Annotation of embedaddon/curl/lib/vauth/krb5_gssapi.c, revision 1.1
1.1 ! misho 1: /***************************************************************************
! 2: * _ _ ____ _
! 3: * Project ___| | | | _ \| |
! 4: * / __| | | | |_) | |
! 5: * | (__| |_| | _ <| |___
! 6: * \___|\___/|_| \_\_____|
! 7: *
! 8: * Copyright (C) 2014 - 2019, Steve Holme, <steve_holme@hotmail.com>.
! 9: * Copyright (C) 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
! 10: *
! 11: * This software is licensed as described in the file COPYING, which
! 12: * you should have received as part of this distribution. The terms
! 13: * are also available at https://curl.haxx.se/docs/copyright.html.
! 14: *
! 15: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
! 16: * copies of the Software, and permit persons to whom the Software is
! 17: * furnished to do so, under the terms of the COPYING file.
! 18: *
! 19: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
! 20: * KIND, either express or implied.
! 21: *
! 22: * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism
! 23: *
! 24: ***************************************************************************/
! 25:
! 26: #include "curl_setup.h"
! 27:
! 28: #if defined(HAVE_GSSAPI) && defined(USE_KERBEROS5)
! 29:
! 30: #include <curl/curl.h>
! 31:
! 32: #include "vauth/vauth.h"
! 33: #include "curl_sasl.h"
! 34: #include "urldata.h"
! 35: #include "curl_base64.h"
! 36: #include "curl_gssapi.h"
! 37: #include "sendf.h"
! 38: #include "curl_printf.h"
! 39:
! 40: /* The last #include files should be: */
! 41: #include "curl_memory.h"
! 42: #include "memdebug.h"
! 43:
! 44: /*
! 45: * Curl_auth_is_gssapi_supported()
! 46: *
! 47: * This is used to evaluate if GSSAPI (Kerberos V5) is supported.
! 48: *
! 49: * Parameters: None
! 50: *
! 51: * Returns TRUE if Kerberos V5 is supported by the GSS-API library.
! 52: */
! 53: bool Curl_auth_is_gssapi_supported(void)
! 54: {
! 55: return TRUE;
! 56: }
! 57:
! 58: /*
! 59: * Curl_auth_create_gssapi_user_message()
! 60: *
! 61: * This is used to generate an already encoded GSSAPI (Kerberos V5) user token
! 62: * message ready for sending to the recipient.
! 63: *
! 64: * Parameters:
! 65: *
! 66: * data [in] - The session handle.
! 67: * userp [in] - The user name.
! 68: * passwdp [in] - The user's password.
! 69: * service [in] - The service type such as http, smtp, pop or imap.
! 70: * host [in[ - The host name.
! 71: * mutual_auth [in] - Flag specifying whether or not mutual authentication
! 72: * is enabled.
! 73: * chlg64 [in] - Pointer to the optional base64 encoded challenge
! 74: * message.
! 75: * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
! 76: * outptr [in/out] - The address where a pointer to newly allocated memory
! 77: * holding the result will be stored upon completion.
! 78: * outlen [out] - The length of the output message.
! 79: *
! 80: * Returns CURLE_OK on success.
! 81: */
! 82: CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
! 83: const char *userp,
! 84: const char *passwdp,
! 85: const char *service,
! 86: const char *host,
! 87: const bool mutual_auth,
! 88: const char *chlg64,
! 89: struct kerberos5data *krb5,
! 90: char **outptr, size_t *outlen)
! 91: {
! 92: CURLcode result = CURLE_OK;
! 93: size_t chlglen = 0;
! 94: unsigned char *chlg = NULL;
! 95: OM_uint32 major_status;
! 96: OM_uint32 minor_status;
! 97: OM_uint32 unused_status;
! 98: gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER;
! 99: gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
! 100: gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
! 101:
! 102: (void) userp;
! 103: (void) passwdp;
! 104:
! 105: if(!krb5->spn) {
! 106: /* Generate our SPN */
! 107: char *spn = Curl_auth_build_spn(service, NULL, host);
! 108: if(!spn)
! 109: return CURLE_OUT_OF_MEMORY;
! 110:
! 111: /* Populate the SPN structure */
! 112: spn_token.value = spn;
! 113: spn_token.length = strlen(spn);
! 114:
! 115: /* Import the SPN */
! 116: major_status = gss_import_name(&minor_status, &spn_token,
! 117: GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
! 118: if(GSS_ERROR(major_status)) {
! 119: Curl_gss_log_error(data, "gss_import_name() failed: ",
! 120: major_status, minor_status);
! 121:
! 122: free(spn);
! 123:
! 124: return CURLE_AUTH_ERROR;
! 125: }
! 126:
! 127: free(spn);
! 128: }
! 129:
! 130: if(chlg64 && *chlg64) {
! 131: /* Decode the base-64 encoded challenge message */
! 132: if(*chlg64 != '=') {
! 133: result = Curl_base64_decode(chlg64, &chlg, &chlglen);
! 134: if(result)
! 135: return result;
! 136: }
! 137:
! 138: /* Ensure we have a valid challenge message */
! 139: if(!chlg) {
! 140: infof(data, "GSSAPI handshake failure (empty challenge message)\n");
! 141:
! 142: return CURLE_BAD_CONTENT_ENCODING;
! 143: }
! 144:
! 145: /* Setup the challenge "input" security buffer */
! 146: input_token.value = chlg;
! 147: input_token.length = chlglen;
! 148: }
! 149:
! 150: major_status = Curl_gss_init_sec_context(data,
! 151: &minor_status,
! 152: &krb5->context,
! 153: krb5->spn,
! 154: &Curl_krb5_mech_oid,
! 155: GSS_C_NO_CHANNEL_BINDINGS,
! 156: &input_token,
! 157: &output_token,
! 158: mutual_auth,
! 159: NULL);
! 160:
! 161: /* Free the decoded challenge as it is not required anymore */
! 162: free(input_token.value);
! 163:
! 164: if(GSS_ERROR(major_status)) {
! 165: if(output_token.value)
! 166: gss_release_buffer(&unused_status, &output_token);
! 167:
! 168: Curl_gss_log_error(data, "gss_init_sec_context() failed: ",
! 169: major_status, minor_status);
! 170:
! 171: return CURLE_AUTH_ERROR;
! 172: }
! 173:
! 174: if(output_token.value && output_token.length) {
! 175: /* Base64 encode the response */
! 176: result = Curl_base64_encode(data, (char *) output_token.value,
! 177: output_token.length, outptr, outlen);
! 178:
! 179: gss_release_buffer(&unused_status, &output_token);
! 180: }
! 181: else if(mutual_auth) {
! 182: *outptr = strdup("");
! 183: if(!*outptr)
! 184: result = CURLE_OUT_OF_MEMORY;
! 185: }
! 186:
! 187: return result;
! 188: }
! 189:
! 190: /*
! 191: * Curl_auth_create_gssapi_security_message()
! 192: *
! 193: * This is used to generate an already encoded GSSAPI (Kerberos V5) security
! 194: * token message ready for sending to the recipient.
! 195: *
! 196: * Parameters:
! 197: *
! 198: * data [in] - The session handle.
! 199: * chlg64 [in] - Pointer to the optional base64 encoded challenge message.
! 200: * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
! 201: * outptr [in/out] - The address where a pointer to newly allocated memory
! 202: * holding the result will be stored upon completion.
! 203: * outlen [out] - The length of the output message.
! 204: *
! 205: * Returns CURLE_OK on success.
! 206: */
! 207: CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
! 208: const char *chlg64,
! 209: struct kerberos5data *krb5,
! 210: char **outptr,
! 211: size_t *outlen)
! 212: {
! 213: CURLcode result = CURLE_OK;
! 214: size_t chlglen = 0;
! 215: size_t messagelen = 0;
! 216: unsigned char *chlg = NULL;
! 217: unsigned char *message = NULL;
! 218: OM_uint32 major_status;
! 219: OM_uint32 minor_status;
! 220: OM_uint32 unused_status;
! 221: gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
! 222: gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
! 223: unsigned int indata = 0;
! 224: unsigned int outdata = 0;
! 225: gss_qop_t qop = GSS_C_QOP_DEFAULT;
! 226: unsigned int sec_layer = 0;
! 227: unsigned int max_size = 0;
! 228: gss_name_t username = GSS_C_NO_NAME;
! 229: gss_buffer_desc username_token;
! 230:
! 231: /* Decode the base-64 encoded input message */
! 232: if(strlen(chlg64) && *chlg64 != '=') {
! 233: result = Curl_base64_decode(chlg64, &chlg, &chlglen);
! 234: if(result)
! 235: return result;
! 236: }
! 237:
! 238: /* Ensure we have a valid challenge message */
! 239: if(!chlg) {
! 240: infof(data, "GSSAPI handshake failure (empty security message)\n");
! 241:
! 242: return CURLE_BAD_CONTENT_ENCODING;
! 243: }
! 244:
! 245: /* Get the fully qualified username back from the context */
! 246: major_status = gss_inquire_context(&minor_status, krb5->context,
! 247: &username, NULL, NULL, NULL, NULL,
! 248: NULL, NULL);
! 249: if(GSS_ERROR(major_status)) {
! 250: Curl_gss_log_error(data, "gss_inquire_context() failed: ",
! 251: major_status, minor_status);
! 252:
! 253: free(chlg);
! 254:
! 255: return CURLE_AUTH_ERROR;
! 256: }
! 257:
! 258: /* Convert the username from internal format to a displayable token */
! 259: major_status = gss_display_name(&minor_status, username,
! 260: &username_token, NULL);
! 261: if(GSS_ERROR(major_status)) {
! 262: Curl_gss_log_error(data, "gss_display_name() failed: ",
! 263: major_status, minor_status);
! 264:
! 265: free(chlg);
! 266:
! 267: return CURLE_AUTH_ERROR;
! 268: }
! 269:
! 270: /* Setup the challenge "input" security buffer */
! 271: input_token.value = chlg;
! 272: input_token.length = chlglen;
! 273:
