113498266Sopenharmony_ci/*************************************************************************** 213498266Sopenharmony_ci * _ _ ____ _ 313498266Sopenharmony_ci * Project ___| | | | _ \| | 413498266Sopenharmony_ci * / __| | | | |_) | | 513498266Sopenharmony_ci * | (__| |_| | _ <| |___ 613498266Sopenharmony_ci * \___|\___/|_| \_\_____| 713498266Sopenharmony_ci * 813498266Sopenharmony_ci * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. 913498266Sopenharmony_ci * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 1013498266Sopenharmony_ci * 1113498266Sopenharmony_ci * This software is licensed as described in the file COPYING, which 1213498266Sopenharmony_ci * you should have received as part of this distribution. The terms 1313498266Sopenharmony_ci * are also available at https://curl.se/docs/copyright.html. 1413498266Sopenharmony_ci * 1513498266Sopenharmony_ci * You may opt to use, copy, modify, merge, publish, distribute and/or sell 1613498266Sopenharmony_ci * copies of the Software, and permit persons to whom the Software is 1713498266Sopenharmony_ci * furnished to do so, under the terms of the COPYING file. 1813498266Sopenharmony_ci * 1913498266Sopenharmony_ci * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 2013498266Sopenharmony_ci * KIND, either express or implied. 2113498266Sopenharmony_ci * 2213498266Sopenharmony_ci * SPDX-License-Identifier: curl 2313498266Sopenharmony_ci * 2413498266Sopenharmony_ci * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism 2513498266Sopenharmony_ci * 2613498266Sopenharmony_ci ***************************************************************************/ 2713498266Sopenharmony_ci 2813498266Sopenharmony_ci#include "curl_setup.h" 2913498266Sopenharmony_ci 3013498266Sopenharmony_ci#if defined(HAVE_GSSAPI) && defined(USE_KERBEROS5) 3113498266Sopenharmony_ci 3213498266Sopenharmony_ci#include <curl/curl.h> 3313498266Sopenharmony_ci 3413498266Sopenharmony_ci#include "vauth/vauth.h" 3513498266Sopenharmony_ci#include "curl_sasl.h" 3613498266Sopenharmony_ci#include "urldata.h" 3713498266Sopenharmony_ci#include "curl_gssapi.h" 3813498266Sopenharmony_ci#include "sendf.h" 3913498266Sopenharmony_ci#include "curl_printf.h" 4013498266Sopenharmony_ci 4113498266Sopenharmony_ci/* The last #include files should be: */ 4213498266Sopenharmony_ci#include "curl_memory.h" 4313498266Sopenharmony_ci#include "memdebug.h" 4413498266Sopenharmony_ci 4513498266Sopenharmony_ci/* 4613498266Sopenharmony_ci * Curl_auth_is_gssapi_supported() 4713498266Sopenharmony_ci * 4813498266Sopenharmony_ci * This is used to evaluate if GSSAPI (Kerberos V5) is supported. 4913498266Sopenharmony_ci * 5013498266Sopenharmony_ci * Parameters: None 5113498266Sopenharmony_ci * 5213498266Sopenharmony_ci * Returns TRUE if Kerberos V5 is supported by the GSS-API library. 5313498266Sopenharmony_ci */ 5413498266Sopenharmony_cibool Curl_auth_is_gssapi_supported(void) 5513498266Sopenharmony_ci{ 5613498266Sopenharmony_ci return TRUE; 5713498266Sopenharmony_ci} 5813498266Sopenharmony_ci 5913498266Sopenharmony_ci/* 6013498266Sopenharmony_ci * Curl_auth_create_gssapi_user_message() 6113498266Sopenharmony_ci * 6213498266Sopenharmony_ci * This is used to generate an already encoded GSSAPI (Kerberos V5) user token 6313498266Sopenharmony_ci * message ready for sending to the recipient. 6413498266Sopenharmony_ci * 6513498266Sopenharmony_ci * Parameters: 6613498266Sopenharmony_ci * 6713498266Sopenharmony_ci * data [in] - The session handle. 