113498266Sopenharmony_ci/*************************************************************************** 213498266Sopenharmony_ci * _ _ ____ _ 313498266Sopenharmony_ci * Project ___| | | | _ \| | 413498266Sopenharmony_ci * / __| | | | |_) | | 513498266Sopenharmony_ci * | (__| |_| | _ <| |___ 613498266Sopenharmony_ci * \___|\___/|_| \_\_____| 713498266Sopenharmony_ci * 813498266Sopenharmony_ci * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 913498266Sopenharmony_ci * 1013498266Sopenharmony_ci * This software is licensed as described in the file COPYING, which 1113498266Sopenharmony_ci * you should have received as part of this distribution. The terms 1213498266Sopenharmony_ci * are also available at https://curl.se/docs/copyright.html. 1313498266Sopenharmony_ci * 1413498266Sopenharmony_ci * You may opt to use, copy, modify, merge, publish, distribute and/or sell 1513498266Sopenharmony_ci * copies of the Software, and permit persons to whom the Software is 1613498266Sopenharmony_ci * furnished to do so, under the terms of the COPYING file. 1713498266Sopenharmony_ci * 1813498266Sopenharmony_ci * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 1913498266Sopenharmony_ci * KIND, either express or implied. 2013498266Sopenharmony_ci * 2113498266Sopenharmony_ci * SPDX-License-Identifier: curl 2213498266Sopenharmony_ci * 2313498266Sopenharmony_ci ***************************************************************************/ 2413498266Sopenharmony_ci 2513498266Sopenharmony_ci#include "curl_setup.h" 2613498266Sopenharmony_ci 2713498266Sopenharmony_ci#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) 2813498266Sopenharmony_ci 2913498266Sopenharmony_ci#include "urldata.h" 3013498266Sopenharmony_ci#include "sendf.h" 3113498266Sopenharmony_ci#include "http_negotiate.h" 3213498266Sopenharmony_ci#include "vauth/vauth.h" 3313498266Sopenharmony_ci 3413498266Sopenharmony_ci/* The last 3 #include files should be in this order */ 3513498266Sopenharmony_ci#include "curl_printf.h" 3613498266Sopenharmony_ci#include "curl_memory.h" 3713498266Sopenharmony_ci#include "memdebug.h" 3813498266Sopenharmony_ci 3913498266Sopenharmony_ciCURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, 4013498266Sopenharmony_ci bool proxy, const char *header) 4113498266Sopenharmony_ci{ 4213498266Sopenharmony_ci CURLcode result; 4313498266Sopenharmony_ci size_t len; 4413498266Sopenharmony_ci 4513498266Sopenharmony_ci /* Point to the username, password, service and host */ 4613498266Sopenharmony_ci const char *userp; 4713498266Sopenharmony_ci const char *passwdp; 4813498266Sopenharmony_ci const char *service; 4913498266Sopenharmony_ci const char *host; 5013498266Sopenharmony_ci 5113498266Sopenharmony_ci /* Point to the correct struct with this */ 5213498266Sopenharmony_ci struct negotiatedata *neg_ctx; 5313498266Sopenharmony_ci curlnegotiate state; 5413498266Sopenharmony_ci 5513498266Sopenharmony_ci if(proxy) { 5613498266Sopenharmony_ci#ifndef CURL_DISABLE_PROXY 5713498266Sopenharmony_ci userp = conn->http_proxy.user; 5813498266Sopenharmony_ci passwdp = conn->http_proxy.passwd; 5913498266Sopenharmony_ci service = data->set.str[STRING_PROXY_SERVICE_NAME] ? 6013498266Sopenharmony_ci data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP"; 6113498266Sopenharmony_ci host = conn->http_proxy.host.name; 6213498266Sopenharmony_ci neg_ctx = &conn->proxyneg; 6313498266Sopenharmony_ci state = conn->proxy_negotiate_state; 6413498266Sopenharmony_ci#else 6513498266Sopenharmony_ci return CURLE_NOT_BUILT_IN; 6613498266Sopenharmony_ci#endif 6713498266Sopenharmony_ci } 6813498266Sopenharmony_ci else { 6913498266Sopenharmony_ci userp = conn->user; 7013498266Sopenharmony_ci passwdp = conn->passwd; 7113498266Sopenharmony_ci service = data->set.str[STRING_SERVICE_NAME] ? 7213498266Sopenharmony_ci data->set.str[STRING_SERVICE_NAME] : "HTTP"; 7313498266Sopenharmony_ci host = conn->host.name; 7413498266Sopenharmony_ci neg_ctx = &conn->negotiate; 7513498266Sopenharmony_ci state = conn->http_negotiate_state; 7613498266Sopenharmony_ci } 7713498266Sopenharmony_ci 7813498266Sopenharmony_ci /* Not set means empty */ 7913498266Sopenharmony_ci if(!userp) 8013498266Sopenharmony_ci userp = ""; 8113498266Sopenharmony_ci 8213498266Sopenharmony_ci if(!passwdp) 8313498266Sopenharmony_ci passwdp = ""; 8413498266Sopenharmony_ci 8513498266Sopenharmony_ci /* Obtain the input token, if any */ 8613498266Sopenharmony_ci header += strlen("Negotiate"); 8713498266Sopenharmony_ci while(*header && ISBLANK(*header)) 8813498266Sopenharmony_ci header++; 8913498266Sopenharmony_ci 9013498266Sopenharmony_ci len = strlen(header); 9113498266Sopenharmony_ci neg_ctx->havenegdata = len != 0; 9213498266Sopenharmony_ci if(!len) { 9313498266Sopenharmony_ci if(state == GSS_AUTHSUCC) { 9413498266Sopenharmony_ci infof(data, "Negotiate auth restarted"); 9513498266Sopenharmony_ci Curl_http_auth_cleanup_negotiate(conn); 9613498266Sopenharmony_ci } 9713498266Sopenharmony_ci else if(state != GSS_AUTHNONE) { 9813498266Sopenharmony_ci /* The server rejected our authentication and hasn't supplied any more 9913498266Sopenharmony_ci negotiation mechanisms */ 10013498266Sopenharmony_ci Curl_http_auth_cleanup_negotiate(conn); 10113498266Sopenharmony_ci return CURLE_LOGIN_DENIED; 10213498266Sopenharmony_ci } 10313498266Sopenharmony_ci } 10413498266Sopenharmony_ci 10513498266Sopenharmony_ci /* Supports SSL channel binding for Windows ISS extended protection */ 10613498266Sopenharmony_ci#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS) 10713498266Sopenharmony_ci neg_ctx->sslContext = conn->sslContext; 10813498266Sopenharmony_ci#endif 10913498266Sopenharmony_ci 11013498266Sopenharmony_ci /* Initialize the security context and decode our challenge */ 11113498266Sopenharmony_ci result = Curl_auth_decode_spnego_message(data, userp, passwdp, service, 11213498266Sopenharmony_ci host, header, neg_ctx); 11313498266Sopenharmony_ci 11413498266Sopenharmony_ci if(result) 11513498266Sopenharmony_ci Curl_http_auth_cleanup_negotiate(conn); 11613498266Sopenharmony_ci 11713498266Sopenharmony_ci return result; 11813498266Sopenharmony_ci} 11913498266Sopenharmony_ci 12013498266Sopenharmony_ciCURLcode Curl_output_negotiate(struct Curl_easy *data, 12113498266Sopenharmony_ci struct connectdata *conn, bool proxy) 12213498266Sopenharmony_ci{ 12313498266Sopenharmony_ci struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg : 12413498266Sopenharmony_ci &conn->negotiate; 12513498266Sopenharmony_ci struct auth *authp = proxy ? &data->state.authproxy : &data->state.authhost; 12613498266Sopenharmony_ci curlnegotiate *state = proxy ? &conn->proxy_negotiate_state : 12713498266Sopenharmony_ci &conn->http_negotiate_state; 12813498266Sopenharmony_ci char *base64 = NULL; 12913498266Sopenharmony_ci size_t len = 0; 13013498266Sopenharmony_ci char *userp; 13113498266Sopenharmony_ci CURLcode result; 13213498266Sopenharmony_ci 13313498266Sopenharmony_ci authp->done = FALSE; 13413498266Sopenharmony_ci 13513498266Sopenharmony_ci if(*state == GSS_AUTHRECV) { 13613498266Sopenharmony_ci if(neg_ctx->havenegdata) { 13713498266Sopenharmony_ci neg_ctx->havemultiplerequests = TRUE; 13813498266Sopenharmony_ci } 13913498266Sopenharmony_ci } 14013498266Sopenharmony_ci else if(*state == GSS_AUTHSUCC) { 14113498266Sopenharmony_ci if(!neg_ctx->havenoauthpersist) { 14213498266Sopenharmony_ci neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests; 14313498266Sopenharmony_ci } 14413498266Sopenharmony_ci } 14513498266Sopenharmony_ci 14613498266Sopenharmony_ci if(neg_ctx->noauthpersist || 14713498266Sopenharmony_ci (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) { 14813498266Sopenharmony_ci 14913498266Sopenharmony_ci if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) { 15013498266Sopenharmony_ci infof(data, "Curl_output_negotiate, " 15113498266Sopenharmony_ci "no persistent authentication: cleanup existing context"); 15213498266Sopenharmony_ci Curl_http_auth_cleanup_negotiate(conn); 15313498266Sopenharmony_ci } 15413498266Sopenharmony_ci if(!neg_ctx->context) { 15513498266Sopenharmony_ci result = Curl_input_negotiate(data, conn, proxy, "Negotiate"); 15613498266Sopenharmony_ci if(result == CURLE_AUTH_ERROR) { 15713498266Sopenharmony_ci /* negotiate auth failed, let's continue unauthenticated to stay 15813498266Sopenharmony_ci * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ 15913498266Sopenharmony_ci authp->done = TRUE; 16013498266Sopenharmony_ci return CURLE_OK; 16113498266Sopenharmony_ci } 16213498266Sopenharmony_ci else if(result) 16313498266Sopenharmony_ci return result; 16413498266Sopenharmony_ci } 16513498266Sopenharmony_ci 16613498266Sopenharmony_ci result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len); 16713498266Sopenharmony_ci if(result) 16813498266Sopenharmony_ci return result; 16913498266Sopenharmony_ci 17013498266Sopenharmony_ci userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "", 17113498266Sopenharmony_ci base64); 17213498266Sopenharmony_ci 17313498266Sopenharmony_ci if(proxy) { 17413498266Sopenharmony_ci Curl_safefree(data->state.aptr.proxyuserpwd); 17513498266Sopenharmony_ci data->state.aptr.proxyuserpwd = userp; 17613498266Sopenharmony_ci } 17713498266Sopenharmony_ci else { 17813498266Sopenharmony_ci Curl_safefree(data->state.aptr.userpwd); 17913498266Sopenharmony_ci data->state.aptr.userpwd = userp; 18013498266Sopenharmony_ci } 18113498266Sopenharmony_ci 18213498266Sopenharmony_ci free(base64); 18313498266Sopenharmony_ci 18413498266Sopenharmony_ci if(!userp) { 18513498266Sopenharmony_ci return CURLE_OUT_OF_MEMORY; 18613498266Sopenharmony_ci } 18713498266Sopenharmony_ci 18813498266Sopenharmony_ci *state = GSS_AUTHSENT; 18913498266Sopenharmony_ci #ifdef HAVE_GSSAPI 19013498266Sopenharmony_ci if(neg_ctx->status == GSS_S_COMPLETE || 19113498266Sopenharmony_ci neg_ctx->status == GSS_S_CONTINUE_NEEDED) { 19213498266Sopenharmony_ci *state = GSS_AUTHDONE; 19313498266Sopenharmony_ci } 19413498266Sopenharmony_ci #else 19513498266Sopenharmony_ci #ifdef USE_WINDOWS_SSPI 19613498266Sopenharmony_ci if(neg_ctx->status == SEC_E_OK || 19713498266Sopenharmony_ci neg_ctx->status == SEC_I_CONTINUE_NEEDED) { 19813498266Sopenharmony_ci *state = GSS_AUTHDONE; 19913498266Sopenharmony_ci } 20013498266Sopenharmony_ci #endif 20113498266Sopenharmony_ci #endif 20213498266Sopenharmony_ci } 20313498266Sopenharmony_ci 20413498266Sopenharmony_ci if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) { 20513498266Sopenharmony_ci /* connection is already authenticated, 20613498266Sopenharmony_ci * don't send a header in future requests */ 20713498266Sopenharmony_ci authp->done = TRUE; 20813498266Sopenharmony_ci } 20913498266Sopenharmony_ci 21013498266Sopenharmony_ci neg_ctx->havenegdata = FALSE; 21113498266Sopenharmony_ci 21213498266Sopenharmony_ci return CURLE_OK; 21313498266Sopenharmony_ci} 21413498266Sopenharmony_ci 21513498266Sopenharmony_civoid Curl_http_auth_cleanup_negotiate(struct connectdata *conn) 21613498266Sopenharmony_ci{ 21713498266Sopenharmony_ci conn->http_negotiate_state = GSS_AUTHNONE; 21813498266Sopenharmony_ci conn->proxy_negotiate_state = GSS_AUTHNONE; 21913498266Sopenharmony_ci 22013498266Sopenharmony_ci Curl_auth_cleanup_spnego(&conn->negotiate); 22113498266Sopenharmony_ci Curl_auth_cleanup_spnego(&conn->proxyneg); 22213498266Sopenharmony_ci} 22313498266Sopenharmony_ci 22413498266Sopenharmony_ci#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */ 225