! 274: /* Decrypt the inbound challenge and obtain the qop */
! 275: major_status = gss_unwrap(&minor_status, krb5->context, &input_token,
! 276: &output_token, NULL, &qop);
! 277: if(GSS_ERROR(major_status)) {
! 278: Curl_gss_log_error(data, "gss_unwrap() failed: ",
! 279: major_status, minor_status);
! 280:
! 281: gss_release_buffer(&unused_status, &username_token);
! 282: free(chlg);
! 283:
! 284: return CURLE_BAD_CONTENT_ENCODING;
! 285: }
! 286:
! 287: /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
! 288: if(output_token.length != 4) {
! 289: infof(data, "GSSAPI handshake failure (invalid security data)\n");
! 290:
! 291: gss_release_buffer(&unused_status, &username_token);
! 292: free(chlg);
! 293:
! 294: return CURLE_BAD_CONTENT_ENCODING;
! 295: }
! 296:
! 297: /* Copy the data out and free the challenge as it is not required anymore */
! 298: memcpy(&indata, output_token.value, 4);
! 299: gss_release_buffer(&unused_status, &output_token);
! 300: free(chlg);
! 301:
! 302: /* Extract the security layer */
! 303: sec_layer = indata & 0x000000FF;
! 304: if(!(sec_layer & GSSAUTH_P_NONE)) {
! 305: infof(data, "GSSAPI handshake failure (invalid security layer)\n");
! 306:
! 307: gss_release_buffer(&unused_status, &username_token);
! 308:
! 309: return CURLE_BAD_CONTENT_ENCODING;
! 310: }
! 311:
! 312: /* Extract the maximum message size the server can receive */
! 313: max_size = ntohl(indata & 0xFFFFFF00);
! 314: if(max_size > 0) {
! 315: /* The server has told us it supports a maximum receive buffer, however, as
! 316: we don't require one unless we are encrypting data, we tell the server
! 317: our receive buffer is zero. */
! 318: max_size = 0;
! 319: }
! 320:
! 321: /* Allocate our message */
! 322: messagelen = sizeof(outdata) + username_token.length + 1;
! 323: message = malloc(messagelen);
! 324: if(!message) {
! 325: gss_release_buffer(&unused_status, &username_token);
! 326:
! 327: return CURLE_OUT_OF_MEMORY;
! 328: }
! 329:
! 330: /* Populate the message with the security layer, client supported receive
! 331: message size and authorization identity including the 0x00 based
! 332: terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
! 333: identity is not terminated with the zero-valued (%x00) octet." it seems
! 334: necessary to include it. */
! 335: outdata = htonl(max_size) | sec_layer;
! 336: memcpy(message, &outdata, sizeof(outdata));
! 337: memcpy(message + sizeof(outdata), username_token.value,
! 338: username_token.length);
! 339: message[messagelen - 1] = '\0';
! 340:
! 341: /* Free the username token as it is not required anymore */
! 342: gss_release_buffer(&unused_status, &username_token);
! 343:
! 344: /* Setup the "authentication data" security buffer */
! 345: input_token.value = message;
! 346: input_token.length = messagelen;
! 347:
! 348: /* Encrypt the data */
! 349: major_status = gss_wrap(&minor_status, krb5->context, 0,
! 350: GSS_C_QOP_DEFAULT, &input_token, NULL,
! 351: &output_token);
! 352: if(GSS_ERROR(major_status)) {
! 353: Curl_gss_log_error(data, "gss_wrap() failed: ",
! 354: major_status, minor_status);
! 355:
! 356: free(message);
! 357:
! 358: return CURLE_AUTH_ERROR;
! 359: }
! 360:
! 361: /* Base64 encode the response */
! 362: result = Curl_base64_encode(data, (char *) output_token.value,
! 363: output_token.length, outptr, outlen);
! 364:
! 365: /* Free the output buffer */
! 366: gss_release_buffer(&unused_status, &output_token);
! 367:
! 368: /* Free the message buffer */
! 369: free(message);
! 370:
! 371: return result;
! 372: }
! 373:
! 374: /*
! 375: * Curl_auth_cleanup_gssapi()
! 376: *
! 377: * This is used to clean up the GSSAPI (Kerberos V5) specific data.
! 378: *
! 379: * Parameters:
! 380: *
! 381: * krb5 [in/out] - The Kerberos 5 data struct being cleaned up.
! 382: *
! 383: */
! 384: void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5)
! 385: {
! 386: OM_uint32 minor_status;
! 387:
! 388: /* Free our security context */
! 389: if(krb5->context != GSS_C_NO_CONTEXT) {
! 390: gss_delete_sec_context(&minor_status, &krb5->context, GSS_C_NO_BUFFER);
! 391: krb5->context = GSS_C_NO_CONTEXT;
! 392: }
! 393:
! 394: /* Free the SPN */
! 395: if(krb5->spn != GSS_C_NO_NAME) {
! 396: gss_release_name(&minor_status, &krb5->spn);
! 397: krb5->spn = GSS_C_NO_NAME;
! 398: }
! 399: }
! 400:
! 401: #endif /* HAVE_GSSAPI && USE_KERBEROS5 */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to krb5_gssapi.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vauth