xref: /curl/lib/http_negotiate.c (revision 1ec5336b)
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  * SPDX-License-Identifier: curl
22  *
23  ***************************************************************************/
24 
25 #include "curl_setup.h"
26 
27 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
28 
29 #include "urldata.h"
30 #include "sendf.h"
31 #include "http_negotiate.h"
32 #include "vauth/vauth.h"
33 #include "vtls/vtls.h"
34 
35 /* The last 3 #include files should be in this order */
36 #include "curl_printf.h"
37 #include "curl_memory.h"
38 #include "memdebug.h"
39 
Curl_input_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy,const char * header)40 CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
41                               bool proxy, const char *header)
42 {
43   CURLcode result;
44   size_t len;
45 
46   /* Point to the username, password, service and host */
47   const char *userp;
48   const char *passwdp;
49   const char *service;
50   const char *host;
51 
52   /* Point to the correct struct with this */
53   struct negotiatedata *neg_ctx;
54   curlnegotiate state;
55 
56   if(proxy) {
57 #ifndef CURL_DISABLE_PROXY
58     userp = conn->http_proxy.user;
59     passwdp = conn->http_proxy.passwd;
60     service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
61               data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
62     host = conn->http_proxy.host.name;
63     neg_ctx = &conn->proxyneg;
64     state = conn->proxy_negotiate_state;
65 #else
66     return CURLE_NOT_BUILT_IN;
67 #endif
68   }
69   else {
70     userp = conn->user;
71     passwdp = conn->passwd;
72     service = data->set.str[STRING_SERVICE_NAME] ?
73               data->set.str[STRING_SERVICE_NAME] : "HTTP";
74     host = conn->host.name;
75     neg_ctx = &conn->negotiate;
76     state = conn->http_negotiate_state;
77   }
78 
79   /* Not set means empty */
80   if(!userp)
81     userp = "";
82 
83   if(!passwdp)
84     passwdp = "";
85 
86   /* Obtain the input token, if any */
87   header += strlen("Negotiate");
88   while(*header && ISBLANK(*header))
89     header++;
90 
91   len = strlen(header);
92   neg_ctx->havenegdata = len != 0;
93   if(!len) {
94     if(state == GSS_AUTHSUCC) {
95       infof(data, "Negotiate auth restarted");
96       Curl_http_auth_cleanup_negotiate(conn);
97     }
98     else if(state != GSS_AUTHNONE) {
99       /* The server rejected our authentication and has not supplied any more
100       negotiation mechanisms */
101       Curl_http_auth_cleanup_negotiate(conn);
102       return CURLE_LOGIN_DENIED;
103     }
104   }
105 
106   /* Supports SSL channel binding for Windows ISS extended protection */
107 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
108   neg_ctx->sslContext = conn->sslContext;
109 #endif
110   /* Check if the connection is using SSL and get the channel binding data */
111 #if defined(USE_SSL) && defined(HAVE_GSSAPI)
112   if(conn->handler->flags & PROTOPT_SSL) {
113     Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE);
114     result = Curl_ssl_get_channel_binding(
115       data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
116     if(result) {
117       Curl_http_auth_cleanup_negotiate(conn);
118       return result;
119     }
120   }
121 #endif
122 
123   /* Initialize the security context and decode our challenge */
124   result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
125                                            host, header, neg_ctx);
126 
127 #if defined(USE_SSL) && defined(HAVE_GSSAPI)
128   Curl_dyn_free(&neg_ctx->channel_binding_data);
129 #endif
130 
131   if(result)
132     Curl_http_auth_cleanup_negotiate(conn);
133 
134   return result;
135 }
136 
Curl_output_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy)137 CURLcode Curl_output_negotiate(struct Curl_easy *data,
138                                struct connectdata *conn, bool proxy)
139 {
140   struct negotiatedata *neg_ctx;
141   struct auth *authp;
142   curlnegotiate *state;
143   char *base64 = NULL;
144   size_t len = 0;
145   char *userp;
146   CURLcode result;
147 
148   if(proxy) {
149 #ifndef CURL_DISABLE_PROXY
150     neg_ctx = &conn->proxyneg;
151     authp = &data->state.authproxy;
152     state = &conn->proxy_negotiate_state;
153 #else
154     return CURLE_NOT_BUILT_IN;
155 #endif
156   }
157   else {
158     neg_ctx = &conn->negotiate;
159     authp = &data->state.authhost;
160     state = &conn->http_negotiate_state;
161   }
162 
163   authp->done = FALSE;
164 
165   if(*state == GSS_AUTHRECV) {
166     if(neg_ctx->havenegdata) {
167       neg_ctx->havemultiplerequests = TRUE;
168     }
169   }
170   else if(*state == GSS_AUTHSUCC) {
171     if(!neg_ctx->havenoauthpersist) {
172       neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
173     }
174   }
175 
176   if(neg_ctx->noauthpersist ||
177      (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
178 
179     if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
180       infof(data, "Curl_output_negotiate, "
181             "no persistent authentication: cleanup existing context");
182       Curl_http_auth_cleanup_negotiate(conn);
183     }
184     if(!neg_ctx->context) {
185       result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
186       if(result == CURLE_AUTH_ERROR) {
187         /* negotiate auth failed, let's continue unauthenticated to stay
188          * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
189         authp->done = TRUE;
190         return CURLE_OK;
191       }
192       else if(result)
193         return result;
194     }
195 
196     result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
197     if(result)
198       return result;
199 
200     userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
201                     base64);
202 
203     if(proxy) {
204 #ifndef CURL_DISABLE_PROXY
205       Curl_safefree(data->state.aptr.proxyuserpwd);
206       data->state.aptr.proxyuserpwd = userp;
207 #endif
208     }
209     else {
210       Curl_safefree(data->state.aptr.userpwd);
211       data->state.aptr.userpwd = userp;
212     }
213 
214     free(base64);
215 
216     if(!userp) {
217       return CURLE_OUT_OF_MEMORY;
218     }
219 
220     *state = GSS_AUTHSENT;
221   #ifdef HAVE_GSSAPI
222     if(neg_ctx->status == GSS_S_COMPLETE ||
223        neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
224       *state = GSS_AUTHDONE;
225     }
226   #else
227   #ifdef USE_WINDOWS_SSPI
228     if(neg_ctx->status == SEC_E_OK ||
229        neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
230       *state = GSS_AUTHDONE;
231     }
232   #endif
233   #endif
234   }
235 
236   if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
237     /* connection is already authenticated,
238      * do not send a header in future requests */
239     authp->done = TRUE;
240   }
241 
242   neg_ctx->havenegdata = FALSE;
243 
244   return CURLE_OK;
245 }
246 
Curl_http_auth_cleanup_negotiate(struct connectdata * conn)247 void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
248 {
249   conn->http_negotiate_state = GSS_AUTHNONE;
250   conn->proxy_negotiate_state = GSS_AUTHNONE;
251 
252   Curl_auth_cleanup_spnego(&conn->negotiate);
253   Curl_auth_cleanup_spnego(&conn->proxyneg);
254 }
255 
256 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
257