| 1 | /***************************************************************************
|
|---|
| 2 | * _ _ ____ _
|
|---|
| 3 | * Project ___| | | | _ \| |
|
|---|
| 4 | * / __| | | | |_) | |
|
|---|
| 5 | * | (__| |_| | _ <| |___
|
|---|
| 6 | * \___|\___/|_| \_\_____|
|
|---|
| 7 | *
|
|---|
| 8 | * Copyright (C) 1998 - 2019, Daniel Stenberg, <[email protected]>, et al.
|
|---|
| 9 | *
|
|---|
| 10 | * This software is licensed as described in the file COPYING, which
|
|---|
| 11 | * you should have received as part of this distribution. The terms
|
|---|
| 12 | * are also available at https://curl.haxx.se/docs/copyright.html.
|
|---|
| 13 | *
|
|---|
| 14 | * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|---|
| 15 | * copies of the Software, and permit persons to whom the Software is
|
|---|
| 16 | * furnished to do so, under the terms of the COPYING file.
|
|---|
| 17 | *
|
|---|
| 18 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|---|
| 19 | * KIND, either express or implied.
|
|---|
| 20 | *
|
|---|
| 21 | ***************************************************************************/
|
|---|
| 22 |
|
|---|
| 23 | #include "curl_setup.h"
|
|---|
| 24 |
|
|---|
| 25 | #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
|
|---|
| 26 |
|
|---|
| 27 | #include "urldata.h"
|
|---|
| 28 | #include "sendf.h"
|
|---|
| 29 | #include "http_negotiate.h"
|
|---|
| 30 | #include "vauth/vauth.h"
|
|---|
| 31 |
|
|---|
| 32 | /* The last 3 #include files should be in this order */
|
|---|
| 33 | #include "curl_printf.h"
|
|---|
| 34 | #include "curl_memory.h"
|
|---|
| 35 | #include "memdebug.h"
|
|---|
| 36 |
|
|---|
| 37 | CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|---|
| 38 | const char *header)
|
|---|
| 39 | {
|
|---|
| 40 | CURLcode result;
|
|---|
| 41 | struct Curl_easy *data = conn->data;
|
|---|
| 42 | size_t len;
|
|---|
| 43 |
|
|---|
| 44 | /* Point to the username, password, service and host */
|
|---|
| 45 | const char *userp;
|
|---|
| 46 | const char *passwdp;
|
|---|
| 47 | const char *service;
|
|---|
| 48 | const char *host;
|
|---|
| 49 |
|
|---|
| 50 | /* Point to the correct struct with this */
|
|---|
| 51 | struct negotiatedata *neg_ctx;
|
|---|
| 52 |
|
|---|
| 53 | if(proxy) {
|
|---|
| 54 | userp = conn->http_proxy.user;
|
|---|
| 55 | passwdp = conn->http_proxy.passwd;
|
|---|
| 56 | service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
|
|---|
| 57 | data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
|
|---|
| 58 | host = conn->http_proxy.host.name;
|
|---|
| 59 | neg_ctx = &data->state.proxyneg;
|
|---|
| 60 | }
|
|---|
| 61 | else {
|
|---|
| 62 | userp = conn->user;
|
|---|
| 63 | passwdp = conn->passwd;
|
|---|
| 64 | service = data->set.str[STRING_SERVICE_NAME] ?
|
|---|
| 65 | data->set.str[STRING_SERVICE_NAME] : "HTTP";
|
|---|
| 66 | host = conn->host.name;
|
|---|
| 67 | neg_ctx = &data->state.negotiate;
|
|---|
| 68 | }
|
|---|
| 69 |
|
|---|
| 70 | /* Not set means empty */
|
|---|
| 71 | if(!userp)
|
|---|
| 72 | userp = "";
|
|---|
| 73 |
|
|---|
| 74 | if(!passwdp)
|
|---|
| 75 | passwdp = "";
|
|---|
| 76 |
|
|---|
| 77 | /* Obtain the input token, if any */
|
|---|
| 78 | header += strlen("Negotiate");
|
|---|
| 79 | while(*header && ISSPACE(*header))
|
|---|
| 80 | header++;
|
|---|
| 81 |
|
|---|
| 82 | len = strlen(header);
|
|---|
| 83 | if(!len) {
|
|---|
| 84 | /* Is this the first call in a new negotiation? */
|
|---|
| 85 | if(neg_ctx->context) {
|
|---|
| 86 | /* The server rejected our authentication and hasn't suppled any more
|
|---|
| 87 | negotiation mechanisms */
|
|---|
| 88 | return CURLE_LOGIN_DENIED;
|
|---|
| 89 | }
|
|---|
| 90 | }
|
|---|
| 91 |
|
|---|
| 92 | /* Supports SSL channel binding for Windows ISS extended protection */
|
|---|
| 93 | #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
|
|---|
| 94 | neg_ctx->sslContext = conn->sslContext;
|
|---|
| 95 | #endif
|
|---|
| 96 |
|
|---|
| 97 | /* Initialize the security context and decode our challenge */
|
|---|
| 98 | result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
|
|---|
| 99 | host, header, neg_ctx);
|
|---|
| 100 |
|
|---|
| 101 | if(result)
|
|---|
| 102 | Curl_auth_spnego_cleanup(neg_ctx);
|
|---|
| 103 |
|
|---|
| 104 | return result;
|
|---|
| 105 | }
|
|---|
| 106 |
|
|---|
| 107 | CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
|---|
| 108 | {
|
|---|
| 109 | struct negotiatedata *neg_ctx = proxy ? &conn->data->state.proxyneg :
|
|---|
| 110 | &conn->data->state.negotiate;
|
|---|
| 111 | char *base64 = NULL;
|
|---|
| 112 | size_t len = 0;
|
|---|
| 113 | char *userp;
|
|---|
| 114 | CURLcode result;
|
|---|
| 115 |
|
|---|
| 116 | result = Curl_auth_create_spnego_message(conn->data, neg_ctx, &base64, &len);
|
|---|
| 117 | if(result)
|
|---|
| 118 | return result;
|
|---|
| 119 |
|
|---|
| 120 | userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
|
|---|
| 121 | base64);
|
|---|
| 122 |
|
|---|
| 123 | if(proxy) {
|
|---|
| 124 | Curl_safefree(conn->allocptr.proxyuserpwd);
|
|---|
| 125 | conn->allocptr.proxyuserpwd = userp;
|
|---|
| 126 | }
|
|---|
| 127 | else {
|
|---|
| 128 | Curl_safefree(conn->allocptr.userpwd);
|
|---|
| 129 | conn->allocptr.userpwd = userp;
|
|---|
| 130 | }
|
|---|
| 131 |
|
|---|
| 132 | free(base64);
|
|---|
| 133 |
|
|---|
| 134 | return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
|
|---|
| 135 | }
|
|---|
| 136 |
|
|---|
| 137 | void Curl_cleanup_negotiate(struct Curl_easy *data)
|
|---|
| 138 | {
|
|---|
| 139 | Curl_auth_spnego_cleanup(&data->state.negotiate);
|
|---|
| 140 | Curl_auth_spnego_cleanup(&data->state.proxyneg);
|
|---|
| 141 | }
|
|---|
| 142 |
|
|---|
| 143 | #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
|
|---|
