krb5_sspi.c (15347B)
1 /*************************************************************************** 2 * _ _ ____ _ 3 * Project ___| | | | _ \| | 4 * / __| | | | |_) | | 5 * | (__| |_| | _ <| |___ 6 * \___|\___/|_| \_\_____| 7 * 8 * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. 9 * 10 * This software is licensed as described in the file COPYING, which 11 * you should have received as part of this distribution. The terms 12 * are also available at https://curl.se/docs/copyright.html. 13 * 14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 15 * copies of the Software, and permit persons to whom the Software is 16 * furnished to do so, under the terms of the COPYING file. 17 * 18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 19 * KIND, either express or implied. 20 * 21 * SPDX-License-Identifier: curl 22 * 23 * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism 24 * 25 ***************************************************************************/ 26 27 #include "../curl_setup.h" 28 29 #if defined(USE_WINDOWS_SSPI) && defined(USE_KERBEROS5) 30 31 #include <curl/curl.h> 32 33 #include "vauth.h" 34 #include "../urldata.h" 35 #include "../curlx/warnless.h" 36 #include "../curlx/multibyte.h" 37 #include "../sendf.h" 38 39 /* The last #include files should be: */ 40 #include "../curl_memory.h" 41 #include "../memdebug.h" 42 43 /* 44 * Curl_auth_is_gssapi_supported() 45 * 46 * This is used to evaluate if GSSAPI (Kerberos V5) is supported. 47 * 48 * Parameters: None 49 * 50 * Returns TRUE if Kerberos V5 is supported by Windows SSPI. 51 */ 52 bool Curl_auth_is_gssapi_supported(void) 53 { 54 PSecPkgInfo SecurityPackage; 55 SECURITY_STATUS status; 56 57 /* Query the security package for Kerberos */ 58 status = Curl_pSecFn->QuerySecurityPackageInfo( 59 (TCHAR *)CURL_UNCONST(TEXT(SP_NAME_KERBEROS)), 60 &SecurityPackage); 61 62 /* Release the package buffer as it is not required anymore */ 63 if(status == SEC_E_OK) { 64 Curl_pSecFn->FreeContextBuffer(SecurityPackage); 65 } 66 67 return status == SEC_E_OK; 68 } 69 70 /* 71 * Curl_auth_create_gssapi_user_message() 72 * 73 * This is used to generate an already encoded GSSAPI (Kerberos V5) user token 74 * message ready for sending to the recipient. 75 * 76 * Parameters: 77 * 78 * data [in] - The session handle. 79 * userp [in] - The username in the format User or Domain\User. 80 * passwdp [in] - The user's password. 81 * service [in] - The service type such as http, smtp, pop or imap. 82 * host [in] - The hostname. 83 * mutual_auth [in] - Flag specifying whether or not mutual authentication 84 * is enabled. 85 * chlg [in] - Optional challenge message. 86 * krb5 [in/out] - The Kerberos 5 data struct being used and modified. 87 * out [out] - The result storage. 88 * 89 * Returns CURLE_OK on success. 90 */ 91 CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, 92 const char *userp, 93 const char *passwdp, 94 const char *service, 95 const char *host, 96 const bool mutual_auth, 97 const struct bufref *chlg, 98 struct kerberos5data *krb5, 99 struct bufref *out) 100 { 101 CURLcode result = CURLE_OK; 102 CtxtHandle context; 103 PSecPkgInfo SecurityPackage; 104 SecBuffer chlg_buf; 105 SecBuffer resp_buf; 106 SecBufferDesc chlg_desc; 107 SecBufferDesc resp_desc; 108 SECURITY_STATUS status; 109 unsigned long attrs; 110 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */ 111 112 if(!krb5->spn) { 113 /* Generate our SPN */ 114 krb5->spn = Curl_auth_build_spn(service, host, NULL); 115 if(!krb5->spn) 116 return CURLE_OUT_OF_MEMORY; 117 } 118 119 if(!krb5->output_token) { 120 /* Query the security package for Kerberos */ 121 status = Curl_pSecFn->QuerySecurityPackageInfo( 122 (TCHAR *)CURL_UNCONST(TEXT(SP_NAME_KERBEROS)), 123 &SecurityPackage); 124 if(status != SEC_E_OK) { 125 failf(data, "SSPI: could not get auth info"); 126 return CURLE_AUTH_ERROR; 127 } 128 129 krb5->token_max = SecurityPackage->cbMaxToken; 130 131 /* Release the package buffer as it is not required anymore */ 132 Curl_pSecFn->FreeContextBuffer(SecurityPackage); 133 134 /* Allocate our response buffer */ 135 krb5->output_token = malloc(krb5->token_max); 136 if(!krb5->output_token) 137 return CURLE_OUT_OF_MEMORY; 138 } 139 140 if(!krb5->credentials) { 141 /* Do we have credentials to use or are we using single sign-on? */ 142 if(userp && *userp) { 143 /* Populate our identity structure */ 144 result = Curl_create_sspi_identity(userp, passwdp, &krb5->identity); 145 if(result) 146 return result; 147 148 /* Allow proper cleanup of the identity structure */ 149 krb5->p_identity = &krb5->identity; 150 } 151 else 152 /* Use the current Windows user */ 153 krb5->p_identity = NULL; 154 155 /* Allocate our credentials handle */ 156 krb5->credentials = calloc(1, sizeof(CredHandle)); 157 if(!krb5->credentials) 158 return CURLE_OUT_OF_MEMORY; 159 160 /* Acquire our credentials handle */ 161 status = Curl_pSecFn->AcquireCredentialsHandle(NULL, 162 (TCHAR *)CURL_UNCONST(TEXT(SP_NAME_KERBEROS)), 163 SECPKG_CRED_OUTBOUND, NULL, 164 krb5->p_identity, NULL, NULL, 165 krb5->credentials, &expiry); 166 if(status != SEC_E_OK) 167 return CURLE_LOGIN_DENIED; 168 169 /* Allocate our new context handle */ 170 krb5->context = calloc(1, sizeof(CtxtHandle)); 171 if(!krb5->context) 172 return CURLE_OUT_OF_MEMORY; 173 } 174 175 if(chlg) { 176 if(!Curl_bufref_len(chlg)) { 177 infof(data, "GSSAPI handshake failure (empty challenge message)"); 178 return CURLE_BAD_CONTENT_ENCODING; 179 } 180 181 /* Setup the challenge "input" security buffer */ 182 chlg_desc.ulVersion = SECBUFFER_VERSION; 183 chlg_desc.cBuffers = 1; 184 chlg_desc.pBuffers = &chlg_buf; 185 chlg_buf.BufferType = SECBUFFER_TOKEN; 186 chlg_buf.pvBuffer = CURL_UNCONST(Curl_bufref_ptr(chlg)); 187 chlg_buf.cbBuffer = curlx_uztoul(Curl_bufref_len(chlg)); 188 } 189 190 /* Setup the response "output" security buffer */ 191 resp_desc.ulVersion = SECBUFFER_VERSION; 192 resp_desc.cBuffers = 1; 193 resp_desc.pBuffers = &resp_buf; 194 resp_buf.BufferType = SECBUFFER_TOKEN; 195 resp_buf.pvBuffer = krb5->output_token; 196 resp_buf.cbBuffer = curlx_uztoul(krb5->token_max); 197 198 /* Generate our challenge-response message */ 199 status = Curl_pSecFn->InitializeSecurityContext(krb5->credentials, 200 chlg ? krb5->context : NULL, 201 krb5->spn, 202 (mutual_auth ? 203 ISC_REQ_MUTUAL_AUTH : 0), 204 0, SECURITY_NATIVE_DREP, 205 chlg ? &chlg_desc : NULL, 0, 206 &context, 207 &resp_desc, &attrs, 208 &expiry); 209 210 if(status == SEC_E_INSUFFICIENT_MEMORY) 211 return CURLE_OUT_OF_MEMORY; 212 213 if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) 214 return CURLE_AUTH_ERROR; 215 216 if(memcmp(&context, krb5->context, sizeof(context))) { 217 Curl_pSecFn->DeleteSecurityContext(krb5->context); 218 219 memcpy(krb5->context, &context, sizeof(context)); 220 } 221 222 if(resp_buf.cbBuffer) { 223 result = Curl_bufref_memdup(out, resp_buf.pvBuffer, resp_buf.cbBuffer); 224 } 225 else if(mutual_auth) 226 Curl_bufref_set(out, "", 0, NULL); 227 else 228 Curl_bufref_set(out, NULL, 0, NULL); 229 230 return result; 231 } 232 233 /* 234 * Curl_auth_create_gssapi_security_message() 235 * 236 * This is used to generate an already encoded GSSAPI (Kerberos V5) security 237 * token message ready for sending to the recipient. 238 * 239 * Parameters: 240 * 241 * data [in] - The session handle. 242 * authzid [in] - The authorization identity if some. 243 * chlg [in] - The optional challenge message. 244 * krb5 [in/out] - The Kerberos 5 data struct being used and modified. 245 * out [out] - The result storage. 246 * 247 * Returns CURLE_OK on success. 248 */ 249 CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, 250 const char *authzid, 251 const struct bufref *chlg, 252 struct kerberos5data *krb5, 253 struct bufref *out) 254 { 255 size_t offset = 0; 256 size_t messagelen = 0; 257 size_t appdatalen = 0; 258 unsigned char *trailer = NULL; 259 unsigned char *message = NULL; 260 unsigned char *padding = NULL; 261 unsigned char *appdata = NULL; 262 SecBuffer input_buf[2]; 263 SecBuffer wrap_buf[3]; 264 SecBufferDesc input_desc; 265 SecBufferDesc wrap_desc; 266 unsigned char *indata; 267 unsigned long qop = 0; 268 unsigned long sec_layer = 0; 269 unsigned long max_size = 0; 270 SecPkgContext_Sizes sizes; 271 SECURITY_STATUS status; 272 273 #if defined(CURL_DISABLE_VERBOSE_STRINGS) 274 (void) data; 275 #endif 276 277 /* Ensure we have a valid challenge message */ 278 if(!Curl_bufref_len(chlg)) { 279 infof(data, "GSSAPI handshake failure (empty security message)"); 280 return CURLE_BAD_CONTENT_ENCODING; 281 } 282 283 /* Get our response size information */ 284 status = Curl_pSecFn->QueryContextAttributes(krb5->context, 285 SECPKG_ATTR_SIZES, 286 &sizes); 287 288 if(status == SEC_E_INSUFFICIENT_MEMORY) 289 return CURLE_OUT_OF_MEMORY; 290 291 if(status != SEC_E_OK) 292 return CURLE_AUTH_ERROR; 293 294 /* Setup the "input" security buffer */ 295 input_desc.ulVersion = SECBUFFER_VERSION; 296 input_desc.cBuffers = 2; 297 input_desc.pBuffers = input_buf; 298 input_buf[0].BufferType = SECBUFFER_STREAM; 299 input_buf[0].pvBuffer = CURL_UNCONST(Curl_bufref_ptr(chlg)); 300 input_buf[0].cbBuffer = curlx_uztoul(Curl_bufref_len(chlg)); 301 input_buf[1].BufferType = SECBUFFER_DATA; 302 input_buf[1].pvBuffer = NULL; 303 input_buf[1].cbBuffer = 0; 304 305 /* Decrypt the inbound challenge and obtain the qop */ 306 status = Curl_pSecFn->DecryptMessage(krb5->context, &input_desc, 0, &qop); 307 if(status != SEC_E_OK) { 308 infof(data, "GSSAPI handshake failure (empty security message)"); 309 return CURLE_BAD_CONTENT_ENCODING; 310 } 311 312 /* Not 4 octets long so fail as per RFC4752 Section 3.1 */ 313 if(input_buf[1].cbBuffer != 4) { 314 infof(data, "GSSAPI handshake failure (invalid security data)"); 315 return CURLE_BAD_CONTENT_ENCODING; 316 } 317 318 /* Extract the security layer and the maximum message size */ 319 indata = input_buf[1].pvBuffer; 320 sec_layer = indata[0]; 321 max_size = ((unsigned long)indata[1] << 16) | 322 ((unsigned long)indata[2] << 8) | indata[3]; 323 324 /* Free the challenge as it is not required anymore */ 325 Curl_pSecFn->FreeContextBuffer(input_buf[1].pvBuffer); 326 327 /* Process the security layer */ 328 if(!(sec_layer & KERB_WRAP_NO_ENCRYPT)) { 329 infof(data, "GSSAPI handshake failure (invalid security layer)"); 330 return CURLE_BAD_CONTENT_ENCODING; 331 } 332 sec_layer &= KERB_WRAP_NO_ENCRYPT; /* We do not support a security layer */ 333 334 /* Process the maximum message size the server can receive */ 335 if(max_size > 0) { 336 /* The server has told us it supports a maximum receive buffer, however, as 337 we do not require one unless we are encrypting data, we tell the server 338 our receive buffer is zero. */ 339 max_size = 0; 340 } 341 342 /* Allocate the trailer */ 343 trailer = malloc(sizes.cbSecurityTrailer); 344 if(!trailer) 345 return CURLE_OUT_OF_MEMORY; 346 347 /* Allocate our message */ 348 messagelen = 4; 349 if(authzid) 350 messagelen += strlen(authzid); 351 message = malloc(messagelen); 352 if(!message) { 353 free(trailer); 354 355 return CURLE_OUT_OF_MEMORY; 356 } 357 358 /* Populate the message with the security layer and client supported receive 359 message size. */ 360 message[0] = sec_layer & 0xFF; 361 message[1] = (max_size >> 16) & 0xFF; 362 message[2] = (max_size >> 8) & 0xFF; 363 message[3] = max_size & 0xFF; 364 365 /* If given, append the authorization identity. */ 366 367 if(authzid && *authzid) 368 memcpy(message + 4, authzid, messagelen - 4); 369 370 /* Allocate the padding */ 371 padding = malloc(sizes.cbBlockSize); 372 if(!padding) { 373 free(message); 374 free(trailer); 375 376 return CURLE_OUT_OF_MEMORY; 377 } 378 379 /* Setup the "authentication data" security buffer */ 380 wrap_desc.ulVersion = SECBUFFER_VERSION; 381 wrap_desc.cBuffers = 3; 382 wrap_desc.pBuffers = wrap_buf; 383 wrap_buf[0].BufferType = SECBUFFER_TOKEN; 384 wrap_buf[0].pvBuffer = trailer; 385 wrap_buf[0].cbBuffer = sizes.cbSecurityTrailer; 386 wrap_buf[1].BufferType = SECBUFFER_DATA; 387 wrap_buf[1].pvBuffer = message; 388 wrap_buf[1].cbBuffer = curlx_uztoul(messagelen); 389 wrap_buf[2].BufferType = SECBUFFER_PADDING; 390 wrap_buf[2].pvBuffer = padding; 391 wrap_buf[2].cbBuffer = sizes.cbBlockSize; 392 393 /* Encrypt the data */ 394 status = Curl_pSecFn->EncryptMessage(krb5->context, KERB_WRAP_NO_ENCRYPT, 395 &wrap_desc, 0); 396 if(status != SEC_E_OK) { 397 free(padding); 398 free(message); 399 free(trailer); 400 401 if(status == SEC_E_INSUFFICIENT_MEMORY) 402 return CURLE_OUT_OF_MEMORY; 403 404 return CURLE_AUTH_ERROR; 405 } 406 407 /* Allocate the encryption (wrap) buffer */ 408 appdatalen = wrap_buf[0].cbBuffer + wrap_buf[1].cbBuffer + 409 wrap_buf[2].cbBuffer; 410 appdata = malloc(appdatalen); 411 if(!appdata) { 412 free(padding); 413 free(message); 414 free(trailer); 415 416 return CURLE_OUT_OF_MEMORY; 417 } 418 419 /* Populate the encryption buffer */ 420 memcpy(appdata, wrap_buf[0].pvBuffer, wrap_buf[0].cbBuffer); 421 offset += wrap_buf[0].cbBuffer; 422 memcpy(appdata + offset, wrap_buf[1].pvBuffer, wrap_buf[1].cbBuffer); 423 offset += wrap_buf[1].cbBuffer; 424 memcpy(appdata + offset, wrap_buf[2].pvBuffer, wrap_buf[2].cbBuffer); 425 426 /* Free all of our local buffers */ 427 free(padding); 428 free(message); 429 free(trailer); 430 431 /* Return the response. */ 432 Curl_bufref_set(out, appdata, appdatalen, curl_free); 433 return CURLE_OK; 434 } 435 436 /* 437 * Curl_auth_cleanup_gssapi() 438 * 439 * This is used to clean up the GSSAPI (Kerberos V5) specific data. 440 * 441 * Parameters: 442 * 443 * krb5 [in/out] - The Kerberos 5 data struct being cleaned up. 444 * 445 */ 446 void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) 447 { 448 /* Free our security context */ 449 if(krb5->context) { 450 Curl_pSecFn->DeleteSecurityContext(krb5->context); 451 free(krb5->context); 452 krb5->context = NULL; 453 } 454 455 /* Free our credentials handle */ 456 if(krb5->credentials) { 457 Curl_pSecFn->FreeCredentialsHandle(krb5->credentials); 458 free(krb5->credentials); 459 krb5->credentials = NULL; 460 } 461 462 /* Free our identity */ 463 Curl_sspi_free_identity(krb5->p_identity); 464 krb5->p_identity = NULL; 465 466 /* Free the SPN and output token */ 467 Curl_safefree(krb5->spn); 468 Curl_safefree(krb5->output_token); 469 470 /* Reset any variables */ 471 krb5->token_max = 0; 472 } 473 474 #endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */