1/*************************************************************************** 2 * _ _ ____ _ 3 * Project ___| | | | _ \| | 4 * / __| | | | |_) | | 5 * | (__| |_| | _ <| |___ 6 * \___|\___/|_| \_\_____| 7 * 8 * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. 9 * 10 * This software is licensed as described in the file COPYING, which 11 * you should have received as part of this distribution. The terms 12 * are also available at https://curl.se/docs/copyright.html. 13 * 14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 15 * copies of the Software, and permit persons to whom the Software is 16 * furnished to do so, under the terms of the COPYING file. 17 * 18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 19 * KIND, either express or implied. 20 * 21 * SPDX-License-Identifier: curl 22 * 23 * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism 24 * 25 ***************************************************************************/ 26 27#include "curl_setup.h" 28 29#if defined(USE_WINDOWS_SSPI) && defined(USE_KERBEROS5) 30 31#include <curl/curl.h> 32 33#include "vauth/vauth.h" 34#include "urldata.h" 35#include "warnless.h" 36#include "curl_multibyte.h" 37#include "sendf.h" 38 39/* The last #include files should be: */ 40#include "curl_memory.h" 41#include "memdebug.h" 42 43/* 44 * Curl_auth_is_gssapi_supported() 45 * 46 * This is used to evaluate if GSSAPI (Kerberos V5) is supported. 47 * 48 * Parameters: None 49 * 50 * Returns TRUE if Kerberos V5 is supported by Windows SSPI. 51 */ 52bool Curl_auth_is_gssapi_supported(void) 53{ 54 PSecPkgInfo SecurityPackage; 55 SECURITY_STATUS status; 56 57 /* Query the security package for Kerberos */ 58 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) 59 TEXT(SP_NAME_KERBEROS), 60 &SecurityPackage); 61 62 /* Release the package buffer as it is not required anymore */ 63 if(status == SEC_E_OK) { 64 s_pSecFn->FreeContextBuffer(SecurityPackage); 65 } 66 67 return (status == SEC_E_OK ? TRUE : FALSE); 68} 69 70/* 71 * Curl_auth_create_gssapi_user_message() 72 * 73 * This is used to generate an already encoded GSSAPI (Kerberos V5) user token 74 * message ready for sending to the recipient. 75 * 76 * Parameters: 77 * 78 * data [in] - The session handle. 79 * userp [in] - The user name in the format User or Domain\User. 80 * passwdp [in] - The user's password. 81 * service [in] - The service type such as http, smtp, pop or imap. 82 * host [in] - The host name. 83 * mutual_auth [in] - Flag specifying whether or not mutual authentication 84 * is enabled. 85 * chlg [in] - Optional challenge message. 86 * krb5 [in/out] - The Kerberos 5 data struct being used and modified. 87 * out [out] - The result storage. 88 * 89 * Returns CURLE_OK on success. 90 */ 91CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, 92 const char *userp, 93 const char *passwdp, 94 const char *service, 95 const char *host, 96 const bool mutual_auth, 97 const struct bufref *chlg, 98 struct kerberos5data *krb5, 99 struct bufref *out) 100{ 101 CURLcode result = CURLE_OK; 102 CtxtHandle context; 103 PSecPkgInfo SecurityPackage; 104 SecBuffer chlg_buf; 105 SecBuffer resp_buf; 106 SecBufferDesc chlg_desc; 107 SecBufferDesc resp_desc; 108 SECURITY_STATUS status; 109 unsigned long attrs; 110 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */ 111 112 if(!krb5->spn) { 113 /* Generate our SPN */ 114 krb5->spn = Curl_auth_build_spn(service, host, NULL); 115 if(!krb5->spn) 116 return CURLE_OUT_OF_MEMORY; 117 } 118 119 if(!krb5->output_token) { 120 /* Query the security package for Kerberos */ 121 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) 122 TEXT(SP_NAME_KERBEROS), 123 &SecurityPackage); 124 if(status != SEC_E_OK) { 125 failf(data, "SSPI: couldn't get auth info"); 126 return CURLE_AUTH_ERROR; 127 } 128 129 krb5->token_max = SecurityPackage->cbMaxToken; 130 131 /* Release the package buffer as it is not required anymore */ 132 s_pSecFn->FreeContextBuffer(SecurityPackage); 133 134 /* Allocate our response buffer */ 135 krb5->output_token = malloc(krb5->token_max); 136 if(!krb5->output_token) 137 return CURLE_OUT_OF_MEMORY; 138 } 139 140 if(!krb5->credentials) { 141 /* Do we have credentials to use or are we using single sign-on? */ 142 if(userp && *userp) { 143 /* Populate our identity structure */ 144 result = Curl_create_sspi_identity(userp, passwdp, &krb5->identity); 145 if(result) 146 return result; 147 148 /* Allow proper cleanup of the identity structure */ 149 krb5->p_identity = &krb5->identity; 150 } 151 else 152 /* Use the current Windows user */ 153 krb5->p_identity = NULL; 154 155 /* Allocate our credentials handle */ 156 krb5->credentials = calloc(1, sizeof(CredHandle)); 157 if(!krb5->credentials) 158 return CURLE_OUT_OF_MEMORY; 159 160 /* Acquire our credentials handle */ 161 status = s_pSecFn->AcquireCredentialsHandle(NULL, 162 (TCHAR *) 163 TEXT(SP_NAME_KERBEROS), 164 SECPKG_CRED_OUTBOUND, NULL, 165 krb5->p_identity, NULL, NULL, 166 krb5->credentials, &expiry); 167 if(status != SEC_E_OK) 168 return CURLE_LOGIN_DENIED; 169 170 /* Allocate our new context handle */ 171 krb5->context = calloc(1, sizeof(CtxtHandle)); 172 if(!krb5->context) 173 return CURLE_OUT_OF_MEMORY; 174 } 175 176 if(chlg) { 177 if(!Curl_bufref_len(chlg)) { 178 infof(data, "GSSAPI handshake failure (empty challenge message)"); 179 return CURLE_BAD_CONTENT_ENCODING; 180 } 181 182 /* Setup the challenge "input" security buffer */ 183 chlg_desc.ulVersion = SECBUFFER_VERSION; 184 chlg_desc.cBuffers = 1; 185 chlg_desc.pBuffers = &chlg_buf; 186 chlg_buf.BufferType = SECBUFFER_TOKEN; 187 chlg_buf.pvBuffer = (void *) Curl_bufref_ptr(chlg); 188 chlg_buf.cbBuffer = curlx_uztoul(Curl_bufref_len(chlg)); 189 } 190 191 /* Setup the response "output" security buffer */ 192 resp_desc.ulVersion = SECBUFFER_VERSION; 193 resp_desc.cBuffers = 1; 194 resp_desc.pBuffers = &resp_buf; 195 resp_buf.BufferType = SECBUFFER_TOKEN; 196 resp_buf.pvBuffer = krb5->output_token; 197 resp_buf.cbBuffer = curlx_uztoul(krb5->token_max); 198 199 /* Generate our challenge-response message */ 200 status = s_pSecFn->InitializeSecurityContext(krb5->credentials, 201 chlg ? krb5->context : NULL, 202 krb5->spn, 203 (mutual_auth ? 204 ISC_REQ_MUTUAL_AUTH : 0), 205 0, SECURITY_NATIVE_DREP, 206 chlg ? &chlg_desc : NULL, 0, 207 &context, 208 &resp_desc, &attrs, 209 &expiry); 210 211 if(status == SEC_E_INSUFFICIENT_MEMORY) 212 return CURLE_OUT_OF_MEMORY; 213 214 if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) 215 return CURLE_AUTH_ERROR; 216 217 if(memcmp(&context, krb5->context, sizeof(context))) { 218 s_pSecFn->DeleteSecurityContext(krb5->context); 219 220 memcpy(krb5->context, &context, sizeof(context)); 221 } 222 223 if(resp_buf.cbBuffer) { 224 result = Curl_bufref_memdup(out, resp_buf.pvBuffer, resp_buf.cbBuffer); 225 } 226 else if(mutual_auth) 227 Curl_bufref_set(out, "", 0, NULL); 228 else 229 Curl_bufref_set(out, NULL, 0, NULL); 230 231 return result; 232} 233 234/* 235 * Curl_auth_create_gssapi_security_message() 236 * 237 * This is used to generate an already encoded GSSAPI (Kerberos V5) security 238 * token message ready for sending to the recipient. 