6813498266Sopenharmony_ci * userp [in] - The user name. 6913498266Sopenharmony_ci * passwdp [in] - The user's password. 7013498266Sopenharmony_ci * service [in] - The service type such as http, smtp, pop or imap. 7113498266Sopenharmony_ci * host [in[ - The host name. 7213498266Sopenharmony_ci * mutual_auth [in] - Flag specifying whether or not mutual authentication 7313498266Sopenharmony_ci * is enabled. 7413498266Sopenharmony_ci * chlg [in] - Optional challenge message. 7513498266Sopenharmony_ci * krb5 [in/out] - The Kerberos 5 data struct being used and modified. 7613498266Sopenharmony_ci * out [out] - The result storage. 7713498266Sopenharmony_ci * 7813498266Sopenharmony_ci * Returns CURLE_OK on success. 7913498266Sopenharmony_ci */ 8013498266Sopenharmony_ciCURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, 8113498266Sopenharmony_ci const char *userp, 8213498266Sopenharmony_ci const char *passwdp, 8313498266Sopenharmony_ci const char *service, 8413498266Sopenharmony_ci const char *host, 8513498266Sopenharmony_ci const bool mutual_auth, 8613498266Sopenharmony_ci const struct bufref *chlg, 8713498266Sopenharmony_ci struct kerberos5data *krb5, 8813498266Sopenharmony_ci struct bufref *out) 8913498266Sopenharmony_ci{ 9013498266Sopenharmony_ci CURLcode result = CURLE_OK; 9113498266Sopenharmony_ci OM_uint32 major_status; 9213498266Sopenharmony_ci OM_uint32 minor_status; 9313498266Sopenharmony_ci OM_uint32 unused_status; 9413498266Sopenharmony_ci gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER; 9513498266Sopenharmony_ci gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; 9613498266Sopenharmony_ci gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; 9713498266Sopenharmony_ci 9813498266Sopenharmony_ci (void) userp; 9913498266Sopenharmony_ci (void) passwdp; 10013498266Sopenharmony_ci 10113498266Sopenharmony_ci if(!krb5->spn) { 10213498266Sopenharmony_ci /* Generate our SPN */ 10313498266Sopenharmony_ci char *spn = Curl_auth_build_spn(service, NULL, host); 10413498266Sopenharmony_ci if(!spn) 10513498266Sopenharmony_ci return CURLE_OUT_OF_MEMORY; 10613498266Sopenharmony_ci 10713498266Sopenharmony_ci /* Populate the SPN structure */ 10813498266Sopenharmony_ci spn_token.value = spn; 10913498266Sopenharmony_ci spn_token.length = strlen(spn); 11013498266Sopenharmony_ci 11113498266Sopenharmony_ci /* Import the SPN */ 11213498266Sopenharmony_ci major_status = gss_import_name(&minor_status, &spn_token, 11313498266Sopenharmony_ci GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn); 11413498266Sopenharmony_ci if(GSS_ERROR(major_status)) { 11513498266Sopenharmony_ci Curl_gss_log_error(data, "gss_import_name() failed: ", 11613498266Sopenharmony_ci major_status, minor_status); 11713498266Sopenharmony_ci 11813498266Sopenharmony_ci free(spn); 11913498266Sopenharmony_ci 12013498266Sopenharmony_ci return CURLE_AUTH_ERROR; 12113498266Sopenharmony_ci } 12213498266Sopenharmony_ci 12313498266Sopenharmony_ci free(spn); 12413498266Sopenharmony_ci } 12513498266Sopenharmony_ci 12613498266Sopenharmony_ci if(chlg) { 12713498266Sopenharmony_ci if(!Curl_bufref_len(chlg)) { 12813498266Sopenharmony_ci infof(data, "GSSAPI handshake failure (empty challenge message)"); 12913498266Sopenharmony_ci return CURLE_BAD_CONTENT_ENCODING; 13013498266Sopenharmony_ci } 13113498266Sopenharmony_ci input_token.value = (void *) Curl_bufref_ptr(chlg); 13213498266Sopenharmony_ci input_token.length = Curl_bufref_len(chlg); 13313498266Sopenharmony_ci } 13413498266Sopenharmony_ci 13513498266Sopenharmony_ci major_status = Curl_gss_init_sec_context(data, 13613498266Sopenharmony_ci &minor_status, 13713498266Sopenharmony_ci &krb5->context, 13813498266Sopenharmony_ci krb5->spn, 13913498266Sopenharmony_ci &Curl_krb5_mech_oid, 14013498266Sopenharmony_ci GSS_C_NO_CHANNEL_BINDINGS, 14113498266Sopenharmony_ci &input_token, 14213498266Sopenharmony_ci &output_token, 14313498266Sopenharmony_ci mutual_auth, 14413498266Sopenharmony_ci NULL); 14513498266Sopenharmony_ci 14613498266Sopenharmony_ci if(GSS_ERROR(major_status)) { 14713498266Sopenharmony_ci if(output_token.value) 14813498266Sopenharmony_ci gss_release_buffer(&unused_status, &output_token); 14913498266Sopenharmony_ci 15013498266Sopenharmony_ci Curl_gss_log_error(data, "gss_init_sec_context() failed: ", 15113498266Sopenharmony_ci major_status, minor_status); 15213498266Sopenharmony_ci 15313498266Sopenharmony_ci return CURLE_AUTH_ERROR; 15413498266Sopenharmony_ci } 15513498266Sopenharmony_ci 15613498266Sopenharmony_ci if(output_token.value && output_token.length) { 15713498266Sopenharmony_ci result = Curl_bufref_memdup(out, output_token.value, output_token.length); 15813498266Sopenharmony_ci gss_release_buffer(&unused_status, &output_token); 15913498266Sopenharmony_ci } 16013498266Sopenharmony_ci else 16113498266Sopenharmony_ci Curl_bufref_set(out, mutual_auth? "": NULL, 0, NULL); 16213498266Sopenharmony_ci 16313498266Sopenharmony_ci return result; 16413498266Sopenharmony_ci} 16513498266Sopenharmony_ci 16613498266Sopenharmony_ci/* 16713498266Sopenharmony_ci * Curl_auth_create_gssapi_security_message() 16813498266Sopenharmony_ci * 16913498266Sopenharmony_ci * This is used to generate an already encoded GSSAPI (Kerberos V5) security 17013498266Sopenharmony_ci * token message ready for sending to the recipient. 17113498266Sopenharmony_ci * 17213498266Sopenharmony_ci * Parameters: 17313498266Sopenharmony_ci * 17413498266Sopenharmony_ci * data [in] - The session handle. 17513498266Sopenharmony_ci * authzid [in] - The authorization identity if some. 17613498266Sopenharmony_ci * chlg [in] - Optional challenge message. 17713498266Sopenharmony_ci * krb5 [in/out] - The Kerberos 5 data struct being used and modified. 17813498266Sopenharmony_ci * out [out] - The result storage. 17913498266Sopenharmony_ci * 18013498266Sopenharmony_ci * Returns CURLE_OK on success. 18113498266Sopenharmony_ci */ 18213498266Sopenharmony_ciCURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, 18313498266Sopenharmony_ci const char *authzid, 18413498266Sopenharmony_ci const struct bufref *chlg, 18513498266Sopenharmony_ci struct kerberos5data *krb5, 18613498266Sopenharmony_ci struct bufref *out) 18713498266Sopenharmony_ci{ 18813498266Sopenharmony_ci CURLcode result = CURLE_OK; 18913498266Sopenharmony_ci size_t messagelen = 0; 19013498266Sopenharmony_ci unsigned char *message = NULL; 19113498266Sopenharmony_ci OM_uint32 major_status; 19213498266Sopenharmony_ci OM_uint32 minor_status; 19313498266Sopenharmony_ci OM_uint32 unused_status; 19413498266Sopenharmony_ci gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; 19513498266Sopenharmony_ci gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; 19613498266Sopenharmony_ci unsigned char *indata; 19713498266Sopenharmony_ci gss_qop_t qop = GSS_C_QOP_DEFAULT; 19813498266Sopenharmony_ci