spnego_gssapi.c@ 98341

最後變更在這個檔案從98341是 95312,由 vboxsync 提交於 3 年前
libs/{curl,libxml2}: OSE export fixes, bugref:8515
屬性 svn:eol-style 設為 `native`
檔案大小: 8.2 KB

行
1	/***************************************************************************
2	* _ _ ____ _
3	* Project ___\| \| \| \| _ \\| \|
4	* / __\| \| \| \| \|_) \| \|
5	* \| (__\| \|_\| \| _ <\| \|___
6	* \___\|\___/\|_\| \_\_____\|
7	*
8	* Copyright (C) 1998 - 2022, Daniel Stenberg, <[email protected]>, et al.
9	*
10	* This software is licensed as described in the file COPYING, which
11	* you should have received as part of this distribution. The terms
12	* are also available at https://curl.se/docs/copyright.html.
13	*
14	* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15	* copies of the Software, and permit persons to whom the Software is
16	* furnished to do so, under the terms of the COPYING file.
17	*
18	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19	* KIND, either express or implied.
20	*
21	* RFC4178 Simple and Protected GSS-API Negotiation Mechanism
22	*
23	***************************************************************************/
24
25	#include "curl_setup.h"
26
27	#if defined(HAVE_GSSAPI) && defined(USE_SPNEGO)
28
29	#include <curl/curl.h>
30
31	#include "vauth/vauth.h"
32	#include "urldata.h"
33	#include "curl_base64.h"
34	#include "curl_gssapi.h"
35	#include "warnless.h"
36	#include "curl_multibyte.h"
37	#include "sendf.h"
38
39	/* The last #include files should be: */
40	#include "curl_memory.h"
41	#include "memdebug.h"
42
43	/*
44	* Curl_auth_is_spnego_supported()
45	*
46	* This is used to evaluate if SPNEGO (Negotiate) is supported.
47	*
48	* Parameters: None
49	*
50	* Returns TRUE if Negotiate supported by the GSS-API library.
51	*/
52	bool Curl_auth_is_spnego_supported(void)
53	{
54	return TRUE;
55	}
56
57	/*
58	* Curl_auth_decode_spnego_message()
59	*
60	* This is used to decode an already encoded SPNEGO (Negotiate) challenge
61	* message.
62	*
63	* Parameters:
64	*
65	* data [in] - The session handle.
66	* userp [in] - The user name in the format User or Domain\User.
67	* passwdp [in] - The user's password.
68	* service [in] - The service type such as http, smtp, pop or imap.
69	* host [in] - The host name.
70	* chlg64 [in] - The optional base64 encoded challenge message.
71	* nego [in/out] - The Negotiate data struct being used and modified.
72	*
73	* Returns CURLE_OK on success.
74	*/
75	CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
76	const char *user,
77	const char *password,
78	const char *service,
79	const char *host,
80	const char *chlg64,
81	struct negotiatedata *nego)
82	{
83	CURLcode result = CURLE_OK;
84	size_t chlglen = 0;
85	unsigned char *chlg = NULL;
86	OM_uint32 major_status;
87	OM_uint32 minor_status;
88	OM_uint32 unused_status;
89	gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER;
90	gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
91	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
92
93	(void) user;
94	(void) password;
95
96	if(nego->context && nego->status == GSS_S_COMPLETE) {
97	/* We finished successfully our part of authentication, but server
98	* rejected it (since we're again here). Exit with an error since we
99	* can't invent anything better */
100	Curl_auth_cleanup_spnego(nego);
101	return CURLE_LOGIN_DENIED;
102	}
103
104	if(!nego->spn) {
105	/* Generate our SPN */
106	char *spn = Curl_auth_build_spn(service, NULL, host);
107	if(!spn)
108	return CURLE_OUT_OF_MEMORY;
109
110	/* Populate the SPN structure */
111	spn_token.value = spn;
112	spn_token.length = strlen(spn);
113
114	/* Import the SPN */
115	major_status = gss_import_name(&minor_status, &spn_token,
116	GSS_C_NT_HOSTBASED_SERVICE,
117	&nego->spn);
118	if(GSS_ERROR(major_status)) {
119	Curl_gss_log_error(data, "gss_import_name() failed: ",
120	major_status, minor_status);
121
122	free(spn);
123
124	return CURLE_AUTH_ERROR;
125	}
126
127	free(spn);
128	}
129
130	if(chlg64 && *chlg64) {
131	/* Decode the base-64 encoded challenge message */
132	if(*chlg64 != '=') {