239 * 240 * Parameters: 241 * 242 * data [in] - The session handle. 243 * authzid [in] - The authorization identity if some. 244 * chlg [in] - The optional challenge message. 245 * krb5 [in/out] - The Kerberos 5 data struct being used and modified. 246 * out [out] - The result storage. 247 * 248 * Returns CURLE_OK on success. 249 */ 250CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, 251 const char *authzid, 252 const struct bufref *chlg, 253 struct kerberos5data *krb5, 254 struct bufref *out) 255{ 256 size_t offset = 0; 257 size_t messagelen = 0; 258 size_t appdatalen = 0; 259 unsigned char *trailer = NULL; 260 unsigned char *message = NULL; 261 unsigned char *padding = NULL; 262 unsigned char *appdata = NULL; 263 SecBuffer input_buf[2]; 264 SecBuffer wrap_buf[3]; 265 SecBufferDesc input_desc; 266 SecBufferDesc wrap_desc; 267 unsigned char *indata; 268 unsigned long qop = 0; 269 unsigned long sec_layer = 0; 270 unsigned long max_size = 0; 271 SecPkgContext_Sizes sizes; 272 SECURITY_STATUS status; 273 274#if defined(CURL_DISABLE_VERBOSE_STRINGS) 275 (void) data; 276#endif 277 278 /* Ensure we have a valid challenge message */ 279 if(!Curl_bufref_len(chlg)) { 280 infof(data, "GSSAPI handshake failure (empty security message)"); 281 return CURLE_BAD_CONTENT_ENCODING; 282 } 283 284 /* Get our response size information */ 285 status = s_pSecFn->QueryContextAttributes(krb5->context, 286 SECPKG_ATTR_SIZES, 287 &sizes); 288 289 if(status == SEC_E_INSUFFICIENT_MEMORY) 290 return CURLE_OUT_OF_MEMORY; 291 292 if(status != SEC_E_OK) 293 return CURLE_AUTH_ERROR; 294 295 /* Setup the "input" security buffer */ 296 input_desc.ulVersion = SECBUFFER_VERSION; 297 input_desc.cBuffers = 2; 298 input_desc.pBuffers = input_buf; 299 input_buf[0].BufferType = SECBUFFER_STREAM; 300 input_buf[0].pvBuffer = (void *) Curl_bufref_ptr(chlg); 301 input_buf[0].cbBuffer = curlx_uztoul(Curl_bufref_len(chlg)); 302 input_buf[1].BufferType = SECBUFFER_DATA; 303 input_buf[1].pvBuffer = NULL; 304 input_buf[1].cbBuffer = 0; 305 306 /* Decrypt the inbound challenge and obtain the qop */ 307 status = s_pSecFn->DecryptMessage(krb5->context, &input_desc, 0, &qop); 308 if(status != SEC_E_OK) { 309 infof(data, "GSSAPI handshake failure (empty security message)"); 310 return CURLE_BAD_CONTENT_ENCODING; 311 } 312 313 /* Not 4 octets long so fail as per RFC4752 Section 3.1 */ 314 if(input_buf[1].cbBuffer != 4) { 315 infof(data, "GSSAPI handshake failure (invalid security data)"); 316 return CURLE_BAD_CONTENT_ENCODING; 317 } 318 319 /* Extract the security layer and the maximum message size */ 320 indata = input_buf[1].pvBuffer; 321 sec_layer = indata[0]; 322 max_size = ((unsigned long)indata[1] << 16) | 323 ((unsigned long)indata[2] << 8) | indata[3]; 324 325 /* Free the challenge as it is not required anymore */ 326 s_pSecFn->FreeContextBuffer(input_buf[1].pvBuffer); 327 328 /* Process the security layer */ 329 if(!(sec_layer & KERB_WRAP_NO_ENCRYPT)) { 330 infof(data, "GSSAPI handshake failure (invalid security layer)"); 331 return CURLE_BAD_CONTENT_ENCODING; 332 } 333 sec_layer &= KERB_WRAP_NO_ENCRYPT; /* We do not support a security layer */ 334 335 /* Process the maximum message size the server can receive */ 336 if(max_size > 0) { 337 /* The server has told us it supports a maximum receive buffer, however, as 338 we don't require one unless we are encrypting data, we tell the server 339 our receive buffer is zero. */ 340 max_size = 0; 341 } 342 343 /* Allocate the trailer */ 344 trailer = malloc(sizes.cbSecurityTrailer); 345 if(!trailer) 