1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 #include "curl_setup.h"
26
27 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
28
29 #include "urldata.h"
30 #include "cfilters.h"
31 #include "sendf.h"
32 #include "http_negotiate.h"
33 #include "vauth/vauth.h"
34 #include "vtls/vtls.h"
35
36 /* The last 3 #include files should be in this order */
37 #include "curl_printf.h"
38 #include "curl_memory.h"
39 #include "memdebug.h"
40
Curl_input_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy,const char * header)41 CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
42 bool proxy, const char *header)
43 {
44 CURLcode result;
45 size_t len;
46
47 /* Point to the username, password, service and host */
48 const char *userp;
49 const char *passwdp;
50 const char *service;
51 const char *host;
52
53 /* Point to the correct struct with this */
54 struct negotiatedata *neg_ctx;
55 curlnegotiate state;
56
57 if(proxy) {
58 #ifndef CURL_DISABLE_PROXY
59 userp = conn->http_proxy.user;
60 passwdp = conn->http_proxy.passwd;
61 service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
62 data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
63 host = conn->http_proxy.host.name;
64 neg_ctx = &conn->proxyneg;
65 state = conn->proxy_negotiate_state;
66 #else
67 return CURLE_NOT_BUILT_IN;
68 #endif
69 }
70 else {
71 userp = conn->user;
72 passwdp = conn->passwd;
73 service = data->set.str[STRING_SERVICE_NAME] ?
74 data->set.str[STRING_SERVICE_NAME] : "HTTP";
75 host = conn->host.name;
76 neg_ctx = &conn->negotiate;
77 state = conn->http_negotiate_state;
78 }
79
80 /* Not set means empty */
81 if(!userp)
82 userp = "";
83
84 if(!passwdp)
85 passwdp = "";
86
87 /* Obtain the input token, if any */
88 header += strlen("Negotiate");
89 while(*header && ISBLANK(*header))
90 header++;
91
92 len = strlen(header);
93 neg_ctx->havenegdata = len != 0;
94 if(!len) {
95 if(state == GSS_AUTHSUCC) {
96 infof(data, "Negotiate auth restarted");
97 Curl_http_auth_cleanup_negotiate(conn);
98 }
99 else if(state != GSS_AUTHNONE) {
100 /* The server rejected our authentication and has not supplied any more
101 negotiation mechanisms */
102 Curl_http_auth_cleanup_negotiate(conn);
103 return CURLE_LOGIN_DENIED;
104 }
105 }
106
107 /* Supports SSL channel binding for Windows ISS extended protection */
108 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
109 neg_ctx->sslContext = conn->sslContext;
110 #endif
111 /* Check if the connection is using SSL and get the channel binding data */
112 #if defined(USE_SSL) && defined(HAVE_GSSAPI)
113 if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
114 Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
115 result = Curl_ssl_get_channel_binding(
116 data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
117 if(result) {
118 Curl_http_auth_cleanup_negotiate(conn);
119 return result;
120 }
121 }
122 #endif
123
124 /* Initialize the security context and decode our challenge */
125 result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
126 host, header, neg_ctx);
127
128 #if defined(USE_SSL) && defined(HAVE_GSSAPI)
129 Curl_dyn_free(&neg_ctx->channel_binding_data);
130 #endif
131
132 if(result)
133 Curl_http_auth_cleanup_negotiate(conn);
134
135 return result;
136 }
137
Curl_output_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy)138 CURLcode Curl_output_negotiate(struct Curl_easy *data,
139 struct connectdata *conn, bool proxy)
140 {
141 struct negotiatedata *neg_ctx;
142 struct auth *authp;
143 curlnegotiate *state;
144 char *base64 = NULL;
145 size_t len = 0;
146 char *userp;
147 CURLcode result;
148
149 if(proxy) {
150 #ifndef CURL_DISABLE_PROXY
151 neg_ctx = &conn->proxyneg;
152 authp = &data->state.authproxy;
153 state = &conn->proxy_negotiate_state;
154 #else
155 return CURLE_NOT_BUILT_IN;
156 #endif
157 }
158 else {
159 neg_ctx = &conn->negotiate;
160 authp = &data->state.authhost;
161 state = &conn->http_negotiate_state;
162 }
163
164 authp->done = FALSE;
165
166 if(*state == GSS_AUTHRECV) {
167 if(neg_ctx->havenegdata) {
168 neg_ctx->havemultiplerequests = TRUE;
169 }
170 }
171 else if(*state == GSS_AUTHSUCC) {
172 if(!neg_ctx->havenoauthpersist) {
173 neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
174 }
175 }
176
177 if(neg_ctx->noauthpersist ||
178 (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
179
180 if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
181 infof(data, "Curl_output_negotiate, "
182 "no persistent authentication: cleanup existing context");
183 Curl_http_auth_cleanup_negotiate(conn);
184 }
185 if(!neg_ctx->context) {
186 result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
187 if(result == CURLE_AUTH_ERROR) {
188 /* negotiate auth failed, let's continue unauthenticated to stay
189 * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
190 authp->done = TRUE;
191 return CURLE_OK;
192 }
193 else if(result)
194 return result;
195 }
196
197 result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
198 if(result)
199 return result;
200
201 userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
202 base64);
203
204 if(proxy) {
205 #ifndef CURL_DISABLE_PROXY
206 Curl_safefree(data->state.aptr.proxyuserpwd);
207 data->state.aptr.proxyuserpwd = userp;
208 #endif
209 }
210 else {
211 Curl_safefree(data->state.aptr.userpwd);
212 data->state.aptr.userpwd = userp;
213 }
214
215 free(base64);
216
217 if(!userp) {
218 return CURLE_OUT_OF_MEMORY;
219 }
220
221 *state = GSS_AUTHSENT;
222 #ifdef HAVE_GSSAPI
223 if(neg_ctx->status == GSS_S_COMPLETE ||
224 neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
225 *state = GSS_AUTHDONE;
226 }
227 #else
228 #ifdef USE_WINDOWS_SSPI
229 if(neg_ctx->status == SEC_E_OK ||
230 neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
231 *state = GSS_AUTHDONE;
232 }
233 #endif
234 #endif
235 }
236
237 if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
238 /* connection is already authenticated,
239 * do not send a header in future requests */
240 authp->done = TRUE;
241 }
242
243 neg_ctx->havenegdata = FALSE;
244
245 return CURLE_OK;
246 }
247
Curl_http_auth_cleanup_negotiate(struct connectdata * conn)248 void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
249 {
250 conn->http_negotiate_state = GSS_AUTHNONE;
251 conn->proxy_negotiate_state = GSS_AUTHNONE;
252
253 Curl_auth_cleanup_spnego(&conn->negotiate);
254 Curl_auth_cleanup_spnego(&conn->proxyneg);
255 }
256
257 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
258