2003-06-10 20:22:19 +08:00
|
|
|
/***************************************************************************
|
2004-06-24 19:54:11 +08:00
|
|
|
* _ _ ____ _
|
|
|
|
* Project ___| | | | _ \| |
|
|
|
|
* / __| | | | |_) | |
|
|
|
|
* | (__| |_| | _ <| |___
|
2003-06-10 20:22:19 +08:00
|
|
|
* \___|\___/|_| \_\_____|
|
|
|
|
*
|
2023-01-02 20:51:48 +08:00
|
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
2003-06-10 20:22:19 +08:00
|
|
|
*
|
|
|
|
* This software is licensed as described in the file COPYING, which
|
|
|
|
* you should have received as part of this distribution. The terms
|
2020-11-04 21:02:01 +08:00
|
|
|
* are also available at https://curl.se/docs/copyright.html.
|
2004-06-24 19:54:11 +08:00
|
|
|
*
|
2003-06-10 20:22:19 +08:00
|
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
|
|
*
|
|
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
|
|
* KIND, either express or implied.
|
|
|
|
*
|
|
|
|
* SPDX-License-Identifier: curl
|
2022-05-17 17:16:50 +08:00
|
|
|
*
|
2003-06-10 20:22:19 +08:00
|
|
|
***************************************************************************/
|
2011-07-26 23:23:27 +08:00
|
|
|
|
2013-01-07 02:06:49 +08:00
|
|
|
#include "curl_setup.h"
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2016-03-14 04:09:15 +08:00
|
|
|
#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2013-01-04 09:50:28 +08:00
|
|
|
#include "urldata.h"
|
|
|
|
#include "sendf.h"
|
|
|
|
#include "http_negotiate.h"
|
2015-09-12 18:48:24 +08:00
|
|
|
#include "vauth/vauth.h"
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2016-04-29 21:46:40 +08:00
|
|
|
/* The last 3 #include files should be in this order */
|
|
|
|
#include "curl_printf.h"
|
2015-03-25 06:12:03 +08:00
|
|
|
#include "curl_memory.h"
|
2013-01-04 09:50:28 +08:00
|
|
|
#include "memdebug.h"
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2021-01-21 07:38:52 +08:00
|
|
|
CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
|
|
|
|
bool proxy, const char *header)
|
2004-06-24 19:54:11 +08:00
|
|
|
{
|
2016-11-09 21:37:34 +08:00
|
|
|
CURLcode result;
|
2016-03-14 04:09:15 +08:00
|
|
|
size_t len;
|
2015-01-19 01:36:59 +08:00
|
|
|
|
2016-03-14 04:09:15 +08:00
|
|
|
/* Point to the username, password, service and host */
|
|
|
|
const char *userp;
|
|
|
|
const char *passwdp;
|
2016-03-14 02:51:46 +08:00
|
|
|
const char *service;
|
|
|
|
const char *host;
|
2015-01-19 01:36:59 +08:00
|
|
|
|
2016-03-14 02:51:46 +08:00
|
|
|
/* Point to the correct struct with this */
|
|
|
|
struct negotiatedata *neg_ctx;
|
2019-05-14 04:42:35 +08:00
|
|
|
curlnegotiate state;
|
2015-01-19 01:36:59 +08:00
|
|
|
|
2016-03-14 02:51:46 +08:00
|
|
|
if(proxy) {
|
2020-05-27 17:51:34 +08:00
|
|
|
#ifndef CURL_DISABLE_PROXY
|
2016-11-17 01:49:15 +08:00
|
|
|
userp = conn->http_proxy.user;
|
|
|
|
passwdp = conn->http_proxy.passwd;
|
2016-04-09 01:41:41 +08:00
|
|
|
service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
|
|
|
|
data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
|
2016-11-17 01:49:15 +08:00
|
|
|
host = conn->http_proxy.host.name;
|
2018-09-10 15:18:01 +08:00
|
|
|
neg_ctx = &conn->proxyneg;
|
2019-05-14 04:42:35 +08:00
|
|
|
state = conn->proxy_negotiate_state;
|
2020-05-27 17:51:34 +08:00
|
|
|
#else
|
|
|
|
return CURLE_NOT_BUILT_IN;
|
|
|
|
#endif
|
2016-03-14 02:51:46 +08:00
|
|
|
}
|
|
|
|
else {
|
2016-03-14 04:09:15 +08:00
|
|
|
userp = conn->user;
|
|
|
|
passwdp = conn->passwd;
|
2016-04-09 01:41:41 +08:00
|
|
|
service = data->set.str[STRING_SERVICE_NAME] ?