346 return CURLE_OUT_OF_MEMORY; 347 348 /* Allocate our message */ 349 messagelen = 4; 350 if(authzid) 351 messagelen += strlen(authzid); 352 message = malloc(messagelen); 353 if(!message) { 354 free(trailer); 355 356 return CURLE_OUT_OF_MEMORY; 357 } 358 359 /* Populate the message with the security layer and client supported receive 360 message size. */ 361 message[0] = sec_layer & 0xFF; 362 message[1] = (max_size >> 16) & 0xFF; 363 message[2] = (max_size >> 8) & 0xFF; 364 message[3] = max_size & 0xFF; 365 366 /* If given, append the authorization identity. */ 367 368 if(authzid && *authzid) 369 memcpy(message + 4, authzid, messagelen - 4); 370 371 /* Allocate the padding */ 372 padding = malloc(sizes.cbBlockSize); 373 if(!padding) { 374 free(message); 375 free(trailer); 376 377 return CURLE_OUT_OF_MEMORY; 378 } 379 380 /* Setup the "authentication data" security buffer */ 381 wrap_desc.ulVersion = SECBUFFER_VERSION; 382 wrap_desc.cBuffers = 3; 383 wrap_desc.pBuffers = wrap_buf; 384 wrap_buf[0].BufferType = SECBUFFER_TOKEN; 385 wrap_buf[0].pvBuffer = trailer; 386 wrap_buf[0].cbBuffer = sizes.cbSecurityTrailer; 387 wrap_buf[1].BufferType = SECBUFFER_DATA; 388 wrap_buf[1].pvBuffer = message; 389 wrap_buf[1].cbBuffer = curlx_uztoul(messagelen); 390 wrap_buf[2].BufferType = SECBUFFER_PADDING; 391 wrap_buf[2].pvBuffer = padding; 392 wrap_buf[2].cbBuffer = sizes.cbBlockSize; 393 394 /* Encrypt the data */ 395 status = s_pSecFn->EncryptMessage(krb5->context, KERB_WRAP_NO_ENCRYPT, 396 &wrap_desc, 0); 397 if(status != SEC_E_OK) { 398 free(padding); 399 free(message); 400 free(trailer); 401 402 if(status == SEC_E_INSUFFICIENT_MEMORY) 403 return CURLE_OUT_OF_MEMORY; 404 405 return CURLE_AUTH_ERROR; 406 } 407 408 /* Allocate the encryption (wrap) buffer */ 409 appdatalen = wrap_buf[0].cbBuffer + wrap_buf[1].cbBuffer + 410 wrap_buf[2].cbBuffer; 411 appdata = malloc(appdatalen); 412 if(!appdata) { 413 free(padding); 414 free(message); 415 free(trailer); 416 417 return CURLE_OUT_OF_MEMORY; 418 } 419 420 /* Populate the encryption buffer */ 421 memcpy(appdata, wrap_buf[0].pvBuffer, wrap_buf[0].cbBuffer); 422 offset += wrap_buf[0].cbBuffer; 423 memcpy(appdata + offset, wrap_buf[1].pvBuffer, wrap_buf[1].cbBuffer); 424 offset += wrap_buf[1].cbBuffer; 425 memcpy(appdata + offset, wrap_buf[2].pvBuffer, wrap_buf[2].cbBuffer); 426 427 /* Free all of our local buffers */ 428 free(padding); 429 free(message); 430 free(trailer); 431 432 /* Return the response. */ 433 Curl_bufref_set(out, appdata, appdatalen, curl_free); 434 return CURLE_OK; 435} 436 437/* 438 * Curl_auth_cleanup_gssapi() 439 * 440 * This is used to clean up the GSSAPI (Kerberos V5) specific data. 441 * 442 * Parameters: 443 * 444 * krb5 [in/out] - The Kerberos 5 data struct being cleaned up. 445 * 446 */ 447void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) 448{ 449 /* Free our security context */ 450 if(krb5->context) { 451 s_pSecFn->DeleteSecurityContext(krb5->context); 452 free(krb5->context); 453 krb5->context = NULL; 454 } 455 456 /* Free our credentials handle */ 457 if(krb5->credentials) { 458 s_pSecFn->FreeCredentialsHandle(krb5->credentials); 459 free(krb5->credentials); 460 krb5->credentials = NULL; 461 } 462 463 /* Free our identity */ 464 Curl_sspi_free_identity(krb5->p_identity); 465 krb5->p_identity = NULL; 466 467 /* Free the SPN and output token */ 468 Curl_safefree(krb5->spn); 469 Curl_safefree(krb5->output_token); 470 471 /* Reset any variables */ 472 krb5->token_max = 0; 473} 474 475#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ 476