1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00
Commit Graph

61 Commits

Author SHA1 Message Date
Daniel Stenberg
46e852ce26
ntlm: remove unnecessary NULL-check to please scan-build 2017-11-21 09:02:40 +01:00
Florin
2b5b37cb91
auth: add support for RFC7616 - HTTP Digest access authentication
Signed-off-by: Florin <petriuc.florin@gmail.com>
2017-10-28 16:32:43 +02:00
Jay Satiro
953b5c4e26 ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911
2017-09-23 13:58:14 -04:00
Viktor Szakats
6f86022df2 ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848
2017-09-22 19:01:28 +00:00
Gisle Vanem
61825be02b vtls: select ssl backend case-insensitive (follow-up)
- Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.

- Change Curl_strcasecompare calls to strcasecompare
  (maps to the former but shorter).

Follow-up to c290b8f.

Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313

Co-authored-by: Jay Satiro
2017-09-06 02:27:33 -04:00
Patrick Monnerat
6869d65f54 Curl_base64_encode: always call with a real data handle.
Some calls in different modules were setting the data handle to NULL, causing
segmentation faults when using builds that enable character code conversions.
2017-09-02 12:49:59 +01:00
Jay Satiro
0b5665c98a digest_sspi: Don't reuse context if the user/passwd has changed
Bug: https://github.com/curl/curl/issues/1685
Reported-by: paulharris@users.noreply.github.com

Assisted-by: Isaac Boukris

Closes https://github.com/curl/curl/pull/1742
2017-08-10 01:40:05 -04:00
Isaac Boukris
0b11660234
gssapi: fix memory leak of output token in multi round context
When multiple rounds are needed to establish a security context
(usually ntlm), we overwrite old token with a new one without free.
Found by proposed gss tests using stub a gss implementation (by
valgrind error), though I have confirmed the leak with a real
gssapi implementation as well.

Closes https://github.com/curl/curl/pull/1733
2017-08-05 00:23:24 +02:00
Jay Satiro
1cafede9f2 rand: treat fake entropy the same regardless of endianness
When the random seed is purposely made predictable for testing purposes
by using the CURL_ENTROPY environment variable, process that data in an
endian agnostic way so the the initial random seed is the same
regardless of endianness.

- Change Curl_rand to write to a char array instead of int array.

- Add Curl_rand_hex to write random hex characters to a buffer.

Fixes #1315
Closes #1468

Co-authored-by: Daniel Stenberg
Reported-by: Michael Kaufmann
2017-05-08 23:24:29 +02:00
Marcel Raad
4a8cf6c404
lib: fix maybe-uninitialized warnings
With -Og, GCC complains:

easy.c:628:7: error: ‘mcode’ may be used uninitialized in this function [-Werror=maybe-uninitialized]

../lib/strcase.h:35:29: error: ‘tok_buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
vauth/digest.c:208:9: note: ‘tok_buf’ was declared here

../lib/strcase.h:35:29: error: ‘tok_buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
vauth/digest.c:566:15: note: ‘tok_buf’ was declared here

Fix this by initializing the variables.
2017-04-22 22:12:37 +02:00
Isaac Boukris
1f152a42ae
sspi: print out InitializeSecurityContext() error message
Reported-by: Carsten (talksinmath)

Fixes #1384
Closes #1395
2017-04-07 08:49:20 +02:00
Marcel Raad
9bc92eeb0e
NTLM: check for features with #ifdef instead of #if
Feature defines are normally checked with #ifdef instead of #if in the rest of
the codebase. Additionally, some compilers warn when a macro is implicitly
evaluated to 0 because it is not defined, which was the case here.

Ref: https://github.com/curl/curl/pull/1362#discussion_r108605101
Closes https://github.com/curl/curl/pull/1367
2017-03-29 20:16:09 +02:00
klemens
f7df67cff0 spelling fixes
Closes #1356
2017-03-26 23:56:23 +02:00
Marcel Raad
727917555d
digest_sspi: fix compilation warning
MSVC complains:
warning C4701: potentially uninitialized local variable 'output_token_len' used
2017-02-27 13:05:22 +01:00
Jay Satiro
af5fbb14bb digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
- If the server has provided another challenge use it as the replacement
  input token if stale=TRUE. Otherwise previous credentials have failed
  so return CURLE_LOGIN_DENIED.

Prior to this change the stale directive was ignored and if another
challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.

Ref: https://tools.ietf.org/html/rfc2617#page-10

Bug: https://github.com/curl/curl/issues/928
Reported-by: tarek112@users.noreply.github.com
2017-02-21 01:04:59 -05:00
Max Khon
f77dabefd8 digest_sspi: Fix nonce-count generation in HTTP digest
- on the first invocation: keep security context returned by
  InitializeSecurityContext()

- on subsequent invocations: use MakeSignature() instead of
  InitializeSecurityContext() to generate HTTP digest response

Bug: https://github.com/curl/curl/issues/870
Reported-by: Andreas Roth

Closes https://github.com/curl/curl/pull/1251
2017-02-20 00:53:01 -05:00
Viktor Szakats
88bdd7cf6f use *.sourceforge.io and misc URL updates
Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
Closes: https://github.com/curl/curl/pull/1247
2017-02-06 19:21:05 +00:00
Max Khon
89b7898846 digest_sspi: copy terminating NUL as well
Curl_auth_decode_digest_http_message(): copy terminating NUL as later
Curl_override_sspi_http_realm() expects a NUL-terminated string.

Fixes #1180
2016-12-29 00:21:14 +01:00
Daniel Stenberg
8657c268e1 checksrc: white space edits to comply to stricter checksrc 2016-11-24 23:58:22 +01:00
Patrick Monnerat
945f60e8a7 Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
See CRL-01-006.
2016-11-24 14:28:39 +01:00
Daniel Stenberg
f682156a4f Curl_rand: fixed and moved to rand.c
Now Curl_rand() is made to fail if it cannot get the necessary random
level.

Changed the proto of Curl_rand() slightly to provide a number of ints at
once.

Moved out from vtls, since it isn't a TLS function and vtls provides
Curl_ssl_random() for this to use.

Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-11-14 08:23:52 +01:00
Marcel Raad
4f97d9832c
digest_sspi: fix include
Fix compile break from 811a693b80
2016-10-31 12:51:27 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Steve Holme
a78c61a4bf sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
2016-08-21 11:56:23 +01:00
Steve Holme
43dbd76616 vauth: Added check for supported SSPI based authentication mechanisms
Completing commit 00417fd66c and 2708d4259b.
2016-08-21 10:27:09 +01:00
Miroslav Franc
0796a99317 spnego_sspi: fix memory leak in case *outlen is zero (#970) 2016-08-19 14:46:07 +02:00
Steve Holme
a0f212946b vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
As Windows SSPI authentication calls fail when a particular mechanism
isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
and Negotiate to allow both HTTP and SASL authentication the opportunity
to query support for a supported mechanism before selecting it.

For now each function returns TRUE to maintain compatability with the
existing code when called.
2016-08-18 20:31:20 +01:00
Steve Holme
3fc845914a vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
As SPNEGO is only defined when these pre-processor variables are defined
there is no need to query them explicitly.
2016-07-23 21:29:16 +01:00
Steve Holme
25bf71ab07 spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
Typo introduced in commit ad5e9bfd5d.
2016-07-23 21:29:16 +01:00
Jay Satiro
c5cffce56e vauth: Fix memleak by freeing credentials if out of memory
This is a follow up to the parent commit dcdd4be which fixes one leak
but creates another by failing to free the credentials handle if out of
memory. Also there's a second location a few lines down where we fail to
do same. This commit fixes both of those issues.
2016-07-20 22:00:45 -04:00
Saurav Babu
dcdd4be352 vauth: Fixed memory leak due to function returning without free
This patch allocates memory to "output_token" only when it is required
so that memory is not leaked if function returns.
2016-07-20 23:21:49 +02:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Viktor Szakats
a24f71aac4 URLs: change http to https in many places
Closes #754
2016-04-06 11:58:34 +02:00
Steve Holme
cbc52ff341 vauth: Corrected a number of typos in comments
Reported-by: Michael Osipov
2016-04-06 00:21:07 +01:00
Daniel Stenberg
a71012c03e code: style updates 2016-04-03 22:38:36 +02:00
Steve Holme
9feb2676a4 vauth: Removed the need for a separate GSS-API based SPN function 2016-04-03 20:26:03 +01:00
Steve Holme
7a7cdf264d spnego: Small code tidy up
* Prefer dereference of string pointer rather than strlen()
* Free challenge pointer in one place
* Additional comments
2016-04-03 17:32:10 +01:00
Steve Holme
1d451bdd99 krb5: Small code tidy up
* Prefer dereference of string pointer rather than strlen()
* Free challenge pointer in one place
* Additional comments
2016-04-03 17:30:51 +01:00
Steve Holme
156b8287a7 krb5_gssapi: Only process challenge when present
This wouldn't cause a problem because of the way the function is called,
but prior to this change, we were processing the challenge message when
the credentials were NULL rather than when the challenge message was
populated.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.
2016-04-03 17:17:20 +01:00
Steve Holme
73f1096335 krb5: Fixed missing client response when mutual authentication enabled
Although mutual authentication is currently turned off and can only be
enabled by changing libcurl source code, authentication using Kerberos
5 has been broken since commit 79543caf90 in this use case.
2016-04-03 17:02:44 +01:00
Steve Holme
61152e7d94 krb5_sspi: Only process challenge when present
This wouldn't cause a problem because of the way the function is called,
but prior to this change, we were processing the challenge message when
the credentials were NULL rather than when the challenge message was
populated.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.
2016-04-03 11:45:02 +01:00
Steve Holme
228cd71c6f krb5_sspi: Only generate the output token when its not allocated
Prior to this change, we were generating the output token when the
credentials were NULL rather than when the output token was NULL.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.
2016-04-03 11:25:12 +01:00
Steve Holme
2d2c67e3ed krb5: Only generate a SPN when its not known
Prior to this change, we were generating the SPN in the SSPI code when
the credentials were NULL and in the GSS-API code when the context was
empty. It is better to decouple the SPN generation from these checks
and only generate it when the SPN itself is NULL.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.
2016-04-03 11:15:03 +01:00
Steve Holme
2aaa63b555 spnego: Renamed the context's SPN variable
To be consistent with the Kerberos 5 context and other authentication
code.
2016-04-02 06:41:29 +01:00
Steve Holme
9173dc0682 krb5_gssapi: Renamed the status variables
For consistency with the spnego code.
2016-04-02 06:25:30 +01:00
Steve Holme
ced0cbb5b7 krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
For consistency with the spnego and oauth2 code moved the setting of
the host name outside of the Curl_auth_create_gssapi_user_messag()
function.

This will allow us to more easily override it in the future.
2016-04-02 06:15:29 +01:00
Steve Holme
5bdb4c13c2 spnego: Corrected some typos in comments
Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
2016-04-01 19:07:49 +01:00
Isaac Boukris
d5fc6e14b0 GSS: make Curl_gss_log_error more verbose
Also display the GSS_C_GSS_CODE (major code) when specified instead of
only GSS_C_MECH_CODE (minor code).

In addition, the old code was printing a colon twice after the prefix
and also miscalculated the length of the buffer in between calls to
gss_display_status (the length of ": " was missing).

Also, gss_buffer is not guaranteed to be NULL terminated and thus need
to restrict reading by its length.

Closes #738
2016-03-29 16:51:29 +02:00
Steve Holme
6d6f9ca1d9 vauth: Moved the Negotiate authentication code to the new vauth directory
Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-26 17:21:22 +00:00