1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9: *
10: * This software is licensed as described in the file COPYING, which
11: * you should have received as part of this distribution. The terms
12: * are also available at https://curl.haxx.se/docs/copyright.html.
13: *
14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: * copies of the Software, and permit persons to whom the Software is
16: * furnished to do so, under the terms of the COPYING file.
17: *
18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: * KIND, either express or implied.
20: *
21: * RFC4178 Simple and Protected GSS-API Negotiation Mechanism
22: *
23: ***************************************************************************/
24:
25: #include "curl_setup.h"
26:
27: #if defined(USE_WINDOWS_SSPI) && defined(USE_SPNEGO)
28:
29: #include <curl/curl.h>
30:
31: #include "vauth/vauth.h"
32: #include "urldata.h"
33: #include "curl_base64.h"
34: #include "warnless.h"
35: #include "curl_multibyte.h"
36: #include "sendf.h"
37: #include "strerror.h"
38:
39: /* The last #include files should be: */
40: #include "curl_memory.h"
41: #include "memdebug.h"
42:
43: /*
44: * Curl_auth_is_spnego_supported()
45: *
46: * This is used to evaluate if SPNEGO (Negotiate) is supported.
47: *
48: * Parameters: None
49: *
50: * Returns TRUE if Negotiate is supported by Windows SSPI.
51: */
52: bool Curl_auth_is_spnego_supported(void)
53: {
54: PSecPkgInfo SecurityPackage;
55: SECURITY_STATUS status;
56:
57: /* Query the security package for Negotiate */
58: status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
59: TEXT(SP_NAME_NEGOTIATE),
60: &SecurityPackage);
61:
62: /* Release the package buffer as it is not required anymore */
63: if(status == SEC_E_OK) {
64: s_pSecFn->FreeContextBuffer(SecurityPackage);
65: }
66:
67:
68: return (status == SEC_E_OK ? TRUE : FALSE);
69: }
70:
71: /*
72: * Curl_auth_decode_spnego_message()
73: *
74: * This is used to decode an already encoded SPNEGO (Negotiate) challenge
75: * message.
76: *
77: * Parameters:
78: *
79: * data [in] - The session handle.
80: * user [in] - The user name in the format User or Domain\User.
81: * password [in] - The user's password.
82: * service [in] - The service type such as http, smtp, pop or imap.
83: * host [in] - The host name.
84: * chlg64 [in] - The optional base64 encoded challenge message.
85: * nego [in/out] - The Negotiate data struct being used and modified.
86: *
87: * Returns CURLE_OK on success.
88: */
89: CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
90: const char *user,
91: const char *password,
92: const char *service,
93: const char *host,
94: const char *chlg64,
95: struct negotiatedata *nego)
96: {
97: CURLcode result = CURLE_OK;
98: size_t chlglen = 0;
99: unsigned char *chlg = NULL;
100: PSecPkgInfo SecurityPackage;
101: SecBuffer chlg_buf[2];
102: SecBuffer resp_buf;
103: SecBufferDesc chlg_desc;
104: SecBufferDesc resp_desc;
105: unsigned long attrs;
106: TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
107:
108: #if defined(CURL_DISABLE_VERBOSE_STRINGS)
109: (void) data;
110: #endif
111:
112: if(nego->context && nego->status == SEC_E_OK) {
113: /* We finished successfully our part of authentication, but server
114: * rejected it (since we're again here). Exit with an error since we
115: * can't invent anything better */
116: Curl_auth_cleanup_spnego(nego);
117: return CURLE_LOGIN_DENIED;
118: }
119:
120: if(!nego->spn) {
121: /* Generate our SPN */
122: nego->spn = Curl_auth_build_spn(service, host, NULL);
123: if(!nego->spn)
124: return CURLE_OUT_OF_MEMORY;
125: }
126:
127: if(!nego->output_token) {
128: /* Query the security package for Negotiate */
129: nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
