  82. struct kerberos5data *krb5,
  83. char **outptr, size_t *outlen)
  84. {
  85. CURLcode result = CURLE_OK;
  86. size_t chlglen = 0;
  87. unsigned char *chlg = NULL;
  88. OM_uint32 major_status;
  89. OM_uint32 minor_status;
  90. OM_uint32 unused_status;
  91. gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER;
  92. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  93. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  94. (void) userp;
  95. (void) passwdp;
  96. if(!krb5->spn) {
  97. /* Generate our SPN */
  98. char *spn = Curl_auth_build_spn(service, NULL, host);
  99. if(!spn)
  100. return CURLE_OUT_OF_MEMORY;
  101. /* Populate the SPN structure */
  102. spn_token.value = spn;
  103. spn_token.length = strlen(spn);
  104. /* Import the SPN */
  105. major_status = gss_import_name(&minor_status, &spn_token,
  106. GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
  107. if(GSS_ERROR(major_status)) {
  108. Curl_gss_log_error(data, "gss_import_name() failed: ",
  109. major_status, minor_status);
  110. free(spn);
  111. return CURLE_AUTH_ERROR;
  112. }
  113. free(spn);
  114. }
  115. if(chlg64 && *chlg64) {
  116. /* Decode the base-64 encoded challenge message */
  117. if(*chlg64 != '=') {
  118. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  119. if(result)
  120. return result;
  121. }
  122. /* Ensure we have a valid challenge message */
  123. if(!chlg) {
  124. infof(data, "GSSAPI handshake failure (empty challenge message)\n");
  125. return CURLE_BAD_CONTENT_ENCODING;
  126. }
  127. /* Setup the challenge "input" security buffer */
  128. input_token.value = chlg;
  129. input_token.length = chlglen;
  130. }
  131. major_status = Curl_gss_init_sec_context(data,
  132. &minor_status,
  133. &krb5->context,
  134. krb5->spn,
  135. &Curl_krb5_mech_oid,
  136. GSS_C_NO_CHANNEL_BINDINGS,
  137. &input_token,
  138. &output_token,
  139. mutual_auth,
  140. NULL);
  141. /* Free the decoded challenge as it is not required anymore */
  142. free(input_token.value);
  143. if(GSS_ERROR(major_status)) {
  144. if(output_token.value)
  145. gss_release_buffer(&unused_status, &output_token);
  146. Curl_gss_log_error(data, "gss_init_sec_context() failed: ",
  147. major_status, minor_status);
  148. return CURLE_AUTH_ERROR;
  149. }
  150. if(output_token.value && output_token.length) {
  151. /* Base64 encode the response */
  152. result = Curl_base64_encode(data, (char *) output_token.value,
  153. output_token.length, outptr, outlen);
  154. gss_release_buffer(&unused_status, &output_token);
  155. }
  156. else if(mutual_auth) {
  157. *outptr = strdup("");
  158. if(!*outptr)
  159. result = CURLE_OUT_OF_MEMORY;
  160. }
  161. return result;
  162. }
  163. /*
  164. * Curl_auth_create_gssapi_security_message()
  165. *
  166. * This is used to generate an already encoded GSSAPI (Kerberos V5) security
  167. * token message ready for sending to the recipient.
  168. *
  169. * Parameters:
  170. *
  171. * data [in] - The session handle.
  172. * chlg64 [in] - Pointer to the optional base64 encoded challenge message.
  173. * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
  174. * outptr [in/out] - The address where a pointer to newly allocated memory
  175. * holding the result will be stored upon completion.
  176. * outlen [out] - The length of the output message.
  177. *
  178. * Returns CURLE_OK on success.
  179. */
  180. CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
  181. const char *chlg64,
  182. struct kerberos5data *krb5,
  183. char **outptr,
  184. size_t *outlen)
  185. {
  186. CURLcode result = CURLE_OK;
  187. size_t chlglen = 0;
  188. size_t messagelen = 0;
  189. unsigned char *chlg = NULL;
  190. unsigned char *message = NULL;
  191. OM_uint32 major_status;
  192. OM_uint32 minor_status;
  193. OM_uint32 unused_status;
  194. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  195. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  196. unsigned int indata = 0;
  197. unsigned int outdata = 0;
  198. gss_qop_t qop = GSS_C_QOP_DEFAULT;
  199. unsigned int sec_layer = 0;
  200. unsigned int max_size = 0;
  201. gss_name_t username = GSS_C_NO_NAME;
  202. gss_buffer_desc username_token;
  203. /* Decode the base-64 encoded input message */
  204. if(strlen(chlg64) && *chlg64 != '=') {
  205. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  206. if(result)
  207. return result;
  208. }
  209. /* Ensure we have a valid challenge message */
  210. if(!chlg) {
  211. infof(data, "GSSAPI handshake failure (empty security message)\n");
  212. return CURLE_BAD_CONTENT_ENCODING;
  213. }
  214. /* Get the fully qualified username back from the context */
  215. major_status = gss_inquire_context(&minor_status, krb5->context,
  216. &username, NULL, NULL, NULL, NULL,
  217. NULL, NULL);
  218. if(GSS_ERROR(major_status)) {
  219. Curl_gss_log_error(data, "gss_inquire_context() failed: ",
  220. major_status, minor_status);
  221. free(chlg);
  222. return CURLE_AUTH_ERROR;
  223. }
  224. /* Convert the username from internal format to a displayable token */
  225. major_status = gss_display_name(&minor_status, username,
  226. &username_token, NULL);
  227. if(GSS_ERROR(major_status)) {
  228. Curl_gss_log_error(data, "gss_display_name() failed: ",
  229. major_status, minor_status);
  230. free(chlg);
  231. return CURLE_AUTH_ERROR;
  232. }
  233. /* Setup the challenge "input" security buffer */
  234. input_token.value = chlg;
  235. input_token.length = chlglen;
  236. /* Decrypt the inbound challenge and obtain the qop */
  237. major_status = gss_unwrap(&minor_status, krb5->context, &input_token,
  238. &output_token, NULL, &qop);
  239. if(GSS_ERROR(major_status)) {
  240. Curl_gss_log_error(data, "gss_unwrap() failed: ",
  241. major_status, minor_status);
  242. gss_release_buffer(&unused_status, &username_token);
  243. free(chlg);
  244. return CURLE_BAD_CONTENT_ENCODING;
  245. }
  246. /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
  247. if(output_token.length != 4) {
  248. infof(data, "GSSAPI handshake failure (invalid security data)\n");
  249. gss_release_buffer(&unused_status, &username_token);
  250. free(chlg);
  251. return CURLE_BAD_CONTENT_ENCODING;
  252. }
  253. /* Copy the data out and free the challenge as it is not required anymore */
  254. memcpy(&indata, output_token.value, 4);
  255. gss_release_buffer(&unused_status, &output_token);
  256. free(chlg);
  257. /* Extract the security layer */
  258. sec_layer = indata & 0x000000FF;
  259. if(!(sec_layer & GSSAUTH_P_NONE)) {
  260. infof(data, "GSSAPI handshake failure (invalid security layer)\n");
  261. gss_release_buffer(&unused_status, &username_token);
  262. return CURLE_BAD_CONTENT_ENCODING;
  263. }
  264. /* Extract the maximum message size the server can receive */
  265. max_size = ntohl(indata & 0xFFFFFF00);
  266. if(max_size > 0) {
  267. /* The server has told us it supports a maximum receive buffer, however, as
  268. we don't require one unless we are encrypting data, we tell the server
  269. our receive buffer is zero. */
  270. max_size = 0;
  271. }
  272. /* Allocate our message */
  273. messagelen = sizeof(outdata) + username_token.length + 1;
  274. message = malloc(messagelen);
  275. if(!message) {
  276. gss_release_buffer(&unused_status, &username_token);
  277. return CURLE_OUT_OF_MEMORY;
  278. }
  279. /* Populate the message with the security layer, client supported receive
  280. message size and authorization identity including the 0x00 based
  281. terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
  282. identity is not terminated with the zero-valued (%x00) octet." it seems
  283. necessary to include it. */
  284. outdata = htonl(max_size) | sec_layer;
  285. memcpy(message, &outdata, sizeof(outdata));
  286. memcpy(message + sizeof(outdata), username_token.value,
  287. username_token.length);
  288. message[messagelen - 1] = '\0';
  289. /* Free the username token as it is not required anymore */
  290. gss_release_buffer(&unused_status, &username_token);
  291. /* Setup the "authentication data" security buffer */
  292. input_token.value = message;
  293. input_token.length = messagelen;
  294. /* Encrypt the data */
  295. major_status = gss_wrap(&minor_status, krb5->context, 0,
  296. GSS_C_QOP_DEFAULT, &input_token, NULL,
  297. &output_token);
  298. if(GSS_ERROR(major_status)) {
  299. Curl_gss_log_error(data, "gss_wrap() failed: ",
  300. major_status, minor_status);
  301. free(message);
  302. return CURLE_AUTH_ERROR;
  303. }
  304. /* Base64 encode the response */
  305. result = Curl_base64_encode(data, (char *) output_token.value,
  306. output_token.length, outptr, outlen);
  307. /* Free the output buffer */
  308. gss_release_buffer(&unused_status, &output_token);
  309. /* Free the message buffer */
  310. free(message);
  311. return result;
  312. }
  313. /*
  314. * Curl_auth_cleanup_gssapi()
  315. *
  316. * This is used to clean up the GSSAPI (Kerberos V5) specific data.
  317. *
  318. * Parameters:
  319. *
  320. * krb5 [in/out] - The Kerberos 5 data struct being cleaned up.
  321. *
  322. */
  323. void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5)
  324. {
  325. OM_uint32 minor_status;
  326. /* Free our security context */
  327. if(krb5->context != GSS_C_NO_CONTEXT) {
  328. gss_delete_sec_context(&minor_status, &krb5->context, GSS_C_NO_BUFFER);
  329. krb5->context = GSS_C_NO_CONTEXT;
  330. }
  331. /* Free the SPN */
  332. if(krb5->spn != GSS_C_NO_NAME) {
  333. gss_release_name(&minor_status, &krb5->spn);
  334. krb5->spn = GSS_C_NO_NAME;
  335. }
  336. }
  337. #endif /* HAVE_GSSAPI && USE_KERBEROS5 */