ntlm_sspi.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if defined(USE_WINDOWS_SSPI) && defined(USE_NTLM)
  26. #include <curl/curl.h>
  27. #include "vauth/vauth.h"
  28. #include "urldata.h"
  29. #include "curl_ntlm_core.h"
  30. #include "warnless.h"
  31. #include "curl_multibyte.h"
  32. #include "sendf.h"
  33. /* The last #include files should be: */
  34. #include "curl_memory.h"
  35. #include "memdebug.h"
  36. /*
  37. * Curl_auth_is_ntlm_supported()
  38. *
  39. * This is used to evaluate if NTLM is supported.
  40. *
  41. * Parameters: None
  42. *
  43. * Returns TRUE if NTLM is supported by Windows SSPI.
  44. */
  45. bool Curl_auth_is_ntlm_supported(void)
  46. {
  47. PSecPkgInfo SecurityPackage;
  48. SECURITY_STATUS status;
  49. /* Query the security package for NTLM */
  50. status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM),
  51. &SecurityPackage);
  52. /* Release the package buffer as it is not required anymore */
  53. if(status == SEC_E_OK) {
  54. s_pSecFn->FreeContextBuffer(SecurityPackage);
  55. }
  56. return (status == SEC_E_OK ? TRUE : FALSE);
  57. }
  58. /*
  59. * Curl_auth_create_ntlm_type1_message()
  60. *
  61. * This is used to generate an already encoded NTLM type-1 message ready for
  62. * sending to the recipient.
  63. *
  64. * Parameters:
  65. *
  66. * data [in] - The session handle.
  67. * userp [in] - The user name in the format User or Domain\User.
  68. * passwdp [in] - The user's password.
  69. * service [in] - The service type such as http, smtp, pop or imap.
  70. * host [in] - The host name.
  71. * ntlm [in/out] - The NTLM data struct being used and modified.
  72. * out [out] - The result storage.
  73. *
  74. * Returns CURLE_OK on success.
  75. */
  76. CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
  77. const char *userp,
  78. const char *passwdp,
  79. const char *service,
  80. const char *host,
  81. struct ntlmdata *ntlm,
  82. struct bufref *out)
  83. {
  84. PSecPkgInfo SecurityPackage;
  85. SecBuffer type_1_buf;
  86. SecBufferDesc type_1_desc;
  87. SECURITY_STATUS status;
  88. unsigned long attrs;
  89. TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
  90. /* Clean up any former leftovers and initialise to defaults */
  91. Curl_auth_cleanup_ntlm(ntlm);
  92. /* Query the security package for NTLM */
  93. status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM),
  94. &SecurityPackage);
  95. if(status != SEC_E_OK) {
  96. failf(data, "SSPI: couldn't get auth info");
  97. return CURLE_AUTH_ERROR;
  98. }
  99. ntlm->token_max = SecurityPackage->cbMaxToken;
  100. /* Release the package buffer as it is not required anymore */
  101. s_pSecFn->FreeContextBuffer(SecurityPackage);
  102. /* Allocate our output buffer */
  103. ntlm->output_token = malloc(ntlm->token_max);
  104. if(!ntlm->output_token)
  105. return CURLE_OUT_OF_MEMORY;
  106. if(userp && *userp) {
  107. CURLcode result;
  108. /* Populate our identity structure */
  109. result = Curl_create_sspi_identity(userp, passwdp, &ntlm->identity);
  110. if(result)
  111. return result;
  112. /* Allow proper cleanup of the identity structure */
  113. ntlm->p_identity = &ntlm->identity;
  114. }
  115. else
  116. /* Use the current Windows user */
  117. ntlm->p_identity = NULL;
  118. /* Allocate our credentials handle */
  119. ntlm->credentials = calloc(1, sizeof(CredHandle));
  120. if(!ntlm->credentials)
  121. return CURLE_OUT_OF_MEMORY;
  122. /* Acquire our credentials handle */
  123. status = s_pSecFn->AcquireCredentialsHandle(NULL,
  124. (TCHAR *) TEXT(SP_NAME_NTLM),
  125. SECPKG_CRED_OUTBOUND, NULL,
  126. ntlm->p_identity, NULL, NULL,
  127. ntlm->credentials, &expiry);
  128. if(status != SEC_E_OK)
  129. return CURLE_LOGIN_DENIED;
  130. /* Allocate our new context handle */
  131. ntlm->context = calloc(1, sizeof(CtxtHandle));
  132. if(!ntlm->context)
  133. return CURLE_OUT_OF_MEMORY;
  134. ntlm->spn = Curl_auth_build_spn(service, host, NULL);
  135. if(!ntlm->spn)
  136. return CURLE_OUT_OF_MEMORY;
  137. /* Setup the type-1 "output" security buffer */
  138. type_1_desc.ulVersion = SECBUFFER_VERSION;
  139. type_1_desc.cBuffers = 1;
  140. type_1_desc.pBuffers = &type_1_buf;
  141. type_1_buf.BufferType = SECBUFFER_TOKEN;
  142. type_1_buf.pvBuffer = ntlm->output_token;
  143. type_1_buf.cbBuffer = curlx_uztoul(ntlm->token_max);
  144. /* Generate our type-1 message */
  145. status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
  146. ntlm->spn,
  147. 0, 0, SECURITY_NETWORK_DREP,
  148. NULL, 0,
  149. ntlm->context, &type_1_desc,
  150. &attrs, &expiry);
  151. if(status == SEC_I_COMPLETE_NEEDED ||
  152. status == SEC_I_COMPLETE_AND_CONTINUE)
  153. s_pSecFn->CompleteAuthToken(ntlm->context, &type_1_desc);
  154. else if(status == SEC_E_INSUFFICIENT_MEMORY)
  155. return CURLE_OUT_OF_MEMORY;
  156. else if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
  157. return CURLE_AUTH_ERROR;
  158. /* Return the response. */
  159. Curl_bufref_set(out, ntlm->output_token, type_1_buf.cbBuffer, NULL);
  160. return CURLE_OK;
  161. }
  162. /*
  163. * Curl_auth_decode_ntlm_type2_message()
  164. *
  165. * This is used to decode an already encoded NTLM type-2 message.
  166. *
  167. * Parameters:
  168. *
  169. * data [in] - The session handle.
  170. * type2 [in] - The type-2 message.
  171. * ntlm [in/out] - The NTLM data struct being used and modified.
  172. *
  173. * Returns CURLE_OK on success.
  174. */
  175. CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
  176. const struct bufref *type2,
  177. struct ntlmdata *ntlm)
  178. {
  179. #if defined(CURL_DISABLE_VERBOSE_STRINGS)
  180. (void) data;
  181. #endif
  182. /* Ensure we have a valid type-2 message */
  183. if(!Curl_bufref_len(type2)) {
  184. infof(data, "NTLM handshake failure (empty type-2 message)");
  185. return CURLE_BAD_CONTENT_ENCODING;
  186. }
  187. /* Store the challenge for later use */
  188. ntlm->input_token = malloc(Curl_bufref_len(type2) + 1);
  189. if(!ntlm->input_token)
  190. return CURLE_OUT_OF_MEMORY;
  191. memcpy(ntlm->input_token, Curl_bufref_ptr(type2), Curl_bufref_len(type2));
  192. ntlm->input_token[Curl_bufref_len(type2)] = '\0';
  193. ntlm->input_token_len = Curl_bufref_len(type2);
  194. return CURLE_OK;
  195. }
  196. /*
  197. * Curl_auth_create_ntlm_type3_message()
  198. * Curl_auth_create_ntlm_type3_message()
  199. *
  200. * This is used to generate an already encoded NTLM type-3 message ready for
  201. * sending to the recipient.
  202. *
  203. * Parameters:
  204. *
  205. * data [in] - The session handle.
  206. * userp [in] - The user name in the format User or Domain\User.
  207. * passwdp [in] - The user's password.
  208. * ntlm [in/out] - The NTLM data struct being used and modified.
  209. * out [out] - The result storage.
  210. *
  211. * Returns CURLE_OK on success.
  212. */
  213. CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
  214. const char *userp,
  215. const char *passwdp,
  216. struct ntlmdata *ntlm,
  217. struct bufref *out)
  218. {
  219. CURLcode result = CURLE_OK;
  220. SecBuffer type_2_bufs[2];
  221. SecBuffer type_3_buf;
  222. SecBufferDesc type_2_desc;
  223. SecBufferDesc type_3_desc;
  224. SECURITY_STATUS status;
  225. unsigned long attrs;
  226. TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
  227. #if defined(CURL_DISABLE_VERBOSE_STRINGS)
  228. (void) data;
  229. #endif
  230. (void) passwdp;
  231. (void) userp;
  232. /* Setup the type-2 "input" security buffer */
  233. type_2_desc.ulVersion = SECBUFFER_VERSION;
  234. type_2_desc.cBuffers = 1;
  235. type_2_desc.pBuffers = &type_2_bufs[0];
  236. type_2_bufs[0].BufferType = SECBUFFER_TOKEN;
  237. type_2_bufs[0].pvBuffer = ntlm->input_token;
  238. type_2_bufs[0].cbBuffer = curlx_uztoul(ntlm->input_token_len);
  239. #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
  240. /* ssl context comes from schannel.
