1/*************************************************************************** 2 * _ _ ____ _ 3 * Project ___| | | | _ \| | 4 * / __| | | | |_) | | 5 * | (__| |_| | _ <| |___ 6 * \___|\___/|_| \_\_____| 7 * 8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 9 * 10 * This software is licensed as described in the file COPYING, which 11 * you should have received as part of this distribution. The terms 12 * are also available at https://curl.se/docs/copyright.html. 13 * 14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 15 * copies of the Software, and permit persons to whom the Software is 16 * furnished to do so, under the terms of the COPYING file. 17 * 18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 19 * KIND, either express or implied. 20 * 21 * SPDX-License-Identifier: curl 22 * 23 * RFC4178 Simple and Protected GSS-API Negotiation Mechanism 24 * 25 ***************************************************************************/ 26 27#include "curl_setup.h" 28 29#if defined(HAVE_GSSAPI) && defined(USE_SPNEGO) 30 31#include <curl/curl.h> 32 33#include "vauth/vauth.h" 34#include "urldata.h" 35#include "curl_base64.h" 36#include "curl_gssapi.h" 37#include "warnless.h" 38#include "curl_multibyte.h" 39#include "sendf.h" 40 41/* The last #include files should be: */ 42#include "curl_memory.h" 43#include "memdebug.h" 44 45/* 46 * Curl_auth_is_spnego_supported() 47 * 48 * This is used to evaluate if SPNEGO (Negotiate) is supported. 49 * 50 * Parameters: None 51 * 52 * Returns TRUE if Negotiate supported by the GSS-API library. 53 */ 54bool Curl_auth_is_spnego_supported(void) 55{ 56 return TRUE; 57} 58 59/* 60 * Curl_auth_decode_spnego_message() 61 * 62 * This is used to decode an already encoded SPNEGO (Negotiate) challenge 63 * message. 64 * 65 * Parameters: 66 * 67 * data [in] - The session handle. 68 * userp [in] - The user name in the format User or Domain\User. 69 * passwdp [in] - The user's password. 70 * service [in] - The service type such as http, smtp, pop or imap. 71 * host [in] - The host name. 72 * chlg64 [in] - The optional base64 encoded challenge message. 73 * nego [in/out] - The Negotiate data struct being used and modified. 74 * 75 * Returns CURLE_OK on success. 76 */ 77CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, 78 const char *user, 79 const char *password, 80 const char *service, 81 const char *host, 82 const char *chlg64, 83 struct negotiatedata *nego) 84{ 85 CURLcode result = CURLE_OK; 86 size_t chlglen = 0; 87 unsigned char *chlg = NULL; 88 OM_uint32 major_status; 89 OM_uint32 minor_status; 90 OM_uint32 unused_status; 91 gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER; 92 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; 93 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; 94 95 (void) user; 96 (void) password; 97 98 if(nego->context && nego->status == GSS_S_COMPLETE) { 99 /* We finished successfully our part of authentication, but server 100 * rejected it (since we're again here). Exit with an error since we 101 * can't invent anything better */ 102 Curl_auth_cleanup_spnego(nego); 103 return CURLE_LOGIN_DENIED; 104 } 105 106 if(!nego->spn) { 107 /* Generate our SPN */ 108 char *spn = Curl_auth_build_spn(service, NULL, host); 109 if(!spn) 110 return CURLE_OUT_OF_MEMORY; 111 112 /* Populate the SPN structure */ 113 spn_token.value = spn; 114 spn_token.length = strlen(spn); 115 116 /* Import the SPN */ 117 major_status = gss_import_name(&minor_status, &spn_token, 118 GSS_C_NT_HOSTBASED_SERVICE, 119 &nego->spn); 120 if(GSS_ERROR(major_status)) { 121 Curl_gss_log_error(data, "gss_import_name() failed: ", 122 major_status, minor_status); 123 124 free(spn); 125 126 return CURLE_AUTH_ERROR; 127 } 128 129 free(spn); 130 } 131 132 if(chlg64 && *chlg64) { 133 /* Decode the base-64 encoded challenge message */ 134 if(*chlg64 != '=') { 135 result = Curl_base64_decode(chlg64, &chlg, &chlglen); 