• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.haxx.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  ***************************************************************************/
22 
23 #include "curl_setup.h"
24 
25 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
26 
27 #include "urldata.h"
28 #include "sendf.h"
29 #include "http_negotiate.h"
30 #include "vauth/vauth.h"
31 
32 /* The last 3 #include files should be in this order */
33 #include "curl_printf.h"
34 #include "curl_memory.h"
35 #include "memdebug.h"
36 
Curl_input_negotiate(struct connectdata * conn,bool proxy,const char * header)37 CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
38                               const char *header)
39 {
40   CURLcode result;
41   struct Curl_easy *data = conn->data;
42   size_t len;
43 
44   /* Point to the username, password, service and host */
45   const char *userp;
46   const char *passwdp;
47   const char *service;
48   const char *host;
49 
50   /* Point to the correct struct with this */
51   struct negotiatedata *neg_ctx;
52 
53   if(proxy) {
54     userp = conn->http_proxy.user;
55     passwdp = conn->http_proxy.passwd;
56     service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
57               data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
58     host = conn->http_proxy.host.name;
59     neg_ctx = &conn->proxyneg;
60   }
61   else {
62     userp = conn->user;
63     passwdp = conn->passwd;
64     service = data->set.str[STRING_SERVICE_NAME] ?
65               data->set.str[STRING_SERVICE_NAME] : "HTTP";
66     host = conn->host.name;
67     neg_ctx = &conn->negotiate;
68   }
69 
70   /* Not set means empty */
71   if(!userp)
72     userp = "";
73 
74   if(!passwdp)
75     passwdp = "";
76 
77   /* Obtain the input token, if any */
78   header += strlen("Negotiate");
79   while(*header && ISSPACE(*header))
80     header++;
81 
82   len = strlen(header);
83   neg_ctx->havenegdata = len != 0;
84   if(!len) {
85     if(neg_ctx->state == GSS_AUTHSUCC) {
86       infof(conn->data, "Negotiate auth restarted\n");
87       Curl_cleanup_negotiate(conn);
88     }
89     else if(neg_ctx->state != GSS_AUTHNONE) {
90       /* The server rejected our authentication and hasn't supplied any more
91       negotiation mechanisms */
92       Curl_cleanup_negotiate(conn);
93       return CURLE_LOGIN_DENIED;
94     }
95   }
96 
97   /* Supports SSL channel binding for Windows ISS extended protection */
98 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
99   neg_ctx->sslContext = conn->sslContext;
100 #endif
101 
102   /* Initialize the security context and decode our challenge */
103   result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
104                                            host, header, neg_ctx);
105 
106   if(result)
107     Curl_auth_spnego_cleanup(neg_ctx);
108 
109   return result;
110 }
111 
Curl_output_negotiate(struct connectdata * conn,bool proxy)112 CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
113 {
114   struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
115     &conn->negotiate;
116   struct auth *authp = proxy ? &conn->data->state.authproxy :
117     &conn->data->state.authhost;
118   char *base64 = NULL;
119   size_t len = 0;
120   char *userp;
121   CURLcode result;
122 
123   authp->done = FALSE;
124 
125   if(neg_ctx->state == GSS_AUTHRECV) {
126     if(neg_ctx->havenegdata) {
127       neg_ctx->havemultiplerequests = TRUE;
128     }
129   }
130   else if(neg_ctx->state == GSS_AUTHSUCC) {
131     if(!neg_ctx->havenoauthpersist) {
132       neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
133     }
134   }
135 
136   if(neg_ctx->noauthpersist ||
137     (neg_ctx->state != GSS_AUTHDONE && neg_ctx->state != GSS_AUTHSUCC)) {
138 
139     if(neg_ctx->noauthpersist && neg_ctx->state == GSS_AUTHSUCC) {
140       infof(conn->data, "Curl_output_negotiate, "
141        "no persistent authentication: cleanup existing context");
142       Curl_auth_spnego_cleanup(neg_ctx);
143     }
144     if(!neg_ctx->context) {
145       result = Curl_input_negotiate(conn, proxy, "Negotiate");
146       if(result)
147         return result;
148     }
149 
150     result = Curl_auth_create_spnego_message(conn->data,
151       neg_ctx, &base64, &len);
152     if(result)
153       return result;
154 
155     userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
156       base64);
157 
158     if(proxy) {
159       Curl_safefree(conn->allocptr.proxyuserpwd);
160       conn->allocptr.proxyuserpwd = userp;
161     }
162     else {
163       Curl_safefree(conn->allocptr.userpwd);
164       conn->allocptr.userpwd = userp;
165     }
166 
167     free(base64);
168 
169     if(userp == NULL) {
170       return CURLE_OUT_OF_MEMORY;
171     }
172 
173     neg_ctx->state = GSS_AUTHSENT;
174   #ifdef HAVE_GSSAPI
175     if(neg_ctx->status == GSS_S_COMPLETE ||
176        neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
177       neg_ctx->state = GSS_AUTHDONE;
178     }
179   #else
180   #ifdef USE_WINDOWS_SSPI
181     if(neg_ctx->status == SEC_E_OK ||
182        neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
183       neg_ctx->state = GSS_AUTHDONE;
184     }
185   #endif
186   #endif
187   }
188 
189   if(neg_ctx->state == GSS_AUTHDONE || neg_ctx->state == GSS_AUTHSUCC) {
190     /* connection is already authenticated,
191      * don't send a header in future requests */
192     authp->done = TRUE;
193   }
194 
195   neg_ctx->havenegdata = FALSE;
196 
197   return CURLE_OK;
198 }
199 
Curl_cleanup_negotiate(struct connectdata * conn)200 void Curl_cleanup_negotiate(struct connectdata *conn)
201 {
202   Curl_auth_spnego_cleanup(&conn->negotiate);
203   Curl_auth_spnego_cleanup(&conn->proxyneg);
204 }
205 
206 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
207