  241. * When extended protection is used in IIS server,
  242. * we have to pass a second SecBuffer to the SecBufferDesc
  243. * otherwise IIS will not pass the authentication (401 response).
  244. * Minimum supported version is Windows 7.
  245. * https://docs.microsoft.com/en-us/security-updates
  246. * /SecurityAdvisories/2009/973811
  247. */
  248. if(ntlm->sslContext) {
  249. SEC_CHANNEL_BINDINGS channelBindings;
  250. SecPkgContext_Bindings pkgBindings;
  251. pkgBindings.Bindings = &channelBindings;
  252. status = s_pSecFn->QueryContextAttributes(
  253. ntlm->sslContext,
  254. SECPKG_ATTR_ENDPOINT_BINDINGS,
  255. &pkgBindings
  256. );
  257. if(status == SEC_E_OK) {
  258. type_2_desc.cBuffers++;
  259. type_2_bufs[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
  260. type_2_bufs[1].cbBuffer = pkgBindings.BindingsLength;
  261. type_2_bufs[1].pvBuffer = pkgBindings.Bindings;
  262. }
  263. }
  264. #endif
  265. /* Setup the type-3 "output" security buffer */
  266. type_3_desc.ulVersion = SECBUFFER_VERSION;
  267. type_3_desc.cBuffers = 1;
  268. type_3_desc.pBuffers = &type_3_buf;
  269. type_3_buf.BufferType = SECBUFFER_TOKEN;
  270. type_3_buf.pvBuffer = ntlm->output_token;
  271. type_3_buf.cbBuffer = curlx_uztoul(ntlm->token_max);
  272. /* Generate our type-3 message */
  273. status = s_pSecFn->InitializeSecurityContext(ntlm->credentials,
  274. ntlm->context,
  275. ntlm->spn,
  276. 0, 0, SECURITY_NETWORK_DREP,
  277. &type_2_desc,
  278. 0, ntlm->context,
  279. &type_3_desc,
  280. &attrs, &expiry);
  281. if(status != SEC_E_OK) {
  282. infof(data, "NTLM handshake failure (type-3 message): Status=%x",
  283. status);
  284. if(status == SEC_E_INSUFFICIENT_MEMORY)
  285. return CURLE_OUT_OF_MEMORY;
  286. return CURLE_AUTH_ERROR;
  287. }
  288. /* Return the response. */
  289. result = Curl_bufref_memdup(out, ntlm->output_token, type_3_buf.cbBuffer);
  290. Curl_auth_cleanup_ntlm(ntlm);
  291. return result;
  292. }
  293. /*
  294. * Curl_auth_cleanup_ntlm()
  295. *
  296. * This is used to clean up the NTLM specific data.
  297. *
  298. * Parameters:
  299. *
  300. * ntlm [in/out] - The NTLM data struct being cleaned up.
  301. *
  302. */
  303. void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
  304. {
  305. /* Free our security context */
  306. if(ntlm->context) {
  307. s_pSecFn->DeleteSecurityContext(ntlm->context);
  308. free(ntlm->context);
  309. ntlm->context = NULL;
  310. }
  311. /* Free our credentials handle */
  312. if(ntlm->credentials) {
  313. s_pSecFn->FreeCredentialsHandle(ntlm->credentials);
  314. free(ntlm->credentials);
  315. ntlm->credentials = NULL;
  316. }
  317. /* Free our identity */
  318. Curl_sspi_free_identity(ntlm->p_identity);
  319. ntlm->p_identity = NULL;
  320. /* Free the input and output tokens */
  321. Curl_safefree(ntlm->input_token);
  322. Curl_safefree(ntlm->output_token);
  323. /* Reset any variables */
  324. ntlm->token_max = 0;
  325. Curl_safefree(ntlm->spn);
  326. }
  327. #endif /* USE_WINDOWS_SSPI && USE_NTLM */