130: TEXT(SP_NAME_NEGOTIATE),
131: &SecurityPackage);
132: if(nego->status != SEC_E_OK)
133: return CURLE_NOT_BUILT_IN;
134:
135: nego->token_max = SecurityPackage->cbMaxToken;
136:
137: /* Release the package buffer as it is not required anymore */
138: s_pSecFn->FreeContextBuffer(SecurityPackage);
139:
140: /* Allocate our output buffer */
141: nego->output_token = malloc(nego->token_max);
142: if(!nego->output_token)
143: return CURLE_OUT_OF_MEMORY;
144: }
145:
146: if(!nego->credentials) {
147: /* Do we have credentials to use or are we using single sign-on? */
148: if(user && *user) {
149: /* Populate our identity structure */
150: result = Curl_create_sspi_identity(user, password, &nego->identity);
151: if(result)
152: return result;
153:
154: /* Allow proper cleanup of the identity structure */
155: nego->p_identity = &nego->identity;
156: }
157: else
158: /* Use the current Windows user */
159: nego->p_identity = NULL;
160:
161: /* Allocate our credentials handle */
162: nego->credentials = calloc(1, sizeof(CredHandle));
163: if(!nego->credentials)
164: return CURLE_OUT_OF_MEMORY;
165:
166: /* Acquire our credentials handle */
167: nego->status =
168: s_pSecFn->AcquireCredentialsHandle(NULL,
169: (TCHAR *)TEXT(SP_NAME_NEGOTIATE),
170: SECPKG_CRED_OUTBOUND, NULL,
171: nego->p_identity, NULL, NULL,
172: nego->credentials, &expiry);
173: if(nego->status != SEC_E_OK)
174: return CURLE_AUTH_ERROR;
175:
176: /* Allocate our new context handle */
177: nego->context = calloc(1, sizeof(CtxtHandle));
178: if(!nego->context)
179: return CURLE_OUT_OF_MEMORY;
180: }
181:
182: if(chlg64 && *chlg64) {
183: /* Decode the base-64 encoded challenge message */
184: if(*chlg64 != '=') {
185: result = Curl_base64_decode(chlg64, &chlg, &chlglen);
186: if(result)
187: return result;
188: }
189:
190: /* Ensure we have a valid challenge message */
191: if(!chlg) {
192: infof(data, "SPNEGO handshake failure (empty challenge message)\n");
193:
194: return CURLE_BAD_CONTENT_ENCODING;
195: }
196:
197: /* Setup the challenge "input" security buffer */
198: chlg_desc.ulVersion = SECBUFFER_VERSION;
199: chlg_desc.cBuffers = 1;
200: chlg_desc.pBuffers = &chlg_buf[0];
201: chlg_buf[0].BufferType = SECBUFFER_TOKEN;
202: chlg_buf[0].pvBuffer = chlg;
203: chlg_buf[0].cbBuffer = curlx_uztoul(chlglen);
204:
205: #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
206: /* ssl context comes from Schannel.
207: * When extended protection is used in IIS server,
208: * we have to pass a second SecBuffer to the SecBufferDesc
209: * otherwise IIS will not pass the authentication (401 response).
210: * Minimum supported version is Windows 7.
211: * https://docs.microsoft.com/en-us/security-updates
212: * /SecurityAdvisories/2009/973811
213: */
214: if(nego->sslContext) {
215: SEC_CHANNEL_BINDINGS channelBindings;
216: SecPkgContext_Bindings pkgBindings;
217: pkgBindings.Bindings = &channelBindings;
218: nego->status = s_pSecFn->QueryContextAttributes(
219: nego->sslContext,
220: SECPKG_ATTR_ENDPOINT_BINDINGS,
221: &pkgBindings
222: );
223: if(nego->status == SEC_E_OK) {
224: chlg_desc.cBuffers++;
225: chlg_buf[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
226: chlg_buf[1].cbBuffer = pkgBindings.BindingsLength;
227: chlg_buf[1].pvBuffer = pkgBindings.Bindings;
228: }
229: }
230: #endif
231: }
232:
233: /* Setup the response "output" security buffer */
234: resp_desc.ulVersion = SECBUFFER_VERSION;
235: resp_desc.cBuffers = 1;
236: resp_desc.pBuffers = &resp_buf;
237: resp_buf.BufferType = SECBUFFER_TOKEN;
238: resp_buf.pvBuffer = nego->output_token;
239: resp_buf.cbBuffer = curlx_uztoul(nego->token_max);
240:
241: /* Generate our challenge-response message */
242: nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
243: chlg ? nego->context :
244: NULL,
245: nego->spn,
246: ISC_REQ_CONFIDENTIALITY,
247: 0, SECURITY_NATIVE_DREP,
248: chlg ? &chlg_desc : NULL,
249: 0, nego->context,
250: &resp_desc, &attrs,
251: &expiry);
252:
253: /* Free the decoded challenge as it is not required anymore */
254: free(chlg);
255:
256: if(GSS_ERROR(nego->status)) {
257: char buffer[STRERROR_LEN];
258: failf(data, "InitializeSecurityContext failed: %s",
259: Curl_sspi_strerror(nego->status, buffer, sizeof(buffer)));
260:
261: if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
262: return CURLE_OUT_OF_MEMORY;
263:
264: return CURLE_AUTH_ERROR;
265: }
266:
267: if(nego->status == SEC_I_COMPLETE_NEEDED ||
268: nego->status == SEC_I_COMPLETE_AND_CONTINUE) {
269: nego->status = s_pSecFn->CompleteAuthToken(nego->context, &resp_desc);
270: if(GSS_ERROR(nego->status)) {
271: char buffer[STRERROR_LEN];
272: failf(data, "CompleteAuthToken failed: %s",
273: Curl_sspi_strerror(nego->status, buffer, sizeof(buffer)));
274:
275: if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
276: return CURLE_OUT_OF_MEMORY;
277:
278: return CURLE_AUTH_ERROR;
279: }
280: }
281:
282: nego->output_token_length = resp_buf.cbBuffer;
283:
284: return result;
285: }
286:
287: /*
288: * Curl_auth_create_spnego_message()
289: *
290: * This is used to generate an already encoded SPNEGO (Negotiate) response
291: * message ready for sending to the recipient.
292: *
293: * Parameters:
294: *
295: * data [in] - The session handle.
296: * nego [in/out] - The Negotiate data struct being used and modified.
297: * outptr [in/out] - The address where a pointer to newly allocated memory
298: * holding the result will be stored upon completion.
299: * outlen [out] - The length of the output message.
300: *
301: * Returns CURLE_OK on success.
302: */
303: CURLcode Curl_auth_create_spnego_message(struct Curl_easy *data,
304: struct negotiatedata *nego,
305: char **outptr, size_t *outlen)
306: {
307: CURLcode result;
308:
309: /* Base64 encode the already generated response */
310: result = Curl_base64_encode(data,
311: (const char *) nego->output_token,
312: nego->output_token_length,
313: outptr, outlen);
314:
315: if(result)
316: return result;
317:
318: if(!*outptr || !*outlen) {
319: free(*outptr);
320: return CURLE_REMOTE_ACCESS_DENIED;
321: }
322:
323: return CURLE_OK;
324: }
325:
326: /*
327: * Curl_auth_cleanup_spnego()
328: *
329: * This is used to clean up the SPNEGO (Negotiate) specific data.
330: *
331: * Parameters:
332: *
333: * nego [in/out] - The Negotiate data struct being cleaned up.
334: *
335: */
336: void Curl_auth_cleanup_spnego(struct negotiatedata *nego)
337: {
338: /* Free our security context */
339: if(nego->context) {
340: s_pSecFn->DeleteSecurityContext(nego->context);
341: free(nego->context);
342: nego->context = NULL;
343: }
344:
345: /* Free our credentials handle */
346: if(nego->credentials) {
347: s_pSecFn->FreeCredentialsHandle(nego->credentials);
348: free(nego->credentials);
349: nego->credentials = NULL;
350: }
351:
352: /* Free our identity */
353: Curl_sspi_free_identity(nego->p_identity);
354: nego->p_identity = NULL;
355:
356: /* Free the SPN and output token */
357: Curl_safefree(nego->spn);
358: Curl_safefree(nego->output_token);
359:
360: /* Reset any variables */
361: nego->status = 0;
362: nego->token_max = 0;
363: nego->noauthpersist = FALSE;
364: nego->havenoauthpersist = FALSE;
365: nego->havenegdata = FALSE;
366: nego->havemultiplerequests = FALSE;
367: }
368:
369: #endif /* USE_WINDOWS_SSPI && USE_SPNEGO */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to spnego_sspi.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vauth