Home Explore Help
Sign In
OWEALs
/
curl
mirror of https://github.com/curl/curl.git
2
0
Fork 0
Files Issues 8 Wiki
Tree: fb243b0475
Branches Tags
curl
/
lib
/
http_negotiate.c

http_negotiate.c 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 
  1. /***************************************************************************
    2. 

  2.  *                                  _   _ ____  _
    3. 

  3.  *  Project                     ___| | | |  _ \| |
    4. 

  4.  *                             / __| | | | |_) | |
    5. 

  5.  *                            | (__| |_| |  _ <| |___
    6. 

  6.  *                             \___|\___/|_| \_\_____|
    7. 

  7.  *
    8. 

  8.  * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
    9. 

  9.  *
    10. 

  10.  * This software is licensed as described in the file COPYING, which
    11. 

  11.  * you should have received as part of this distribution. The terms
    12. 

  12.  * are also available at https://curl.haxx.se/docs/copyright.html.
    13. 

  13.  *
    14. 

  14.  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
    15. 

  15.  * copies of the Software, and permit persons to whom the Software is
    16. 

  16.  * furnished to do so, under the terms of the COPYING file.
    17. 

  17.  *
    18. 

  18.  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
    19. 

  19.  * KIND, either express or implied.
    20. 

  20.  *
    21. 

  21.  ***************************************************************************/
    22. 

  22. 

  23. #include "curl_setup.h"
    24. 

  24. 

  25. #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
    26. 

  26. 

  27. #include "urldata.h"
    28. 

  28. #include "sendf.h"
    29. 

  29. #include "http_negotiate.h"
    30. 

  30. #include "vauth/vauth.h"
    31. 

  31. 

  32. /* The last 3 #include files should be in this order */
    33. 

  33. #include "curl_printf.h"
    34. 

  34. #include "curl_memory.h"
    35. 

  35. #include "memdebug.h"
    36. 

  36. 

  37. CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
    38. 

  38.                               const char *header)
    39. 

  39. {
    40. 

  40.   CURLcode result;
    41. 

  41.   struct Curl_easy *data = conn->data;
    42. 

  42.   size_t len;
    43. 

  43. 

  44.   /* Point to the username, password, service and host */
    45. 

  45.   const char *userp;
    46. 

  46.   const char *passwdp;
    47. 

  47.   const char *service;
    48. 

  48.   const char *host;
    49. 

  49. 

  50.   /* Point to the correct struct with this */
    51. 

  51.   struct negotiatedata *neg_ctx;
    52. 

  52. 

  53.   if(proxy) {
    54. 

  54.     userp = conn->http_proxy.user;
    55. 

  55.     passwdp = conn->http_proxy.passwd;
    56. 

  56.     service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
    57. 

  57.               data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
    58. 

  58.     host = conn->http_proxy.host.name;
    59. 

  59.     neg_ctx = &conn->proxyneg;
    60. 

  60.   }
    61. 

  61.   else {
    62. 

  62.     userp = conn->user;
    63. 

  63.     passwdp = conn->passwd;
    64. 

  64.     service = data->set.str[STRING_SERVICE_NAME] ?
    65. 

  65.               data->set.str[STRING_SERVICE_NAME] : "HTTP";
    66. 

  66.     host = conn->host.name;
    67. 

  67.     neg_ctx = &conn->negotiate;
    68. 

  68.   }
    69. 

  69. 

  70.   /* Not set means empty */
    71. 

  71.   if(!userp)
    72. 

  72.     userp = "";
    73. 

  73. 

  74.   if(!passwdp)
    75. 

  75.     passwdp = "";
    76. 

  76. 

  77.   /* Obtain the input token, if any */
    78. 

  78.   header += strlen("Negotiate");
    79. 

  79.   while(*header && ISSPACE(*header))
    80. 

  80.     header++;
    81. 

  81. 

  82.   len = strlen(header);
    83. 

  83.   neg_ctx->havenegdata = len != 0;
    84. 

  84.   if(!len) {
    85. 

  85.     if(neg_ctx->state == GSS_AUTHSUCC) {
    86. 

  86.       infof(conn->data, "Negotiate auth restarted\n");
    87. 

  87.       Curl_cleanup_negotiate(conn);
    88. 

  88.     }
    89. 

  89.     else if(neg_ctx->state != GSS_AUTHNONE) {
    90. 

  90.       /* The server rejected our authentication and hasn't supplied any more
    91. 

  91.       negotiation mechanisms */
    92. 

  92.       Curl_cleanup_negotiate(conn);
    93. 

  93.       return CURLE_LOGIN_DENIED;
    94. 

  94.     }
    95. 

  95.   }
    96. 

  96. 

  97.   /* Supports SSL channel binding for Windows ISS extended protection */
    98. 

  98. #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
    99. 

  99.   neg_ctx->sslContext = conn->sslContext;
    100. 

  100. #endif
    101. 

  101. 

  102.   /* Initialize the security context and decode our challenge */
    103. 

  103.   result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
    104. 

  104.                                            host, header, neg_ctx);
    105. 

  105. 