136 if(result) 137 return result; 138 } 139 140 /* Ensure we have a valid challenge message */ 141 if(!chlg) { 142 infof(data, "SPNEGO handshake failure (empty challenge message)"); 143 return CURLE_BAD_CONTENT_ENCODING; 144 } 145 146 /* Setup the challenge "input" security buffer */ 147 input_token.value = chlg; 148 input_token.length = chlglen; 149 } 150 151 /* Generate our challenge-response message */ 152 major_status = Curl_gss_init_sec_context(data, 153 &minor_status, 154 &nego->context, 155 nego->spn, 156 &Curl_spnego_mech_oid, 157 GSS_C_NO_CHANNEL_BINDINGS, 158 &input_token, 159 &output_token, 160 TRUE, 161 NULL); 162 163 /* Free the decoded challenge as it is not required anymore */ 164 Curl_safefree(input_token.value); 165 166 nego->status = major_status; 167 if(GSS_ERROR(major_status)) { 168 if(output_token.value) 169 gss_release_buffer(&unused_status, &output_token); 170 171 Curl_gss_log_error(data, "gss_init_sec_context() failed: ", 172 major_status, minor_status); 173 174 return CURLE_AUTH_ERROR; 175 } 176 177 if(!output_token.value || !output_token.length) { 178 if(output_token.value) 179 gss_release_buffer(&unused_status, &output_token); 180 181 return CURLE_AUTH_ERROR; 182 } 183 184 /* Free previous token */ 185 if(nego->output_token.length && nego->output_token.value) 186 gss_release_buffer(&unused_status, &nego->output_token); 187 188 nego->output_token = output_token; 189 190 return CURLE_OK; 191} 192 193/* 194 * Curl_auth_create_spnego_message() 195 * 196 * This is used to generate an already encoded SPNEGO (Negotiate) response 197 * message ready for sending to the recipient. 198 * 199 * Parameters: 200 * 201 * data [in] - The session handle. 202 * nego [in/out] - The Negotiate data struct being used and modified. 203 * outptr [in/out] - The address where a pointer to newly allocated memory 204 * holding the result will be stored upon completion. 205 * outlen [out] - The length of the output message. 206 * 207 * Returns CURLE_OK on success. 208 */ 209CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego, 210 char **outptr, size_t *outlen) 211{ 212 CURLcode result; 213 OM_uint32 minor_status; 214 215 /* Base64 encode the already generated response */ 216 result = Curl_base64_encode(nego->output_token.value, 217 nego->output_token.length, 218 outptr, outlen); 219 220 if(result) { 221 gss_release_buffer(&minor_status, &nego->output_token); 222 nego->output_token.value = NULL; 223 nego->output_token.length = 0; 224 225 return result; 226 } 227 228 if(!*outptr || !*outlen) { 229 gss_release_buffer(&minor_status, &nego->output_token); 230 nego->output_token.value = NULL; 231 nego->output_token.length = 0; 232 233 return CURLE_REMOTE_ACCESS_DENIED; 234 } 235 236 return CURLE_OK; 237} 238 239/* 240 * Curl_auth_cleanup_spnego() 241 * 242 * This is used to clean up the SPNEGO (Negotiate) specific data. 243 * 244 * Parameters: 245 * 246 * nego [in/out] - The Negotiate data struct being cleaned up. 247 * 248 */ 249void Curl_auth_cleanup_spnego(struct negotiatedata *nego) 250{ 251 OM_uint32 minor_status; 252 253 /* Free our security context */ 254 if(nego->context != GSS_C_NO_CONTEXT) { 255 gss_delete_sec_context(&minor_status, &nego->context, GSS_C_NO_BUFFER); 256 nego->context = GSS_C_NO_CONTEXT; 257 } 258 259 /* Free the output token */ 260 if(nego->output_token.value) { 261 gss_release_buffer(&minor_status, &nego->output_token); 262 nego->output_token.value = NULL; 263 nego->output_token.length = 0; 264 265 } 266 267 /* Free the SPN */ 268 if(nego->spn != GSS_C_NO_NAME) { 269 gss_release_name(&minor_status, &nego->spn); 270 nego->spn = GSS_C_NO_NAME; 271 } 272 273 /* Reset any variables */ 274 nego->status = 0; 275 nego->noauthpersist = FALSE; 276 nego->havenoauthpersist = FALSE; 277 nego->havenegdata = FALSE; 278 nego->havemultiplerequests = FALSE; 279} 280 281#endif /* HAVE_GSSAPI && USE_SPNEGO */ 282