moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-03-01 01:41:50 -05:00
Code Issues Releases Wiki Activity
curl/lib/http_negotiate.c

207 lines
5.7 KiB
C
Raw Normal View History

Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
/***************************************************************************
Replaced all uses of sprintf() with the safer snprintf(). It is just a precaution to prevent mistakes to lead to buffer overflows.
2004-06-24 11:54:11 +00:00
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
* \___|\___/|_| \_\_____|
*
Revert "http_negotiate: do not close connection until negotiation is completed" This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. This also reopens PR #3275 which brought the change now reverted. Fixes #3384 Closes #3439
2019-01-04 23:34:50 +01:00
* Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
URLs: change all http:// URLs to https://
2016-02-03 00:19:02 +01:00
* are also available at https://curl.haxx.se/docs/copyright.html.
Replaced all uses of sprintf() with the safer snprintf(). It is just a precaution to prevent mistakes to lead to buffer overflows.
2004-06-24 11:54:11 +00:00
*
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h
2011-07-26 17:23:27 +02:00
build: fix circular header inclusion with other packages This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06 19:06:49 +01:00
#include "curl_setup.h"
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
Revert changes relative to lib/*.[ch] recent renaming This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-04 02:50:28 +01:00
#include "urldata.h"
#include "sendf.h"
#include "http_negotiate.h"
vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files
2015-09-12 11:48:24 +01:00
#include "vauth/vauth.h"
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
lib: include curl_printf.h as one of the last headers curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
2016-04-29 15:46:40 +02:00
/* The last 3 #include files should be in this order */
#include "curl_printf.h"
curl_memory: make curl_memory.h the second-last header file loaded This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-24 23:12:03 +01:00
#include "curl_memory.h"
Revert changes relative to lib/*.[ch] recent renaming This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-04 02:50:28 +01:00
#include "memdebug.h"
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
2015-01-17 11:56:27 +00:00
CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
const char *header)
Replaced all uses of sprintf() with the safer snprintf(). It is just a precaution to prevent mistakes to lead to buffer overflows.
2004-06-24 11:54:11 +00:00
{
SPNEGO: Fix memory leak when authentication fails If SPNEGO fails, cleanup the negotiate handle right away. Fixes #1115 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reported-by: ashman-p
2016-11-09 15:37:34 +02:00
CURLcode result;
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 15:47:12 +02:00
struct Curl_easy *data = conn->data;
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
size_t len;
http_negotiate: Use dynamic buffer for SPN generation Use a dynamicly allocated buffer for the temporary SPN variable similar to how the SASL GSS-API code does, rather than using a fixed buffer of 2048 characters.
2015-01-18 17:36:59 +00:00
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
/* Point to the username, password, service and host */
const char *userp;
const char *passwdp;
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
const char *service;
const char *host;
http_negotiate: Use dynamic buffer for SPN generation Use a dynamicly allocated buffer for the temporary SPN variable similar to how the SASL GSS-API code does, rather than using a fixed buffer of 2048 characters.
2015-01-18 17:36:59 +00:00
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
/* Point to the correct struct with this */
struct negotiatedata *neg_ctx;
http_negotiate: Use dynamic buffer for SPN generation Use a dynamicly allocated buffer for the temporary SPN variable similar to how the SASL GSS-API code does, rather than using a fixed buffer of 2048 characters.
2015-01-18 17:36:59 +00:00
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
if(proxy) {
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 10:49:15 -07:00
userp = conn->http_proxy.user;
passwdp = conn->http_proxy.passwd;
http_negotiate: Calculate service name and proxy service name locally Calculate the service name and proxy service names locally, rather than in url.c which will allow for us to support overriding the service name for other protocols such as FTP, IMAP, POP3 and SMTP.
2016-04-08 18:41:41 +01:00
service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 10:49:15 -07:00
host = conn->http_proxy.host.name;
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
neg_ctx = &conn->proxyneg;
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
}
else {
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
userp = conn->user;
passwdp = conn->passwd;
http_negotiate: Calculate service name and proxy service name locally Calculate the service name and proxy service names locally, rather than in url.c which will allow for us to support overriding the service name for other protocols such as FTP, IMAP, POP3 and SMTP.