unsigned int sec_layer = 0; 19913498266Sopenharmony_ci unsigned int max_size = 0; 20013498266Sopenharmony_ci 20113498266Sopenharmony_ci /* Ensure we have a valid challenge message */ 20213498266Sopenharmony_ci if(!Curl_bufref_len(chlg)) { 20313498266Sopenharmony_ci infof(data, "GSSAPI handshake failure (empty security message)"); 20413498266Sopenharmony_ci return CURLE_BAD_CONTENT_ENCODING; 20513498266Sopenharmony_ci } 20613498266Sopenharmony_ci 20713498266Sopenharmony_ci /* Setup the challenge "input" security buffer */ 20813498266Sopenharmony_ci input_token.value = (void *) Curl_bufref_ptr(chlg); 20913498266Sopenharmony_ci input_token.length = Curl_bufref_len(chlg); 21013498266Sopenharmony_ci 21113498266Sopenharmony_ci /* Decrypt the inbound challenge and obtain the qop */ 21213498266Sopenharmony_ci major_status = gss_unwrap(&minor_status, krb5->context, &input_token, 21313498266Sopenharmony_ci &output_token, NULL, &qop); 21413498266Sopenharmony_ci if(GSS_ERROR(major_status)) { 21513498266Sopenharmony_ci Curl_gss_log_error(data, "gss_unwrap() failed: ", 21613498266Sopenharmony_ci major_status, minor_status); 21713498266Sopenharmony_ci return CURLE_BAD_CONTENT_ENCODING; 21813498266Sopenharmony_ci } 21913498266Sopenharmony_ci 22013498266Sopenharmony_ci /* Not 4 octets long so fail as per RFC4752 Section 3.1 */ 22113498266Sopenharmony_ci if(output_token.length != 4) { 22213498266Sopenharmony_ci infof(data, "GSSAPI handshake failure (invalid security data)"); 22313498266Sopenharmony_ci return CURLE_BAD_CONTENT_ENCODING; 22413498266Sopenharmony_ci } 22513498266Sopenharmony_ci 22613498266Sopenharmony_ci /* Extract the security layer and the maximum message size */ 22713498266Sopenharmony_ci indata = output_token.value; 22813498266Sopenharmony_ci sec_layer = indata[0]; 22913498266Sopenharmony_ci max_size = ((unsigned int)indata[1] << 16) | 23013498266Sopenharmony_ci ((unsigned int)indata[2] << 8) | indata[3]; 23113498266Sopenharmony_ci 23213498266Sopenharmony_ci /* Free the challenge as it is not required anymore */ 23313498266Sopenharmony_ci gss_release_buffer(&unused_status, &output_token); 23413498266Sopenharmony_ci 23513498266Sopenharmony_ci /* Process the security layer */ 23613498266Sopenharmony_ci if(!(sec_layer & GSSAUTH_P_NONE)) { 23713498266Sopenharmony_ci infof(data, "GSSAPI handshake failure (invalid security layer)"); 23813498266Sopenharmony_ci 23913498266Sopenharmony_ci return CURLE_BAD_CONTENT_ENCODING; 24013498266Sopenharmony_ci } 24113498266Sopenharmony_ci sec_layer &= GSSAUTH_P_NONE; /* We do not support a security layer */ 24213498266Sopenharmony_ci 24313498266Sopenharmony_ci /* Process the maximum message size the server can receive */ 24413498266Sopenharmony_ci if(max_size > 0) { 24513498266Sopenharmony_ci /* The server has told us it supports a maximum receive buffer, however, as 24613498266Sopenharmony_ci we don't require one unless we are encrypting data, we tell the server 24713498266Sopenharmony_ci our receive buffer is zero. */ 24813498266Sopenharmony_ci max_size = 0; 24913498266Sopenharmony_ci } 25013498266Sopenharmony_ci 25113498266Sopenharmony_ci /* Allocate our message */ 25213498266Sopenharmony_ci messagelen = 4; 25313498266Sopenharmony_ci if(authzid) 25413498266Sopenharmony_ci messagelen += strlen(authzid); 25513498266Sopenharmony_ci message = malloc(messagelen); 25613498266Sopenharmony_ci if(!message) 25713498266Sopenharmony_ci return CURLE_OUT_OF_MEMORY; 25813498266Sopenharmony_ci 25913498266Sopenharmony_ci /* Populate the message with the security layer and client supported receive 26013498266Sopenharmony_ci message size. */ 26113498266Sopenharmony_ci message[0] = sec_layer & 0xFF; 26213498266Sopenharmony_ci message[1] = (max_size >> 16) & 0xFF; 26313498266Sopenharmony_ci message[2] = (max_size >> 8) & 0xFF; 26413498266Sopenharmony_ci message[3] = max_size & 0xFF; 26513498266Sopenharmony_ci 26613498266Sopenharmony_ci /* If given, append the authorization identity. */ 26713498266Sopenharmony_ci 26813498266Sopenharmony_ci if(authzid && *authzid) 26913498266Sopenharmony_ci memcpy(message + 4, authzid, messagelen - 4); 27013498266Sopenharmony_ci 27113498266Sopenharmony_ci /* Setup the "authentication data" security buffer */ 27213498266Sopenharmony_ci input_token.value = message; 27313498266Sopenharmony_ci input_token.length = messagelen; 27413498266Sopenharmony_ci 27513498266Sopenharmony_ci /* Encrypt the data */ 27613498266Sopenharmony_ci major_status = gss_wrap(&minor_status, krb5->context, 0, 27713498266Sopenharmony_ci GSS_C_QOP_DEFAULT, &input_token, NULL, 27813498266Sopenharmony_ci &output_token); 27913498266Sopenharmony_ci if(GSS_ERROR(major_status)) { 28013498266Sopenharmony_ci Curl_gss_log_error(data, "gss_wrap() failed: ", 28113498266Sopenharmony_ci major_status, minor_status); 28213498266Sopenharmony_ci free(message); 28313498266Sopenharmony_ci return CURLE_AUTH_ERROR; 28413498266Sopenharmony_ci } 28513498266Sopenharmony_ci 28613498266Sopenharmony_ci /* Return the response. */ 28713498266Sopenharmony_ci result = Curl_bufref_memdup(out, output_token.value, output_token.length); 28813498266Sopenharmony_ci /* Free the output buffer */ 28913498266Sopenharmony_ci gss_release_buffer(&unused_status, &output_token); 29013498266Sopenharmony_ci 29113498266Sopenharmony_ci /* Free the message buffer */ 29213498266Sopenharmony_ci free(message); 29313498266Sopenharmony_ci 29413498266Sopenharmony_ci return result; 29513498266Sopenharmony_ci} 29613498266Sopenharmony_ci 29713498266Sopenharmony_ci/* 29813498266Sopenharmony_ci * Curl_auth_cleanup_gssapi() 29913498266Sopenharmony_ci * 30013498266Sopenharmony_ci * This is used to clean up the GSSAPI (Kerberos V5) specific data. 30113498266Sopenharmony_ci * 30213498266Sopenharmony_ci * Parameters: 30313498266Sopenharmony_ci * 30413498266Sopenharmony_ci * krb5 [in/out] - The Kerberos 5 data struct being cleaned up. 30513498266Sopenharmony_ci * 30613498266Sopenharmony_ci */ 30713498266Sopenharmony_civoid Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) 30813498266Sopenharmony_ci{ 30913498266Sopenharmony_ci OM_uint32 minor_status; 31013498266Sopenharmony_ci 31113498266Sopenharmony_ci /* Free our security context */ 31213498266Sopenharmony_ci if(krb5->context != GSS_C_NO_CONTEXT) { 31313498266Sopenharmony_ci gss_delete_sec_context(&minor_status, &krb5->context, GSS_C_NO_BUFFER); 31413498266Sopenharmony_ci krb5->context = GSS_C_NO_CONTEXT; 31513498266Sopenharmony_ci } 31613498266Sopenharmony_ci 31713498266Sopenharmony_ci /* Free the SPN */ 31813498266Sopenharmony_ci if(krb5->spn != GSS_C_NO_NAME) { 31913498266Sopenharmony_ci gss_release_name(&minor_status, &krb5->spn); 32013498266Sopenharmony_ci krb5->spn = GSS_C_NO_NAME; 32113498266Sopenharmony_ci } 32213498266Sopenharmony_ci} 32313498266Sopenharmony_ci 32413498266Sopenharmony_ci#endif /* HAVE_GSSAPI && USE_KERBEROS5 */ 325