|
|
|
|
data->set.str[STRING_SERVICE_NAME] : "HTTP";
|
2016-04-02 04:48:35 +08:00
|
|
|
host = conn->host.name;
|
2018-09-10 15:18:01 +08:00
|
|
|
neg_ctx = &conn->negotiate;
|
2019-05-14 04:42:35 +08:00
|
|
|
state = conn->http_negotiate_state;
|
2015-01-19 01:36:59 +08:00
|
|
|
}
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2016-03-14 04:09:15 +08:00
|
|
|
/* Not set means empty */
|
|
|
|
if(!userp)
|
|
|
|
userp = "";
|
|
|
|
|
|
|
|
if(!passwdp)
|
|
|
|
passwdp = "";
|
|
|
|
|
2016-03-14 02:51:46 +08:00
|
|
|
/* Obtain the input token, if any */
|
2014-07-21 15:53:44 +08:00
|
|
|
header += strlen("Negotiate");
|
2022-09-06 05:21:15 +08:00
|
|
|
while(*header && ISBLANK(*header))
|
2003-06-10 20:22:19 +08:00
|
|
|
header++;
|
|
|
|
|
2016-03-14 04:09:15 +08:00
|
|
|
len = strlen(header);
|
2018-09-10 15:18:01 +08:00
|
|
|
neg_ctx->havenegdata = len != 0;
|
2016-03-14 04:09:15 +08:00
|
|
|
if(!len) {
|
2019-05-14 04:42:35 +08:00
|
|
|
if(state == GSS_AUTHSUCC) {
|
2021-07-06 23:05:17 +08:00
|
|
|
infof(data, "Negotiate auth restarted");
|
2019-05-11 19:57:42 +08:00
|
|
|
Curl_http_auth_cleanup_negotiate(conn);
|
2018-09-10 15:18:01 +08:00
|
|
|
}
|
2019-05-14 04:42:35 +08:00
|
|
|
else if(state != GSS_AUTHNONE) {
|
2018-09-10 15:18:01 +08:00
|
|
|
/* The server rejected our authentication and hasn't supplied any more
|
2016-03-14 04:09:15 +08:00
|
|
|
negotiation mechanisms */
|
2019-05-11 19:57:42 +08:00
|
|
|
Curl_http_auth_cleanup_negotiate(conn);
|
2016-03-14 04:09:15 +08:00
|
|
|
return CURLE_LOGIN_DENIED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-30 01:26:31 +08:00
|
|
|
/* Supports SSL channel binding for Windows ISS extended protection */
|
|
|
|
#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
|
|
|
|
neg_ctx->sslContext = conn->sslContext;
|
|
|
|
#endif
|
|
|
|
|
2018-03-16 10:51:03 +08:00
|
|
|
/* Initialize the security context and decode our challenge */
|
2016-11-09 21:37:34 +08:00
|
|
|
result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
|
|
|
|
host, header, neg_ctx);
|
|
|
|
|
|
|
|
if(result)
|
2019-05-14 04:42:35 +08:00
|
|
|
Curl_http_auth_cleanup_negotiate(conn);
|
2016-11-09 21:37:34 +08:00
|
|
|
|
|
|
|
return result;
|
2015-01-17 19:56:27 +08:00
|
|
|
}
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2021-01-21 07:38:52 +08:00
|
|
|
CURLcode Curl_output_negotiate(struct Curl_easy *data,
|
|
|
|
struct connectdata *conn, bool proxy)
|
2004-06-24 19:54:11 +08:00
|
|
|
{
|
2024-03-26 07:19:23 +08:00
|
|
|
struct negotiatedata *neg_ctx;
|
|
|
|
struct auth *authp;
|
|
|
|
curlnegotiate *state;
|
2016-03-14 02:51:46 +08:00
|
|
|
char *base64 = NULL;
|
2011-08-24 14:07:36 +08:00
|
|
|
size_t len = 0;
|
2010-08-17 04:19:38 +08:00
|
|
|
char *userp;
|
2014-10-27 00:34:44 +08:00
|
|
|
CURLcode result;
|
2003-09-19 20:56:22 +08:00
|
|
|
|
2024-03-26 07:19:23 +08:00
|
|
|
if(proxy) {
|
|
|
|
#ifndef CURL_DISABLE_PROXY
|
|
|
|
neg_ctx = &conn->proxyneg;
|
|
|
|
authp = &data->state.authproxy;
|
|
|
|
state = &conn->proxy_negotiate_state;
|
|
|
|
#else
|
|
|
|
return CURLE_NOT_BUILT_IN;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
neg_ctx = &conn->negotiate;
|
|
|
|
authp = &data->state.authhost;
|
|
|
|
state = &conn->http_negotiate_state;
|
|
|
|
}
|
|
|
|
|
2018-09-10 15:18:01 +08:00
|
|
|
authp->done = FALSE;
|
|
|
|
|
2019-05-14 04:42:35 +08:00
|
|
|
if(*state == GSS_AUTHRECV) {
|
2018-09-10 15:18:01 +08:00
|
|
|
if(neg_ctx->havenegdata) {
|
|
|
|
neg_ctx->havemultiplerequests = TRUE;
|
|
|
|
}
|
|
|
|
}
|
2019-05-14 04:42:35 +08:00
|
|
|
else if(*state == GSS_AUTHSUCC) {
|
2018-09-10 15:18:01 +08:00
|
|
|
if(!neg_ctx->havenoauthpersist) {
|
|
|
|
neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
|
|
|
|
}
|
|
|
|
}
|
2003-06-10 20:22:19 +08:00
|
|
|
|
2018-09-10 15:18:01 +08:00
|
|
|
if(neg_ctx->noauthpersist ||
|
2021-07-06 23:05:17 +08:00
|
|
|
(*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
|
2016-03-14 02:51:46 +08:00
|
|
|
|
2019-05-14 04:42:35 +08:00
|
|
|
if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
|
2021-01-21 07:38:52 +08:00
|
|
|
infof(data, "Curl_output_negotiate, "
|
2021-07-06 23:05:17 +08:00
|
|
|
"no persistent authentication: cleanup existing context");
|
2019-05-14 04:42:35 +08:00
|
|
|
Curl_http_auth_cleanup_negotiate(conn);
|
2018-09-10 15:18:01 +08:00
|
|
|
}
|
|
|
|
if(!neg_ctx->context) {
|
2021-01-21 07:38:52 +08:00
|
|
|
result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
|
2019-08-14 15:47:17 +08:00
|
|
|
if(result == CURLE_AUTH_ERROR) {
|
2019-05-06 20:32:00 +08:00
|
|
|
/* negotiate auth failed, let's continue unauthenticated to stay
|
|
|
|
* compatible with the behavior before curl-7_64_0-158-g6c6035532 */
|
2019-07-30 18:59:35 +08:00
|
|
|
authp->done = TRUE;
|
2019-05-06 20:32:00 +08:00
|
|
|
return CURLE_OK;
|
|
|
|
}
|
|
|
|
else if(result)
|
2018-09-10 15:18:01 +08:00
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2022-02-03 20:04:30 +08:00
|
|
|
result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
|
2018-09-10 15:18:01 +08:00
|
|
|
if(result)
