VirtualBox

source: vbox/trunk/src/libs/curl-8.11.1/lib/http_negotiate.c

Last change on this file was 108048, checked in by vboxsync, 3 months ago

curl-8.11.1: Applied and adjusted our curl changes to 8.7.1. jiraref:VBP-1535
  • Property svn:eol-style set to native
File size: 7.0 KB
Line 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25#include "curl_setup.h"
26
27#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
28
29#include "urldata.h"
30#include "sendf.h"
31#include "http_negotiate.h"
32#include "vauth/vauth.h"
33#include "vtls/vtls.h"
34
35/* The last 3 #include files should be in this order */
36#include "curl_printf.h"
37#include "curl_memory.h"
38#include "memdebug.h"
39
40CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
41 bool proxy, const char *header)
42{
43 CURLcode result;
44 size_t len;
45
46 /* Point to the username, password, service and host */
47 const char *userp;
48 const char *passwdp;
49 const char *service;
50 const char *host;
51
52 /* Point to the correct struct with this */
53 struct negotiatedata *neg_ctx;
54 curlnegotiate state;
55
56 if(proxy) {
57#ifndef CURL_DISABLE_PROXY
58 userp = conn->http_proxy.user;
59 passwdp = conn->http_proxy.passwd;
60 service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
61 data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
62 host = conn->http_proxy.host.name;
63 neg_ctx = &conn->proxyneg;
64 state = conn->proxy_negotiate_state;
65#else
66 return CURLE_NOT_BUILT_IN;
67#endif
68 }
69 else {
70 userp = conn->user;
71 passwdp = conn->passwd;
72 service = data->set.str[STRING_SERVICE_NAME] ?
73 data->set.str[STRING_SERVICE_NAME] : "HTTP";
74 host = conn->host.name;
75 neg_ctx = &conn->negotiate;
76 state = conn->http_negotiate_state;
77 }
78
79 /* Not set means empty */
80 if(!userp)
81 userp = "";
82
83 if(!passwdp)
84 passwdp = "";
85
86 /* Obtain the input token, if any */
87 header += strlen("Negotiate");
88 while(*header && ISBLANK(*header))
89 header++;
90
91 len = strlen(header);
92 neg_ctx->havenegdata = len != 0;
93 if(!len) {
94 if(state == GSS_AUTHSUCC) {
95 infof(data, "Negotiate auth restarted");
96 Curl_http_auth_cleanup_negotiate(conn);
97 }
98 else if(state != GSS_AUTHNONE) {
99 /* The server rejected our authentication and has not supplied any more
100 negotiation mechanisms */
101 Curl_http_auth_cleanup_negotiate(conn);
102 return CURLE_LOGIN_DENIED;
103 }
104 }
105
106 /* Supports SSL channel binding for Windows ISS extended protection */
107#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
108 neg_ctx->sslContext = conn->sslContext;
109#endif
110 /* Check if the connection is using SSL and get the channel binding data */
111#if defined(USE_SSL) && defined(HAVE_GSSAPI)
112 if(conn->handler->flags & PROTOPT_SSL) {
113 Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
114 result = Curl_ssl_get_channel_binding(
115 data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
116 if(result) {
117 Curl_http_auth_cleanup_negotiate(conn);
118 return result;
119 }
120 }
121#endif
122
123 /* Initialize the security context and decode our challenge */
124 result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
125 host, header, neg_ctx);
126
127#if defined(USE_SSL) && defined(HAVE_GSSAPI)
128 Curl_dyn_free(&neg_ctx->channel_binding_data);
129#endif
130
131 if(result)
132 Curl_http_auth_cleanup_negotiate(conn);
133
134 return result;
135}
136
137CURLcode Curl_output_negotiate(struct Curl_easy *data,
138 struct connectdata *conn, bool proxy)
139{
140 struct negotiatedata *neg_ctx;
141 struct auth *authp;
142 curlnegotiate *state;
143 char *base64 = NULL;
144 size_t len = 0;
145 char *userp;
146 CURLcode result;
147
148 if(proxy) {
149#ifndef CURL_DISABLE_PROXY
150 neg_ctx = &conn->proxyneg;
151 authp = &data->state.authproxy;
152 state = &conn->proxy_negotiate_state;
153#else
154 return CURLE_NOT_BUILT_IN;
155#endif
156 }
157 else {
158 neg_ctx = &conn->negotiate;
159 authp = &data->state.authhost;
160 state = &conn->http_negotiate_state;
161 }
162
163 authp->done = FALSE;
164
165 if(*state == GSS_AUTHRECV) {
166 if(neg_ctx->havenegdata) {
167 neg_ctx->havemultiplerequests = TRUE;
168 }
169 }
170 else if(*state == GSS_AUTHSUCC) {
171 if(!neg_ctx->havenoauthpersist) {
172 neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
173 }
174 }
175
176 if(neg_ctx->noauthpersist ||
177 (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
178
179 if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
180 infof(data, "Curl_output_negotiate, "
181 "no persistent authentication: cleanup existing context");
182 Curl_http_auth_cleanup_negotiate(conn);
183 }
184 if(!neg_ctx->context) {
185 result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
186 if(result == CURLE_AUTH_ERROR) {
187 /* negotiate auth failed, let's continue unauthenticated to stay
188 * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
189 authp->done = TRUE;
190 return CURLE_OK;
191 }
192 else if(result)
193 return result;
194 }
195
196 result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
197 if(result)
198 return result;
199
200 userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
201 base64);
202
203 if(proxy) {
204#ifndef CURL_DISABLE_PROXY
205 Curl_safefree(data->state.aptr.proxyuserpwd);
206 data->state.aptr.proxyuserpwd = userp;
207#endif
208 }
209 else {
210 Curl_safefree(data->state.aptr.userpwd);
211 data->state.aptr.userpwd = userp;
212 }
213
214 free(base64);
215
216 if(!userp) {
217 return CURLE_OUT_OF_MEMORY;
218 }
219
220 *state = GSS_AUTHSENT;
221 #ifdef HAVE_GSSAPI
222 if(neg_ctx->status == GSS_S_COMPLETE ||
223 neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
224 *state = GSS_AUTHDONE;
225 }
226 #else
227 #ifdef USE_WINDOWS_SSPI
228 if(neg_ctx->status == SEC_E_OK ||
229 neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
230 *state = GSS_AUTHDONE;
231 }
232 #endif
233 #endif
234 }
235
236 if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
237 /* connection is already authenticated,
238 * do not send a header in future requests */
239 authp->done = TRUE;
240 }
241
242 neg_ctx->havenegdata = FALSE;
243
244 return CURLE_OK;
245}
246
247void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
248{
249 conn->http_negotiate_state = GSS_AUTHNONE;
250 conn->proxy_negotiate_state = GSS_AUTHNONE;
251
252 Curl_auth_cleanup_spnego(&conn->negotiate);
253 Curl_auth_cleanup_spnego(&conn->proxyneg);
254}
255
256#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette