/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
2013498266Sopenharmony_ci * 2113498266Sopenharmony_ci * SPDX-License-Identifier: curl 2213498266Sopenharmony_ci * 2313498266Sopenharmony_ci * RFC4178 Simple and Protected GSS-API Negotiation Mechanism 2413498266Sopenharmony_ci * 2513498266Sopenharmony_ci ***************************************************************************/ 2613498266Sopenharmony_ci 2713498266Sopenharmony_ci#include "curl_setup.h" 2813498266Sopenharmony_ci 2913498266Sopenharmony_ci#if defined(HAVE_GSSAPI) && defined(USE_SPNEGO) 3013498266Sopenharmony_ci 3113498266Sopenharmony_ci#include <curl/curl.h> 3213498266Sopenharmony_ci 3313498266Sopenharmony_ci#include "vauth/vauth.h" 3413498266Sopenharmony_ci#include "urldata.h" 3513498266Sopenharmony_ci#include "curl_base64.h" 3613498266Sopenharmony_ci#include "curl_gssapi.h" 3713498266Sopenharmony_ci#include "warnless.h" 3813498266Sopenharmony_ci#include "curl_multibyte.h" 3913498266Sopenharmony_ci#include "sendf.h" 4013498266Sopenharmony_ci 4113498266Sopenharmony_ci/* The last #include files should be: */ 4213498266Sopenharmony_ci#include "curl_memory.h" 4313498266Sopenharmony_ci#include "memdebug.h" 4413498266Sopenharmony_ci 4513498266Sopenharmony_ci/* 4613498266Sopenharmony_ci * Curl_auth_is_spnego_supported() 4713498266Sopenharmony_ci * 4813498266Sopenharmony_ci * This is used to evaluate if SPNEGO (Negotiate) is supported. 4913498266Sopenharmony_ci * 5013498266Sopenharmony_ci * Parameters: None 5113498266Sopenharmony_ci * 5213498266Sopenharmony_ci * Returns TRUE if Negotiate supported by the GSS-API library. 
 */
bool Curl_auth_is_spnego_supported(void)
{
  /* This translation unit is only compiled when both HAVE_GSSAPI and
     USE_SPNEGO are defined, so the mechanism is unconditionally available
     in this build */
  return TRUE;
}

/*
 * Curl_auth_decode_spnego_message()
 *
 * Decodes a base64 encoded SPNEGO (Negotiate) challenge received from the
 * peer and runs one step of the GSS-API context establishment, leaving the
 * token to send back in nego->output_token.
 *
 * Parameters:
 *
 * data     [in]     - The session handle.
 * user     [in]     - The user name; not used by the GSS-API build.
 * password [in]     - The user's password; not used by the GSS-API build.
 * service  [in]     - The service type such as http, smtp, pop or imap.
 * host     [in]     - The host name.
 * chlg64   [in]     - The optional base64 encoded challenge message.
 * nego     [in/out] - The Negotiate data struct being used and modified.
 *
 * Returns CURLE_OK on success. Returns CURLE_LOGIN_DENIED when our side of
 * the exchange had already completed and the server challenged again,
 * CURLE_OUT_OF_MEMORY if the SPN cannot be built, CURLE_AUTH_ERROR when
 * importing the SPN or running gss_init_sec_context() fails or yields no
 * token, CURLE_BAD_CONTENT_ENCODING for an empty challenge, or the error
 * from the base64 decoder.
 */
/* Release a GSS-API buffer if one was handed to us. The minor status of
   the release is of no interest here and is dropped. */
static void spnego_discard_token(gss_buffer_desc *token)
{
  OM_uint32 ignored_status;

  if(token->value)
    gss_release_buffer(&ignored_status, token);
}

CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
                                         const char *user,
                                         const char *password,
                                         const char *service,
                                         const char *host,
                                         const char *chlg64,
                                         struct negotiatedata *nego)
{
  OM_uint32 major_status;
  OM_uint32 minor_status;
  OM_uint32 ignored_status;
  gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;

  /* The GSS-API flavour never looks at explicit credentials */
  (void) user;
  (void) password;

  /* Our side of the exchange already completed, yet the server challenged
     us again: it rejected our final token and we have nothing else to
     offer, so give up instead of looping */
  if(nego->context && nego->status == GSS_S_COMPLETE) {
    Curl_auth_cleanup_spnego(nego);
    return CURLE_LOGIN_DENIED;
  }

  /* First round only: build and import the service principal name */
  if(!nego->spn) {
    gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER;
    char *spn = Curl_auth_build_spn(service, NULL, host);
    if(!spn)
      return CURLE_OUT_OF_MEMORY;

    spn_token.value = spn;
    spn_token.length = strlen(spn);
    major_status = gss_import_name(&minor_status, &spn_token,
                                   GSS_C_NT_HOSTBASED_SERVICE,
                                   &nego->spn);

    /* The textual SPN is released on both paths; only the imported name
       in nego->spn is kept */
    free(spn);

    if(GSS_ERROR(major_status)) {
      Curl_gss_log_error(data, "gss_import_name() failed: ",
                         major_status, minor_status);
      return CURLE_AUTH_ERROR;
    }
  }

  /* Turn the peer-supplied challenge, if there is one, into the input
     token for this round */
  if(chlg64 && *chlg64) {
    unsigned char *challenge = NULL;
    size_t challenge_len = 0;

    /* A challenge starting with '=' is not decoded at all and therefore
       falls into the empty-challenge rejection below */
    if(*chlg64 != '=') {
      CURLcode result = Curl_base64_decode(chlg64, &challenge,
                                           &challenge_len);
      if(result)
        return result;
    }

    if(!challenge) {
      infof(data, "SPNEGO handshake failure (empty challenge message)");
      return CURLE_BAD_CONTENT_ENCODING;
    }

    input_token.value = challenge;
    input_token.length = challenge_len;
  }

  /* Run one step of the context establishment */
  major_status = Curl_gss_init_sec_context(data,
                                           &minor_status,
                                           &nego->context,
                                           nego->spn,
                                           &Curl_spnego_mech_oid,
                                           GSS_C_NO_CHANNEL_BINDINGS,
                                           &input_token,
                                           &output_token,
                                           TRUE,
                                           NULL);

  /* The decoded challenge has been consumed */
  Curl_safefree(input_token.value);

  /* Remember the status so that a renewed challenge after GSS_S_COMPLETE
     is caught at the top of the next call */
  nego->status = major_status;

  if(GSS_ERROR(major_status)) {
    spnego_discard_token(&output_token);
    Curl_gss_log_error(data, "gss_init_sec_context() failed: ",
                       major_status, minor_status);
    return CURLE_AUTH_ERROR;
  }

  /* Getting no token to send back counts as a failure as well */
  if(!output_token.value || !output_token.length) {
    spnego_discard_token(&output_token);
    return CURLE_AUTH_ERROR;
  }

  /* Drop the token of the previous round and keep this one for
     Curl_auth_create_spnego_message() to encode */
  if(nego->output_token.length && nego->output_token.value)
    gss_release_buffer(&ignored_status, &nego->output_token);
  nego->output_token = output_token;

  return CURLE_OK;
}

/*
 * Curl_auth_create_spnego_message()
 *
 * Base64 encodes the SPNEGO (Negotiate) token produced by the last call to
 * Curl_auth_decode_spnego_message() into a message ready for sending to the
 * recipient.
 *
 * Parameters:
 *
 * nego   [in/out] - The Negotiate data struct being used and modified.
 * outptr [out]    - The address where a pointer to newly allocated memory
 *                   holding the result will be stored upon completion.
 * outlen [out]    - The length of the output message.
 *
 * Returns CURLE_OK on success, the error from the base64 encoder if it
 * fails, or CURLE_REMOTE_ACCESS_DENIED if the encoded message is empty. On
 * either failure the stored token is released.
 */
CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego,
                                         char **outptr, size_t *outlen)
{
  OM_uint32 minor_status;
  CURLcode result = Curl_base64_encode(nego->output_token.value,
                                       nego->output_token.length,
                                       outptr, outlen);

  /* Whether the encoder failed or produced nothing, the GSS-API token is of
     no further use: release it and leave nego in a clean state. The output
     pointers are only inspected when the encoder reported success. */
  if(result || !*outptr || !*outlen) {
    gss_release_buffer(&minor_status, &nego->output_token);
    nego->output_token.value = NULL;
    nego->output_token.length = 0;

    /* An empty encoded message is reported as a refusal rather than as an
       encoding error */
    return result ? result : CURLE_REMOTE_ACCESS_DENIED;
  }

  return CURLE_OK;
}

/*
 * Curl_auth_cleanup_spnego()
 *
 * Releases the security context, the pending output token and the imported
 * SPN held in the Negotiate data struct and resets its state flags.
 *
 * Parameters:
 *
 * nego [in/out] - The Negotiate data struct being cleaned up.
 *
 */
void Curl_auth_cleanup_spnego(struct negotiatedata *nego)
{
  OM_uint32 minor_status;

  /* The imported name, the pending token and the security context are
     separate GSS-API objects and are released one by one. Each is reset to
     its "none" value so that a second cleanup finds nothing to release. */
  if(nego->spn != GSS_C_NO_NAME) {
    gss_release_name(&minor_status, &nego->spn);
    nego->spn = GSS_C_NO_NAME;
  }

  if(nego->output_token.value) {
    gss_release_buffer(&minor_status, &nego->output_token);
    nego->output_token.value = NULL;
    nego->output_token.length = 0;
  }

  if(nego->context != GSS_C_NO_CONTEXT) {
    gss_delete_sec_context(&minor_status, &nego->context, GSS_C_NO_BUFFER);
    nego->context = GSS_C_NO_CONTEXT;
  }

  /* Back to the initial state for the next authentication attempt */
  nego->status = 0;
  nego->havemultiplerequests = FALSE;
  nego->havenegdata = FALSE;
  nego->havenoauthpersist = FALSE;
  nego->noauthpersist = FALSE;
}

#endif /* HAVE_GSSAPI && USE_SPNEGO */