1 | /***************************************************************************
|
---|
2 | * _ _ ____ _
|
---|
3 | * Project ___| | | | _ \| |
|
---|
4 | * / __| | | | |_) | |
|
---|
5 | * | (__| |_| | _ <| |___
|
---|
6 | * \___|\___/|_| \_\_____|
|
---|
7 | *
|
---|
8 | * Copyright (C) 2009, Markus Moeller, <[email protected]>
|
---|
9 | * Copyright (C) 2012 - 2018, Daniel Stenberg, <[email protected]>, et al.
|
---|
10 | *
|
---|
11 | * This software is licensed as described in the file COPYING, which
|
---|
12 | * you should have received as part of this distribution. The terms
|
---|
13 | * are also available at https://curl.haxx.se/docs/copyright.html.
|
---|
14 | *
|
---|
15 | * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
---|
16 | * copies of the Software, and permit persons to whom the Software is
|
---|
17 | * furnished to do so, under the terms of the COPYING file.
|
---|
18 | *
|
---|
19 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
---|
20 | * KIND, either express or implied.
|
---|
21 | *
|
---|
22 | ***************************************************************************/
|
---|
23 |
|
---|
24 | #include "curl_setup.h"
|
---|
25 |
|
---|
26 | #if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_PROXY)
|
---|
27 |
|
---|
28 | #include "curl_gssapi.h"
|
---|
29 | #include "urldata.h"
|
---|
30 | #include "sendf.h"
|
---|
31 | #include "connect.h"
|
---|
32 | #include "timeval.h"
|
---|
33 | #include "socks.h"
|
---|
34 | #include "warnless.h"
|
---|
35 |
|
---|
36 | /* The last 3 #include files should be in this order */
|
---|
37 | #include "curl_printf.h"
|
---|
38 | #include "curl_memory.h"
|
---|
39 | #include "memdebug.h"
|
---|
40 |
|
---|
41 | static gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
|
---|
42 |
|
---|
43 | /*
|
---|
44 | * Helper GSS-API error functions.
|
---|
45 | */
|
---|
46 | static int check_gss_err(struct Curl_easy *data,
|
---|
47 | OM_uint32 major_status,
|
---|
48 | OM_uint32 minor_status,
|
---|
49 | const char *function)
|
---|
50 | {
|
---|
51 | if(GSS_ERROR(major_status)) {
|
---|
52 | OM_uint32 maj_stat, min_stat;
|
---|
53 | OM_uint32 msg_ctx = 0;
|
---|
54 | gss_buffer_desc status_string;
|
---|
55 | char buf[1024];
|
---|
56 | size_t len;
|
---|
57 |
|
---|
58 | len = 0;
|
---|
59 | msg_ctx = 0;
|
---|
60 | while(!msg_ctx) {
|
---|
61 | /* convert major status code (GSS-API error) to text */
|
---|
62 | maj_stat = gss_display_status(&min_stat, major_status,
|
---|
63 | GSS_C_GSS_CODE,
|
---|
64 | GSS_C_NULL_OID,
|
---|
65 | &msg_ctx, &status_string);
|
---|
66 | if(maj_stat == GSS_S_COMPLETE) {
|
---|
67 | if(sizeof(buf) > len + status_string.length + 1) {
|
---|
68 | strcpy(buf + len, (char *) status_string.value);
|
---|
69 | len += status_string.length;
|
---|
70 | }
|
---|
71 | gss_release_buffer(&min_stat, &status_string);
|
---|
72 | break;
|
---|
73 | }
|
---|
74 | gss_release_buffer(&min_stat, &status_string);
|
---|
75 | }
|
---|
76 | if(sizeof(buf) > len + 3) {
|
---|
77 | strcpy(buf + len, ".\n");
|
---|
78 | len += 2;
|
---|
79 | }
|
---|
80 | msg_ctx = 0;
|
---|
81 | while(!msg_ctx) {
|
---|
82 | /* convert minor status code (underlying routine error) to text */
|
---|
83 | maj_stat = gss_display_status(&min_stat, minor_status,
|
---|
84 | GSS_C_MECH_CODE,
|
---|
85 | GSS_C_NULL_OID,
|
---|
86 | &msg_ctx, &status_string);
|
---|
87 | if(maj_stat == GSS_S_COMPLETE) {
|
---|
88 | if(sizeof(buf) > len + status_string.length)
|
---|
89 | strcpy(buf + len, (char *) status_string.value);
|
---|
90 | gss_release_buffer(&min_stat, &status_string);
|
---|
91 | break;
|
---|
92 | }
|
---|
93 | gss_release_buffer(&min_stat, &status_string);
|
---|
94 | }
|
---|
95 | failf(data, "GSS-API error: %s failed:\n%s", function, buf);
|
---|
96 | return 1;
|
---|
97 | }
|
---|
98 |
|
---|
