1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.haxx.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  ***************************************************************************/
22 
23 #include "curl_setup.h"
24 
25 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
26 
27 #include "urldata.h"
28 #include "sendf.h"
29 #include "http_negotiate.h"
30 #include "vauth/vauth.h"
31 
32 /* The last 3 #include files should be in this order */
33 #include "curl_printf.h"
34 #include "curl_memory.h"
35 #include "memdebug.h"
36 
Curl_input_negotiate(struct connectdata * conn,bool proxy,const char * header)37 CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
38                               const char *header)
39 {
40   CURLcode result;
41   struct Curl_easy *data = conn->data;
42   size_t len;
43 
44   /* Point to the username, password, service and host */
45   const char *userp;
46   const char *passwdp;
47   const char *service;
48   const char *host;
49 
50   /* Point to the correct struct with this */
51   struct negotiatedata *neg_ctx;
52   curlnegotiate state;
53 
54   if(proxy) {
55 #ifndef CURL_DISABLE_PROXY
56     userp = conn->http_proxy.user;
57     passwdp = conn->http_proxy.passwd;
58     service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
59               data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
60     host = conn->http_proxy.host.name;
61     neg_ctx = &conn->proxyneg;
62     state = conn->proxy_negotiate_state;
63 #else
64     return CURLE_NOT_BUILT_IN;
65 #endif
66   }
67   else {
68     userp = conn->user;
69     passwdp = conn->passwd;
70     service = data->set.str[STRING_SERVICE_NAME] ?
71               data->set.str[STRING_SERVICE_NAME] : "HTTP";
72     host = conn->host.name;
73     neg_ctx = &conn->negotiate;
74     state = conn->http_negotiate_state;
75   }
76 
77   /* Not set means empty */
78   if(!userp)
79     userp = "";
80 
81   if(!passwdp)
82     passwdp = "";
83 
84   /* Obtain the input token, if any */
85   header += strlen("Negotiate");
86   while(*header && ISSPACE(*header))
87     header++;
88 
89   len = strlen(header);
90   neg_ctx->havenegdata = len != 0;
91   if(!len) {
92     if(state == GSS_AUTHSUCC) {
93       infof(conn->data, "Negotiate auth restarted\n");
94       Curl_http_auth_cleanup_negotiate(conn);
95     }
96     else if(state != GSS_AUTHNONE) {
97       /* The server rejected our authentication and hasn't supplied any more
98       negotiation mechanisms */
99       Curl_http_auth_cleanup_negotiate(conn);
100       return CURLE_LOGIN_DENIED;
101     }
102   }
103 
104   /* Supports SSL channel binding for Windows ISS extended protection */
105 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
106   neg_ctx->sslContext = conn->sslContext;
107 #endif
108 
109   /* Initialize the security context and decode our challenge */
110   result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
111                                            host, header, neg_ctx);
112 
113   if(result)
114     Curl_http_auth_cleanup_negotiate(conn);
115 
116   return result;
117 }
118 
Curl_output_negotiate(struct connectdata * conn,bool proxy)119 CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
120 {
121   struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
122     &conn->negotiate;
123   struct auth *authp = proxy ? &conn->data->state.authproxy :
124     &conn->data->state.authhost;
125   curlnegotiate *state = proxy ? &conn->proxy_negotiate_state :
126     &conn->http_negotiate_state;
127   struct Curl_easy *data = conn->data;
128   char *base64 = NULL;
129   size_t len = 0;
130   char *userp;
131   CURLcode result;
132 
133   authp->done = FALSE;
134 
135   if(*state == GSS_AUTHRECV) {
136     if(neg_ctx->havenegdata) {
137       neg_ctx->havemultiplerequests = TRUE;
138     }
139   }
140   else if(*state == GSS_AUTHSUCC) {
141     if(!neg_ctx->havenoauthpersist) {
142       neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
143     }
144   }
145 
146   if(neg_ctx->noauthpersist ||
147     (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
148 
149     if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
150       infof(conn->data, "Curl_output_negotiate, "
151        "no persistent authentication: cleanup existing context");
152       Curl_http_auth_cleanup_negotiate(conn);
153     }
154     if(!neg_ctx->context) {
155       result = Curl_input_negotiate(conn, proxy, "Negotiate");
156       if(result == CURLE_AUTH_ERROR) {
157         /* negotiate auth failed, let's continue unauthenticated to stay
158          * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
159         authp->done = TRUE;
160         return CURLE_OK;
161       }
162       else if(result)
163         return result;
164     }
165 
166     result = Curl_auth_create_spnego_message(conn->data,
167       neg_ctx, &base64, &len);
168     if(result)
169       return result;
170 
171     userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
172                     base64);
173 
174     if(proxy) {
175       Curl_safefree(data->state.aptr.proxyuserpwd);
176       data->state.aptr.proxyuserpwd = userp;
177     }
178     else {
179       Curl_safefree(data->state.aptr.userpwd);
180       data->state.aptr.userpwd = userp;
181     }
182 
183     free(base64);
184 
185     if(userp == NULL) {
186       return CURLE_OUT_OF_MEMORY;
187     }
188 
189     *state = GSS_AUTHSENT;
190   #ifdef HAVE_GSSAPI
191     if(neg_ctx->status == GSS_S_COMPLETE ||
192        neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
193       *state = GSS_AUTHDONE;
194     }
195   #else
196   #ifdef USE_WINDOWS_SSPI
197     if(neg_ctx->status == SEC_E_OK ||
198        neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
199       *state = GSS_AUTHDONE;
200     }
201   #endif
202   #endif
203   }
204 
205   if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
206     /* connection is already authenticated,
207      * don't send a header in future requests */
208     authp->done = TRUE;
209   }
210 
211   neg_ctx->havenegdata = FALSE;
212 
213   return CURLE_OK;
214 }
215 
Curl_http_auth_cleanup_negotiate(struct connectdata * conn)216 void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
217 {
218   conn->http_negotiate_state = GSS_AUTHNONE;
219   conn->proxy_negotiate_state = GSS_AUTHNONE;
220 
221   Curl_auth_cleanup_spnego(&conn->negotiate);
222   Curl_auth_cleanup_spnego(&conn->proxyneg);
223 }
224 
225 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
226