|
|
|
|
return result;
|
|
|
|
|
|
|
|
userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
|
2020-06-15 17:28:17 +08:00
|
|
|
base64);
|
2018-09-10 15:18:01 +08:00
|
|
|
|
|
|
|
if(proxy) {
|
2024-04-10 16:49:12 +08:00
|
|
|
#ifndef CURL_DISABLE_PROXY
|
2020-06-15 17:28:17 +08:00
|
|
|
Curl_safefree(data->state.aptr.proxyuserpwd);
|
|
|
|
data->state.aptr.proxyuserpwd = userp;
|
2024-04-10 16:49:12 +08:00
|
|
|
#endif
|
2018-09-10 15:18:01 +08:00
|
|
|
}
|
|
|
|
else {
|
2020-06-15 17:28:17 +08:00
|
|
|
Curl_safefree(data->state.aptr.userpwd);
|
|
|
|
data->state.aptr.userpwd = userp;
|
2018-09-10 15:18:01 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
free(base64);
|
|
|
|
|
2021-04-19 16:46:11 +08:00
|
|
|
if(!userp) {
|
2018-09-10 15:18:01 +08:00
|
|
|
return CURLE_OUT_OF_MEMORY;
|
|
|
|
}
|
|
|
|
|
2019-05-14 04:42:35 +08:00
|
|
|
*state = GSS_AUTHSENT;
|
2018-09-10 15:18:01 +08:00
|
|
|
#ifdef HAVE_GSSAPI
|
|
|
|
if(neg_ctx->status == GSS_S_COMPLETE ||
|
|
|
|
neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
|
2019-05-14 04:42:35 +08:00
|
|
|
*state = GSS_AUTHDONE;
|
2018-09-10 15:18:01 +08:00
|
|
|
}
|
|
|
|
#else
|
|
|
|
#ifdef USE_WINDOWS_SSPI
|
|
|
|
if(neg_ctx->status == SEC_E_OK ||
|
|
|
|
neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
|
2019-05-14 04:42:35 +08:00
|
|
|
*state = GSS_AUTHDONE;
|
2018-09-10 15:18:01 +08:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#endif
|
2013-04-04 07:57:25 +08:00
|
|
|
}
|
2018-09-10 15:18:01 +08:00
|
|
|
|
2019-05-14 04:42:35 +08:00
|
|
|
if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
|
2018-09-10 15:18:01 +08:00
|
|
|
/* connection is already authenticated,
|
|
|
|
* don't send a header in future requests */
|
|
|
|
authp->done = TRUE;
|
2013-04-04 07:57:25 +08:00
|
|
|
}
|
|
|
|
|
2018-09-10 15:18:01 +08:00
|
|
|
neg_ctx->havenegdata = FALSE;
|
2013-04-04 07:57:25 +08:00
|
|
|
|
2018-09-10 15:18:01 +08:00
|
|
|
return CURLE_OK;
|
2003-06-10 20:22:19 +08:00
|
|
|
}
|
|
|
|
|
2019-05-11 19:57:42 +08:00
|
|
|
void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
|
2007-11-21 07:17:08 +08:00
|
|
|
{
|
2019-05-14 04:42:35 +08:00
|
|
|
conn->http_negotiate_state = GSS_AUTHNONE;
|
|
|
|
conn->proxy_negotiate_state = GSS_AUTHNONE;
|
|
|
|
|
2019-05-11 19:57:42 +08:00
|
|
|
Curl_auth_cleanup_spnego(&conn->negotiate);
|
|
|
|
Curl_auth_cleanup_spnego(&conn->proxyneg);
|
2007-11-21 07:17:08 +08:00
|
|
|
}
|
|
|
|
|
2016-03-14 04:09:15 +08:00
|
|
|
#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
|