99 | return 0;
|
---|
100 | }
|
---|
101 |
|
---|
102 | CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
|
---|
103 | struct connectdata *conn)
|
---|
104 | {
|
---|
105 | struct Curl_easy *data = conn->data;
|
---|
106 | curl_socket_t sock = conn->sock[sockindex];
|
---|
107 | CURLcode code;
|
---|
108 | ssize_t actualread;
|
---|
109 | ssize_t written;
|
---|
110 | int result;
|
---|
111 | OM_uint32 gss_major_status, gss_minor_status, gss_status;
|
---|
112 | OM_uint32 gss_ret_flags;
|
---|
113 | int gss_conf_state, gss_enc;
|
---|
114 | gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
|
---|
115 | gss_buffer_desc gss_send_token = GSS_C_EMPTY_BUFFER;
|
---|
116 | gss_buffer_desc gss_recv_token = GSS_C_EMPTY_BUFFER;
|
---|
117 | gss_buffer_desc gss_w_token = GSS_C_EMPTY_BUFFER;
|
---|
118 | gss_buffer_desc* gss_token = GSS_C_NO_BUFFER;
|
---|
119 | gss_name_t server = GSS_C_NO_NAME;
|
---|
120 | gss_name_t gss_client_name = GSS_C_NO_NAME;
|
---|
121 | unsigned short us_length;
|
---|
122 | char *user = NULL;
|
---|
123 | unsigned char socksreq[4]; /* room for GSS-API exchange header only */
|
---|
124 | const char *serviceptr = data->set.str[STRING_PROXY_SERVICE_NAME] ?
|
---|
125 | data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
|
---|
126 | const size_t serviceptr_length = strlen(serviceptr);
|
---|
127 |
|
---|
128 | /* GSS-API request looks like
|
---|
129 | * +----+------+-----+----------------+
|
---|
130 | * |VER | MTYP | LEN | TOKEN |
|
---|
131 | * +----+------+----------------------+
|
---|
132 | * | 1 | 1 | 2 | up to 2^16 - 1 |
|
---|
133 | * +----+------+-----+----------------+
|
---|
134 | */
|
---|
135 |
|
---|
136 | /* prepare service name */
|
---|
137 | if(strchr(serviceptr, '/')) {
|
---|
138 | service.length = serviceptr_length;
|
---|
139 | service.value = malloc(service.length);
|
---|
140 | if(!service.value)
|
---|
141 | return CURLE_OUT_OF_MEMORY;
|
---|
142 | memcpy(service.value, serviceptr, service.length);
|
---|
143 |
|
---|
144 | gss_major_status = gss_import_name(&gss_minor_status, &service,
|
---|
145 | (gss_OID) GSS_C_NULL_OID, &server);
|
---|
146 | }
|
---|
147 | else {
|
---|
148 | service.value = malloc(serviceptr_length +
|
---|
149 | strlen(conn->socks_proxy.host.name) + 2);
|
---|
150 | if(!service.value)
|
---|
151 | return CURLE_OUT_OF_MEMORY;
|
---|
152 | service.length = serviceptr_length +
|
---|
153 | strlen(conn->socks_proxy.host.name) + 1;
|
---|
154 | msnprintf(service.value, service.length + 1, "%s@%s",
|
---|
155 | serviceptr, conn->socks_proxy.host.name);
|
---|
156 |
|
---|
157 | gss_major_status = gss_import_name(&gss_minor_status, &service,
|
---|
158 | GSS_C_NT_HOSTBASED_SERVICE, &server);
|
---|
159 | }
|
---|
160 |
|
---|
161 | gss_release_buffer(&gss_status, &service); /* clear allocated memory */
|
---|
162 |
|
---|
163 | if(check_gss_err(data, gss_major_status,
|
---|
164 | gss_minor_status, "gss_import_name()")) {
|
---|
165 | failf(data, "Failed to create service name.");
|
---|
166 | gss_release_name(&gss_status, &server);
|
---|
167 | return CURLE_COULDNT_CONNECT;
|
---|
168 | }
|
---|
169 |
|
---|
170 | /* As long as we need to keep sending some context info, and there's no */
|
---|
171 | /* errors, keep sending it... */
|
---|
172 | for(;;) {
|
---|
173 | gss_major_status = Curl_gss_init_sec_context(data,
|
---|
174 | &gss_minor_status,
|
---|
175 | &gss_context,
|
---|
176 | server,
|
---|
177 | &Curl_krb5_mech_oid,
|
---|
178 | NULL,
|
---|
179 | gss_token,
|
---|
180 | &gss_send_token,
|
---|
181 | TRUE,
|
---|
182 | &gss_ret_flags);
|
---|
183 |
|
---|
184 | if(gss_token != GSS_C_NO_BUFFER)
|
---|
185 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
186 | if(check_gss_err(data, gss_major_status,
|
---|
187 | gss_minor_status, "gss_init_sec_context")) {
|
---|
188 | gss_release_name(&gss_status, &server);
|
---|
189 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
190 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
191 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
192 | failf(data, "Failed to initial GSS-API token.");
|
---|
193 | return CURLE_COULDNT_CONNECT;
|
---|
194 | }
|
---|
195 |
|
---|
196 | if(gss_send_token.length != 0) {
|
---|
197 | socksreq[0] = 1; /* GSS-API subnegotiation version */
|
---|
198 | socksreq[1] = 1; /* authentication message type */
|
---|
199 | us_length = htons((short)gss_send_token.length);
|
---|
200 | memcpy(socksreq + 2, &us_length, sizeof(short));
|
---|
201 |
|
---|
202 | code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
|
---|
203 | if(code || (4 != written)) {
|
---|
204 | failf(data, "Failed to send GSS-API authentication request.");
|
---|
205 | gss_release_name(&gss_status, &server);
|
---|
206 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
207 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
208 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
209 | return CURLE_COULDNT_CONNECT;
|
---|
210 | }
|
---|
211 |
|
---|
212 | code = Curl_write_plain(conn, sock, (char *)gss_send_token.value,
|
---|
213 | gss_send_token.length, &written);
|
---|
214 |
|
---|
215 | if(code || ((ssize_t)gss_send_token.length != written)) {
|
---|
216 | failf(data, "Failed to send GSS-API authentication token.");
|
---|
217 | gss_release_name(&gss_status, &server);
|
---|
218 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
219 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
220 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
221 | return CURLE_COULDNT_CONNECT;
|
---|
222 | }
|
---|
223 |
|
---|
224 | }
|
---|
225 |
|
---|
226 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
227 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
228 | if(gss_major_status != GSS_S_CONTINUE_NEEDED) break;
|
---|
229 |
|
---|
230 | /* analyse response */
|
---|
231 |
|
---|
232 | /* GSS-API response looks like
|
---|
233 | * +----+------+-----+----------------+
|
---|
234 | * |VER | MTYP | LEN | TOKEN |
|
---|
235 | * +----+------+----------------------+
|
---|
236 | * | 1 | 1 | 2 | up to 2^16 - 1 |
|
---|
237 | * +----+------+-----+----------------+
|
---|
238 | */
|
---|
239 |
|
---|
240 | result = Curl_blockread_all(conn, sock, (char *)socksreq, 4, &actualread);
|
---|
241 | if(result || (actualread != 4)) {
|
---|
242 | failf(data, "Failed to receive GSS-API authentication response.");
|
---|
243 | gss_release_name(&gss_status, &server);
|
---|
244 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
245 | return CURLE_COULDNT_CONNECT;
|
---|
246 | }
|
---|
247 |
|
---|
248 | /* ignore the first (VER) byte */
|
---|
249 | if(socksreq[1] == 255) { /* status / message type */
|
---|
250 | failf(data, "User was rejected by the SOCKS5 server (%d %d).",
|
---|
251 | socksreq[0], socksreq[1]);
|
---|
252 | gss_release_name(&gss_status, &server);
|
---|
253 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
254 | return CURLE_COULDNT_CONNECT;
|
---|
255 | }
|
---|
256 |
|
---|
257 | if(socksreq[1] != 1) { /* status / messgae type */
|
---|
258 | failf(data, "Invalid GSS-API authentication response type (%d %d).",
|
---|
259 | socksreq[0], socksreq[1]);
|
---|
260 | gss_release_name(&gss_status, &server);
|
---|
261 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
262 | return CURLE_COULDNT_CONNECT;
|
---|
263 | }
|
---|
264 |
|
---|
265 | memcpy(&us_length, socksreq + 2, sizeof(short));
|
---|
266 | us_length = ntohs(us_length);
|
---|
267 |
|
---|
268 | gss_recv_token.length = us_length;
|
---|
269 | gss_recv_token.value = malloc(us_length);
|
---|
270 | if(!gss_recv_token.value) {
|
---|
271 | failf(data,
|
---|
272 | "Could not allocate memory for GSS-API authentication "
