1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 #include "curl_setup.h"
26
27 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
28
29 #include "urldata.h"
30 #include "sendf.h"
31 #include "http_negotiate.h"
32 #include "vauth/vauth.h"
33
34 /* The last 3 #include files should be in this order */
35 #include "curl_printf.h"
36 #include "curl_memory.h"
37 #include "memdebug.h"
38
Curl_input_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy,const char * header)39 CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
40 bool proxy, const char *header)
41 {
42 CURLcode result;
43 size_t len;
44
45 /* Point to the username, password, service and host */
46 const char *userp;
47 const char *passwdp;
48 const char *service;
49 const char *host;
50
51 /* Point to the correct struct with this */
52 struct negotiatedata *neg_ctx;
53 curlnegotiate state;
54
55 if(proxy) {
56 #ifndef CURL_DISABLE_PROXY
57 userp = conn->http_proxy.user;
58 passwdp = conn->http_proxy.passwd;
59 service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
60 data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
61 host = conn->http_proxy.host.name;
62 neg_ctx = &conn->proxyneg;
63 state = conn->proxy_negotiate_state;
64 #else
65 return CURLE_NOT_BUILT_IN;
66 #endif
67 }
68 else {
69 userp = conn->user;
70 passwdp = conn->passwd;
71 service = data->set.str[STRING_SERVICE_NAME] ?
72 data->set.str[STRING_SERVICE_NAME] : "HTTP";
73 host = conn->host.name;
74 neg_ctx = &conn->negotiate;
75 state = conn->http_negotiate_state;
76 }
77
78 /* Not set means empty */
79 if(!userp)
80 userp = "";
81
82 if(!passwdp)
83 passwdp = "";
84
85 /* Obtain the input token, if any */
86 header += strlen("Negotiate");
87 while(*header && ISBLANK(*header))
88 header++;
89
90 len = strlen(header);
91 neg_ctx->havenegdata = len != 0;
92 if(!len) {
93 if(state == GSS_AUTHSUCC) {
94 infof(data, "Negotiate auth restarted");
95 Curl_http_auth_cleanup_negotiate(conn);
96 }
97 else if(state != GSS_AUTHNONE) {
98 /* The server rejected our authentication and hasn't supplied any more
99 negotiation mechanisms */
100 Curl_http_auth_cleanup_negotiate(conn);
101 return CURLE_LOGIN_DENIED;
102 }
103 }
104
105 /* Supports SSL channel binding for Windows ISS extended protection */
106 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
107 neg_ctx->sslContext = conn->sslContext;
108 #endif
109
110 /* Initialize the security context and decode our challenge */
111 result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
112 host, header, neg_ctx);
113
114 if(result)
115 Curl_http_auth_cleanup_negotiate(conn);
116
117 return result;
118 }
119
Curl_output_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy)120 CURLcode Curl_output_negotiate(struct Curl_easy *data,
121 struct connectdata *conn, bool proxy)
122 {
123 struct negotiatedata *neg_ctx;
124 struct auth *authp;
125 curlnegotiate *state;
126 char *base64 = NULL;
127 size_t len = 0;
128 char *userp;
129 CURLcode result;
130
131 if(proxy) {
132 #ifndef CURL_DISABLE_PROXY
133 neg_ctx = &conn->proxyneg;
134 authp = &data->state.authproxy;
135 state = &conn->proxy_negotiate_state;
136 #else
137 return CURLE_NOT_BUILT_IN;
138 #endif
139 }
140 else {
141 neg_ctx = &conn->negotiate;
142 authp = &data->state.authhost;
143 state = &conn->http_negotiate_state;
144 }
145
146 authp->done = FALSE;
147
148 if(*state == GSS_AUTHRECV) {
149 if(neg_ctx->havenegdata) {
150 neg_ctx->havemultiplerequests = TRUE;
151 }
152 }
153 else if(*state == GSS_AUTHSUCC) {
154 if(!neg_ctx->havenoauthpersist) {
155 neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
156 }
157 }
158
159 if(neg_ctx->noauthpersist ||
160 (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
161
162 if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
163 infof(data, "Curl_output_negotiate, "
164 "no persistent authentication: cleanup existing context");
165 Curl_http_auth_cleanup_negotiate(conn);
166 }
167 if(!neg_ctx->context) {
168 result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
169 if(result == CURLE_AUTH_ERROR) {
170 /* negotiate auth failed, let's continue unauthenticated to stay
171 * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
172 authp->done = TRUE;
173 return CURLE_OK;
174 }
175 else if(result)
176 return result;
177 }
178
179 result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
180 if(result)
181 return result;
182
183 userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
184 base64);
185
186 if(proxy) {
187 #ifndef CURL_DISABLE_PROXY
188 Curl_safefree(data->state.aptr.proxyuserpwd);
189 data->state.aptr.proxyuserpwd = userp;
190 #endif
191 }
192 else {
193 Curl_safefree(data->state.aptr.userpwd);
194 data->state.aptr.userpwd = userp;
195 }
196
197 free(base64);
198
199 if(!userp) {
200 return CURLE_OUT_OF_MEMORY;
201 }
202
203 *state = GSS_AUTHSENT;
204 #ifdef HAVE_GSSAPI
205 if(neg_ctx->status == GSS_S_COMPLETE ||
206 neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
207 *state = GSS_AUTHDONE;
208 }
209 #else
210 #ifdef USE_WINDOWS_SSPI
211 if(neg_ctx->status == SEC_E_OK ||
212 neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
213 *state = GSS_AUTHDONE;
214 }
215 #endif
216 #endif
217 }
218
219 if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
220 /* connection is already authenticated,
221 * don't send a header in future requests */
222 authp->done = TRUE;
223 }
224
225 neg_ctx->havenegdata = FALSE;
226
227 return CURLE_OK;
228 }
229
Curl_http_auth_cleanup_negotiate(struct connectdata * conn)230 void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
231 {
232 conn->http_negotiate_state = GSS_AUTHNONE;
233 conn->proxy_negotiate_state = GSS_AUTHNONE;
234
235 Curl_auth_cleanup_spnego(&conn->negotiate);
236 Curl_auth_cleanup_spnego(&conn->proxyneg);
237 }
238
239 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
240