Annotation of embedaddon/curl/lib/vauth/spnego_sspi.c, revision 1.1
1.1 ! misho 1: /***************************************************************************
! 2: * _ _ ____ _
! 3: * Project ___| | | | _ \| |
! 4: * / __| | | | |_) | |
! 5: * | (__| |_| | _ <| |___
! 6: * \___|\___/|_| \_\_____|
! 7: *
! 8: * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
! 9: *
! 10: * This software is licensed as described in the file COPYING, which
! 11: * you should have received as part of this distribution. The terms
! 12: * are also available at https://curl.haxx.se/docs/copyright.html.
! 13: *
! 14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
! 15: * copies of the Software, and permit persons to whom the Software is
! 16: * furnished to do so, under the terms of the COPYING file.
! 17: *
! 18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
! 19: * KIND, either express or implied.
! 20: *
! 21: * RFC4178 Simple and Protected GSS-API Negotiation Mechanism
! 22: *
! 23: ***************************************************************************/
! 24:
! 25: #include "curl_setup.h"
! 26:
! 27: #if defined(USE_WINDOWS_SSPI) && defined(USE_SPNEGO)
! 28:
! 29: #include <curl/curl.h>
! 30:
! 31: #include "vauth/vauth.h"
! 32: #include "urldata.h"
! 33: #include "curl_base64.h"
! 34: #include "warnless.h"
! 35: #include "curl_multibyte.h"
! 36: #include "sendf.h"
! 37: #include "strerror.h"
! 38:
! 39: /* The last #include files should be: */
! 40: #include "curl_memory.h"
! 41: #include "memdebug.h"
! 42:
! 43: /*
! 44: * Curl_auth_is_spnego_supported()
! 45: *
! 46: * This is used to evaluate if SPNEGO (Negotiate) is supported.
! 47: *
! 48: * Parameters: None
! 49: *
! 50: * Returns TRUE if Negotiate is supported by Windows SSPI.
! 51: */
! 52: bool Curl_auth_is_spnego_supported(void)
! 53: {
! 54: PSecPkgInfo SecurityPackage;
! 55: SECURITY_STATUS status;
! 56:
! 57: /* Query the security package for Negotiate */
! 58: status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
! 59: TEXT(SP_NAME_NEGOTIATE),
! 60: &SecurityPackage);
! 61:
! 62: /* Release the package buffer as it is not required anymore */
! 63: if(status == SEC_E_OK) {
! 64: s_pSecFn->FreeContextBuffer(SecurityPackage);
! 65: }
! 66:
! 67:
! 68: return (status == SEC_E_OK ? TRUE : FALSE);
! 69: }
! 70:
! 71: /*
! 72: * Curl_auth_decode_spnego_message()
! 73: *
! 74: * This is used to decode an already encoded SPNEGO (Negotiate) challenge
! 75: * message.
! 76: *
! 77: * Parameters:
! 78: *
! 79: * data [in] - The session handle.
! 80: * user [in] - The user name in the format User or Domain\User.
! 81: * password [in] - The user's password.
! 82: * service [in] - The service type such as http, smtp, pop or imap.
! 83: * host [in] - The host name.
! 84: * chlg64 [in] - The optional base64 encoded challenge message.
! 85: * nego [in/out] - The Negotiate data struct being used and modified.
! 86: *
! 87: * Returns CURLE_OK on success.
! 88: */
! 89: CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
! 90: const char *user,
! 91: const char *password,
! 92: const char *service,
! 93: const char *host,
! 94: const char *chlg64,
! 95: struct negotiatedata *nego)
! 96: {
! 97: CURLcode result = CURLE_OK;
! 98: size_t chlglen = 0;
! 99: unsigned char *chlg = NULL;
! 100: PSecPkgInfo SecurityPackage;
! 101: SecBuffer chlg_buf[2];
! 102: SecBuffer resp_buf;
! 103: SecBufferDesc chlg_desc;
! 104: SecBufferDesc resp_desc;
! 105: unsigned long attrs;
! 106: TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
! 107:
! 108: #if defined(CURL_DISABLE_VERBOSE_STRINGS)
! 109: (void) data;
! 110: #endif
! 111:
! 112: if(nego->context && nego->status == SEC_E_OK) {
! 113: /* We finished successfully our part of authentication, but server
! 114: * rejected it (since we're again here). Exit with an error since we
! 115: * can't invent anything better */
! 116: Curl_auth_cleanup_spnego(nego);
! 117: return CURLE_LOGIN_DENIED;
! 118: }
! 119:
! 120: if(!nego->spn) {
! 121: /* Generate our SPN */
! 122: nego->spn = Curl_auth_build_spn(service, host, NULL);
! 123: if(!nego->spn)
! 124: return CURLE_OUT_OF_MEMORY;
! 125: }
! 126:
! 127: if(!nego->output_token) {
! 128: /* Query the security package for Negotiate */
! 129: nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
! 130: TEXT(SP_NAME_NEGOTIATE),
! 131: &SecurityPackage);
! 132: if(nego->status != SEC_E_OK)
! 133: return CURLE_NOT_BUILT_IN;
! 134:
! 135: nego->token_max = SecurityPackage->cbMaxToken;
! 136:
! 137: /* Release the package buffer as it is not required anymore */
! 138: s_pSecFn->FreeContextBuffer(SecurityPackage);
! 139:
! 140: /* Allocate our output buffer */
! 141: nego->output_token = malloc(nego->token_max);
! 142: if(!nego->output_token)
! 143: return CURLE_OUT_OF_MEMORY;
! 144: }
! 145:
! 146: if(!nego->credentials) {
! 147: /* Do we have credentials to use or are we using single sign-on? */
! 148: if(user && *user) {
! 149: /* Populate our identity structure */
! 150: result = Curl_create_sspi_identity(user, password, &nego->identity);
! 151: if(result)
! 152: return result;
! 153:
! 154: /* Allow proper cleanup of the identity structure */
! 155: nego->p_identity = &nego->identity;
! 156: }
! 157: else
! 158: /* Use the current Windows user */
! 159: nego->p_identity = NULL;
! 160:
! 161: /* Allocate our credentials handle */
! 162: nego->credentials = calloc(1, sizeof(CredHandle));
! 163: if(!nego->credentials)
! 164: return CURLE_OUT_OF_MEMORY;
! 165:
! 166: /* Acquire our credentials handle */
! 167: nego->status =
! 168: s_pSecFn->AcquireCredentialsHandle(NULL,
! 169: (TCHAR *)TEXT(SP_NAME_NEGOTIATE),
! 170: SECPKG_CRED_OUTBOUND, NULL,
! 171: nego->p_identity, NULL, NULL,
! 172: nego->credentials, &expiry);
! 173: if(nego->status != SEC_E_OK)
! 174: return CURLE_AUTH_ERROR;
! 175:
! 176: /* Allocate our new context handle */
! 177: nego->context = calloc(1, sizeof(CtxtHandle));
! 178: if(!nego->context)
! 179: return CURLE_OUT_OF_MEMORY;
! 180: }
! 181:
! 182: if(chlg64 && *chlg64) {
! 183: /* Decode the base-64 encoded challenge message */
! 184: if(*chlg64 != '=') {
! 185: result = Curl_base64_decode(chlg64, &chlg, &chlglen);
! 186: if(result)
! 187: return result;
! 188: }
! 189:
! 190: /* Ensure we have a valid challenge message */
! 191: if(!chlg) {
! 192: infof(data, "SPNEGO handshake failure (empty challenge message)\n");
! 193:
! 194: return CURLE_BAD_CONTENT_ENCODING;
! 195: }
! 196:
! 197: /* Setup the challenge "input" security buffer */
! 198: chlg_desc.ulVersion = SECBUFFER_VERSION;
! 199: chlg_desc.cBuffers = 1;
! 200: chlg_desc.pBuffers = &chlg_buf[0];
! 201: chlg_buf[0].BufferType = SECBUFFER_TOKEN;
! 202: chlg_buf[0].pvBuffer = chlg;
! 203: chlg_buf[0].cbBuffer = curlx_uztoul(chlglen);
! 204:
! 205: #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
! 206: /* ssl context comes from Schannel.
! 207: * When extended protection is used in IIS server,
! 208: * we have to pass a second SecBuffer to the SecBufferDesc
! 209: * otherwise IIS will not pass the authentication (401 response).
! 210: * Minimum supported version is Windows 7.
! 211: * https://docs.microsoft.com/en-us/security-updates
! 212: * /SecurityAdvisories/2009/973811
! 213: */
! 214: if(nego->sslContext) {
! 215: SEC_CHANNEL_BINDINGS channelBindings;
! 216: SecPkgContext_Bindings pkgBindings;
! 217: pkgBindings.Bindings = &channelBindings;
! 218: nego->status = s_pSecFn->QueryContextAttributes(
! 219: nego->sslContext,
! 220: SECPKG_ATTR_ENDPOINT_BINDINGS,
! 221: &pkgBindings
! 222: );
! 223: if(nego->status == SEC_E_OK) {
! 224: chlg_desc.cBuffers++;
! 225: chlg_buf[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
! 226: chlg_buf[1].cbBuffer = pkgBindings.BindingsLength;
! 227: chlg_buf[1].pvBuffer = pkgBindings.Bindings;
! 228: }
! 229: }
! 230: #endif
! 231: }
! 232:
! 233: /* Setup the response "output" security buffer */
! 234: resp_desc.ulVersion = SECBUFFER_VERSION;
! 235: resp_desc.cBuffers = 1;
! 236: resp_desc.pBuffers = &resp_buf;
! 237: resp_buf.BufferType = SECBUFFER_TOKEN;
! 238: resp_buf.pvBuffer = nego->output_token;
! 239: resp_buf.cbBuffer = curlx_uztoul(nego->token_max);
! 240:
! 241: /* Generate our challenge-response message */
! 242: nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
! 243: chlg ? nego->context :
! 244: NULL,
! 245: nego->spn,
! 246: ISC_REQ_CONFIDENTIALITY,
! 247: 0, SECURITY_NATIVE_DREP,
! 248: chlg ? &chlg_desc : NULL,
! 249: 0, nego->context,
! 250: &resp_desc, &attrs,
! 251: &expiry);
! 252:
! 253: /* Free the decoded challenge as it is not required anymore */
! 254: free(chlg);
! 255:
! 256: if(GSS_ERROR(nego->status)) {
! 257: char buffer[STRERROR_LEN];
! 258: failf(data, "InitializeSecurityContext failed: %s",
! 259: Curl_sspi_strerror(nego->status, buffer, sizeof(buffer)));
! 260:
! 261: if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
! 262: return CURLE_OUT_OF_MEMORY;
! 263:
! 264: return CURLE_AUTH_ERROR;
! 265: }
! 266:
! 267: if(nego->status == SEC_I_COMPLETE_NEEDED ||
! 268: nego->status == SEC_I_COMPLETE_AND_CONTINUE) {
! 269: nego->status = s_pSecFn->CompleteAuthToken(nego->context, &resp_desc);
! 270: if(GSS_ERROR(nego->status)) {
! 271: char buffer[STRERROR_LEN];
! 272: failf(data, "CompleteAuthToken failed: %s",
! 273: Curl_sspi_strerror(nego->status, buffer, sizeof(buffer)));
! 274:
! 275: if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
! 276: return CURLE_OUT_OF_MEMORY;
! 277:
! 278: return CURLE_AUTH_ERROR;
! 279: }
! 280: }
! 281:
! 282: nego->output_token_length = resp_buf.cbBuffer;
! 283:
! 284: return result;
! 285: }
! 286:
! 287: /*
! 288: * Curl_auth_create_spnego_message()
! 289: *
! 290: * This is used to generate an already encoded SPNEGO (Negotiate) response
! 291: * message ready for sending to the recipient.
! 292: *
! 293: * Parameters:
! 294: *
! 295: * data [in] - The session handle.
! 296: * nego [in/out] - The Negotiate data struct being used and modified.
! 297: * outptr [in/out] - The address where a pointer to newly allocated memory
! 298: * holding the result will be stored upon completion.
! 299: * outlen [out] - The length of the output message.
! 300: *
! 301: * Returns CURLE_OK on success.
! 302: */
! 303: CURLcode Curl_auth_create_spnego_message(struct Curl_easy *data,
! 304: struct negotiatedata *nego,
! 305: char **outptr, size_t *outlen)
! 306: {
! 307: CURLcode result;
! 308:
! 309: /* Base64 encode the already generated response */
! 310: result = Curl_base64_encode(data,
! 311: (const char *) nego->output_token,
! 312: nego->output_token_length,
! 313: outptr, outlen);
! 314:
! 315: if(result)
! 316: return result;
! 317:
! 318: if(!*outptr || !*outlen) {
! 319: free(*outptr);
! 320: return CURLE_REMOTE_ACCESS_DENIED;
! 321: }
! 322:
! 323: return CURLE_OK;
! 324: }
! 325:
! 326: /*
! 327: * Curl_auth_cleanup_spnego()
! 328: *
! 329: * This is used to clean up the SPNEGO (Negotiate) specific data.
! 330: *
! 331: * Parameters:
! 332: *
! 333: * nego [in/out] - The Negotiate data struct being cleaned up.
! 334: *
! 335: */
! 336: void Curl_auth_cleanup_spnego(struct negotiatedata *nego)
! 337: {
! 338: /* Free our security context */
! 339: if(nego->context) {
! 340: s_pSecFn->DeleteSecurityContext(nego->context);
! 341: free(nego->context);
! 342: nego->context = NULL;
! 343: }
! 344:
! 345: /* Free our credentials handle */
! 346: if(nego->credentials) {
! 347: s_pSecFn->FreeCredentialsHandle(nego->credentials);
! 348: free(nego->credentials);
! 349: nego->credentials = NULL;
! 350: }
! 351:
! 352: /* Free our identity */
! 353: Curl_sspi_free_identity(nego->p_identity);
! 354: nego->p_identity = NULL;
! 355:
! 356: /* Free the SPN and output token */
! 357: Curl_safefree(nego->spn);
! 358: Curl_safefree(nego->output_token);
! 359:
! 360: /* Reset any variables */
! 361: nego->status = 0;
! 362: nego->token_max = 0;
! 363: nego->noauthpersist = FALSE;
! 364: nego->havenoauthpersist = FALSE;
! 365: nego->havenegdata = FALSE;
! 366: nego->havemultiplerequests = FALSE;
! 367: }
! 368:
! 369: #endif /* USE_WINDOWS_SSPI && USE_SPNEGO */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to spnego_sspi.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vauth