1*6236dae4SAndroid Build Coastguard Worker /***************************************************************************
2*6236dae4SAndroid Build Coastguard Worker * _ _ ____ _
3*6236dae4SAndroid Build Coastguard Worker * Project ___| | | | _ \| |
4*6236dae4SAndroid Build Coastguard Worker * / __| | | | |_) | |
5*6236dae4SAndroid Build Coastguard Worker * | (__| |_| | _ <| |___
6*6236dae4SAndroid Build Coastguard Worker * \___|\___/|_| \_\_____|
7*6236dae4SAndroid Build Coastguard Worker *
8*6236dae4SAndroid Build Coastguard Worker * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9*6236dae4SAndroid Build Coastguard Worker *
10*6236dae4SAndroid Build Coastguard Worker * This software is licensed as described in the file COPYING, which
11*6236dae4SAndroid Build Coastguard Worker * you should have received as part of this distribution. The terms
12*6236dae4SAndroid Build Coastguard Worker * are also available at https://curl.se/docs/copyright.html.
13*6236dae4SAndroid Build Coastguard Worker *
14*6236dae4SAndroid Build Coastguard Worker * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15*6236dae4SAndroid Build Coastguard Worker * copies of the Software, and permit persons to whom the Software is
16*6236dae4SAndroid Build Coastguard Worker * furnished to do so, under the terms of the COPYING file.
17*6236dae4SAndroid Build Coastguard Worker *
18*6236dae4SAndroid Build Coastguard Worker * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19*6236dae4SAndroid Build Coastguard Worker * KIND, either express or implied.
20*6236dae4SAndroid Build Coastguard Worker *
21*6236dae4SAndroid Build Coastguard Worker * SPDX-License-Identifier: curl
22*6236dae4SAndroid Build Coastguard Worker *
23*6236dae4SAndroid Build Coastguard Worker * RFC4178 Simple and Protected GSS-API Negotiation Mechanism
24*6236dae4SAndroid Build Coastguard Worker *
25*6236dae4SAndroid Build Coastguard Worker ***************************************************************************/
26*6236dae4SAndroid Build Coastguard Worker
27*6236dae4SAndroid Build Coastguard Worker #include "curl_setup.h"
28*6236dae4SAndroid Build Coastguard Worker
29*6236dae4SAndroid Build Coastguard Worker #if defined(USE_WINDOWS_SSPI) && defined(USE_SPNEGO)
30*6236dae4SAndroid Build Coastguard Worker
31*6236dae4SAndroid Build Coastguard Worker #include <curl/curl.h>
32*6236dae4SAndroid Build Coastguard Worker
33*6236dae4SAndroid Build Coastguard Worker #include "vauth/vauth.h"
34*6236dae4SAndroid Build Coastguard Worker #include "urldata.h"
35*6236dae4SAndroid Build Coastguard Worker #include "curl_base64.h"
36*6236dae4SAndroid Build Coastguard Worker #include "warnless.h"
37*6236dae4SAndroid Build Coastguard Worker #include "curl_multibyte.h"
38*6236dae4SAndroid Build Coastguard Worker #include "sendf.h"
39*6236dae4SAndroid Build Coastguard Worker #include "strerror.h"
40*6236dae4SAndroid Build Coastguard Worker
41*6236dae4SAndroid Build Coastguard Worker /* The last #include files should be: */
42*6236dae4SAndroid Build Coastguard Worker #include "curl_memory.h"
43*6236dae4SAndroid Build Coastguard Worker #include "memdebug.h"
44*6236dae4SAndroid Build Coastguard Worker
45*6236dae4SAndroid Build Coastguard Worker /*
46*6236dae4SAndroid Build Coastguard Worker * Curl_auth_is_spnego_supported()
47*6236dae4SAndroid Build Coastguard Worker *
48*6236dae4SAndroid Build Coastguard Worker * This is used to evaluate if SPNEGO (Negotiate) is supported.
49*6236dae4SAndroid Build Coastguard Worker *
50*6236dae4SAndroid Build Coastguard Worker * Parameters: None
51*6236dae4SAndroid Build Coastguard Worker *
52*6236dae4SAndroid Build Coastguard Worker * Returns TRUE if Negotiate is supported by Windows SSPI.
53*6236dae4SAndroid Build Coastguard Worker */
Curl_auth_is_spnego_supported(void)54*6236dae4SAndroid Build Coastguard Worker bool Curl_auth_is_spnego_supported(void)
55*6236dae4SAndroid Build Coastguard Worker {
56*6236dae4SAndroid Build Coastguard Worker PSecPkgInfo SecurityPackage;
57*6236dae4SAndroid Build Coastguard Worker SECURITY_STATUS status;
58*6236dae4SAndroid Build Coastguard Worker
59*6236dae4SAndroid Build Coastguard Worker /* Query the security package for Negotiate */
60*6236dae4SAndroid Build Coastguard Worker status = Curl_pSecFn->QuerySecurityPackageInfo((TCHAR *)
61*6236dae4SAndroid Build Coastguard Worker TEXT(SP_NAME_NEGOTIATE),
62*6236dae4SAndroid Build Coastguard Worker &SecurityPackage);
63*6236dae4SAndroid Build Coastguard Worker
64*6236dae4SAndroid Build Coastguard Worker /* Release the package buffer as it is not required anymore */
65*6236dae4SAndroid Build Coastguard Worker if(status == SEC_E_OK) {
66*6236dae4SAndroid Build Coastguard Worker Curl_pSecFn->FreeContextBuffer(SecurityPackage);
67*6236dae4SAndroid Build Coastguard Worker }
68*6236dae4SAndroid Build Coastguard Worker
69*6236dae4SAndroid Build Coastguard Worker
70*6236dae4SAndroid Build Coastguard Worker return (status == SEC_E_OK);
71*6236dae4SAndroid Build Coastguard Worker }
72*6236dae4SAndroid Build Coastguard Worker
73*6236dae4SAndroid Build Coastguard Worker /*
74*6236dae4SAndroid Build Coastguard Worker * Curl_auth_decode_spnego_message()
75*6236dae4SAndroid Build Coastguard Worker *
76*6236dae4SAndroid Build Coastguard Worker * This is used to decode an already encoded SPNEGO (Negotiate) challenge
77*6236dae4SAndroid Build Coastguard Worker * message.
78*6236dae4SAndroid Build Coastguard Worker *
79*6236dae4SAndroid Build Coastguard Worker * Parameters:
80*6236dae4SAndroid Build Coastguard Worker *
81*6236dae4SAndroid Build Coastguard Worker * data [in] - The session handle.
82*6236dae4SAndroid Build Coastguard Worker * user [in] - The username in the format User or Domain\User.
83*6236dae4SAndroid Build Coastguard Worker * password [in] - The user's password.
84*6236dae4SAndroid Build Coastguard Worker * service [in] - The service type such as http, smtp, pop or imap.
85*6236dae4SAndroid Build Coastguard Worker * host [in] - The hostname.
86*6236dae4SAndroid Build Coastguard Worker * chlg64 [in] - The optional base64 encoded challenge message.
87*6236dae4SAndroid Build Coastguard Worker * nego [in/out] - The Negotiate data struct being used and modified.
88*6236dae4SAndroid Build Coastguard Worker *
89*6236dae4SAndroid Build Coastguard Worker * Returns CURLE_OK on success.
90*6236dae4SAndroid Build Coastguard Worker */
Curl_auth_decode_spnego_message(struct Curl_easy * data,const char * user,const char * password,const char * service,const char * host,const char * chlg64,struct negotiatedata * nego)91*6236dae4SAndroid Build Coastguard Worker CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
92*6236dae4SAndroid Build Coastguard Worker const char *user,
93*6236dae4SAndroid Build Coastguard Worker const char *password,
94*6236dae4SAndroid Build Coastguard Worker const char *service,
95*6236dae4SAndroid Build Coastguard Worker const char *host,
96*6236dae4SAndroid Build Coastguard Worker const char *chlg64,
97*6236dae4SAndroid Build Coastguard Worker struct negotiatedata *nego)
98*6236dae4SAndroid Build Coastguard Worker {
99*6236dae4SAndroid Build Coastguard Worker CURLcode result = CURLE_OK;
100*6236dae4SAndroid Build Coastguard Worker size_t chlglen = 0;
101*6236dae4SAndroid Build Coastguard Worker unsigned char *chlg = NULL;
102*6236dae4SAndroid Build Coastguard Worker PSecPkgInfo SecurityPackage;
103*6236dae4SAndroid Build Coastguard Worker SecBuffer chlg_buf[2];
104*6236dae4SAndroid Build Coastguard Worker SecBuffer resp_buf;
105*6236dae4SAndroid Build Coastguard Worker SecBufferDesc chlg_desc;
106*6236dae4SAndroid Build Coastguard Worker SecBufferDesc resp_desc;
107*6236dae4SAndroid Build Coastguard Worker unsigned long attrs;
108*6236dae4SAndroid Build Coastguard Worker TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
109*6236dae4SAndroid Build Coastguard Worker
110*6236dae4SAndroid Build Coastguard Worker #if defined(CURL_DISABLE_VERBOSE_STRINGS)
111*6236dae4SAndroid Build Coastguard Worker (void) data;
112*6236dae4SAndroid Build Coastguard Worker #endif
113*6236dae4SAndroid Build Coastguard Worker
114*6236dae4SAndroid Build Coastguard Worker if(nego->context && nego->status == SEC_E_OK) {
115*6236dae4SAndroid Build Coastguard Worker /* We finished successfully our part of authentication, but server
116*6236dae4SAndroid Build Coastguard Worker * rejected it (since we are again here). Exit with an error since we
117*6236dae4SAndroid Build Coastguard Worker * cannot invent anything better */
118*6236dae4SAndroid Build Coastguard Worker Curl_auth_cleanup_spnego(nego);
119*6236dae4SAndroid Build Coastguard Worker return CURLE_LOGIN_DENIED;
120*6236dae4SAndroid Build Coastguard Worker }
121*6236dae4SAndroid Build Coastguard Worker
122*6236dae4SAndroid Build Coastguard Worker if(!nego->spn) {
123*6236dae4SAndroid Build Coastguard Worker /* Generate our SPN */
124*6236dae4SAndroid Build Coastguard Worker nego->spn = Curl_auth_build_spn(service, host, NULL);
125*6236dae4SAndroid Build Coastguard Worker if(!nego->spn)
126*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
127*6236dae4SAndroid Build Coastguard Worker }
128*6236dae4SAndroid Build Coastguard Worker
129*6236dae4SAndroid Build Coastguard Worker if(!nego->output_token) {
130*6236dae4SAndroid Build Coastguard Worker /* Query the security package for Negotiate */
131*6236dae4SAndroid Build Coastguard Worker nego->status = (DWORD)Curl_pSecFn->QuerySecurityPackageInfo((TCHAR *)
132*6236dae4SAndroid Build Coastguard Worker TEXT(SP_NAME_NEGOTIATE),
133*6236dae4SAndroid Build Coastguard Worker &SecurityPackage);
134*6236dae4SAndroid Build Coastguard Worker if(nego->status != SEC_E_OK) {
135*6236dae4SAndroid Build Coastguard Worker failf(data, "SSPI: could not get auth info");
136*6236dae4SAndroid Build Coastguard Worker return CURLE_AUTH_ERROR;
137*6236dae4SAndroid Build Coastguard Worker }
138*6236dae4SAndroid Build Coastguard Worker
139*6236dae4SAndroid Build Coastguard Worker nego->token_max = SecurityPackage->cbMaxToken;
140*6236dae4SAndroid Build Coastguard Worker
141*6236dae4SAndroid Build Coastguard Worker /* Release the package buffer as it is not required anymore */
142*6236dae4SAndroid Build Coastguard Worker Curl_pSecFn->FreeContextBuffer(SecurityPackage);
143*6236dae4SAndroid Build Coastguard Worker
144*6236dae4SAndroid Build Coastguard Worker /* Allocate our output buffer */
145*6236dae4SAndroid Build Coastguard Worker nego->output_token = malloc(nego->token_max);
146*6236dae4SAndroid Build Coastguard Worker if(!nego->output_token)
147*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
148*6236dae4SAndroid Build Coastguard Worker }
149*6236dae4SAndroid Build Coastguard Worker
150*6236dae4SAndroid Build Coastguard Worker if(!nego->credentials) {
151*6236dae4SAndroid Build Coastguard Worker /* Do we have credentials to use or are we using single sign-on? */
152*6236dae4SAndroid Build Coastguard Worker if(user && *user) {
153*6236dae4SAndroid Build Coastguard Worker /* Populate our identity structure */
154*6236dae4SAndroid Build Coastguard Worker result = Curl_create_sspi_identity(user, password, &nego->identity);
155*6236dae4SAndroid Build Coastguard Worker if(result)
156*6236dae4SAndroid Build Coastguard Worker return result;
157*6236dae4SAndroid Build Coastguard Worker
158*6236dae4SAndroid Build Coastguard Worker /* Allow proper cleanup of the identity structure */
159*6236dae4SAndroid Build Coastguard Worker nego->p_identity = &nego->identity;
160*6236dae4SAndroid Build Coastguard Worker }
161*6236dae4SAndroid Build Coastguard Worker else
162*6236dae4SAndroid Build Coastguard Worker /* Use the current Windows user */
163*6236dae4SAndroid Build Coastguard Worker nego->p_identity = NULL;
164*6236dae4SAndroid Build Coastguard Worker
165*6236dae4SAndroid Build Coastguard Worker /* Allocate our credentials handle */
166*6236dae4SAndroid Build Coastguard Worker nego->credentials = calloc(1, sizeof(CredHandle));
167*6236dae4SAndroid Build Coastguard Worker if(!nego->credentials)
168*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
169*6236dae4SAndroid Build Coastguard Worker
170*6236dae4SAndroid Build Coastguard Worker /* Acquire our credentials handle */
171*6236dae4SAndroid Build Coastguard Worker nego->status = (DWORD)
172*6236dae4SAndroid Build Coastguard Worker Curl_pSecFn->AcquireCredentialsHandle(NULL,
173*6236dae4SAndroid Build Coastguard Worker (TCHAR *)TEXT(SP_NAME_NEGOTIATE),
174*6236dae4SAndroid Build Coastguard Worker SECPKG_CRED_OUTBOUND, NULL,
175*6236dae4SAndroid Build Coastguard Worker nego->p_identity, NULL, NULL,
176*6236dae4SAndroid Build Coastguard Worker nego->credentials, &expiry);
177*6236dae4SAndroid Build Coastguard Worker if(nego->status != SEC_E_OK)
178*6236dae4SAndroid Build Coastguard Worker return CURLE_AUTH_ERROR;
179*6236dae4SAndroid Build Coastguard Worker
180*6236dae4SAndroid Build Coastguard Worker /* Allocate our new context handle */
181*6236dae4SAndroid Build Coastguard Worker nego->context = calloc(1, sizeof(CtxtHandle));
182*6236dae4SAndroid Build Coastguard Worker if(!nego->context)
183*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
184*6236dae4SAndroid Build Coastguard Worker }
185*6236dae4SAndroid Build Coastguard Worker
186*6236dae4SAndroid Build Coastguard Worker if(chlg64 && *chlg64) {
187*6236dae4SAndroid Build Coastguard Worker /* Decode the base-64 encoded challenge message */
188*6236dae4SAndroid Build Coastguard Worker if(*chlg64 != '=') {
189*6236dae4SAndroid Build Coastguard Worker result = Curl_base64_decode(chlg64, &chlg, &chlglen);
190*6236dae4SAndroid Build Coastguard Worker if(result)
191*6236dae4SAndroid Build Coastguard Worker return result;
192*6236dae4SAndroid Build Coastguard Worker }
193*6236dae4SAndroid Build Coastguard Worker
194*6236dae4SAndroid Build Coastguard Worker /* Ensure we have a valid challenge message */
195*6236dae4SAndroid Build Coastguard Worker if(!chlg) {
196*6236dae4SAndroid Build Coastguard Worker infof(data, "SPNEGO handshake failure (empty challenge message)");
197*6236dae4SAndroid Build Coastguard Worker return CURLE_BAD_CONTENT_ENCODING;
198*6236dae4SAndroid Build Coastguard Worker }
199*6236dae4SAndroid Build Coastguard Worker
200*6236dae4SAndroid Build Coastguard Worker /* Setup the challenge "input" security buffer */
201*6236dae4SAndroid Build Coastguard Worker chlg_desc.ulVersion = SECBUFFER_VERSION;
202*6236dae4SAndroid Build Coastguard Worker chlg_desc.cBuffers = 1;
203*6236dae4SAndroid Build Coastguard Worker chlg_desc.pBuffers = &chlg_buf[0];
204*6236dae4SAndroid Build Coastguard Worker chlg_buf[0].BufferType = SECBUFFER_TOKEN;
205*6236dae4SAndroid Build Coastguard Worker chlg_buf[0].pvBuffer = chlg;
206*6236dae4SAndroid Build Coastguard Worker chlg_buf[0].cbBuffer = curlx_uztoul(chlglen);
207*6236dae4SAndroid Build Coastguard Worker
208*6236dae4SAndroid Build Coastguard Worker #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
209*6236dae4SAndroid Build Coastguard Worker /* ssl context comes from Schannel.
210*6236dae4SAndroid Build Coastguard Worker * When extended protection is used in IIS server,
211*6236dae4SAndroid Build Coastguard Worker * we have to pass a second SecBuffer to the SecBufferDesc
212*6236dae4SAndroid Build Coastguard Worker * otherwise IIS will not pass the authentication (401 response).
213*6236dae4SAndroid Build Coastguard Worker * Minimum supported version is Windows 7.
214*6236dae4SAndroid Build Coastguard Worker * https://docs.microsoft.com/en-us/security-updates
215*6236dae4SAndroid Build Coastguard Worker * /SecurityAdvisories/2009/973811
216*6236dae4SAndroid Build Coastguard Worker */
217*6236dae4SAndroid Build Coastguard Worker if(nego->sslContext) {
218*6236dae4SAndroid Build Coastguard Worker SEC_CHANNEL_BINDINGS channelBindings;
219*6236dae4SAndroid Build Coastguard Worker SecPkgContext_Bindings pkgBindings;
220*6236dae4SAndroid Build Coastguard Worker pkgBindings.Bindings = &channelBindings;
221*6236dae4SAndroid Build Coastguard Worker nego->status = (DWORD)Curl_pSecFn->QueryContextAttributes(
222*6236dae4SAndroid Build Coastguard Worker nego->sslContext,
223*6236dae4SAndroid Build Coastguard Worker SECPKG_ATTR_ENDPOINT_BINDINGS,
224*6236dae4SAndroid Build Coastguard Worker &pkgBindings
225*6236dae4SAndroid Build Coastguard Worker );
226*6236dae4SAndroid Build Coastguard Worker if(nego->status == SEC_E_OK) {
227*6236dae4SAndroid Build Coastguard Worker chlg_desc.cBuffers++;
228*6236dae4SAndroid Build Coastguard Worker chlg_buf[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
229*6236dae4SAndroid Build Coastguard Worker chlg_buf[1].cbBuffer = pkgBindings.BindingsLength;
230*6236dae4SAndroid Build Coastguard Worker chlg_buf[1].pvBuffer = pkgBindings.Bindings;
231*6236dae4SAndroid Build Coastguard Worker }
232*6236dae4SAndroid Build Coastguard Worker }
233*6236dae4SAndroid Build Coastguard Worker #endif
234*6236dae4SAndroid Build Coastguard Worker }
235*6236dae4SAndroid Build Coastguard Worker
236*6236dae4SAndroid Build Coastguard Worker /* Setup the response "output" security buffer */
237*6236dae4SAndroid Build Coastguard Worker resp_desc.ulVersion = SECBUFFER_VERSION;
238*6236dae4SAndroid Build Coastguard Worker resp_desc.cBuffers = 1;
239*6236dae4SAndroid Build Coastguard Worker resp_desc.pBuffers = &resp_buf;
240*6236dae4SAndroid Build Coastguard Worker resp_buf.BufferType = SECBUFFER_TOKEN;
241*6236dae4SAndroid Build Coastguard Worker resp_buf.pvBuffer = nego->output_token;
242*6236dae4SAndroid Build Coastguard Worker resp_buf.cbBuffer = curlx_uztoul(nego->token_max);
243*6236dae4SAndroid Build Coastguard Worker
244*6236dae4SAndroid Build Coastguard Worker /* Generate our challenge-response message */
245*6236dae4SAndroid Build Coastguard Worker nego->status =
246*6236dae4SAndroid Build Coastguard Worker (DWORD)Curl_pSecFn->InitializeSecurityContext(nego->credentials,
247*6236dae4SAndroid Build Coastguard Worker chlg ? nego->context : NULL,
248*6236dae4SAndroid Build Coastguard Worker nego->spn,
249*6236dae4SAndroid Build Coastguard Worker ISC_REQ_CONFIDENTIALITY,
250*6236dae4SAndroid Build Coastguard Worker 0, SECURITY_NATIVE_DREP,
251*6236dae4SAndroid Build Coastguard Worker chlg ? &chlg_desc : NULL,
252*6236dae4SAndroid Build Coastguard Worker 0, nego->context,
253*6236dae4SAndroid Build Coastguard Worker &resp_desc, &attrs,
254*6236dae4SAndroid Build Coastguard Worker &expiry);
255*6236dae4SAndroid Build Coastguard Worker
256*6236dae4SAndroid Build Coastguard Worker /* Free the decoded challenge as it is not required anymore */
257*6236dae4SAndroid Build Coastguard Worker free(chlg);
258*6236dae4SAndroid Build Coastguard Worker
259*6236dae4SAndroid Build Coastguard Worker if(GSS_ERROR(nego->status)) {
260*6236dae4SAndroid Build Coastguard Worker char buffer[STRERROR_LEN];
261*6236dae4SAndroid Build Coastguard Worker failf(data, "InitializeSecurityContext failed: %s",
262*6236dae4SAndroid Build Coastguard Worker Curl_sspi_strerror((int)nego->status, buffer, sizeof(buffer)));
263*6236dae4SAndroid Build Coastguard Worker
264*6236dae4SAndroid Build Coastguard Worker if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
265*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
266*6236dae4SAndroid Build Coastguard Worker
267*6236dae4SAndroid Build Coastguard Worker return CURLE_AUTH_ERROR;
268*6236dae4SAndroid Build Coastguard Worker }
269*6236dae4SAndroid Build Coastguard Worker
270*6236dae4SAndroid Build Coastguard Worker if(nego->status == SEC_I_COMPLETE_NEEDED ||
271*6236dae4SAndroid Build Coastguard Worker nego->status == SEC_I_COMPLETE_AND_CONTINUE) {
272*6236dae4SAndroid Build Coastguard Worker nego->status = (DWORD)Curl_pSecFn->CompleteAuthToken(nego->context,
273*6236dae4SAndroid Build Coastguard Worker &resp_desc);
274*6236dae4SAndroid Build Coastguard Worker if(GSS_ERROR(nego->status)) {
275*6236dae4SAndroid Build Coastguard Worker char buffer[STRERROR_LEN];
276*6236dae4SAndroid Build Coastguard Worker failf(data, "CompleteAuthToken failed: %s",
277*6236dae4SAndroid Build Coastguard Worker Curl_sspi_strerror((int)nego->status, buffer, sizeof(buffer)));
278*6236dae4SAndroid Build Coastguard Worker
279*6236dae4SAndroid Build Coastguard Worker if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
280*6236dae4SAndroid Build Coastguard Worker return CURLE_OUT_OF_MEMORY;
281*6236dae4SAndroid Build Coastguard Worker
282*6236dae4SAndroid Build Coastguard Worker return CURLE_AUTH_ERROR;
283*6236dae4SAndroid Build Coastguard Worker }
284*6236dae4SAndroid Build Coastguard Worker }
285*6236dae4SAndroid Build Coastguard Worker
286*6236dae4SAndroid Build Coastguard Worker nego->output_token_length = resp_buf.cbBuffer;
287*6236dae4SAndroid Build Coastguard Worker
288*6236dae4SAndroid Build Coastguard Worker return result;
289*6236dae4SAndroid Build Coastguard Worker }
290*6236dae4SAndroid Build Coastguard Worker
291*6236dae4SAndroid Build Coastguard Worker /*
292*6236dae4SAndroid Build Coastguard Worker * Curl_auth_create_spnego_message()
293*6236dae4SAndroid Build Coastguard Worker *
294*6236dae4SAndroid Build Coastguard Worker * This is used to generate an already encoded SPNEGO (Negotiate) response
295*6236dae4SAndroid Build Coastguard Worker * message ready for sending to the recipient.
296*6236dae4SAndroid Build Coastguard Worker *
297*6236dae4SAndroid Build Coastguard Worker * Parameters:
298*6236dae4SAndroid Build Coastguard Worker *
299*6236dae4SAndroid Build Coastguard Worker * data [in] - The session handle.
300*6236dae4SAndroid Build Coastguard Worker * nego [in/out] - The Negotiate data struct being used and modified.
301*6236dae4SAndroid Build Coastguard Worker * outptr [in/out] - The address where a pointer to newly allocated memory
302*6236dae4SAndroid Build Coastguard Worker * holding the result will be stored upon completion.
303*6236dae4SAndroid Build Coastguard Worker * outlen [out] - The length of the output message.
304*6236dae4SAndroid Build Coastguard Worker *
305*6236dae4SAndroid Build Coastguard Worker * Returns CURLE_OK on success.
306*6236dae4SAndroid Build Coastguard Worker */
Curl_auth_create_spnego_message(struct negotiatedata * nego,char ** outptr,size_t * outlen)307*6236dae4SAndroid Build Coastguard Worker CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego,
308*6236dae4SAndroid Build Coastguard Worker char **outptr, size_t *outlen)
309*6236dae4SAndroid Build Coastguard Worker {
310*6236dae4SAndroid Build Coastguard Worker /* Base64 encode the already generated response */
311*6236dae4SAndroid Build Coastguard Worker CURLcode result = Curl_base64_encode((const char *) nego->output_token,
312*6236dae4SAndroid Build Coastguard Worker nego->output_token_length, outptr,
313*6236dae4SAndroid Build Coastguard Worker outlen);
314*6236dae4SAndroid Build Coastguard Worker if(!result && (!*outptr || !*outlen)) {
315*6236dae4SAndroid Build Coastguard Worker free(*outptr);
316*6236dae4SAndroid Build Coastguard Worker result = CURLE_REMOTE_ACCESS_DENIED;
317*6236dae4SAndroid Build Coastguard Worker }
318*6236dae4SAndroid Build Coastguard Worker
319*6236dae4SAndroid Build Coastguard Worker return result;
320*6236dae4SAndroid Build Coastguard Worker }
321*6236dae4SAndroid Build Coastguard Worker
322*6236dae4SAndroid Build Coastguard Worker /*
323*6236dae4SAndroid Build Coastguard Worker * Curl_auth_cleanup_spnego()
324*6236dae4SAndroid Build Coastguard Worker *
325*6236dae4SAndroid Build Coastguard Worker * This is used to clean up the SPNEGO (Negotiate) specific data.
326*6236dae4SAndroid Build Coastguard Worker *
327*6236dae4SAndroid Build Coastguard Worker * Parameters:
328*6236dae4SAndroid Build Coastguard Worker *
329*6236dae4SAndroid Build Coastguard Worker * nego [in/out] - The Negotiate data struct being cleaned up.
330*6236dae4SAndroid Build Coastguard Worker *
331*6236dae4SAndroid Build Coastguard Worker */
Curl_auth_cleanup_spnego(struct negotiatedata * nego)332*6236dae4SAndroid Build Coastguard Worker void Curl_auth_cleanup_spnego(struct negotiatedata *nego)
333*6236dae4SAndroid Build Coastguard Worker {
334*6236dae4SAndroid Build Coastguard Worker /* Free our security context */
335*6236dae4SAndroid Build Coastguard Worker if(nego->context) {
336*6236dae4SAndroid Build Coastguard Worker Curl_pSecFn->DeleteSecurityContext(nego->context);
337*6236dae4SAndroid Build Coastguard Worker free(nego->context);
338*6236dae4SAndroid Build Coastguard Worker nego->context = NULL;
339*6236dae4SAndroid Build Coastguard Worker }
340*6236dae4SAndroid Build Coastguard Worker
341*6236dae4SAndroid Build Coastguard Worker /* Free our credentials handle */
342*6236dae4SAndroid Build Coastguard Worker if(nego->credentials) {
343*6236dae4SAndroid Build Coastguard Worker Curl_pSecFn->FreeCredentialsHandle(nego->credentials);
344*6236dae4SAndroid Build Coastguard Worker free(nego->credentials);
345*6236dae4SAndroid Build Coastguard Worker nego->credentials = NULL;
346*6236dae4SAndroid Build Coastguard Worker }
347*6236dae4SAndroid Build Coastguard Worker
348*6236dae4SAndroid Build Coastguard Worker /* Free our identity */
349*6236dae4SAndroid Build Coastguard Worker Curl_sspi_free_identity(nego->p_identity);
350*6236dae4SAndroid Build Coastguard Worker nego->p_identity = NULL;
351*6236dae4SAndroid Build Coastguard Worker
352*6236dae4SAndroid Build Coastguard Worker /* Free the SPN and output token */
353*6236dae4SAndroid Build Coastguard Worker Curl_safefree(nego->spn);
354*6236dae4SAndroid Build Coastguard Worker Curl_safefree(nego->output_token);
355*6236dae4SAndroid Build Coastguard Worker
356*6236dae4SAndroid Build Coastguard Worker /* Reset any variables */
357*6236dae4SAndroid Build Coastguard Worker nego->status = 0;
358*6236dae4SAndroid Build Coastguard Worker nego->token_max = 0;
359*6236dae4SAndroid Build Coastguard Worker nego->noauthpersist = FALSE;
360*6236dae4SAndroid Build Coastguard Worker nego->havenoauthpersist = FALSE;
361*6236dae4SAndroid Build Coastguard Worker nego->havenegdata = FALSE;
362*6236dae4SAndroid Build Coastguard Worker nego->havemultiplerequests = FALSE;
363*6236dae4SAndroid Build Coastguard Worker }
364*6236dae4SAndroid Build Coastguard Worker
365*6236dae4SAndroid Build Coastguard Worker #endif /* USE_WINDOWS_SSPI && USE_SPNEGO */
366