  106.   if(result)
    107. 

  107.     Curl_auth_spnego_cleanup(neg_ctx);
    108. 

  108. 

  109.   return result;
    110. 

  110. }
    111. 

  111. 

  112. CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
    113. 

  113. {
    114. 

  114.   struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
    115. 

  115.     &conn->negotiate;
    116. 

  116.   struct auth *authp = proxy ? &conn->data->state.authproxy :
    117. 

  117.     &conn->data->state.authhost;
    118. 

  118.   char *base64 = NULL;
    119. 

  119.   size_t len = 0;
    120. 

  120.   char *userp;
    121. 

  121.   CURLcode result;
    122. 

  122. 

  123.   authp->done = FALSE;
    124. 

  124. 

  125.   if(neg_ctx->state == GSS_AUTHRECV) {
    126. 

  126.     if(neg_ctx->havenegdata) {
    127. 

  127.       neg_ctx->havemultiplerequests = TRUE;
    128. 

  128.     }
    129. 

  129.   }
    130. 

  130.   else if(neg_ctx->state == GSS_AUTHSUCC) {
    131. 

  131.     if(!neg_ctx->havenoauthpersist) {
    132. 

  132.       neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
    133. 

  133.     }
    134. 

  134.   }
    135. 

  135. 

  136.   if(neg_ctx->noauthpersist ||
    137. 

  137.     (neg_ctx->state != GSS_AUTHDONE && neg_ctx->state != GSS_AUTHSUCC)) {
    138. 

  138. 

  139.     if(neg_ctx->noauthpersist && neg_ctx->state == GSS_AUTHSUCC) {
    140. 

  140.       infof(conn->data, "Curl_output_negotiate, "
    141. 

  141.        "no persistent authentication: cleanup existing context");
    142. 

  142.       Curl_auth_spnego_cleanup(neg_ctx);
    143. 

  143.     }
    144. 

  144.     if(!neg_ctx->context) {
    145. 

  145.       result = Curl_input_negotiate(conn, proxy, "Negotiate");
    146. 

  146.       if(result == CURLE_LOGIN_DENIED) {
    147. 

  147.         /* negotiate auth failed, let's continue unauthenticated to stay
    148. 

  148.          * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
    149. 

  149.         conn->data->state.authproblem = TRUE;
    150. 

  150.         return CURLE_OK;
    151. 

  151.       }
    152. 

  152.       else if(result)
    153. 

  153.         return result;
    154. 

  154.     }
    155. 

  155. 

  156.     result = Curl_auth_create_spnego_message(conn->data,
    157. 

  157.       neg_ctx, &base64, &len);
    158. 

  158.     if(result)
    159. 

  159.       return result;
    160. 

  160. 

  161.     userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
    162. 

  162.       base64);
    163. 

  163. 

  164.     if(proxy) {
    165. 

  165.       Curl_safefree(conn->allocptr.proxyuserpwd);
    166. 

  166.       conn->allocptr.proxyuserpwd = userp;
    167. 

  167.     }
    168. 

  168.     else {
    169. 

  169.       Curl_safefree(conn->allocptr.userpwd);
    170. 

  170.       conn->allocptr.userpwd = userp;
    171. 

  171.     }
    172. 

  172. 

  173.     free(base64);
    174. 

  174. 

  175.     if(userp == NULL) {
    176. 

  176.       return CURLE_OUT_OF_MEMORY;
    177. 

  177.     }
    178. 

  178. 

  179.     neg_ctx->state = GSS_AUTHSENT;
    180. 

  180.   #ifdef HAVE_GSSAPI
    181. 

  181.     if(neg_ctx->status == GSS_S_COMPLETE ||
    182. 

  182.        neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
    183. 

  183.       neg_ctx->state = GSS_AUTHDONE;
    184. 

  184.     }
    185. 

  185.   #else
    186. 

  186.   #ifdef USE_WINDOWS_SSPI
    187. 

  187.     if(neg_ctx->status == SEC_E_OK ||
    188. 

  188.        neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
    189. 

  189.       neg_ctx->state = GSS_AUTHDONE;
    190. 

  190.     }
    191. 

  191.   #endif
    192. 

  192.   #endif
    193. 

  193.   }
    194. 

  194. 

  195.   if(neg_ctx->state == GSS_AUTHDONE || neg_ctx->state == GSS_AUTHSUCC) {
    196. 

  196.     /* connection is already authenticated,
    197. 

  197.      * don't send a header in future requests */
    198. 

  198.     authp->done = TRUE;
    199. 

  199.   }
    200. 

  200. 

  201.   neg_ctx->havenegdata = FALSE;
    202. 

  202. 

  203.   return CURLE_OK;
    204. 

  204. }
    205. 

  205. 

  206. void Curl_cleanup_negotiate(struct connectdata *conn)
    207. 

  207. {
    208. 

  208.   Curl_auth_spnego_cleanup(&conn->negotiate);
    209. 

  209.   Curl_auth_spnego_cleanup(&conn->proxyneg);
    210. 

  210. }
    211. 

  211. 

  212. #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
    213.