133	result = Curl_base64_decode(chlg64, &chlg, &chlglen);
134	if(result)
135	return result;
136	}
137
138	/* Ensure we have a valid challenge message */
139	if(!chlg) {
140	infof(data, "SPNEGO handshake failure (empty challenge message)");
141	return CURLE_BAD_CONTENT_ENCODING;
142	}
143
144	/* Setup the challenge "input" security buffer */
145	input_token.value = chlg;
146	input_token.length = chlglen;
147	}
148
149	/* Generate our challenge-response message */
150	major_status = Curl_gss_init_sec_context(data,
151	&minor_status,
152	&nego->context,
153	nego->spn,
154	&Curl_spnego_mech_oid,
155	GSS_C_NO_CHANNEL_BINDINGS,
156	&input_token,
157	&output_token,
158	TRUE,
159	NULL);
160
161	/* Free the decoded challenge as it is not required anymore */
162	Curl_safefree(input_token.value);
163
164	nego->status = major_status;
165	if(GSS_ERROR(major_status)) {
166	if(output_token.value)
167	gss_release_buffer(&unused_status, &output_token);
168
169	Curl_gss_log_error(data, "gss_init_sec_context() failed: ",
170	major_status, minor_status);
171
172	return CURLE_AUTH_ERROR;
173	}
174
175	if(!output_token.value \|\| !output_token.length) {
176	if(output_token.value)
177	gss_release_buffer(&unused_status, &output_token);
178
179	return CURLE_AUTH_ERROR;
180	}
181
182	/* Free previous token */
183	if(nego->output_token.length && nego->output_token.value)
184	gss_release_buffer(&unused_status, &nego->output_token);
185
186	nego->output_token = output_token;
187
188	return CURLE_OK;
189	}
190
191	/*
192	* Curl_auth_create_spnego_message()
193	*
194	* This is used to generate an already encoded SPNEGO (Negotiate) response
195	* message ready for sending to the recipient.
196	*
197	* Parameters:
198	*
199	* data [in] - The session handle.
200	* nego [in/out] - The Negotiate data struct being used and modified.
201	* outptr [in/out] - The address where a pointer to newly allocated memory
202	* holding the result will be stored upon completion.
203	* outlen [out] - The length of the output message.
204	*
205	* Returns CURLE_OK on success.
206	*/
207	CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego,
208	char *outptr, size_t outlen)
209	{
210	CURLcode result;
211	OM_uint32 minor_status;
212
213	/* Base64 encode the already generated response */
214	result = Curl_base64_encode(nego->output_token.value,
215	nego->output_token.length,
216	outptr, outlen);
217
218	if(result) {
219	gss_release_buffer(&minor_status, &nego->output_token);
220	nego->output_token.value = NULL;
221	nego->output_token.length = 0;
222
223	return result;
224	}
225
226	if(!outptr \|\| !outlen) {
227	gss_release_buffer(&minor_status, &nego->output_token);
228	nego->output_token.value = NULL;
229	nego->output_token.length = 0;
230
231	return CURLE_REMOTE_ACCESS_DENIED;
232	}
233
234	return CURLE_OK;
235	}
236
237	/*
238	* Curl_auth_cleanup_spnego()
239	*
240	* This is used to clean up the SPNEGO (Negotiate) specific data.
241	*
242	* Parameters:
243	*
244	* nego [in/out] - The Negotiate data struct being cleaned up.
245	*
246	*/
247	void Curl_auth_cleanup_spnego(struct negotiatedata *nego)
248	{
249	OM_uint32 minor_status;
250
251	/* Free our security context */
252	if(nego->context != GSS_C_NO_CONTEXT) {
253	gss_delete_sec_context(&minor_status, &nego->context, GSS_C_NO_BUFFER);
254	nego->context = GSS_C_NO_CONTEXT;
255	}
256
257	/* Free the output token */
258	if(nego->output_token.value) {
259	gss_release_buffer(&minor_status, &nego->output_token);
260	nego->output_token.value = NULL;
261	nego->output_token.length = 0;
262
263	}
264
265	/* Free the SPN */
266	if(nego->spn != GSS_C_NO_NAME) {
267	gss_release_name(&minor_status, &nego->spn);
268	nego->spn = GSS_C_NO_NAME;
269	}
270
271	/* Reset any variables */
272	nego->status = 0;
273	nego->noauthpersist = FALSE;
274	nego->havenoauthpersist = FALSE;
275	nego->havenegdata = FALSE;
276	nego->havemultiplerequests = FALSE;
277	}
278
279	#endif /* HAVE_GSSAPI && USE_SPNEGO */

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/curl-7.83.1/lib/vauth/spnego_gssapi.c@ 98341

以其他格式下載: