1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23 #include "curl_setup.h"
24
25 #if defined(USE_WINDOWS_SSPI) && defined(USE_NTLM)
26
27 #include <curl/curl.h>
28
29 #include "vauth/vauth.h"
30 #include "urldata.h"
31 #include "curl_base64.h"
32 #include "curl_ntlm_core.h"
33 #include "warnless.h"
34 #include "curl_multibyte.h"
35 #include "sendf.h"
36
37 /* The last #include files should be: */
38 #include "curl_memory.h"
39 #include "memdebug.h"
40
41 /*
42 * Curl_auth_is_ntlm_supported()
43 *
44 * This is used to evaluate if NTLM is supported.
45 *
46 * Parameters: None
47 *
48 * Returns TRUE if NTLM is supported by Windows SSPI.
49 */
Curl_auth_is_ntlm_supported(void)50 bool Curl_auth_is_ntlm_supported(void)
51 {
52 PSecPkgInfo SecurityPackage;
53 SECURITY_STATUS status;
54
55 /* Query the security package for NTLM */
56 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM),
57 &SecurityPackage);
58
59 /* Release the package buffer as it is not required anymore */
60 if(status == SEC_E_OK) {
61 s_pSecFn->FreeContextBuffer(SecurityPackage);
62 }
63
64 return (status == SEC_E_OK ? TRUE : FALSE);
65 }
66
67 /*
68 * Curl_auth_create_ntlm_type1_message()
69 *
70 * This is used to generate an already encoded NTLM type-1 message ready for
71 * sending to the recipient.
72 *
73 * Parameters:
74 *
75 * data [in] - The session handle.
76 * userp [in] - The user name in the format User or Domain\User.
77 * passwdp [in] - The user's password.
78 * service [in] - The service type such as http, smtp, pop or imap.
79 * host [in] - The host name.
80 * ntlm [in/out] - The NTLM data struct being used and modified.
81 * outptr [in/out] - The address where a pointer to newly allocated memory
82 * holding the result will be stored upon completion.
83 * outlen [out] - The length of the output message.
84 *
85 * Returns CURLE_OK on success.
86 */
Curl_auth_create_ntlm_type1_message(struct Curl_easy * data,const char * userp,const char * passwdp,const char * service,const char * host,struct ntlmdata * ntlm,char ** outptr,size_t * outlen)87 CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
88 const char *userp,
89 const char *passwdp,
90 const char *service,
91 const char *host,
92 struct ntlmdata *ntlm,
93 char **outptr, size_t *outlen)
94 {
95 PSecPkgInfo SecurityPackage;
96 SecBuffer type_1_buf;
97 SecBufferDesc type_1_desc;
98 SECURITY_STATUS status;
99 unsigned long attrs;
100 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
101
102 /* Clean up any former leftovers and initialise to defaults */
103 Curl_auth_cleanup_ntlm(ntlm);
104
105 /* Query the security package for NTLM */
106 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM),
107 &SecurityPackage);
108 if(status != SEC_E_OK) {
109 failf(data, "SSPI: couldn't get auth info\n");
110 return CURLE_AUTH_ERROR;
111 }
112
113 ntlm->token_max = SecurityPackage->cbMaxToken;
114
115 /* Release the package buffer as it is not required anymore */
116 s_pSecFn->FreeContextBuffer(SecurityPackage);
117
118 /* Allocate our output buffer */
119 ntlm->output_token = malloc(ntlm->token_max);
120 if(!ntlm->output_token)
121 return CURLE_OUT_OF_MEMORY;
122
123 if(userp && *userp) {
124 CURLcode result;
125
126 /* Populate our identity structure */
127 result = Curl_create_sspi_identity(userp, passwdp, &ntlm->identity);
128 if(result)
129 return result;
130
131 /* Allow proper cleanup of the identity structure */
132 ntlm->p_identity = &ntlm->identity;
133 }
134 else
135 /* Use the current Windows user */
136 ntlm->p_identity = NULL;
137
138 /* Allocate our credentials handle */
139 ntlm->credentials = calloc(1, sizeof(CredHandle));
140 if(!ntlm->credentials)
141 return CURLE_OUT_OF_MEMORY;
142
143 /* Acquire our credentials handle */
144 status = s_pSecFn->AcquireCredentialsHandle(NULL,
145 (TCHAR *) TEXT(SP_NAME_NTLM),
146 SECPKG_CRED_OUTBOUND, NULL,
147 ntlm->p_identity, NULL, NULL,
148 ntlm->credentials, &expiry);
149 if(status != SEC_E_OK)
150 return CURLE_LOGIN_DENIED;
151
152 /* Allocate our new context handle */
153 ntlm->context = calloc(1, sizeof(CtxtHandle));
154 if(!ntlm->context)
155 return CURLE_OUT_OF_MEMORY;
156
157 ntlm->spn = Curl_auth_build_spn(service, host, NULL);
158 if(!ntlm->spn)
159 return CURLE_OUT_OF_MEMORY;
160
161 /* Setup the type-1 "output" security buffer */
162 type_1_desc.ulVersion = SECBUFFER_VERSION;
163 type_1_desc.cBuffers = 1;
164 type_1_desc.pBuffers = &type_1_buf;
165 type_1_buf.BufferType = SECBUFFER_TOKEN;
166 type_1_buf.pvBuffer = ntlm->output_token;
167 type_1_buf.cbBuffer = curlx_uztoul(ntlm->token_max);
168
169 /* Generate our type-1 message */
170 status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
171 ntlm->spn,
172 0, 0, SECURITY_NETWORK_DREP,
173 NULL, 0,
174 ntlm->context, &type_1_desc,
175 &attrs, &expiry);
176 if(status == SEC_I_COMPLETE_NEEDED ||
177 status == SEC_I_COMPLETE_AND_CONTINUE)
178 s_pSecFn->CompleteAuthToken(ntlm->context, &type_1_desc);
179 else if(status == SEC_E_INSUFFICIENT_MEMORY)
180 return CURLE_OUT_OF_MEMORY;
181 else if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
182 return CURLE_AUTH_ERROR;
183
184 /* Base64 encode the response */
185 return Curl_base64_encode(data, (char *) ntlm->output_token,
186 type_1_buf.cbBuffer, outptr, outlen);
187 }
188
189 /*
190 * Curl_auth_decode_ntlm_type2_message()
191 *
192 * This is used to decode an already encoded NTLM type-2 message.
193 *
194 * Parameters:
195 *
196 * data [in] - The session handle.
197 * type2msg [in] - The base64 encoded type-2 message.
198 * ntlm [in/out] - The NTLM data struct being used and modified.
199 *
200 * Returns CURLE_OK on success.
201 */
Curl_auth_decode_ntlm_type2_message(struct Curl_easy * data,const char * type2msg,struct ntlmdata * ntlm)202 CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
203 const char *type2msg,
204 struct ntlmdata *ntlm)
205 {
206 CURLcode result = CURLE_OK;
207 unsigned char *type2 = NULL;
208 size_t type2_len = 0;
209
210 #if defined(CURL_DISABLE_VERBOSE_STRINGS)
211 (void) data;
212 #endif
213
214 /* Decode the base-64 encoded type-2 message */
215 if(strlen(type2msg) && *type2msg != '=') {
216 result = Curl_base64_decode(type2msg, &type2, &type2_len);
217 if(result)
218 return result;
219 }
220
221 /* Ensure we have a valid type-2 message */
222 if(!type2) {
223 infof(data, "NTLM handshake failure (empty type-2 message)\n");
224
225 return CURLE_BAD_CONTENT_ENCODING;
226 }
227
228 /* Simply store the challenge for use later */
229 ntlm->input_token = type2;
230 ntlm->input_token_len = type2_len;
231
232 return result;
233 }
234
235 /*
236 * Curl_auth_create_ntlm_type3_message()
237 * Curl_auth_create_ntlm_type3_message()
238 *
239 * This is used to generate an already encoded NTLM type-3 message ready for
240 * sending to the recipient.
241 *
242 * Parameters:
243 *
244 * data [in] - The session handle.
245 * userp [in] - The user name in the format User or Domain\User.
246 * passwdp [in] - The user's password.
247 * ntlm [in/out] - The NTLM data struct being used and modified.
248 * outptr [in/out] - The address where a pointer to newly allocated memory
249 * holding the result will be stored upon completion.
250 * outlen [out] - The length of the output message.
251 *
252 * Returns CURLE_OK on success.
253 */
Curl_auth_create_ntlm_type3_message(struct Curl_easy * data,const char * userp,const char * passwdp,struct ntlmdata * ntlm,char ** outptr,size_t * outlen)254 CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
255 const char *userp,
256 const char *passwdp,
257 struct ntlmdata *ntlm,
258 char **outptr, size_t *outlen)
259 {
260 CURLcode result = CURLE_OK;
261 SecBuffer type_2_bufs[2];
262 SecBuffer type_3_buf;
263 SecBufferDesc type_2_desc;
264 SecBufferDesc type_3_desc;
265 SECURITY_STATUS status;
266 unsigned long attrs;
267 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
268
269 (void) passwdp;
270 (void) userp;
271
272 /* Setup the type-2 "input" security buffer */
273 type_2_desc.ulVersion = SECBUFFER_VERSION;
274 type_2_desc.cBuffers = 1;
275 type_2_desc.pBuffers = &type_2_bufs[0];
276 type_2_bufs[0].BufferType = SECBUFFER_TOKEN;
277 type_2_bufs[0].pvBuffer = ntlm->input_token;
278 type_2_bufs[0].cbBuffer = curlx_uztoul(ntlm->input_token_len);
279
280 #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
281 /* ssl context comes from schannel.
282 * When extended protection is used in IIS server,
283 * we have to pass a second SecBuffer to the SecBufferDesc
284 * otherwise IIS will not pass the authentication (401 response).
285 * Minimum supported version is Windows 7.
286 * https://docs.microsoft.com/en-us/security-updates
287 * /SecurityAdvisories/2009/973811
288 */
289 if(ntlm->sslContext) {
290 SEC_CHANNEL_BINDINGS channelBindings;
291 SecPkgContext_Bindings pkgBindings;
292 pkgBindings.Bindings = &channelBindings;
293 status = s_pSecFn->QueryContextAttributes(
294 ntlm->sslContext,
295 SECPKG_ATTR_ENDPOINT_BINDINGS,
296 &pkgBindings
297 );
298 if(status == SEC_E_OK) {
299 type_2_desc.cBuffers++;
300 type_2_bufs[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
301 type_2_bufs[1].cbBuffer = pkgBindings.BindingsLength;
302 type_2_bufs[1].pvBuffer = pkgBindings.Bindings;
303 }
304 }
305 #endif
306
307 /* Setup the type-3 "output" security buffer */
308 type_3_desc.ulVersion = SECBUFFER_VERSION;
309 type_3_desc.cBuffers = 1;
310 type_3_desc.pBuffers = &type_3_buf;
311 type_3_buf.BufferType = SECBUFFER_TOKEN;
312 type_3_buf.pvBuffer = ntlm->output_token;
313 type_3_buf.cbBuffer = curlx_uztoul(ntlm->token_max);
314
315 /* Generate our type-3 message */
316 status = s_pSecFn->InitializeSecurityContext(ntlm->credentials,
317 ntlm->context,
318 ntlm->spn,
319 0, 0, SECURITY_NETWORK_DREP,
320 &type_2_desc,
321 0, ntlm->context,
322 &type_3_desc,
323 &attrs, &expiry);
324 if(status != SEC_E_OK) {
325 infof(data, "NTLM handshake failure (type-3 message): Status=%x\n",
326 status);
327
328 if(status == SEC_E_INSUFFICIENT_MEMORY)
329 return CURLE_OUT_OF_MEMORY;
330
331 return CURLE_AUTH_ERROR;
332 }
333
334 /* Base64 encode the response */
335 result = Curl_base64_encode(data, (char *) ntlm->output_token,
336 type_3_buf.cbBuffer, outptr, outlen);
337
338 Curl_auth_cleanup_ntlm(ntlm);
339
340 return result;
341 }
342
343 /*
344 * Curl_auth_cleanup_ntlm()
345 *
346 * This is used to clean up the NTLM specific data.
347 *
348 * Parameters:
349 *
350 * ntlm [in/out] - The NTLM data struct being cleaned up.
351 *
352 */
Curl_auth_cleanup_ntlm(struct ntlmdata * ntlm)353 void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
354 {
355 /* Free our security context */
356 if(ntlm->context) {
357 s_pSecFn->DeleteSecurityContext(ntlm->context);
358 free(ntlm->context);
359 ntlm->context = NULL;
360 }
361
362 /* Free our credentials handle */
363 if(ntlm->credentials) {
364 s_pSecFn->FreeCredentialsHandle(ntlm->credentials);
365 free(ntlm->credentials);
366 ntlm->credentials = NULL;
367 }
368
369 /* Free our identity */
370 Curl_sspi_free_identity(ntlm->p_identity);
371 ntlm->p_identity = NULL;
372
373 /* Free the input and output tokens */
374 Curl_safefree(ntlm->input_token);
375 Curl_safefree(ntlm->output_token);
376
377 /* Reset any variables */
378 ntlm->token_max = 0;
379
380 Curl_safefree(ntlm->spn);
381 }
382
383 #endif /* USE_WINDOWS_SSPI && USE_NTLM */
384