|
---|
273 | "response token.");
|
---|
274 | gss_release_name(&gss_status, &server);
|
---|
275 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
276 | return CURLE_OUT_OF_MEMORY;
|
---|
277 | }
|
---|
278 |
|
---|
279 | result = Curl_blockread_all(conn, sock, (char *)gss_recv_token.value,
|
---|
280 | gss_recv_token.length, &actualread);
|
---|
281 |
|
---|
282 | if(result || (actualread != us_length)) {
|
---|
283 | failf(data, "Failed to receive GSS-API authentication token.");
|
---|
284 | gss_release_name(&gss_status, &server);
|
---|
285 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
286 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
287 | return CURLE_COULDNT_CONNECT;
|
---|
288 | }
|
---|
289 |
|
---|
290 | gss_token = &gss_recv_token;
|
---|
291 | }
|
---|
292 |
|
---|
293 | gss_release_name(&gss_status, &server);
|
---|
294 |
|
---|
295 | /* Everything is good so far, user was authenticated! */
|
---|
296 | gss_major_status = gss_inquire_context(&gss_minor_status, gss_context,
|
---|
297 | &gss_client_name, NULL, NULL, NULL,
|
---|
298 | NULL, NULL, NULL);
|
---|
299 | if(check_gss_err(data, gss_major_status,
|
---|
300 | gss_minor_status, "gss_inquire_context")) {
|
---|
301 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
302 | gss_release_name(&gss_status, &gss_client_name);
|
---|
303 | failf(data, "Failed to determine user name.");
|
---|
304 | return CURLE_COULDNT_CONNECT;
|
---|
305 | }
|
---|
306 | gss_major_status = gss_display_name(&gss_minor_status, gss_client_name,
|
---|
307 | &gss_send_token, NULL);
|
---|
308 | if(check_gss_err(data, gss_major_status,
|
---|
309 | gss_minor_status, "gss_display_name")) {
|
---|
310 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
311 | gss_release_name(&gss_status, &gss_client_name);
|
---|
312 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
313 | failf(data, "Failed to determine user name.");
|
---|
314 | return CURLE_COULDNT_CONNECT;
|
---|
315 | }
|
---|
316 | user = malloc(gss_send_token.length + 1);
|
---|
317 | if(!user) {
|
---|
318 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
319 | gss_release_name(&gss_status, &gss_client_name);
|
---|
320 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
321 | return CURLE_OUT_OF_MEMORY;
|
---|
322 | }
|
---|
323 |
|
---|
324 | memcpy(user, gss_send_token.value, gss_send_token.length);
|
---|
325 | user[gss_send_token.length] = '\0';
|
---|
326 | gss_release_name(&gss_status, &gss_client_name);
|
---|
327 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
328 | infof(data, "SOCKS5 server authencticated user %s with GSS-API.\n",user);
|
---|
329 | free(user);
|
---|
330 | user = NULL;
|
---|
331 |
|
---|
332 | /* Do encryption */
|
---|
333 | socksreq[0] = 1; /* GSS-API subnegotiation version */
|
---|
334 | socksreq[1] = 2; /* encryption message type */
|
---|
335 |
|
---|
336 | gss_enc = 0; /* no data protection */
|
---|
337 | /* do confidentiality protection if supported */
|
---|
338 | if(gss_ret_flags & GSS_C_CONF_FLAG)
|
---|
339 | gss_enc = 2;
|
---|
340 | /* else do integrity protection */
|
---|
341 | else if(gss_ret_flags & GSS_C_INTEG_FLAG)
|
---|
342 | gss_enc = 1;
|
---|
343 |
|
---|
344 | infof(data, "SOCKS5 server supports GSS-API %s data protection.\n",
|
---|
345 | (gss_enc == 0)?"no":((gss_enc==1)?"integrity":"confidentiality"));
|
---|
346 | /* force for the moment to no data protection */
|
---|
347 | gss_enc = 0;
|
---|
348 | /*
|
---|
349 | * Sending the encryption type in clear seems wrong. It should be
|
---|
350 | * protected with gss_seal()/gss_wrap(). See RFC1961 extract below
|
---|
351 | * The NEC reference implementations on which this is based is
|
---|
352 | * therefore at fault
|
---|
353 | *
|
---|
354 | * +------+------+------+.......................+
|
---|
355 | * + ver | mtyp | len | token |
|
---|
356 | * +------+------+------+.......................+
|
---|
357 | * + 0x01 | 0x02 | 0x02 | up to 2^16 - 1 octets |
|
---|
358 | * +------+------+------+.......................+
|
---|
359 | *
|
---|
360 | * Where:
|
---|
361 | *
|
---|
362 | * - "ver" is the protocol version number, here 1 to represent the
|
---|
363 | * first version of the SOCKS/GSS-API protocol
|
---|
364 | *
|
---|
365 | * - "mtyp" is the message type, here 2 to represent a protection
|
---|
366 | * -level negotiation message
|
---|
367 | *
|
---|
368 | * - "len" is the length of the "token" field in octets
|
---|
369 | *
|
---|
370 | * - "token" is the GSS-API encapsulated protection level
|
---|
371 | *
|
---|
372 | * The token is produced by encapsulating an octet containing the
|
---|
373 | * required protection level using gss_seal()/gss_wrap() with conf_req
|
---|
374 | * set to FALSE. The token is verified using gss_unseal()/
|
---|
375 | * gss_unwrap().
|
---|
376 | *
|
---|
377 | */
|
---|
378 | if(data->set.socks5_gssapi_nec) {
|
---|
379 | us_length = htons((short)1);
|
---|
380 | memcpy(socksreq + 2, &us_length, sizeof(short));
|
---|
381 | }
|
---|
382 | else {
|
---|
383 | gss_send_token.length = 1;
|
---|
384 | gss_send_token.value = malloc(1);
|
---|
385 | if(!gss_send_token.value) {
|
---|
386 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
387 | return CURLE_OUT_OF_MEMORY;
|
---|
388 | }
|
---|
389 | memcpy(gss_send_token.value, &gss_enc, 1);
|
---|
390 |
|
---|
391 | gss_major_status = gss_wrap(&gss_minor_status, gss_context, 0,
|
---|
392 | GSS_C_QOP_DEFAULT, &gss_send_token,
|
---|
393 | &gss_conf_state, &gss_w_token);
|
---|
394 |
|
---|
395 | if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) {
|
---|
396 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
397 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
398 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
399 | failf(data, "Failed to wrap GSS-API encryption value into token.");
|
---|
400 | return CURLE_COULDNT_CONNECT;
|
---|
401 | }
|
---|
402 | gss_release_buffer(&gss_status, &gss_send_token);
|
---|
403 |
|
---|
404 | us_length = htons((short)gss_w_token.length);
|
---|
405 | memcpy(socksreq + 2, &us_length, sizeof(short));
|
---|
406 | }
|
---|
407 |
|
---|
408 | code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
|
---|
409 | if(code || (4 != written)) {
|
---|
410 | failf(data, "Failed to send GSS-API encryption request.");
|
---|
411 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
412 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
413 | return CURLE_COULDNT_CONNECT;
|
---|
414 | }
|
---|
415 |
|
---|
416 | if(data->set.socks5_gssapi_nec) {
|
---|
417 | memcpy(socksreq, &gss_enc, 1);
|
---|
418 | code = Curl_write_plain(conn, sock, socksreq, 1, &written);
|
---|
419 | if(code || ( 1 != written)) {
|
---|
420 | failf(data, "Failed to send GSS-API encryption type.");
|
---|
421 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
422 | return CURLE_COULDNT_CONNECT;
|
---|
423 | }
|
---|
424 | }
|
---|
425 | else {
|
---|
426 | code = Curl_write_plain(conn, sock, (char *)gss_w_token.value,
|
---|
427 | gss_w_token.length, &written);
|
---|
428 | if(code || ((ssize_t)gss_w_token.length != written)) {
|
---|
429 | failf(data, "Failed to send GSS-API encryption type.");
|
---|
430 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
431 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
432 | return CURLE_COULDNT_CONNECT;
|
---|
433 | }
|
---|
434 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
435 | }
|
---|
436 |
|
---|
437 | result = Curl_blockread_all(conn, sock, (char *)socksreq, 4, &actualread);
|
---|
438 | if(result || (actualread != 4)) {
|
---|
439 | failf(data, "Failed to receive GSS-API encryption response.");
|
---|
