1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23 #include "curl_setup.h"
24
25 #if defined(USE_WINDOWS_SSPI) && defined(USE_NTLM)
26
27 #include <curl/curl.h>
28
29 #include "vauth/vauth.h"
30 #include "urldata.h"
31 #include "curl_base64.h"
32 #include "curl_ntlm_core.h"
33 #include "warnless.h"
34 #include "curl_multibyte.h"
35 #include "sendf.h"
36
37 /* The last #include files should be: */
38 #include "curl_memory.h"
39 #include "memdebug.h"
40
41 /*
42 * Curl_auth_is_ntlm_supported()
43 *
44 * This is used to evaluate if NTLM is supported.
45 *
46 * Parameters: None
47 *
48 * Returns TRUE if NTLM is supported by Windows SSPI.
49 */
Curl_auth_is_ntlm_supported(void)50 bool Curl_auth_is_ntlm_supported(void)
51 {
52 PSecPkgInfo SecurityPackage;
53 SECURITY_STATUS status;
54
55 /* Query the security package for NTLM */
56 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM),
57 &SecurityPackage);
58
59 return (status == SEC_E_OK ? TRUE : FALSE);
60 }
61
62 /*
63 * Curl_auth_create_ntlm_type1_message()
64 *
65 * This is used to generate an already encoded NTLM type-1 message ready for
66 * sending to the recipient.
67 *
68 * Parameters:
69 *
70 * data [in] - The session handle.
71 * userp [in] - The user name in the format User or Domain\User.
72 * passwdp [in] - The user's password.
73 * service [in] - The service type such as http, smtp, pop or imap.
74 * host [in] - The host name.
75 * ntlm [in/out] - The NTLM data struct being used and modified.
76 * outptr [in/out] - The address where a pointer to newly allocated memory
77 * holding the result will be stored upon completion.
78 * outlen [out] - The length of the output message.
79 *
80 * Returns CURLE_OK on success.
81 */
Curl_auth_create_ntlm_type1_message(struct Curl_easy * data,const char * userp,const char * passwdp,const char * service,const char * host,struct ntlmdata * ntlm,char ** outptr,size_t * outlen)82 CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
83 const char *userp,
84 const char *passwdp,
85 const char *service,
86 const char *host,
87 struct ntlmdata *ntlm,
88 char **outptr, size_t *outlen)
89 {
90 PSecPkgInfo SecurityPackage;
91 SecBuffer type_1_buf;
92 SecBufferDesc type_1_desc;
93 SECURITY_STATUS status;
94 unsigned long attrs;
95 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
96
97 /* Clean up any former leftovers and initialise to defaults */
98 Curl_auth_ntlm_cleanup(ntlm);
99
100 /* Query the security package for NTLM */
101 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM),
102 &SecurityPackage);
103 if(status != SEC_E_OK)
104 return CURLE_NOT_BUILT_IN;
105
106 ntlm->token_max = SecurityPackage->cbMaxToken;
107
108 /* Release the package buffer as it is not required anymore */
109 s_pSecFn->FreeContextBuffer(SecurityPackage);
110
111 /* Allocate our output buffer */
112 ntlm->output_token = malloc(ntlm->token_max);
113 if(!ntlm->output_token)
114 return CURLE_OUT_OF_MEMORY;
115
116 if(userp && *userp) {
117 CURLcode result;
118
119 /* Populate our identity structure */
120 result = Curl_create_sspi_identity(userp, passwdp, &ntlm->identity);
121 if(result)
122 return result;
123
124 /* Allow proper cleanup of the identity structure */
125 ntlm->p_identity = &ntlm->identity;
126 }
127 else
128 /* Use the current Windows user */
129 ntlm->p_identity = NULL;
130
131 /* Allocate our credentials handle */
132 ntlm->credentials = calloc(1, sizeof(CredHandle));
133 if(!ntlm->credentials)
134 return CURLE_OUT_OF_MEMORY;
135
136 /* Acquire our credentials handle */
137 status = s_pSecFn->AcquireCredentialsHandle(NULL,
138 (TCHAR *) TEXT(SP_NAME_NTLM),
139 SECPKG_CRED_OUTBOUND, NULL,
140 ntlm->p_identity, NULL, NULL,
141 ntlm->credentials, &expiry);
142 if(status != SEC_E_OK)
143 return CURLE_LOGIN_DENIED;
144
145 /* Allocate our new context handle */
146 ntlm->context = calloc(1, sizeof(CtxtHandle));
147 if(!ntlm->context)
148 return CURLE_OUT_OF_MEMORY;
149
150 ntlm->spn = Curl_auth_build_spn(service, host, NULL);
151 if(!ntlm->spn)
152 return CURLE_OUT_OF_MEMORY;
153
154 /* Setup the type-1 "output" security buffer */
155 type_1_desc.ulVersion = SECBUFFER_VERSION;
156 type_1_desc.cBuffers = 1;
157 type_1_desc.pBuffers = &type_1_buf;
158 type_1_buf.BufferType = SECBUFFER_TOKEN;
159 type_1_buf.pvBuffer = ntlm->output_token;
160 type_1_buf.cbBuffer = curlx_uztoul(ntlm->token_max);
161
162 /* Generate our type-1 message */
163 status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
164 ntlm->spn,
165 0, 0, SECURITY_NETWORK_DREP,
166 NULL, 0,
167 ntlm->context, &type_1_desc,
168 &attrs, &expiry);
169 if(status == SEC_I_COMPLETE_NEEDED ||
170 status == SEC_I_COMPLETE_AND_CONTINUE)
171 s_pSecFn->CompleteAuthToken(ntlm->context, &type_1_desc);
172 else if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
173 return CURLE_RECV_ERROR;
174
175 /* Base64 encode the response */
176 return Curl_base64_encode(data, (char *) ntlm->output_token,
177 type_1_buf.cbBuffer, outptr, outlen);
178 }
179
180 /*
181 * Curl_auth_decode_ntlm_type2_message()
182 *
183 * This is used to decode an already encoded NTLM type-2 message.
184 *
185 * Parameters:
186 *
187 * data [in] - The session handle.
188 * type2msg [in] - The base64 encoded type-2 message.
189 * ntlm [in/out] - The NTLM data struct being used and modified.
190 *
191 * Returns CURLE_OK on success.
192 */
Curl_auth_decode_ntlm_type2_message(struct Curl_easy * data,const char * type2msg,struct ntlmdata * ntlm)193 CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
194 const char *type2msg,
195 struct ntlmdata *ntlm)
196 {
197 CURLcode result = CURLE_OK;
198 unsigned char *type2 = NULL;
199 size_t type2_len = 0;
200
201 #if defined(CURL_DISABLE_VERBOSE_STRINGS)
202 (void) data;
203 #endif
204
205 /* Decode the base-64 encoded type-2 message */
206 if(strlen(type2msg) && *type2msg != '=') {
207 result = Curl_base64_decode(type2msg, &type2, &type2_len);
208 if(result)
209 return result;
210 }
211
212 /* Ensure we have a valid type-2 message */
213 if(!type2) {
214 infof(data, "NTLM handshake failure (empty type-2 message)\n");
215
216 return CURLE_BAD_CONTENT_ENCODING;
217 }
218
219 /* Simply store the challenge for use later */
220 ntlm->input_token = type2;
221 ntlm->input_token_len = type2_len;
222
223 return result;
224 }
225
226 /*
227 * Curl_auth_create_ntlm_type3_message()
228 * Curl_auth_create_ntlm_type3_message()
229 *
230 * This is used to generate an already encoded NTLM type-3 message ready for
231 * sending to the recipient.
232 *
233 * Parameters:
234 *
235 * data [in] - The session handle.
236 * userp [in] - The user name in the format User or Domain\User.
237 * passwdp [in] - The user's password.
238 * ntlm [in/out] - The NTLM data struct being used and modified.
239 * outptr [in/out] - The address where a pointer to newly allocated memory
240 * holding the result will be stored upon completion.
241 * outlen [out] - The length of the output message.
242 *
243 * Returns CURLE_OK on success.
244 */
Curl_auth_create_ntlm_type3_message(struct Curl_easy * data,const char * userp,const char * passwdp,struct ntlmdata * ntlm,char ** outptr,size_t * outlen)245 CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
246 const char *userp,
247 const char *passwdp,
248 struct ntlmdata *ntlm,
249 char **outptr, size_t *outlen)
250 {
251 CURLcode result = CURLE_OK;
252 SecBuffer type_2_bufs[2];
253 SecBuffer type_3_buf;
254 SecBufferDesc type_2_desc;
255 SecBufferDesc type_3_desc;
256 SECURITY_STATUS status;
257 unsigned long attrs;
258 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
259
260 (void) passwdp;
261 (void) userp;
262
263 /* Setup the type-2 "input" security buffer */
264 type_2_desc.ulVersion = SECBUFFER_VERSION;
265 type_2_desc.cBuffers = 1;
266 type_2_desc.pBuffers = &type_2_bufs[0];
267 type_2_bufs[0].BufferType = SECBUFFER_TOKEN;
268 type_2_bufs[0].pvBuffer = ntlm->input_token;
269 type_2_bufs[0].cbBuffer = curlx_uztoul(ntlm->input_token_len);
270
271 #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
272 /* ssl context comes from schannel.
273 * When extended protection is used in IIS server,
274 * we have to pass a second SecBuffer to the SecBufferDesc
275 * otherwise IIS will not pass the authentication (401 response).
276 * Minimum supported version is Windows 7.
277 * https://docs.microsoft.com/en-us/security-updates
278 * /SecurityAdvisories/2009/973811
279 */
280 if(ntlm->sslContext) {
281 SEC_CHANNEL_BINDINGS channelBindings;
282 SecPkgContext_Bindings pkgBindings;
283 pkgBindings.Bindings = &channelBindings;
284 status = s_pSecFn->QueryContextAttributes(
285 ntlm->sslContext,
286 SECPKG_ATTR_ENDPOINT_BINDINGS,
287 &pkgBindings
288 );
289 if(status == SEC_E_OK) {
290 type_2_desc.cBuffers++;
291 type_2_bufs[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
292 type_2_bufs[1].cbBuffer = pkgBindings.BindingsLength;
293 type_2_bufs[1].pvBuffer = pkgBindings.Bindings;
294 }
295 }
296 #endif
297
298 /* Setup the type-3 "output" security buffer */
299 type_3_desc.ulVersion = SECBUFFER_VERSION;
300 type_3_desc.cBuffers = 1;
301 type_3_desc.pBuffers = &type_3_buf;
302 type_3_buf.BufferType = SECBUFFER_TOKEN;
303 type_3_buf.pvBuffer = ntlm->output_token;
304 type_3_buf.cbBuffer = curlx_uztoul(ntlm->token_max);
305
306 /* Generate our type-3 message */
307 status = s_pSecFn->InitializeSecurityContext(ntlm->credentials,
308 ntlm->context,
309 ntlm->spn,
310 0, 0, SECURITY_NETWORK_DREP,
311 &type_2_desc,
312 0, ntlm->context,
313 &type_3_desc,
314 &attrs, &expiry);
315 if(status != SEC_E_OK) {
316 infof(data, "NTLM handshake failure (type-3 message): Status=%x\n",
317 status);
318
319 return CURLE_RECV_ERROR;
320 }
321
322 /* Base64 encode the response */
323 result = Curl_base64_encode(data, (char *) ntlm->output_token,
324 type_3_buf.cbBuffer, outptr, outlen);
325
326 Curl_auth_ntlm_cleanup(ntlm);
327
328 return result;
329 }
330
331 /*
332 * Curl_auth_ntlm_cleanup()
333 *
334 * This is used to clean up the NTLM specific data.
335 *
336 * Parameters:
337 *
338 * ntlm [in/out] - The NTLM data struct being cleaned up.
339 *
340 */
Curl_auth_ntlm_cleanup(struct ntlmdata * ntlm)341 void Curl_auth_ntlm_cleanup(struct ntlmdata *ntlm)
342 {
343 /* Free our security context */
344 if(ntlm->context) {
345 s_pSecFn->DeleteSecurityContext(ntlm->context);
346 free(ntlm->context);
347 ntlm->context = NULL;
348 }
349
350 /* Free our credentials handle */
351 if(ntlm->credentials) {
352 s_pSecFn->FreeCredentialsHandle(ntlm->credentials);
353 free(ntlm->credentials);
354 ntlm->credentials = NULL;
355 }
356
357 /* Free our identity */
358 Curl_sspi_free_identity(ntlm->p_identity);
359 ntlm->p_identity = NULL;
360
361 /* Free the input and output tokens */
362 Curl_safefree(ntlm->input_token);
363 Curl_safefree(ntlm->output_token);
364
365 /* Reset any variables */
366 ntlm->token_max = 0;
367
368 Curl_safefree(ntlm->spn);
369 }
370
371 #endif /* USE_WINDOWS_SSPI && USE_NTLM */
372