http_negotiate.c 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
  26. #include "urldata.h"
  27. #include "sendf.h"
  28. #include "http_negotiate.h"
  29. #include "vauth/vauth.h"
  30. /* The last 3 #include files should be in this order */
  31. #include "curl_printf.h"
  32. #include "curl_memory.h"
  33. #include "memdebug.h"
  34. CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
  35. bool proxy, const char *header)
  36. {
  37. CURLcode result;
  38. size_t len;
  39. /* Point to the username, password, service and host */
  40. const char *userp;
  41. const char *passwdp;
  42. const char *service;
  43. const char *host;
  44. /* Point to the correct struct with this */
  45. struct negotiatedata *neg_ctx;
  46. curlnegotiate state;
  47. if(proxy) {
  48. #ifndef CURL_DISABLE_PROXY
  49. userp = conn->http_proxy.user;
  50. passwdp = conn->http_proxy.passwd;
  51. service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
  52. data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
  53. host = conn->http_proxy.host.name;
  54. neg_ctx = &conn->proxyneg;
  55. state = conn->proxy_negotiate_state;
  56. #else
  57. return CURLE_NOT_BUILT_IN;
  58. #endif
  59. }
  60. else {
  61. userp = conn->user;
  62. passwdp = conn->passwd;
  63. service = data->set.str[STRING_SERVICE_NAME] ?
  64. data->set.str[STRING_SERVICE_NAME] : "HTTP";
  65. host = conn->host.name;
  66. neg_ctx = &conn->negotiate;
  67. state = conn->http_negotiate_state;
  68. }
  69. /* Not set means empty */
  70. if(!userp)
  71. userp = "";
  72. if(!passwdp)
  73. passwdp = "";
  74. /* Obtain the input token, if any */
  75. header += strlen("Negotiate");
  76. while(*header && ISBLANK(*header))
  77. header++;
  78. len = strlen(header);
  79. neg_ctx->havenegdata = len != 0;
  80. if(!len) {
  81. if(state == GSS_AUTHSUCC) {
  82. infof(data, "Negotiate auth restarted");
  83. Curl_http_auth_cleanup_negotiate(conn);
  84. }
  85. else if(state != GSS_AUTHNONE) {
  86. /* The server rejected our authentication and has not supplied any more
  87. negotiation mechanisms */
  88. Curl_http_auth_cleanup_negotiate(conn);
  89. return CURLE_LOGIN_DENIED;
  90. }
  91. }
  92. /* Supports SSL channel binding for Windows ISS extended protection */
  93. #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
  94. neg_ctx->sslContext = conn->sslContext;
  95. #endif
  96. /* Initialize the security context and decode our challenge */
  97. result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
  98. host, header, neg_ctx);
  99. if(result)
  100. Curl_http_auth_cleanup_negotiate(conn);
  101. return result;
  102. }
  103. CURLcode Curl_output_negotiate(struct Curl_easy *data,
  104. struct connectdata *conn, bool proxy)
  105. {
  106. struct negotiatedata *neg_ctx;
  107. struct auth *authp;
  108. curlnegotiate *state;
  109. char *base64 = NULL;
  110. size_t len = 0;
  111. char *userp;
  112. CURLcode result;
  113. if(proxy) {
  114. #ifndef CURL_DISABLE_PROXY
  115. neg_ctx = &conn->proxyneg;
  116. authp = &data->state.authproxy;
  117. state = &conn->proxy_negotiate_state;
  118. #else
  119. return CURLE_NOT_BUILT_IN;
  120. #endif
  121. }
  122. else {
  123. neg_ctx = &conn->negotiate;
  124. authp = &data->state.authhost;
  125. state = &conn->http_negotiate_state;
  126. }
  127. authp->done = FALSE;
  128. if(*state == GSS_AUTHRECV) {
  129. if(neg_ctx->havenegdata) {
  130. neg_ctx->havemultiplerequests = TRUE;
  131. }
  132. }
  133. else if(*state == GSS_AUTHSUCC) {
  134. if(!neg_ctx->havenoauthpersist) {
  135. neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
  136. }
  137. }
  138. if(neg_ctx->noauthpersist ||
  139. (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
  140. if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
  141. infof(data, "Curl_output_negotiate, "
  142. "no persistent authentication: cleanup existing context");
  143. Curl_http_auth_cleanup_negotiate(conn);
  144. }
  145. if(!neg_ctx->context) {
  146. result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
  147. if(result == CURLE_AUTH_ERROR) {
  148. /* negotiate auth failed, let's continue unauthenticated to stay
  149. * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
  150. authp->done = TRUE;
  151. return CURLE_OK;
  152. }
  153. else if(result)
  154. return result;
  155. }
  156. result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
  157. if(result)
  158. return result;
  159. userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
  160. base64);
  161. if(proxy) {
  162. #ifndef CURL_DISABLE_PROXY
  163. Curl_safefree(data->state.aptr.proxyuserpwd);
  164. data->state.aptr.proxyuserpwd = userp;
  165. #endif
  166. }
  167. else {
  168. Curl_safefree(data->state.aptr.userpwd);
  169. data->state.aptr.userpwd = userp;
  170. }
  171. free(base64);
  172. if(!userp) {
  173. return CURLE_OUT_OF_MEMORY;
  174. }
  175. *state = GSS_AUTHSENT;
  176. #ifdef HAVE_GSSAPI
  177. if(neg_ctx->status == GSS_S_COMPLETE ||
  178. neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
  179. *state = GSS_AUTHDONE;
  180. }
  181. #else
  182. #ifdef USE_WINDOWS_SSPI
  183. if(neg_ctx->status == SEC_E_OK ||
  184. neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
  185. *state = GSS_AUTHDONE;
  186. }
  187. #endif
  188. #endif
  189. }
  190. if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
  191. /* connection is already authenticated,
  192. * do not send a header in future requests */
  193. authp->done = TRUE;
  194. }
  195. neg_ctx->havenegdata = FALSE;
  196. return CURLE_OK;
  197. }
  198. void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
  199. {
  200. conn->http_negotiate_state = GSS_AUTHNONE;
  201. conn->proxy_negotiate_state = GSS_AUTHNONE;
  202. Curl_auth_cleanup_spnego(&conn->negotiate);
  203. Curl_auth_cleanup_spnego(&conn->proxyneg);
  204. }
  205. #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */