Annotation of embedaddon/curl/lib/vauth/krb5_sspi.c, revision 1.1
1.1 ! misho 1: /***************************************************************************
! 2: * _ _ ____ _
! 3: * Project ___| | | | _ \| |
! 4: * / __| | | | |_) | |
! 5: * | (__| |_| | _ <| |___
! 6: * \___|\___/|_| \_\_____|
! 7: *
! 8: * Copyright (C) 2014 - 2019, Steve Holme, <steve_holme@hotmail.com>.
! 9: *
! 10: * This software is licensed as described in the file COPYING, which
! 11: * you should have received as part of this distribution. The terms
! 12: * are also available at https://curl.haxx.se/docs/copyright.html.
! 13: *
! 14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
! 15: * copies of the Software, and permit persons to whom the Software is
! 16: * furnished to do so, under the terms of the COPYING file.
! 17: *
! 18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
! 19: * KIND, either express or implied.
! 20: *
! 21: * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism
! 22: *
! 23: ***************************************************************************/
! 24:
! 25: #include "curl_setup.h"
! 26:
! 27: #if defined(USE_WINDOWS_SSPI) && defined(USE_KERBEROS5)
! 28:
! 29: #include <curl/curl.h>
! 30:
! 31: #include "vauth/vauth.h"
! 32: #include "urldata.h"
! 33: #include "curl_base64.h"
! 34: #include "warnless.h"
! 35: #include "curl_multibyte.h"
! 36: #include "sendf.h"
! 37:
! 38: /* The last #include files should be: */
! 39: #include "curl_memory.h"
! 40: #include "memdebug.h"
! 41:
! 42: /*
! 43: * Curl_auth_is_gssapi_supported()
! 44: *
! 45: * This is used to evaluate if GSSAPI (Kerberos V5) is supported.
! 46: *
! 47: * Parameters: None
! 48: *
! 49: * Returns TRUE if Kerberos V5 is supported by Windows SSPI.
! 50: */
! 51: bool Curl_auth_is_gssapi_supported(void)
! 52: {
! 53: PSecPkgInfo SecurityPackage;
! 54: SECURITY_STATUS status;
! 55:
! 56: /* Query the security package for Kerberos */
! 57: status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
! 58: TEXT(SP_NAME_KERBEROS),
! 59: &SecurityPackage);
! 60:
! 61: /* Release the package buffer as it is not required anymore */
! 62: if(status == SEC_E_OK) {
! 63: s_pSecFn->FreeContextBuffer(SecurityPackage);
! 64: }
! 65:
! 66: return (status == SEC_E_OK ? TRUE : FALSE);
! 67: }
! 68:
! 69: /*
! 70: * Curl_auth_create_gssapi_user_message()
! 71: *
! 72: * This is used to generate an already encoded GSSAPI (Kerberos V5) user token
! 73: * message ready for sending to the recipient.
! 74: *
! 75: * Parameters:
! 76: *
! 77: * data [in] - The session handle.
! 78: * userp [in] - The user name in the format User or Domain\User.
! 79: * passwdp [in] - The user's password.
! 80: * service [in] - The service type such as http, smtp, pop or imap.
! 81: * host [in] - The host name.
! 82: * mutual_auth [in] - Flag specifying whether or not mutual authentication
! 83: * is enabled.
! 84: * chlg64 [in] - The optional base64 encoded challenge message.
! 85: * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
! 86: * outptr [in/out] - The address where a pointer to newly allocated memory
! 87: * holding the result will be stored upon completion.
! 88: * outlen [out] - The length of the output message.
! 89: *
! 90: * Returns CURLE_OK on success.
! 91: */
! 92: CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
! 93: const char *userp,
! 94: const char *passwdp,
! 95: const char *service,
! 96: const char *host,
! 97: const bool mutual_auth,
! 98: const char *chlg64,
! 99: struct kerberos5data *krb5,
! 100: char **outptr, size_t *outlen)
! 101: {
! 102: CURLcode result = CURLE_OK;
! 103: size_t chlglen = 0;
! 104: unsigned char *chlg = NULL;
! 105: CtxtHandle context;
! 106: PSecPkgInfo SecurityPackage;
! 107: SecBuffer chlg_buf;
! 108: SecBuffer resp_buf;
! 109: SecBufferDesc chlg_desc;
! 110: SecBufferDesc resp_desc;
! 111: SECURITY_STATUS status;
! 112: unsigned long attrs;
! 113: TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
! 114:
! 115: if(!krb5->spn) {
! 116: /* Generate our SPN */
! 117: krb5->spn = Curl_auth_build_spn(service, host, NULL);
! 118: if(!krb5->spn)
! 119: return CURLE_OUT_OF_MEMORY;
! 120: }
! 121:
! 122: if(!krb5->output_token) {
! 123: /* Query the security package for Kerberos */
! 124: status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
! 125: TEXT(SP_NAME_KERBEROS),
! 126: &SecurityPackage);
! 127: if(status != SEC_E_OK) {
! 128: return CURLE_NOT_BUILT_IN;
! 129: }
! 130:
! 131: krb5->token_max = SecurityPackage->cbMaxToken;
! 132:
! 133: /* Release the package buffer as it is not required anymore */
! 134: s_pSecFn->FreeContextBuffer(SecurityPackage);
! 135:
! 136: /* Allocate our response buffer */
! 137: krb5->output_token = malloc(krb5->token_max);
! 138: if(!krb5->output_token)
! 139: return CURLE_OUT_OF_MEMORY;
! 140: }
! 141:
! 142: if(!krb5->credentials) {
! 143: /* Do we have credentials to use or are we using single sign-on? */
! 144: if(userp && *userp) {
! 145: /* Populate our identity structure */
! 146: result = Curl_create_sspi_identity(userp, passwdp, &krb5->identity);
! 147: if(result)
! 148: return result;
! 149:
! 150: /* Allow proper cleanup of the identity structure */
! 151: krb5->p_identity = &krb5->identity;
! 152: }
! 153: else
! 154: /* Use the current Windows user */
! 155: krb5->p_identity = NULL;
! 156:
! 157: /* Allocate our credentials handle */
! 158: krb5->credentials = calloc(1, sizeof(CredHandle));
! 159: if(!krb5->credentials)
! 160: return CURLE_OUT_OF_MEMORY;
! 161:
! 162: /* Acquire our credentials handle */
! 163: status = s_pSecFn->AcquireCredentialsHandle(NULL,
! 164: (TCHAR *)
! 165: TEXT(SP_NAME_KERBEROS),
! 166: SECPKG_CRED_OUTBOUND, NULL,
! 167: krb5->p_identity, NULL, NULL,
! 168: krb5->credentials, &expiry);
! 169: if(status != SEC_E_OK)
! 170: return CURLE_LOGIN_DENIED;
! 171:
! 172: /* Allocate our new context handle */
! 173: krb5->context = calloc(1, sizeof(CtxtHandle));
! 174: if(!krb5->context)
! 175: return CURLE_OUT_OF_MEMORY;
! 176: }
! 177:
! 178: if(chlg64 && *chlg64) {
! 179: /* Decode the base-64 encoded challenge message */
! 180: if(*chlg64 != '=') {
! 181: result = Curl_base64_decode(chlg64, &chlg, &chlglen);
! 182: if(result)
! 183: return result;
! 184: }
! 185:
! 186: /* Ensure we have a valid challenge message */
! 187: if(!chlg) {
! 188: infof(data, "GSSAPI handshake failure (empty challenge message)\n");
! 189:
! 190: return CURLE_BAD_CONTENT_ENCODING;
! 191: }
! 192:
! 193: /* Setup the challenge "input" security buffer */
! 194: chlg_desc.ulVersion = SECBUFFER_VERSION;
! 195: chlg_desc.cBuffers = 1;
! 196: chlg_desc.pBuffers = &chlg_buf;
! 197: chlg_buf.BufferType = SECBUFFER_TOKEN;
! 198: chlg_buf.pvBuffer = chlg;
! 199: chlg_buf.cbBuffer = curlx_uztoul(chlglen);
! 200: }
! 201:
! 202: /* Setup the response "output" security buffer */
! 203: resp_desc.ulVersion = SECBUFFER_VERSION;
! 204: resp_desc.cBuffers = 1;
! 205: resp_desc.pBuffers = &resp_buf;
! 206: resp_buf.BufferType = SECBUFFER_TOKEN;
! 207: resp_buf.pvBuffer = krb5->output_token;
! 208: resp_buf.cbBuffer = curlx_uztoul(krb5->token_max);
! 209:
! 210: /* Generate our challenge-response message */
! 211: status = s_pSecFn->InitializeSecurityContext(krb5->credentials,
! 212: chlg ? krb5->context : NULL,
! 213: krb5->spn,
! 214: (mutual_auth ?
! 215: ISC_REQ_MUTUAL_AUTH : 0),
! 216: 0, SECURITY_NATIVE_DREP,
! 217: chlg ? &chlg_desc : NULL, 0,
! 218: &context,
! 219: &resp_desc, &attrs,
! 220: &expiry);
! 221:
! 222: /* Free the decoded challenge as it is not required anymore */
! 223: free(chlg);
! 224:
! 225: if(status == SEC_E_INSUFFICIENT_MEMORY) {
! 226: return CURLE_OUT_OF_MEMORY;
! 227: }
! 228:
! 229: if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
! 230: return CURLE_AUTH_ERROR;
! 231: }
! 232:
! 233: if(memcmp(&context, krb5->context, sizeof(context))) {
! 234: s_pSecFn->DeleteSecurityContext(krb5->context);
! 235:
! 236: memcpy(krb5->context, &context, sizeof(context));
! 237: }
! 238:
! 239: if(resp_buf.cbBuffer) {
! 240: /* Base64 encode the response */
! 241: result = Curl_base64_encode(data, (char *) resp_buf.pvBuffer,
! 242: resp_buf.cbBuffer, outptr, outlen);
! 243: }
! 244: else if(mutual_auth) {
! 245: *outptr = strdup("");
! 246: if(!*outptr)
! 247: result = CURLE_OUT_OF_MEMORY;
! 248: }
! 249:
! 250: return result;
! 251: }
! 252:
! 253: /*
! 254: * Curl_auth_create_gssapi_security_message()
! 255: *
! 256: * This is used to generate an already encoded GSSAPI (Kerberos V5) security
! 257: * token message ready for sending to the recipient.
! 258: *
! 259: * Parameters:
! 260: *
! 261: * data [in] - The session handle.
! 262: * chlg64 [in] - The optional base64 encoded challenge message.
! 263: * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
! 264: * outptr [in/out] - The address where a pointer to newly allocated memory
! 265: * holding the result will be stored upon completion.
! 266: * outlen [out] - The length of the output message.
! 267: *
! 268: * Returns CURLE_OK on success.
! 269: */
! 270: CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
! 271: const char *chlg64,
! 272: struct kerberos5data *krb5,
! 273: char **outptr,
! 274: size_t *outlen)
! 275: {
! 276: CURLcode result = CURLE_OK;
! 277: size_t offset = 0;
! 278: size_t chlglen = 0;
! 279: size_t messagelen = 0;
! 280: size_t appdatalen = 0;
! 281: unsigned char *chlg = NULL;
! 282: unsigned char *trailer = NULL;
! 283: unsigned char *message = NULL;
! 284: unsigned char *padding = NULL;
! 285: unsigned char *appdata = NULL;
! 286: SecBuffer input_buf[2];
! 287: SecBuffer wrap_buf[3];
! 288: SecBufferDesc input_desc;
! 289: SecBufferDesc wrap_desc;
! 290: unsigned long indata = 0;
! 291: unsigned long outdata = 0;
! 292: unsigned long qop = 0;
! 293: unsigned long sec_layer = 0;
! 294: unsigned long max_size = 0;
! 295: SecPkgContext_Sizes sizes;
! 296: SecPkgCredentials_Names names;
! 297: SECURITY_STATUS status;
! 298: char *user_name;
! 299:
! 300: /* Decode the base-64 encoded input message */
! 301: if(strlen(chlg64) && *chlg64 != '=') {
! 302: result = Curl_base64_decode(chlg64, &chlg, &chlglen);
! 303: if(result)
! 304: return result;
! 305: }
! 306:
! 307: /* Ensure we have a valid challenge message */
! 308: if(!chlg) {
! 309: infof(data, "GSSAPI handshake failure (empty security message)\n");
! 310:
! 311: return CURLE_BAD_CONTENT_ENCODING;
! 312: }
! 313:
! 314: /* Get our response size information */
! 315: status = s_pSecFn->QueryContextAttributes(krb5->context,
! 316: SECPKG_ATTR_SIZES,
! 317: &sizes);
! 318: if(status != SEC_E_OK) {
! 319: free(chlg);
! 320:
! 321: if(status == SEC_E_INSUFFICIENT_MEMORY)
! 322: return CURLE_OUT_OF_MEMORY;
! 323:
! 324: return CURLE_AUTH_ERROR;
! 325: }
! 326:
! 327: /* Get the fully qualified username back from the context */
! 328: status = s_pSecFn->QueryCredentialsAttributes(krb5->credentials,
! 329: SECPKG_CRED_ATTR_NAMES,
! 330: &names);
! 331: if(status != SEC_E_OK) {
! 332: free(chlg);
! 333:
! 334: if(status == SEC_E_INSUFFICIENT_MEMORY)
! 335: return CURLE_OUT_OF_MEMORY;
! 336:
! 337: return CURLE_AUTH_ERROR;
! 338: }
! 339:
! 340: /* Setup the "input" security buffer */
! 341: input_desc.ulVersion = SECBUFFER_VERSION;
! 342: input_desc.cBuffers = 2;
! 343: input_desc.pBuffers = input_buf;
! 344: input_buf[0].BufferType = SECBUFFER_STREAM;
! 345: input_buf[0].pvBuffer = chlg;
! 346: input_buf[0].cbBuffer = curlx_uztoul(chlglen);
! 347: input_buf[1].BufferType = SECBUFFER_DATA;
! 348: input_buf[1].pvBuffer = NULL;
! 349: input_buf[1].cbBuffer = 0;
! 350:
! 351: /* Decrypt the inbound challenge and obtain the qop */
! 352: status = s_pSecFn->DecryptMessage(krb5->context, &input_desc, 0, &qop);
! 353: if(status != SEC_E_OK) {
! 354: infof(data, "GSSAPI handshake failure (empty security message)\n");
! 355:
! 356: free(chlg);
! 357:
! 358: return CURLE_BAD_CONTENT_ENCODING;
! 359: }
! 360:
! 361: /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
! 362: if(input_buf[1].cbBuffer != 4) {
! 363: infof(data, "GSSAPI handshake failure (invalid security data)\n");
! 364:
! 365: free(chlg);
! 366:
! 367: return CURLE_BAD_CONTENT_ENCODING;
! 368: }
! 369:
! 370: /* Copy the data out and free the challenge as it is not required anymore */
! 371: memcpy(&indata, input_buf[1].pvBuffer, 4);
! 372: s_pSecFn->FreeContextBuffer(input_buf[1].pvBuffer);
! 373: free(chlg);
! 374:
! 375: /* Extract the security layer */
! 376: sec_layer = indata & 0x000000FF;
! 377: if(!(sec_layer & KERB_WRAP_NO_ENCRYPT)) {
! 378: infof(data, "GSSAPI handshake failure (invalid security layer)\n");
! 379:
! 380: return CURLE_BAD_CONTENT_ENCODING;
! 381: }
! 382:
! 383: /* Extract the maximum message size the server can receive */
! 384: max_size = ntohl(indata & 0xFFFFFF00);
! 385: if(max_size > 0) {
! 386: /* The server has told us it supports a maximum receive buffer, however, as
! 387: we don't require one unless we are encrypting data, we tell the server
! 388: our receive buffer is zero. */
! 389: max_size = 0;
! 390: }
! 391:
! 392: /* Allocate the trailer */
! 393: trailer = malloc(sizes.cbSecurityTrailer);
! 394: if(!trailer)
! 395: return CURLE_OUT_OF_MEMORY;
! 396:
! 397: /* Convert the user name to UTF8 when operating with Unicode */
! 398: user_name = Curl_convert_tchar_to_UTF8(names.sUserName);
! 399: if(!user_name) {
! 400: free(trailer);
! 401:
! 402: return CURLE_OUT_OF_MEMORY;
! 403: }
! 404:
! 405: /* Allocate our message */
! 406: messagelen = sizeof(outdata) + strlen(user_name) + 1;
! 407: message = malloc(messagelen);
! 408: if(!message) {
! 409: free(trailer);
! 410: Curl_unicodefree(user_name);
! 411:
! 412: return CURLE_OUT_OF_MEMORY;
! 413: }
! 414:
! 415: /* Populate the message with the security layer, client supported receive
! 416: message size and authorization identity including the 0x00 based
! 417: terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
! 418: identity is not terminated with the zero-valued (%x00) octet." it seems
! 419: necessary to include it. */
! 420: outdata = htonl(max_size) | sec_layer;
! 421: memcpy(message, &outdata, sizeof(outdata));
! 422: strcpy((char *) message + sizeof(outdata), user_name);