440 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
441 | return CURLE_COULDNT_CONNECT;
|
---|
442 | }
|
---|
443 |
|
---|
444 | /* ignore the first (VER) byte */
|
---|
445 | if(socksreq[1] == 255) { /* status / message type */
|
---|
446 | failf(data, "User was rejected by the SOCKS5 server (%d %d).",
|
---|
447 | socksreq[0], socksreq[1]);
|
---|
448 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
449 | return CURLE_COULDNT_CONNECT;
|
---|
450 | }
|
---|
451 |
|
---|
452 | if(socksreq[1] != 2) { /* status / messgae type */
|
---|
453 | failf(data, "Invalid GSS-API encryption response type (%d %d).",
|
---|
454 | socksreq[0], socksreq[1]);
|
---|
455 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
456 | return CURLE_COULDNT_CONNECT;
|
---|
457 | }
|
---|
458 |
|
---|
459 | memcpy(&us_length, socksreq + 2, sizeof(short));
|
---|
460 | us_length = ntohs(us_length);
|
---|
461 |
|
---|
462 | gss_recv_token.length = us_length;
|
---|
463 | gss_recv_token.value = malloc(gss_recv_token.length);
|
---|
464 | if(!gss_recv_token.value) {
|
---|
465 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
466 | return CURLE_OUT_OF_MEMORY;
|
---|
467 | }
|
---|
468 | result = Curl_blockread_all(conn, sock, (char *)gss_recv_token.value,
|
---|
469 | gss_recv_token.length, &actualread);
|
---|
470 |
|
---|
471 | if(result || (actualread != us_length)) {
|
---|
472 | failf(data, "Failed to receive GSS-API encryptrion type.");
|
---|
473 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
474 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
475 | return CURLE_COULDNT_CONNECT;
|
---|
476 | }
|
---|
477 |
|
---|
478 | if(!data->set.socks5_gssapi_nec) {
|
---|
479 | gss_major_status = gss_unwrap(&gss_minor_status, gss_context,
|
---|
480 | &gss_recv_token, &gss_w_token,
|
---|
481 | 0, GSS_C_QOP_DEFAULT);
|
---|
482 |
|
---|
483 | if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) {
|
---|
484 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
485 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
486 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
487 | failf(data, "Failed to unwrap GSS-API encryption value into token.");
|
---|
488 | return CURLE_COULDNT_CONNECT;
|
---|
489 | }
|
---|
490 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
491 |
|
---|
492 | if(gss_w_token.length != 1) {
|
---|
493 | failf(data, "Invalid GSS-API encryption response length (%d).",
|
---|
494 | gss_w_token.length);
|
---|
495 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
496 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
497 | return CURLE_COULDNT_CONNECT;
|
---|
498 | }
|
---|
499 |
|
---|
500 | memcpy(socksreq, gss_w_token.value, gss_w_token.length);
|
---|
501 | gss_release_buffer(&gss_status, &gss_w_token);
|
---|
502 | }
|
---|
503 | else {
|
---|
504 | if(gss_recv_token.length != 1) {
|
---|
505 | failf(data, "Invalid GSS-API encryption response length (%d).",
|
---|
506 | gss_recv_token.length);
|
---|
507 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
508 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
509 | return CURLE_COULDNT_CONNECT;
|
---|
510 | }
|
---|
511 |
|
---|
512 | memcpy(socksreq, gss_recv_token.value, gss_recv_token.length);
|
---|
513 | gss_release_buffer(&gss_status, &gss_recv_token);
|
---|
514 | }
|
---|
515 |
|
---|
516 | infof(data, "SOCKS5 access with%s protection granted.\n",
|
---|
517 | (socksreq[0] == 0)?"out GSS-API data":
|
---|
518 | ((socksreq[0] == 1)?" GSS-API integrity":" GSS-API confidentiality"));
|
---|
519 |
|
---|
520 | conn->socks5_gssapi_enctype = socksreq[0];
|
---|
521 | if(socksreq[0] == 0)
|
---|
522 | gss_delete_sec_context(&gss_status, &gss_context, NULL);
|
---|
523 |
|
---|
524 | return CURLE_OK;
|
---|
525 | }
|
---|
526 |
|
---|
527 | #endif /* HAVE_GSSAPI && !CURL_DISABLE_PROXY */
|
---|