http_negotiate.c 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
  26. #include "urldata.h"
  27. #include "sendf.h"
  28. #include "http_negotiate.h"
  29. #include "vauth/vauth.h"
  30. /* The last 3 #include files should be in this order */
  31. #include "curl_printf.h"
  32. #include "curl_memory.h"
  33. #include "memdebug.h"
  34. CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
  35. bool proxy, const char *header)
  36. {
  37. CURLcode result;
  38. size_t len;
  39. /* Point to the username, password, service and host */
  40. const char *userp;
  41. const char *passwdp;
  42. const char *service;
  43. const char *host;
  44. /* Point to the correct struct with this */
  45. struct negotiatedata *neg_ctx;
  46. curlnegotiate state;
  47. if(proxy) {
  48. #ifndef CURL_DISABLE_PROXY
  49. userp = conn->http_proxy.user;
  50. passwdp = conn->http_proxy.passwd;
  51. service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
  52. data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
  53. host = conn->http_proxy.host.name;
  54. neg_ctx = &conn->proxyneg;
  55. state = conn->proxy_negotiate_state;
  56. #else
  57. return CURLE_NOT_BUILT_IN;
  58. #endif
  59. }
  60. else {
  61. userp = conn->user;
  62. passwdp = conn->passwd;
  63. service = data->set.str[STRING_SERVICE_NAME] ?
  64. data->set.str[STRING_SERVICE_NAME] : "HTTP";
  65. host = conn->host.name;
  66. neg_ctx = &conn->negotiate;
  67. state = conn->http_negotiate_state;
  68. }
  69. /* Not set means empty */
  70. if(!userp)
  71. userp = "";
  72. if(!passwdp)
  73. passwdp = "";
  74. /* Obtain the input token, if any */
  75. header += strlen("Negotiate");
  76. while(*header && ISBLANK(*header))
  77. header++;
  78. len = strlen(header);
  79. neg_ctx->havenegdata = len != 0;
  80. if(!len) {
  81. if(state == GSS_AUTHSUCC) {
  82. infof(data, "Negotiate auth restarted");
  83. Curl_http_auth_cleanup_negotiate(conn);
  84. }
  85. else if(state != GSS_AUTHNONE) {
  86. /* The server rejected our authentication and hasn't supplied any more
  87. negotiation mechanisms */
  88. Curl_http_auth_cleanup_negotiate(conn);
  89. return CURLE_LOGIN_DENIED;
  90. }
  91. }
  92. /* Supports SSL channel binding for Windows ISS extended protection */
  93. #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
  94. neg_ctx->sslContext = conn->sslContext;
  95. #endif
  96. /* Initialize the security context and decode our challenge */
  97. result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
  98. host, header, neg_ctx);
  99. if(result)
  100. Curl_http_auth_cleanup_negotiate(conn);
  101. return result;
  102. }
  103. CURLcode Curl_output_negotiate(struct Curl_easy *data,
  104. struct connectdata *conn, bool proxy)
  105. {
  106. struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
  107. &conn->negotiate;
  108. struct auth *authp = proxy ? &data->state.authproxy : &data->state.authhost;
  109. curlnegotiate *state = proxy ? &conn->proxy_negotiate_state :
  110. &conn->http_negotiate_state;
  111. char *base64 = NULL;
  112. size_t len = 0;
  113. char *userp;
  114. CURLcode result;
  115. authp->done = FALSE;
  116. if(*state == GSS_AUTHRECV) {
  117. if(neg_ctx->havenegdata) {
  118. neg_ctx->havemultiplerequests = TRUE;
  119. }
  120. }
  121. else if(*state == GSS_AUTHSUCC) {
  122. if(!neg_ctx->havenoauthpersist) {
  123. neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
  124. }
  125. }
  126. if(neg_ctx->noauthpersist ||
  127. (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
  128. if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
  129. infof(data, "Curl_output_negotiate, "
  130. "no persistent authentication: cleanup existing context");
  131. Curl_http_auth_cleanup_negotiate(conn);
  132. }
  133. if(!neg_ctx->context) {
  134. result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
  135. if(result == CURLE_AUTH_ERROR) {
  136. /* negotiate auth failed, let's continue unauthenticated to stay
  137. * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
  138. authp->done = TRUE;
  139. return CURLE_OK;
  140. }
  141. else if(result)
  142. return result;
  143. }
  144. result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
  145. if(result)
  146. return result;
  147. userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
  148. base64);
  149. if(proxy) {
  150. Curl_safefree(data->state.aptr.proxyuserpwd);
  151. data->state.aptr.proxyuserpwd = userp;
  152. }
  153. else {
  154. Curl_safefree(data->state.aptr.userpwd);
  155. data->state.aptr.userpwd = userp;
  156. }
  157. free(base64);
  158. if(!userp) {
  159. return CURLE_OUT_OF_MEMORY;
  160. }
  161. *state = GSS_AUTHSENT;
  162. #ifdef HAVE_GSSAPI
  163. if(neg_ctx->status == GSS_S_COMPLETE ||
  164. neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
  165. *state = GSS_AUTHDONE;
  166. }
  167. #else
  168. #ifdef USE_WINDOWS_SSPI
  169. if(neg_ctx->status == SEC_E_OK ||
  170. neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
  171. *state = GSS_AUTHDONE;
  172. }
  173. #endif
  174. #endif
  175. }
  176. if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
  177. /* connection is already authenticated,
  178. * don't send a header in future requests */
  179. authp->done = TRUE;
  180. }
  181. neg_ctx->havenegdata = FALSE;
  182. return CURLE_OK;
  183. }
  184. void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
  185. {
  186. conn->http_negotiate_state = GSS_AUTHNONE;
  187. conn->proxy_negotiate_state = GSS_AUTHNONE;
  188. Curl_auth_cleanup_spnego(&conn->negotiate);
  189. Curl_auth_cleanup_spnego(&conn->proxyneg);
  190. }
  191. #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */