moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00
Code Issues Releases Wiki Activity

digest_sspi: Fix nonce-count generation in HTTP digest

Browse Source 
- on the first invocation: keep security context returned by
  InitializeSecurityContext()

- on subsequent invocations: use MakeSignature() instead of
  InitializeSecurityContext() to generate HTTP digest response

Bug: https://github.com/curl/curl/issues/870
Reported-by: Andreas Roth

Closes https://github.com/curl/curl/pull/1251
This commit is contained in:
Max Khon 2017-02-06 23:40:51 +06:00 committed by Jay Satiro
parent 889ca45ab8
commit f77dabefd8
4 changed files with 259 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/urldata.h
View File

@ -408,6 +408,7 @@ struct digestdata {
#if defined(USE_WINDOWS_SSPI) #if defined(USE_WINDOWS_SSPI)
BYTE *input_token; BYTE *input_token;
size_t input_token_len; size_t input_token_len;
CtxtHandle *http_context;
#else #else
char *nonce; char *nonce;
char *cnonce; char *cnonce;

121
lib/vauth/digest_sspi.c
View File

@ -379,21 +379,13 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
char **outptr, size_t *outlen) char **outptr, size_t *outlen)
{ {
size_t token_max; size_t token_max;
CredHandle credentials;
CtxtHandle context;
char *resp; char *resp;
BYTE *output_token; BYTE *output_token;
size_t output_token_len;
PSecPkgInfo SecurityPackage; PSecPkgInfo SecurityPackage;
SEC_WINNT_AUTH_IDENTITY identity; SecBuffer chlg_buf[5];
SEC_WINNT_AUTH_IDENTITY *p_identity;
SecBuffer chlg_buf[3];
SecBuffer resp_buf;
SecBufferDesc chlg_desc; SecBufferDesc chlg_desc;
SecBufferDesc resp_desc;
SECURITY_STATUS status; SECURITY_STATUS status;
unsigned long attrs;
TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
TCHAR *spn;
(void) data; (void) data;
@ -408,15 +400,67 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
/* Release the package buffer as it is not required anymore */ /* Release the package buffer as it is not required anymore */
s_pSecFn->FreeContextBuffer(SecurityPackage); s_pSecFn->FreeContextBuffer(SecurityPackage);
/* Allocate the output buffer according to the max token size as indicated
by the security package */
output_token = malloc(token_max);
if(!output_token) {
return CURLE_OUT_OF_MEMORY;
}
if(digest->http_context) {
chlg_desc.ulVersion = SECBUFFER_VERSION;
chlg_desc.cBuffers = 5;
chlg_desc.pBuffers = chlg_buf;
chlg_buf[0].BufferType = SECBUFFER_TOKEN;
chlg_buf[0].pvBuffer = NULL;
chlg_buf[0].cbBuffer = 0;
chlg_buf[1].BufferType = SECBUFFER_PKG_PARAMS;
chlg_buf[1].pvBuffer = (void *) request;
chlg_buf[1].cbBuffer = curlx_uztoul(strlen((const char *) request));
chlg_buf[2].BufferType = SECBUFFER_PKG_PARAMS;
chlg_buf[2].pvBuffer = (void *) uripath;
chlg_buf[2].cbBuffer = curlx_uztoul(strlen((const char *) uripath));
chlg_buf[3].BufferType = SECBUFFER_PKG_PARAMS;
chlg_buf[3].pvBuffer = NULL;
chlg_buf[3].cbBuffer = 0;
chlg_buf[4].BufferType = SECBUFFER_PADDING;
chlg_buf[4].pvBuffer = output_token;
chlg_buf[4].cbBuffer = curlx_uztoul(token_max);
status = s_pSecFn->MakeSignature(digest->http_context, 0, &chlg_desc, 0);
if(status == SEC_E_OK)
output_token_len = chlg_buf[4].cbBuffer;
else { /* delete the context so a new one can be made */
infof(data, "digest_sspi: MakeSignature failed, error 0x%08lx\n",
(long)status);
s_pSecFn->DeleteSecurityContext(digest->http_context);
Curl_safefree(digest->http_context);
}
}
if(!digest->http_context) {
CredHandle credentials;
SEC_WINNT_AUTH_IDENTITY identity;
SEC_WINNT_AUTH_IDENTITY *p_identity;
SecBuffer resp_buf;
SecBufferDesc resp_desc;
unsigned long attrs;
TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
TCHAR *spn;
if(userp && *userp) { if(userp && *userp) {
/* Populate our identity structure */ /* Populate our identity structure */
if(Curl_create_sspi_identity(userp, passwdp, &identity)) if(Curl_create_sspi_identity(userp, passwdp, &identity)) {
free(output_token);
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
}
/* Populate our identity domain */ /* Populate our identity domain */
if(Curl_override_sspi_http_realm((const char *) digest->input_token, if(Curl_override_sspi_http_realm((const char *) digest->input_token,
&identity)) &identity)) {
free(output_token);
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
}
/* Allow proper cleanup of the identity structure */ /* Allow proper cleanup of the identity structure */
p_identity = &identity; p_identity = &identity;
@ -433,21 +477,11 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
&credentials, &expiry); &credentials, &expiry);
if(status != SEC_E_OK) { if(status != SEC_E_OK) {
Curl_sspi_free_identity(p_identity); Curl_sspi_free_identity(p_identity);
free(output_token);
return CURLE_LOGIN_DENIED; return CURLE_LOGIN_DENIED;
} }
/* Allocate the output buffer according to the max token size as indicated
by the security package */
output_token = malloc(token_max);
if(!output_token) {
s_pSecFn->FreeCredentialsHandle(&credentials);
Curl_sspi_free_identity(p_identity);
return CURLE_OUT_OF_MEMORY;
}
/* Setup the challenge "input" security buffer if present */ /* Setup the challenge "input" security buffer if present */
chlg_desc.ulVersion = SECBUFFER_VERSION; chlg_desc.ulVersion = SECBUFFER_VERSION;
chlg_desc.cBuffers = 3; chlg_desc.cBuffers = 3;
@ -480,11 +514,17 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
} }
/* Allocate our new context handle */
digest->http_context = calloc(1, sizeof(CtxtHandle));
if(!digest->http_context)
return CURLE_OUT_OF_MEMORY;
/* Generate our reponse message */ /* Generate our reponse message */
status = s_pSecFn->InitializeSecurityContext(&credentials, NULL, status = s_pSecFn->InitializeSecurityContext(&credentials, NULL,
spn, spn,
ISC_REQ_USE_HTTP_STYLE, 0, 0, ISC_REQ_USE_HTTP_STYLE, 0, 0,
&chlg_desc, 0, &context, &chlg_desc, 0,
digest->http_context,
&resp_desc, &attrs, &expiry); &resp_desc, &attrs, &expiry);
Curl_unicodefree(spn); Curl_unicodefree(spn);
@ -497,34 +537,33 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
Curl_sspi_free_identity(p_identity); Curl_sspi_free_identity(p_identity);
free(output_token); free(output_token);
Curl_safefree(digest->http_context);
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
} }
resp = malloc(resp_buf.cbBuffer + 1); output_token_len = resp_buf.cbBuffer;
if(!resp) {
s_pSecFn->DeleteSecurityContext(&context);
s_pSecFn->FreeCredentialsHandle(&credentials);
s_pSecFn->FreeCredentialsHandle(&credentials);
Curl_sspi_free_identity(p_identity); Curl_sspi_free_identity(p_identity);
}
resp = malloc(output_token_len + 1);
if(!resp) {
free(output_token); free(output_token);
Curl_safefree(digest->http_context);
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
} }
/* Copy the generated reponse */ /* Copy the generated reponse */
memcpy(resp, resp_buf.pvBuffer, resp_buf.cbBuffer); memcpy(resp, output_token, output_token_len);
resp[resp_buf.cbBuffer] = 0x00; resp[output_token_len] = 0;
/* Return the response */ /* Return the response */
*outptr = resp; *outptr = resp;
*outlen = resp_buf.cbBuffer; *outlen = output_token_len;
/* Free our handles */
s_pSecFn->DeleteSecurityContext(&context);
s_pSecFn->FreeCredentialsHandle(&credentials);
/* Free the identity structure */
Curl_sspi_free_identity(p_identity);
/* Free the response buffer */ /* Free the response buffer */
free(output_token); free(output_token);
@ -549,6 +588,12 @@ void Curl_auth_digest_cleanup(struct digestdata *digest)
/* Reset any variables */ /* Reset any variables */
digest->input_token_len = 0; digest->input_token_len = 0;
/* Delete security context */
if(digest->http_context) {
s_pSecFn->DeleteSecurityContext(digest->http_context);
Curl_safefree(digest->http_context);
}
} }
#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */ #endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */

2
tests/data/Makefile.inc
View File

@ -130,7 +130,7 @@ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \ test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \
test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \ test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \
\ \
test1280 test1281 test1282 test1283 test1284 test1285 \ test1280 test1281 test1282 test1283 test1284 test1285 test1286 \
\ \
test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \

110
tests/data/test1286 Normal file
View File

@ -0,0 +1,110 @@
<testcase>
<info>
<keywords>
HTTP
HTTP GET
HTTP Digest auth
followlocation
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 401 authentication please swsbounce
Server: Microsoft-IIS/6.0
WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", qop="auth"
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
</data>
<data1000>
HTTP/1.1 302 Thanks for this, but we want to redir you!
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Location: /12860001
Content-Length: 0
</data1000>
<data1001>
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
</data1001>
<datacheck>
HTTP/1.1 401 authentication please swsbounce
Server: Microsoft-IIS/6.0
WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", qop="auth"
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
HTTP/1.1 302 Thanks for this, but we want to redir you!
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Location: /12860001
Content-Length: 0
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
</datacheck>
</reply>
# Client-side
<client>
#
<server>
http
</server>
<features>
crypto
</features>
<name>
HTTP GET --digest increasing nonce-count
</name>
# This test is to ensure the nonce-count (nc) increases
# https://github.com/curl/curl/pull/1251
<command>
-u auser:apasswd --location --digest http://%HOSTIP:%HTTPPORT/1286
</command>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
# Reorder the fields in 'Authorization: Digest' header.
# Since regular and SSPI digest auth header fields may not have the same order
# or whitespace we homogenize so that both may be tested. Also:
# - Remove the unique value from cnonce if in RFC format
# - Remove the unique value from response if in RFC format
# - Remove quotes from qop="auth" used by SSPI
# The if statement is one line because runtests evaluates one line at a time.
<strippart>
if(s/^(Authorization: Digest )([^\r\n]+)(\r?\n)$//) { $_ = $1 . join(', ', map { s/^(cnonce=)"[a-zA-Z0-9+\/=]+"$/$1REMOVED/; s/^(response=)"[a-f0-9]{32}"$/$1REMOVED/; s/^qop="auth"$/qop=auth/; $_ } sort split(/, */, $2)) . $3; }
</strippart>
<protocol>
GET /1286 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /1286 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Authorization: Digest cnonce=REMOVED, nc=00000001, nonce="1053604144", qop=auth, realm="testrealm", response=REMOVED, uri="/1286", username="auser"
Accept: */*
GET /12860001 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Authorization: Digest cnonce=REMOVED, nc=00000002, nonce="1053604144", qop=auth, realm="testrealm", response=REMOVED, uri="/12860001", username="auser"
Accept: */*
</protocol>
</verify>
</testcase>