krb5.c 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322
  1. /* GSSAPI/krb5 support for FTP - loosely based on old krb4.c
  2. *
  3. * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
  4. * (Royal Institute of Technology, Stockholm, Sweden).
  5. * Copyright (c) 2004 - 2009 Daniel Stenberg
  6. * All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in the
  17. * documentation and/or other materials provided with the distribution.
  18. *
  19. * 3. Neither the name of the Institute nor the names of its contributors
  20. * may be used to endorse or promote products derived from this software
  21. * without specific prior written permission.
  22. *
  23. * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  24. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  25. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  26. * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  27. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  28. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  29. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  30. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  31. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  32. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  33. * SUCH DAMAGE. */
  34. #include "setup.h"
  35. #ifndef CURL_DISABLE_FTP
  36. #ifdef HAVE_GSSAPI
  37. #ifdef HAVE_OLD_GSSMIT
  38. #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  39. #endif
  40. #include <stdlib.h>
  41. #ifdef HAVE_NETDB_H
  42. #include <netdb.h>
  43. #endif
  44. #include <string.h>
  45. #ifdef HAVE_GSSMIT
  46. /* MIT style */
  47. #include <gssapi/gssapi.h>
  48. #include <gssapi/gssapi_generic.h>
  49. #include <gssapi/gssapi_krb5.h>
  50. #else
  51. /* Heimdal-style */
  52. #include <gssapi.h>
  53. #endif
  54. #include "urldata.h"
  55. #include "curl_base64.h"
  56. #include "ftp.h"
  57. #include "sendf.h"
  58. #include "krb4.h"
  59. #include "curl_memory.h"
  60. #define _MPRINTF_REPLACE /* use our functions only */
  61. #include <curl/mprintf.h>
  62. /* The last #include file should be: */
  63. #include "memdebug.h"
  64. #define LOCAL_ADDR (&conn->local_addr)
  65. #define REMOTE_ADDR conn->ip_addr->ai_addr
  66. static int
  67. krb5_check_prot(void *app_data, int level)
  68. {
  69. app_data = NULL; /* prevent compiler warning */
  70. if(level == prot_confidential)
  71. return -1;
  72. return 0;
  73. }
  74. static int
  75. krb5_decode(void *app_data, void *buf, int len, int level,
  76. struct connectdata *conn)
  77. {
  78. gss_ctx_id_t *context = app_data;
  79. OM_uint32 maj, min;
  80. gss_buffer_desc enc, dec;
  81. /* shut gcc up */
  82. level = 0;
  83. conn = NULL;
  84. enc.value = buf;
  85. enc.length = len;
  86. maj = gss_unseal(&min, *context, &enc, &dec, NULL, NULL);
  87. if(maj != GSS_S_COMPLETE) {
  88. if(len >= 4)
  89. strcpy(buf, "599 ");
  90. return -1;
  91. }
  92. memcpy(buf, dec.value, dec.length);
  93. len = dec.length;
  94. gss_release_buffer(&min, &dec);
  95. return len;
  96. }
  97. static int
  98. krb5_overhead(void *app_data, int level, int len)
  99. {
  100. /* no arguments are used, just init them to prevent compiler warnings */
  101. app_data = NULL;
  102. level = 0;
  103. len = 0;
  104. return 0;
  105. }
  106. static int
  107. krb5_encode(void *app_data, const void *from, int length, int level, void **to,
  108. struct connectdata *conn)
  109. {
  110. gss_ctx_id_t *context = app_data;
  111. gss_buffer_desc dec, enc;
  112. OM_uint32 maj, min;
  113. int state;
  114. int len;
  115. /* shut gcc up */
  116. conn = NULL;
  117. /* NOTE that the cast is safe, neither of the krb5, gnu gss and heimdal
  118. * libraries modify the input buffer in gss_seal()
  119. */
  120. dec.value = (void*)from;
  121. dec.length = length;
  122. maj = gss_seal(&min, *context,
  123. level == prot_private,
  124. GSS_C_QOP_DEFAULT,
  125. &dec, &state, &enc);
  126. if(maj != GSS_S_COMPLETE)
  127. return -1;
  128. /* malloc a new buffer, in case gss_release_buffer doesn't work as expected */
  129. *to = malloc(enc.length);
  130. if(!*to)
  131. return -1;
  132. memcpy(*to, enc.value, enc.length);
  133. len = enc.length;
  134. gss_release_buffer(&min, &enc);
  135. return len;
  136. }
  137. static int
  138. krb5_auth(void *app_data, struct connectdata *conn)
  139. {
