1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 #include "curl_setup.h"
26
27 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
28
29 #include "urldata.h"
30 #include "sendf.h"
31 #include "http_negotiate.h"
32 #include "vauth/vauth.h"
33 #include "vtls/vtls.h"
34
35 /* The last 3 #include files should be in this order */
36 #include "curl_printf.h"
37 #include "curl_memory.h"
38 #include "memdebug.h"
39
Curl_input_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy,const char * header)40 CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
41 bool proxy, const char *header)
42 {
43 CURLcode result;
44 size_t len;
45
46 /* Point to the username, password, service and host */
47 const char *userp;
48 const char *passwdp;
49 const char *service;
50 const char *host;
51
52 /* Point to the correct struct with this */
53 struct negotiatedata *neg_ctx;
54 curlnegotiate state;
55
56 if(proxy) {
57 #ifndef CURL_DISABLE_PROXY
58 userp = conn->http_proxy.user;
59 passwdp = conn->http_proxy.passwd;
60 service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
61 data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
62 host = conn->http_proxy.host.name;
63 neg_ctx = &conn->proxyneg;
64 state = conn->proxy_negotiate_state;
65 #else
66 return CURLE_NOT_BUILT_IN;
67 #endif
68 }
69 else {
70 userp = conn->user;
71 passwdp = conn->passwd;
72 service = data->set.str[STRING_SERVICE_NAME] ?
73 data->set.str[STRING_SERVICE_NAME] : "HTTP";
74 host = conn->host.name;
75 neg_ctx = &conn->negotiate;
76 state = conn->http_negotiate_state;
77 }
78
79 /* Not set means empty */
80 if(!userp)
81 userp = "";
82
83 if(!passwdp)
84 passwdp = "";
85
86 /* Obtain the input token, if any */
87 header += strlen("Negotiate");
88 while(*header && ISBLANK(*header))
89 header++;
90
91 len = strlen(header);
92 neg_ctx->havenegdata = len != 0;
93 if(!len) {
94 if(state == GSS_AUTHSUCC) {
95 infof(data, "Negotiate auth restarted");
96 Curl_http_auth_cleanup_negotiate(conn);
97 }
98 else if(state != GSS_AUTHNONE) {
99 /* The server rejected our authentication and has not supplied any more
100 negotiation mechanisms */
101 Curl_http_auth_cleanup_negotiate(conn);
102 return CURLE_LOGIN_DENIED;
103 }
104 }
105
106 /* Supports SSL channel binding for Windows ISS extended protection */
107 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
108 neg_ctx->sslContext = conn->sslContext;
109 #endif
110 /* Check if the connection is using SSL and get the channel binding data */
111 #if defined(USE_SSL) && defined(HAVE_GSSAPI)
112 if(conn->handler->flags & PROTOPT_SSL) {
113 Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE);
114 result = Curl_ssl_get_channel_binding(
115 data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
116 if(result) {
117 Curl_http_auth_cleanup_negotiate(conn);
118 return result;
119 }
120 }
121 #endif
122
123 /* Initialize the security context and decode our challenge */
124 result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
125 host, header, neg_ctx);
126
127 #if defined(USE_SSL) && defined(HAVE_GSSAPI)
128 Curl_dyn_free(&neg_ctx->channel_binding_data);
129 #endif
130
131 if(result)
132 Curl_http_auth_cleanup_negotiate(conn);
133
134 return result;
135 }
136
Curl_output_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy)137 CURLcode Curl_output_negotiate(struct Curl_easy *data,
138 struct connectdata *conn, bool proxy)
139 {
140 struct negotiatedata *neg_ctx;
141 struct auth *authp;
142 curlnegotiate *state;
143 char *base64 = NULL;
144 size_t len = 0;
145 char *userp;
146 CURLcode result;
147
148 if(proxy) {
149 #ifndef CURL_DISABLE_PROXY
150 neg_ctx = &conn->proxyneg;
151 authp = &data->state.authproxy;
152 state = &conn->proxy_negotiate_state;
153 #else
154 return CURLE_NOT_BUILT_IN;
155 #endif
156 }
157 else {
158 neg_ctx = &conn->negotiate;
159 authp = &data->state.authhost;
160 state = &conn->http_negotiate_state;
161 }
162
163 authp->done = FALSE;
164
165 if(*state == GSS_AUTHRECV) {
166 if(neg_ctx->havenegdata) {
167 neg_ctx->havemultiplerequests = TRUE;
168 }
169 }
170 else if(*state == GSS_AUTHSUCC) {
171 if(!neg_ctx->havenoauthpersist) {
172 neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
173 }
174 }
175
176 if(neg_ctx->noauthpersist ||
177 (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
178
179 if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
180 infof(data, "Curl_output_negotiate, "
181 "no persistent authentication: cleanup existing context");
182 Curl_http_auth_cleanup_negotiate(conn);
183 }
184 if(!neg_ctx->context) {
185 result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
186 if(result == CURLE_AUTH_ERROR) {
187 /* negotiate auth failed, let's continue unauthenticated to stay
188 * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
189 authp->done = TRUE;
190 return CURLE_OK;
191 }
192 else if(result)
193 return result;
194 }
195
196 result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
197 if(result)
198 return result;
199
200 userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
201 base64);
202
203 if(proxy) {
204 #ifndef CURL_DISABLE_PROXY
205 Curl_safefree(data->state.aptr.proxyuserpwd);
206 data->state.aptr.proxyuserpwd = userp;
207 #endif
208 }
209 else {
210 Curl_safefree(data->state.aptr.userpwd);
211 data->state.aptr.userpwd = userp;
212 }
213
214 free(base64);
215
216 if(!userp) {
217 return CURLE_OUT_OF_MEMORY;
218 }
219
220 *state = GSS_AUTHSENT;
221 #ifdef HAVE_GSSAPI
222 if(neg_ctx->status == GSS_S_COMPLETE ||
223 neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
224 *state = GSS_AUTHDONE;
225 }
226 #else
227 #ifdef USE_WINDOWS_SSPI
228 if(neg_ctx->status == SEC_E_OK ||
229 neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
230 *state = GSS_AUTHDONE;
231 }
232 #endif
233 #endif
234 }
235
236 if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
237 /* connection is already authenticated,
238 * do not send a header in future requests */
239 authp->done = TRUE;
240 }
241
242 neg_ctx->havenegdata = FALSE;
243
244 return CURLE_OK;
245 }
246
Curl_http_auth_cleanup_negotiate(struct connectdata * conn)247 void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
248 {
249 conn->http_negotiate_state = GSS_AUTHNONE;
250 conn->proxy_negotiate_state = GSS_AUTHNONE;
251
252 Curl_auth_cleanup_spnego(&conn->negotiate);
253 Curl_auth_cleanup_spnego(&conn->proxyneg);
254 }
255
256 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
257
