1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23 #include "curl_setup.h"
24
25 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
26
27 #include "urldata.h"
28 #include "sendf.h"
29 #include "http_negotiate.h"
30 #include "vauth/vauth.h"
31
32 /* The last 3 #include files should be in this order */
33 #include "curl_printf.h"
34 #include "curl_memory.h"
35 #include "memdebug.h"
36
Curl_input_negotiate(struct connectdata * conn,bool proxy,const char * header)37 CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
38 const char *header)
39 {
40 CURLcode result;
41 struct Curl_easy *data = conn->data;
42 size_t len;
43
44 /* Point to the username, password, service and host */
45 const char *userp;
46 const char *passwdp;
47 const char *service;
48 const char *host;
49
50 /* Point to the correct struct with this */
51 struct negotiatedata *neg_ctx;
52
53 if(proxy) {
54 userp = conn->http_proxy.user;
55 passwdp = conn->http_proxy.passwd;
56 service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
57 data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
58 host = conn->http_proxy.host.name;
59 neg_ctx = &conn->proxyneg;
60 }
61 else {
62 userp = conn->user;
63 passwdp = conn->passwd;
64 service = data->set.str[STRING_SERVICE_NAME] ?
65 data->set.str[STRING_SERVICE_NAME] : "HTTP";
66 host = conn->host.name;
67 neg_ctx = &conn->negotiate;
68 }
69
70 /* Not set means empty */
71 if(!userp)
72 userp = "";
73
74 if(!passwdp)
75 passwdp = "";
76
77 /* Obtain the input token, if any */
78 header += strlen("Negotiate");
79 while(*header && ISSPACE(*header))
80 header++;
81
82 len = strlen(header);
83 neg_ctx->havenegdata = len != 0;
84 if(!len) {
85 if(neg_ctx->state == GSS_AUTHSUCC) {
86 infof(conn->data, "Negotiate auth restarted\n");
87 Curl_cleanup_negotiate(conn);
88 }
89 else if(neg_ctx->state != GSS_AUTHNONE) {
90 /* The server rejected our authentication and hasn't supplied any more
91 negotiation mechanisms */
92 Curl_cleanup_negotiate(conn);
93 return CURLE_LOGIN_DENIED;
94 }
95 }
96
97 /* Supports SSL channel binding for Windows ISS extended protection */
98 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
99 neg_ctx->sslContext = conn->sslContext;
100 #endif
101
102 /* Initialize the security context and decode our challenge */
103 result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
104 host, header, neg_ctx);
105
106 if(result)
107 Curl_auth_spnego_cleanup(neg_ctx);
108
109 return result;
110 }
111
Curl_output_negotiate(struct connectdata * conn,bool proxy)112 CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
113 {
114 struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
115 &conn->negotiate;
116 struct auth *authp = proxy ? &conn->data->state.authproxy :
117 &conn->data->state.authhost;
118 char *base64 = NULL;
119 size_t len = 0;
120 char *userp;
121 CURLcode result;
122
123 authp->done = FALSE;
124
125 if(neg_ctx->state == GSS_AUTHRECV) {
126 if(neg_ctx->havenegdata) {
127 neg_ctx->havemultiplerequests = TRUE;
128 }
129 }
130 else if(neg_ctx->state == GSS_AUTHSUCC) {
131 if(!neg_ctx->havenoauthpersist) {
132 neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
133 }
134 }
135
136 if(neg_ctx->noauthpersist ||
137 (neg_ctx->state != GSS_AUTHDONE && neg_ctx->state != GSS_AUTHSUCC)) {
138
139 if(neg_ctx->noauthpersist && neg_ctx->state == GSS_AUTHSUCC) {
140 infof(conn->data, "Curl_output_negotiate, "
141 "no persistent authentication: cleanup existing context");
142 Curl_auth_spnego_cleanup(neg_ctx);
143 }
144 if(!neg_ctx->context) {
145 result = Curl_input_negotiate(conn, proxy, "Negotiate");
146 if(result)
147 return result;
148 }
149
150 result = Curl_auth_create_spnego_message(conn->data,
151 neg_ctx, &base64, &len);
152 if(result)
153 return result;
154
155 userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
156 base64);
157
158 if(proxy) {
159 Curl_safefree(conn->allocptr.proxyuserpwd);
160 conn->allocptr.proxyuserpwd = userp;
161 }
162 else {
163 Curl_safefree(conn->allocptr.userpwd);
164 conn->allocptr.userpwd = userp;
165 }
166
167 free(base64);
168
169 if(userp == NULL) {
170 return CURLE_OUT_OF_MEMORY;
171 }
172
173 neg_ctx->state = GSS_AUTHSENT;
174 #ifdef HAVE_GSSAPI
175 if(neg_ctx->status == GSS_S_COMPLETE ||
176 neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
177 neg_ctx->state = GSS_AUTHDONE;
178 }
179 #else
180 #ifdef USE_WINDOWS_SSPI
181 if(neg_ctx->status == SEC_E_OK ||
182 neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
183 neg_ctx->state = GSS_AUTHDONE;
184 }
185 #endif
186 #endif
187 }
188
189 if(neg_ctx->state == GSS_AUTHDONE || neg_ctx->state == GSS_AUTHSUCC) {
190 /* connection is already authenticated,
191 * don't send a header in future requests */
192 authp->done = TRUE;
193 }
194
195 neg_ctx->havenegdata = FALSE;
196
197 return CURLE_OK;
198 }
199
Curl_cleanup_negotiate(struct connectdata * conn)200 void Curl_cleanup_negotiate(struct connectdata *conn)
201 {
202 Curl_auth_spnego_cleanup(&conn->negotiate);
203 Curl_auth_spnego_cleanup(&conn->proxyneg);
204 }
205
206 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
207