  140. int ret;
  141. char *p;
  142. const char *host = conn->dns_entry->addr->ai_canonname;
  143. ssize_t nread;
  144. curl_socklen_t l = sizeof(conn->local_addr);
  145. struct SessionHandle *data = conn->data;
  146. CURLcode result;
  147. const char *service = "ftp", *srv_host = "host";
  148. gss_buffer_desc gssbuf, _gssresp, *gssresp;
  149. OM_uint32 maj, min;
  150. gss_name_t gssname;
  151. gss_ctx_id_t *context = app_data;
  152. struct gss_channel_bindings_struct chan;
  153. if(getsockname(conn->sock[FIRSTSOCKET],
  154. (struct sockaddr *)LOCAL_ADDR, &l) < 0)
  155. perror("getsockname()");
  156. chan.initiator_addrtype = GSS_C_AF_INET;
  157. chan.initiator_address.length = l - 4;
  158. chan.initiator_address.value =
  159. &((struct sockaddr_in *)LOCAL_ADDR)->sin_addr.s_addr;
  160. chan.acceptor_addrtype = GSS_C_AF_INET;
  161. chan.acceptor_address.length = l - 4;
  162. chan.acceptor_address.value =
  163. &((struct sockaddr_in *)REMOTE_ADDR)->sin_addr.s_addr;
  164. chan.application_data.length = 0;
  165. chan.application_data.value = NULL;
  166. /* this loop will execute twice (once for service, once for host) */
  167. while(1) {
  168. /* this really shouldn't be repeated here, but can't help it */
  169. if(service == srv_host) {
  170. result = Curl_ftpsendf(conn, "AUTH GSSAPI");
  171. if(result)
  172. return -2;
  173. if(Curl_GetFTPResponse(&nread, conn, NULL))
  174. return -1;
  175. if(data->state.buffer[0] != '3')
  176. return -1;
  177. }
  178. gssbuf.value = data->state.buffer;
  179. gssbuf.length = snprintf(gssbuf.value, BUFSIZE, "%s@%s", service, host);
  180. maj = gss_import_name(&min, &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &gssname);
  181. if(maj != GSS_S_COMPLETE) {
  182. gss_release_name(&min, &gssname);
  183. if(service == srv_host) {
  184. Curl_failf(data, "Error importing service name %s", gssbuf.value);
  185. return AUTH_ERROR;
  186. }
  187. service = srv_host;
  188. continue;
  189. }
  190. {
  191. gss_OID t;
  192. gss_display_name(&min, gssname, &gssbuf, &t);
  193. Curl_infof(data, "Trying against %s\n", gssbuf.value);
  194. gss_release_buffer(&min, &gssbuf);
  195. }
  196. gssresp = GSS_C_NO_BUFFER;
  197. *context = GSS_C_NO_CONTEXT;
  198. do {
  199. ret = AUTH_OK;
  200. maj = gss_init_sec_context(&min,
  201. GSS_C_NO_CREDENTIAL,
  202. context,
  203. gssname,
  204. GSS_C_NO_OID,
  205. GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
  206. 0,
  207. &chan,
  208. gssresp,
  209. NULL,
  210. &gssbuf,
  211. NULL,
  212. NULL);
  213. if(gssresp) {
  214. free(_gssresp.value);
  215. gssresp = NULL;
  216. }
  217. if(maj != GSS_S_COMPLETE && maj != GSS_S_CONTINUE_NEEDED) {
  218. Curl_infof(data, "Error creating security context");
  219. ret = AUTH_ERROR;
  220. break;
  221. }
  222. if(gssbuf.length != 0) {
  223. if(Curl_base64_encode(data, (char *)gssbuf.value, gssbuf.length, &p)
  224. < 1) {
  225. Curl_infof(data, "Out of memory base64-encoding");
  226. ret = AUTH_CONTINUE;
  227. break;
  228. }
  229. result = Curl_ftpsendf(conn, "ADAT %s", p);
  230. free(p);
  231. if(result) {
  232. ret = -2;
  233. break;
  234. }
  235. if(Curl_GetFTPResponse(&nread, conn, NULL)) {
  236. ret = -1;
  237. break;
  238. }
  239. if(data->state.buffer[0] != '2' && data->state.buffer[0] != '3'){
  240. Curl_infof(data, "Server didn't accept auth data\n");
  241. ret = AUTH_ERROR;
  242. break;
  243. }
  244. p = data->state.buffer + 4;
  245. p = strstr(p, "ADAT=");
  246. if(p) {
  247. _gssresp.length = Curl_base64_decode(p + 5, (unsigned char **)
  248. &_gssresp.value);
  249. if(_gssresp.length < 1) {
  250. Curl_failf(data, "Out of memory base64-encoding");
  251. ret = AUTH_CONTINUE;
  252. break;
  253. }
  254. }
  255. gssresp = &_gssresp;
  256. }
  257. } while(maj == GSS_S_CONTINUE_NEEDED);
  258. gss_release_name(&min, &gssname);
  259. if(gssresp)
  260. free(_gssresp.value);
  261. if(ret == AUTH_OK || service == srv_host)
  262. return ret;
  263. service = srv_host;
  264. }
  265. }
  266. struct Curl_sec_client_mech Curl_krb5_client_mech = {
  267. "GSSAPI",
  268. sizeof(gss_ctx_id_t),
  269. NULL, /* init */
  270. krb5_auth,
  271. NULL, /* end */
  272. krb5_check_prot,
  273. krb5_overhead,
  274. krb5_encode,
  275. krb5_decode
  276. };
  277. #endif /* HAVE_GSSAPI */
  278. #endif /* CURL_DISABLE_FTP */