1*6236dae4SAndroid Build Coastguard Worker /***************************************************************************
2*6236dae4SAndroid Build Coastguard Worker * _ _ ____ _
3*6236dae4SAndroid Build Coastguard Worker * Project ___| | | | _ \| |
4*6236dae4SAndroid Build Coastguard Worker * / __| | | | |_) | |
5*6236dae4SAndroid Build Coastguard Worker * | (__| |_| | _ <| |___
6*6236dae4SAndroid Build Coastguard Worker * \___|\___/|_| \_\_____|
7*6236dae4SAndroid Build Coastguard Worker *
8*6236dae4SAndroid Build Coastguard Worker * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9*6236dae4SAndroid Build Coastguard Worker *
10*6236dae4SAndroid Build Coastguard Worker * This software is licensed as described in the file COPYING, which
11*6236dae4SAndroid Build Coastguard Worker * you should have received as part of this distribution. The terms
12*6236dae4SAndroid Build Coastguard Worker * are also available at https://curl.se/docs/copyright.html.
13*6236dae4SAndroid Build Coastguard Worker *
14*6236dae4SAndroid Build Coastguard Worker * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15*6236dae4SAndroid Build Coastguard Worker * copies of the Software, and permit persons to whom the Software is
16*6236dae4SAndroid Build Coastguard Worker * furnished to do so, under the terms of the COPYING file.
17*6236dae4SAndroid Build Coastguard Worker *
18*6236dae4SAndroid Build Coastguard Worker * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19*6236dae4SAndroid Build Coastguard Worker * KIND, either express or implied.
20*6236dae4SAndroid Build Coastguard Worker *
21*6236dae4SAndroid Build Coastguard Worker * SPDX-License-Identifier: curl
22*6236dae4SAndroid Build Coastguard Worker *
23*6236dae4SAndroid Build Coastguard Worker ***************************************************************************/
24*6236dae4SAndroid Build Coastguard Worker
25*6236dae4SAndroid Build Coastguard Worker #include "curl_setup.h"
26*6236dae4SAndroid Build Coastguard Worker
27*6236dae4SAndroid Build Coastguard Worker #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
28*6236dae4SAndroid Build Coastguard Worker
29*6236dae4SAndroid Build Coastguard Worker #include "urldata.h"
30*6236dae4SAndroid Build Coastguard Worker #include "sendf.h"
31*6236dae4SAndroid Build Coastguard Worker #include "http_negotiate.h"
32*6236dae4SAndroid Build Coastguard Worker #include "vauth/vauth.h"
33*6236dae4SAndroid Build Coastguard Worker #include "vtls/vtls.h"
34*6236dae4SAndroid Build Coastguard Worker
35*6236dae4SAndroid Build Coastguard Worker /* The last 3 #include files should be in this order */
36*6236dae4SAndroid Build Coastguard Worker #include "curl_printf.h"
37*6236dae4SAndroid Build Coastguard Worker #include "curl_memory.h"
38*6236dae4SAndroid Build Coastguard Worker #include "memdebug.h"
39*6236dae4SAndroid Build Coastguard Worker
Curl_input_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy,const char * header)40*6236dae4SAndroid Build Coastguard Worker CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
41*6236dae4SAndroid Build Coastguard Worker bool proxy, const char *header)
42*6236dae4SAndroid Build Coastguard Worker {
43*6236dae4SAndroid Build Coastguard Worker CURLcode result;
44*6236dae4SAndroid Build Coastguard Worker size_t len;
45*6236dae4SAndroid Build Coastguard Worker
46*6236dae4SAndroid Build Coastguard Worker /* Point to the username, password, service and host */
47*6236dae4SAndroid Build Coastguard Worker const char *userp;
48*6236dae4SAndroid Build Coastguard Worker const char *passwdp;
49*6236dae4SAndroid Build Coastguard Worker const char *service;
50*6236dae4SAndroid Build Coastguard Worker const char *host;
51*6236dae4SAndroid Build Coastguard Worker
52*6236dae4SAndroid Build Coastguard Worker /* Point to the correct struct with this */
53*6236dae4SAndroid Build Coastguard Worker struct negotiatedata *neg_ctx;
54*6236dae4SAndroid Build Coastguard Worker curlnegotiate state;
55*6236dae4SAndroid Build Coastguard Worker
56*6236dae4SAndroid Build Coastguard Worker if(proxy) {
57*6236dae4SAndroid Build Coastguard Worker #ifndef CURL_DISABLE_PROXY
58*6236dae4SAndroid Build Coastguard Worker userp = conn->http_proxy.user;
59*6236dae4SAndroid Build Coastguard Worker passwdp = conn->http_proxy.passwd;
60*6236dae4SAndroid Build Coastguard Worker service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
61*6236dae4SAndroid Build Coastguard Worker data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
62*6236dae4SAndroid Build Coastguard Worker host = conn->http_proxy.host.name;
63*6236dae4SAndroid Build Coastguard Worker neg_ctx = &conn->proxyneg;
64*6236dae4SAndroid Build Coastguard Worker state = conn->proxy_negotiate_state;
65*6236dae4SAndroid Build Coastguard Worker #else
66*6236dae4SAndroid Build Coastguard Worker return CURLE_NOT_BUILT_IN;
67*6236dae4SAndroid Build Coastguard Worker #endif
68*6236dae4SAndroid Build Coastguard Worker }
69*6236dae4SAndroid Build Coastguard Worker else {
70*6236dae4SAndroid Build Coastguard Worker userp = conn->user;
71*6236dae4SAndroid Build Coastguard Worker passwdp = conn->passwd;
72*6236dae4SAndroid Build Coastguard Worker service = data->set.str[STRING_SERVICE_NAME] ?
73*6236dae4SAndroid Build Coastguard Worker data->set.str[STRING_SERVICE_NAME] : "HTTP";
74*6236dae4SAndroid Build Coastguard Worker host = conn->host.name;
75*6236dae4SAndroid Build Coastguard Worker neg_ctx = &conn->negotiate;
76*6236dae4SAndroid Build Coastguard Worker state = conn->http_negotiate_state;
77*6236dae4SAndroid Build Coastguard Worker }
78*6236dae4SAndroid Build Coastguard Worker
79*6236dae4SAndroid Build Coastguard Worker /* Not set means empty */
80*6236dae4SAndroid Build Coastguard Worker if(!userp)
81*6236dae4SAndroid Build Coastguard Worker userp = "";
82*6236dae4SAndroid Build Coastguard Worker
83*6236dae4SAndroid Build Coastguard Worker if(!passwdp)
84*6236dae4SAndroid Build Coastguard Worker passwdp = "";
85*6236dae4SAndroid Build Coastguard Worker
86*6236dae4SAndroid Build Coastguard Worker /* Obtain the input token, if any */
87*6236dae4SAndroid Build Coastguard Worker header += strlen("Negotiate");
88*6236dae4SAndroid Build Coastguard Worker while(*header && ISBLANK(*header))
89*6236dae4SAndroid Build Coastguard Worker header++;
90*6236dae4SAndroid Build Coastguard Worker
91*6236dae4SAndroid Build Coastguard Worker len = strlen(header);
92*6236dae4SAndroid Build Coastguard Worker neg_ctx->havenegdata = len != 0;
93*6236dae4SAndroid Build Coastguard Worker if(!len) {
94*6236dae4SAndroid Build Coastguard Worker if(state == GSS_AUTHSUCC) {
95*6236dae4SAndroid Build Coastguard Worker infof(data, "Negotiate auth restarted");
96*6236dae4SAndroid Build Coastguard Worker Curl_http_auth_cleanup_negotiate(conn);
97*6236dae4SAndroid Build Coastguard Worker }
98*6236dae4SAndroid Build Coastguard Worker else if(state != GSS_AUTHNONE) {
99*6236dae4SAndroid Build Coastguard Worker /* The server rejected our authentication and has not supplied any more
100*6236dae4SAndroid Build Coastguard Worker negotiation mechanisms */
101*6236dae4SAndroid Build Coastguard Worker Curl_http_auth_cleanup_negotiate(conn);
102*6236dae4SAndroid Build Coastguard Worker return CURLE_LOGIN_DENIED;
103*6236dae4SAndroid Build Coastguard Worker }
104*6236dae4SAndroid Build Coastguard Worker }
105*6236dae4SAndroid Build Coastguard Worker
106*6236dae4SAndroid Build Coastguard Worker /* Supports SSL channel binding for Windows ISS extended protection */
107*6236dae4SAndroid Build Coastguard Worker #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
108*6236dae4SAndroid Build Coastguard Worker neg_ctx->sslContext = conn->sslContext;
109*6236dae4SAndroid Build Coastguard Worker #endif
110*6236dae4SAndroid Build Coastguard Worker /* Check if the connection is using SSL and get the channel binding data */
111*6236dae4SAndroid Build Coastguard Worker #if defined(USE_SSL) && defined(HAVE_GSSAPI)
112*6236dae4SAndroid Build Coastguard Worker if(conn->handler->flags & PROTOPT_SSL) {
113*6236dae4SAndroid Build Coastguard Worker Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE);
114*6236dae4SAndroid Build Coastguard Worker result = Curl_ssl_get_channel_binding(
115*6236dae4SAndroid Build Coastguard Worker data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
116*6236dae4SAndroid Build Coastguard Worker if(result) {
117*6236dae4SAndroid Build Coastguard Worker Curl_http_auth_cleanup_negotiate(conn);
118*6236dae4SAndroid Build Coastguard Worker return result;
119*6236dae4SAndroid Build Coastguard Worker }
120*6236dae4SAndroid Build Coastguard Worker }
121*6236dae4SAndroid Build Coastguard Worker #endif
122*6236dae4SAndroid Build Coastguard Worker
123*6236dae4SAndroid Build Coastguard Worker /* Initialize the security context and decode our challenge */
124*6236dae4SAndroid Build Coastguard Worker result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
125*6236dae4SAndroid Build Coastguard Worker host, header, neg_ctx);
126*6236dae4SAndroid Build Coastguard Worker
127*6236dae4SAndroid Build Coastguard Worker #if defined(USE_SSL) && defined(HAVE_GSSAPI)
128*6236dae4SAndroid Build Coastguard Worker Curl_dyn_free(&neg_ctx->channel_binding_data);
129*6236dae4SAndroid Build Coastguard Worker #endif
130*6236dae4SAndroid Build Coastguard Worker
131*6236dae4SAndroid Build Coastguard Worker if(result)
132*6236dae4SAndroid Build Coastguard Worker Curl_http_auth_cleanup_negotiate(conn);
133*6236dae4SAndroid Build Coastguard Worker
134*6236dae4SAndroid Build Coastguard Worker return result;
135*6236dae4SAndroid Build Coastguard Worker }
136*6236dae4SAndroid Build Coastguard Worker
Curl_output_negotiate(struct Curl_easy * data,struct connectdata * conn,bool proxy)137*6236dae4SAndroid Build Coastguard Worker CURLcode Curl_output_negotiate(struct Curl_easy *data,
138*6236dae4SAndroid Build Coastguard Worker struct connectdata *conn, bool proxy)
139*6236dae4SAndroid Build Coastguard Worker {
140*6236dae4SAndroid Build Coastguard Worker struct negotiatedata *neg_ctx;
141*6236dae4SAndroid Build Coastguard Worker struct auth *authp;
142*6236dae4SAndroid Build Coastguard Worker curlnegotiate *state;
143*6236dae4SAndroid Build Coastguard Worker char *base64 = NULL;
144*6236dae4SAndroid Build Coastguard Worker size_t len = 0;
145*6236dae4SAndroid Build Coastguard Worker char *userp;
146*6236dae4SAndroid Build Coastguard Worker CURLcode result;
147*6236dae4SAndroid Build Coastguard Worker
148*6236dae4SAndroid Build Coastguard Worker if(proxy) {
149*6236dae4SAndroid Build Coastguard Worker #ifndef CURL_DISABLE_PROXY
150*6236dae4SAndroid Build Coastguard Worker neg_ctx = &conn->proxyneg;
151*6236dae4SAndroid Build Coastguard Worker authp = &data->state.authproxy;
152*6236dae4SAndroid Build Coastguard Worker state = &conn->proxy_negotiate_state;
153*6236dae4SAndroid Build Coastguard Worker #else
154*6236dae4SAndroid Build Coastguard Worker return CURLE_NOT_BUILT_IN;
155*6236dae4SAndroid Build Coastguard Worker #endif
156*6236dae4SAndroid Build Coastguard Worker }
157*6236dae4SAndroid Build Coastguard Worker else {
158*6236dae4SAndroid Build Coastguard Worker neg_ctx = &conn->negotiate;
159*6236dae4SAndroid Build Coastguard Worker authp = &data->state.authhost;
160*6236dae4SAndroid Build Coastguard Worker state = &conn->http_negotiate_state;
161*6236dae4SAndroid Build Coastguard Worker }
162*6236dae4SAndroid Build Coastguard Worker
163*6236dae4SAndroid Build Coastguard Worker authp->done = FALSE;
164*6236dae4SAndroid Build Coastguard Worker
165*6236dae4SAndroid Build Coastguard Worker if(*state == GSS_AUTHRECV) {
166*6236dae4SAndroid Build Coastguard Worker if(neg_ctx->havenegdata) {
167*6236dae4SAndroid Build Coastguard Worker neg_ctx->havemultiplerequests = TRUE;
168*6236dae4SAndroid Build Coastguard Worker }
169*6236dae4SAndroid Build Coastguard Worker }
170*6236dae4SAndroid Build Coastguard Worker else if(*state == GSS_AUTHSUCC) {
171*6236dae4SAndroid Build Coastguard Worker if(!neg_ctx->havenoauthpersist) {
172*6236dae4SAndroid Build Coastguard Worker neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
173*6236dae4SAndroid Build Coastguard Worker }
174*6236dae4SAndroid Build Coastguard Worker }
175*6236dae4SAndroid Build Coastguard Worker
176*6236dae4SAndroid Build Coastguard Worker if(neg_ctx->noauthpersist ||
177*6236dae4SAndroid Build Coastguard Worker (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
178*6236dae4SAndroid Build Coastguard Worker
179*6236dae4SAndroid Build Coastguard Worker if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
180*6236dae4SAndroid Build Coastguard Worker infof(data, "Curl_output_negotiate, "
181*6236dae4SAndroid Build Coastguard Worker "no persistent authentication: cleanup existing context");
182*6236dae4SAndroid Build Coastguard Worker Curl_http_auth_cleanup_negotiate(conn);
183*6236dae4SAndroid Build Coastguard Worker }
184*6236dae4SAndroid Build Coastguard Worker if(!neg_ctx->context) {
185*6236dae4SAndroid Build Coastguard Worker result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
186*6236dae4SAndroid Build Coastguard Worker if(result == CURLE_AUTH_ERROR) {
187*6236dae4SAndroid Build Coastguard Worker /* negotiate auth failed, let's continue unauthenticated to stay
188*6236dae4SAndroid Build Coastguard Worker * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
189*6236dae4SAndroid Build Coastguard Worker authp->done = TRUE;
190*6236dae4SAndroid Build Coastguard Worker return CURLE_OK;
191*6236dae4SAndroid Build Coastguard Worker }
192*6236dae4SAndroid Build Coastguard Worker else if(result)
193*6236dae4SAndroid Build Coastguard Worker return result;
194*6236dae4SAndroid Build Coastguard Worker }
195*6236dae4SAndroid Build Coastguard Worker
196*6236dae4SAndroid Build Coastguard Worker result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
197*6236dae4SAndroid Build Coastguard Worker if(result)
198*6236dae4SAndroid Build Coastguard Worker return result;
199*6236dae4SAndroid Build Coastguard Worker
200*6236dae4SAndroid Build Coastguard Worker userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
201*6236dae4SAndroid Build Coastguard Worker base64);
202*6236dae4SAndroid Build Coastguard Worker
203*6236dae4SAndroid Build Coastguard Worker if(proxy) {
204*6236dae4SAndroid Build Coastguard Worker #ifndef CURL_DISABLE_PROXY
205*6236dae4SAndroid Build Coastguard Worker Curl_safefree(data->state.aptr.proxyuserpwd);
206*6236dae4SAndroid Build Coastguard Worker data->state.aptr.proxyuserpwd = userp;
207*6236dae4SAndroid Build Coastguard Worker #endif
208*6236dae4SAndroid Build Coastguard Worker }
209*6236dae4SAndroid Build Coastguard Worker else {
210*6236dae4SAndroid Build Coastguard Worker Curl_safefree(data->state.aptr.userpwd);
211*6236dae4SAndroid Build Coastguard Worker data->state.aptr.userpwd = userp;
212*6236dae4SAndroid Build Coastguard Worker }
213*6236dae4SAndroid Build Coastguard Worker
214*6236dae4SAndroid Build Coastguard Worker free(base64);
215*6236dae4SAndroid Build Coastguard Worker
216*6236dae4SAndroid Build Coastguard Worker if(!userp) {
217*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
218*6236dae4SAndroid Build Coastguard Worker }
219*6236dae4SAndroid Build Coastguard Worker
220*6236dae4SAndroid Build Coastguard Worker *state = GSS_AUTHSENT;
221*6236dae4SAndroid Build Coastguard Worker #ifdef HAVE_GSSAPI
222*6236dae4SAndroid Build Coastguard Worker if(neg_ctx->status == GSS_S_COMPLETE ||
223*6236dae4SAndroid Build Coastguard Worker neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
224*6236dae4SAndroid Build Coastguard Worker *state = GSS_AUTHDONE;
225*6236dae4SAndroid Build Coastguard Worker }
226*6236dae4SAndroid Build Coastguard Worker #else
227*6236dae4SAndroid Build Coastguard Worker #ifdef USE_WINDOWS_SSPI
228*6236dae4SAndroid Build Coastguard Worker if(neg_ctx->status == SEC_E_OK ||
229*6236dae4SAndroid Build Coastguard Worker neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
230*6236dae4SAndroid Build Coastguard Worker *state = GSS_AUTHDONE;
231*6236dae4SAndroid Build Coastguard Worker }
232*6236dae4SAndroid Build Coastguard Worker #endif
233*6236dae4SAndroid Build Coastguard Worker #endif
234*6236dae4SAndroid Build Coastguard Worker }
235*6236dae4SAndroid Build Coastguard Worker
236*6236dae4SAndroid Build Coastguard Worker if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
237*6236dae4SAndroid Build Coastguard Worker /* connection is already authenticated,
238*6236dae4SAndroid Build Coastguard Worker * do not send a header in future requests */
239*6236dae4SAndroid Build Coastguard Worker authp->done = TRUE;
240*6236dae4SAndroid Build Coastguard Worker }
241*6236dae4SAndroid Build Coastguard Worker
242*6236dae4SAndroid Build Coastguard Worker neg_ctx->havenegdata = FALSE;
243*6236dae4SAndroid Build Coastguard Worker
244*6236dae4SAndroid Build Coastguard Worker return CURLE_OK;
245*6236dae4SAndroid Build Coastguard Worker }
246*6236dae4SAndroid Build Coastguard Worker
Curl_http_auth_cleanup_negotiate(struct connectdata * conn)247*6236dae4SAndroid Build Coastguard Worker void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
248*6236dae4SAndroid Build Coastguard Worker {
249*6236dae4SAndroid Build Coastguard Worker conn->http_negotiate_state = GSS_AUTHNONE;
250*6236dae4SAndroid Build Coastguard Worker conn->proxy_negotiate_state = GSS_AUTHNONE;
251*6236dae4SAndroid Build Coastguard Worker
252*6236dae4SAndroid Build Coastguard Worker Curl_auth_cleanup_spnego(&conn->negotiate);
253*6236dae4SAndroid Build Coastguard Worker Curl_auth_cleanup_spnego(&conn->proxyneg);
254*6236dae4SAndroid Build Coastguard Worker }
255*6236dae4SAndroid Build Coastguard Worker
256*6236dae4SAndroid Build Coastguard Worker #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
257