! 423: Curl_unicodefree(user_name);
! 424:
! 425: /* Allocate the padding */
! 426: padding = malloc(sizes.cbBlockSize);
! 427: if(!padding) {
! 428: free(message);
! 429: free(trailer);
! 430:
! 431: return CURLE_OUT_OF_MEMORY;
! 432: }
! 433:
! 434: /* Setup the "authentication data" security buffer */
! 435: wrap_desc.ulVersion = SECBUFFER_VERSION;
! 436: wrap_desc.cBuffers = 3;
! 437: wrap_desc.pBuffers = wrap_buf;
! 438: wrap_buf[0].BufferType = SECBUFFER_TOKEN;
! 439: wrap_buf[0].pvBuffer = trailer;
! 440: wrap_buf[0].cbBuffer = sizes.cbSecurityTrailer;
! 441: wrap_buf[1].BufferType = SECBUFFER_DATA;
! 442: wrap_buf[1].pvBuffer = message;
! 443: wrap_buf[1].cbBuffer = curlx_uztoul(messagelen);
! 444: wrap_buf[2].BufferType = SECBUFFER_PADDING;
! 445: wrap_buf[2].pvBuffer = padding;
! 446: wrap_buf[2].cbBuffer = sizes.cbBlockSize;
! 447:
! 448: /* Encrypt the data */
! 449: status = s_pSecFn->EncryptMessage(krb5->context, KERB_WRAP_NO_ENCRYPT,
! 450: &wrap_desc, 0);
! 451: if(status != SEC_E_OK) {
! 452: free(padding);
! 453: free(message);
! 454: free(trailer);
! 455:
! 456: if(status == SEC_E_INSUFFICIENT_MEMORY)
! 457: return CURLE_OUT_OF_MEMORY;
! 458:
! 459: return CURLE_AUTH_ERROR;
! 460: }
! 461:
! 462: /* Allocate the encryption (wrap) buffer */
! 463: appdatalen = wrap_buf[0].cbBuffer + wrap_buf[1].cbBuffer +
! 464: wrap_buf[2].cbBuffer;
! 465: appdata = malloc(appdatalen);
! 466: if(!appdata) {
! 467: free(padding);
! 468: free(message);
! 469: free(trailer);
! 470:
! 471: return CURLE_OUT_OF_MEMORY;
! 472: }
! 473:
! 474: /* Populate the encryption buffer */
! 475: memcpy(appdata, wrap_buf[0].pvBuffer, wrap_buf[0].cbBuffer);
! 476: offset += wrap_buf[0].cbBuffer;
! 477: memcpy(appdata + offset, wrap_buf[1].pvBuffer, wrap_buf[1].cbBuffer);
! 478: offset += wrap_buf[1].cbBuffer;
! 479: memcpy(appdata + offset, wrap_buf[2].pvBuffer, wrap_buf[2].cbBuffer);
! 480:
! 481: /* Base64 encode the response */
! 482: result = Curl_base64_encode(data, (char *) appdata, appdatalen, outptr,
! 483: outlen);
! 484:
! 485: /* Free all of our local buffers */
! 486: free(appdata);
! 487: free(padding);
! 488: free(message);
! 489: free(trailer);
! 490:
! 491: return result;
! 492: }
! 493:
! 494: /*
! 495: * Curl_auth_cleanup_gssapi()
! 496: *
! 497: * This is used to clean up the GSSAPI (Kerberos V5) specific data.
! 498: *
! 499: * Parameters:
! 500: *
! 501: * krb5 [in/out] - The Kerberos 5 data struct being cleaned up.
! 502: *
! 503: */
! 504: void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5)
! 505: {
! 506: /* Free our security context */
! 507: if(krb5->context) {
! 508: s_pSecFn->DeleteSecurityContext(krb5->context);
! 509: free(krb5->context);
! 510: krb5->context = NULL;
! 511: }
! 512:
! 513: /* Free our credentials handle */
! 514: if(krb5->credentials) {
! 515: s_pSecFn->FreeCredentialsHandle(krb5->credentials);
! 516: free(krb5->credentials);
! 517: krb5->credentials = NULL;
! 518: }
! 519:
! 520: /* Free our identity */
! 521: Curl_sspi_free_identity(krb5->p_identity);
! 522: krb5->p_identity = NULL;
! 523:
! 524: /* Free the SPN and output token */
! 525: Curl_safefree(krb5->spn);
! 526: Curl_safefree(krb5->output_token);
! 527:
! 528: /* Reset any variables */
! 529: krb5->token_max = 0;
! 530: }
! 531:
! 532: #endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to krb5_sspi.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vauth