2016-04-08 18:41:41 +01:00
service = data->set.str[STRING_SERVICE_NAME] ?
data->set.str[STRING_SERVICE_NAME] : "HTTP";
http_negotiate: Corrected host and proxy host name being wrong way round I had accidentally used the proxy server name for the host and the host server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst Windows SSPI was quite happy with this, GSS-API wasn't. Thanks-to: Michael Osipov
2016-04-01 21:48:35 +01:00
host = conn->host.name;
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
neg_ctx = &conn->negotiate;
http_negotiate: Use dynamic buffer for SPN generation Use a dynamicly allocated buffer for the temporary SPN variable similar to how the SASL GSS-API code does, rather than using a fixed buffer of 2048 characters.
2015-01-18 17:36:59 +00:00
}
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
/* Not set means empty */
if(!userp)
userp = "";
if(!passwdp)
passwdp = "";
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
/* Obtain the input token, if any */
HTTP: Remove checkprefix("GSS-Negotiate") That auth mech has never existed neither on MS nor on Unix side. There is only Negotiate over SPNEGO.
2014-07-21 09:53:44 +02:00
header += strlen("Negotiate");
Avoid typecasting a signed char to an int when using is*() functions, as that could very well cause a negate number get passed in and thus cause reading outside of the array usually used for this purpose. We avoid this by using the uppercase macro versions introduced just now that does some extra crazy typecasts to avoid byte codes > 127 to cause negative int values.
2006-10-17 21:32:56 +00:00
while(*header && ISSPACE(*header))
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
header++;
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
len = strlen(header);
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
neg_ctx->havenegdata = len != 0;
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
if(!len) {
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
if(neg_ctx->state == GSS_AUTHSUCC) {
infof(conn->data, "Negotiate auth restarted\n");
Curl_cleanup_negotiate(conn);
}
else if(neg_ctx->state != GSS_AUTHNONE) {
/* The server rejected our authentication and hasn't supplied any more
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
negotiation mechanisms */
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
Curl_cleanup_negotiate(conn);
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
return CURLE_LOGIN_DENIED;
}
}
spnego_sspi: add support for channel binding Attempt to add support for Secure Channel binding when negotiate authentication is used. The problem to solve is that by default IIS accepts channel binding and curl doesn't utilise them. The result was a 401 response. Scope affects only the Schannel(winssl)-SSPI combination. Fixes https://github.com/curl/curl/issues/3503 Closes https://github.com/curl/curl/pull/3509
2019-01-29 18:26:31 +01:00
/* Supports SSL channel binding for Windows ISS extended protection */
#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
neg_ctx->sslContext = conn->sslContext;
#endif
cleanup: misc typos in strings and comments Found via `codespell` Closes #2389
2018-03-15 22:51:03 -04:00
/* Initialize the security context and decode our challenge */
SPNEGO: Fix memory leak when authentication fails If SPNEGO fails, cleanup the negotiate handle right away. Fixes #1115 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reported-by: ashman-p
2016-11-09 15:37:34 +02:00
result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
host, header, neg_ctx);
if(result)
Curl_auth_spnego_cleanup(neg_ctx);
return result;
http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
2015-01-17 11:56:27 +00:00
}
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
Mark Davies fixed Negotiate authentication over proxy, and also introduced the --proxy-negotiate command line option to allow a user to explicitly select it.
2007-09-21 11:05:31 +00:00
CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
Replaced all uses of sprintf() with the safer snprintf(). It is just a precaution to prevent mistakes to lead to buffer overflows.
2004-06-24 11:54:11 +00:00
{
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
&conn->negotiate;
struct auth *authp = proxy ? &conn->data->state.authproxy :
&conn->data->state.authhost;
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
char *base64 = NULL;
base64: fix Curl_base64_encode and Curl_base64_decode interfaces Previous interfaces for these libcurl internal functions did not allow to tell apart a legitimate zero size result from an error condition. These functions now return a CURLcode indicating function success or otherwise specific error. Output size is returned using a pointer argument. All usage of these two functions, and others closely related, has been adapted to the new interfaces. Relative error and OOM handling adapted or added where missing. Unit test 1302 also adapted.
2011-08-24 08:07:36 +02:00
size_t len = 0;
negotiation: Wrong proxy authorization There's an error in http_negotiation.c where a mistake is using only userpwd even for proxy requests. Ludek provided a patch, but I decided to write the fix slightly different using his patch as inspiration. Reported by: Ludek Finstrle Bug: http://curl.haxx.se/bug/view.cgi?id=3046066
2010-08-16 22:19:38 +02:00
char *userp;
http_negotiate: We prefer 'CURLcode result' Continuing commit 0eb3d15ccb more return code variable name changes.
2014-10-26 16:34:44 +00:00
CURLcode result;
Markus Moeller's SPNEGO patch applied, with my edits, additions and minor cleanups.
2003-09-19 12:56:22 +00:00
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
authp->done = FALSE;
if(neg_ctx->state == GSS_AUTHRECV) {
if(neg_ctx->havenegdata) {
neg_ctx->havemultiplerequests = TRUE;
}
}
else if(neg_ctx->state == GSS_AUTHSUCC) {
if(!neg_ctx->havenoauthpersist) {
neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
}
}
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
if(neg_ctx->noauthpersist ||
(neg_ctx->state != GSS_AUTHDONE && neg_ctx->state != GSS_AUTHSUCC)) {
vauth: Moved the Negotiate authentication code to the new vauth directory Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-13 18:51:46 +00:00
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
if(neg_ctx->noauthpersist && neg_ctx->state == GSS_AUTHSUCC) {
infof(conn->data, "Curl_output_negotiate, "
"no persistent authentication: cleanup existing context");
Curl_auth_spnego_cleanup(neg_ctx);
}
if(!neg_ctx->context) {
result = Curl_input_negotiate(conn, proxy, "Negotiate");
if(result)
return result;
}
result = Curl_auth_create_spnego_message(conn->data,
neg_ctx, &base64, &len);
if(result)
return result;
userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
base64);
if(proxy) {
Curl_safefree(conn->allocptr.proxyuserpwd);
conn->allocptr.proxyuserpwd = userp;
}
else {
Curl_safefree(conn->allocptr.userpwd);
conn->allocptr.userpwd = userp;
}
free(base64);
if(userp == NULL) {
return CURLE_OUT_OF_MEMORY;
}
neg_ctx->state = GSS_AUTHSENT;
#ifdef HAVE_GSSAPI
if(neg_ctx->status == GSS_S_COMPLETE ||
neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
neg_ctx->state = GSS_AUTHDONE;
}
#else
#ifdef USE_WINDOWS_SSPI
if(neg_ctx->status == SEC_E_OK ||
neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
neg_ctx->state = GSS_AUTHDONE;
}
#endif
#endif
http_negotiate.c: fix several SPNEGO memory handling issues
2013-04-04 01:57:25 +02:00
}
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
if(neg_ctx->state == GSS_AUTHDONE || neg_ctx->state == GSS_AUTHSUCC) {
/* connection is already authenticated,
* don't send a header in future requests */
authp->done = TRUE;
http_negotiate.c: fix several SPNEGO memory handling issues
2013-04-04 01:57:25 +02:00
}
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
neg_ctx->havenegdata = FALSE;
http_negotiate.c: fix several SPNEGO memory handling issues
2013-04-04 01:57:25 +02:00
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
return CURLE_OK;
Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added.
2003-06-10 12:22:19 +00:00
}
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
void Curl_cleanup_negotiate(struct connectdata *conn)
While inspecting the Negotiate code, I noticed how the proxy auth was using the same state struct as the host auth, so both could never be used at the same time! I fixed it (without being able to check) to use two separate structs to allow authentication using Negotiate on host and proxy simultanouesly.
2007-11-20 23:17:08 +00:00
{
Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2018-09-10 09:18:01 +02:00
Curl_auth_spnego_cleanup(&conn->negotiate);
Curl_auth_spnego_cleanup(&conn->proxyneg);
While inspecting the Negotiate code, I noticed how the proxy auth was using the same state struct as the host auth, so both could never be used at the same time! I fixed it (without being able to check) to use two separate structs to allow authentication using Negotiate on host and proxy simultanouesly.
2007-11-20 23:17:08 +00:00
}
http_negotiate: Combine GSS-API and SSPI source files As the GSS-API and SSPI based source files are no longer library/API specific, following the extraction of that authentication code to the vauth directory, combine these files rather than maintain two separate versions.
2016-03-13 20:09:15 +00:00
#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
Reference in New Issue Copy Permalink