1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
23 #include "curl_setup.h"
25 #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
29 #include "http_negotiate.h"
30 #include "vauth/vauth.h"
32 /* The last 3 #include files should be in this order */
33 #include "curl_printf.h"
34 #include "curl_memory.h"
37 CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
38 bool proxy, const char *header)
43 /* Point to the username, password, service and host */
49 /* Point to the correct struct with this */
50 struct negotiatedata *neg_ctx;
54 #ifndef CURL_DISABLE_PROXY
55 userp = conn->http_proxy.user;
56 passwdp = conn->http_proxy.passwd;
57 service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
58 data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
59 host = conn->http_proxy.host.name;
60 neg_ctx = &conn->proxyneg;
61 state = conn->proxy_negotiate_state;
63 return CURLE_NOT_BUILT_IN;
68 passwdp = conn->passwd;
69 service = data->set.str[STRING_SERVICE_NAME] ?
70 data->set.str[STRING_SERVICE_NAME] : "HTTP";
71 host = conn->host.name;
72 neg_ctx = &conn->negotiate;
73 state = conn->http_negotiate_state;
76 /* Not set means empty */
83 /* Obtain the input token, if any */
84 header += strlen("Negotiate");
85 while(*header && ISSPACE(*header))
89 neg_ctx->havenegdata = len != 0;
91 if(state == GSS_AUTHSUCC) {
92 infof(data, "Negotiate auth restarted");
93 Curl_http_auth_cleanup_negotiate(conn);
95 else if(state != GSS_AUTHNONE) {
96 /* The server rejected our authentication and hasn't supplied any more
97 negotiation mechanisms */
98 Curl_http_auth_cleanup_negotiate(conn);
99 return CURLE_LOGIN_DENIED;
103 /* Supports SSL channel binding for Windows ISS extended protection */
104 #if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
105 neg_ctx->sslContext = conn->sslContext;
108 /* Initialize the security context and decode our challenge */
109 result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
110 host, header, neg_ctx);
113 Curl_http_auth_cleanup_negotiate(conn);
118 CURLcode Curl_output_negotiate(struct Curl_easy *data,
119 struct connectdata *conn, bool proxy)
121 struct negotiatedata *neg_ctx = proxy ? &conn->proxyneg :
123 struct auth *authp = proxy ? &data->state.authproxy : &data->state.authhost;
124 curlnegotiate *state = proxy ? &conn->proxy_negotiate_state :
125 &conn->http_negotiate_state;
133 if(*state == GSS_AUTHRECV) {
134 if(neg_ctx->havenegdata) {
135 neg_ctx->havemultiplerequests = TRUE;
138 else if(*state == GSS_AUTHSUCC) {
139 if(!neg_ctx->havenoauthpersist) {
140 neg_ctx->noauthpersist = !neg_ctx->havemultiplerequests;
144 if(neg_ctx->noauthpersist ||
145 (*state != GSS_AUTHDONE && *state != GSS_AUTHSUCC)) {
147 if(neg_ctx->noauthpersist && *state == GSS_AUTHSUCC) {
148 infof(data, "Curl_output_negotiate, "
149 "no persistent authentication: cleanup existing context");
150 Curl_http_auth_cleanup_negotiate(conn);
152 if(!neg_ctx->context) {
153 result = Curl_input_negotiate(data, conn, proxy, "Negotiate");
154 if(result == CURLE_AUTH_ERROR) {
155 /* negotiate auth failed, let's continue unauthenticated to stay
156 * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
164 result = Curl_auth_create_spnego_message(neg_ctx, &base64, &len);
168 userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
172 Curl_safefree(data->state.aptr.proxyuserpwd);
173 data->state.aptr.proxyuserpwd = userp;
176 Curl_safefree(data->state.aptr.userpwd);
177 data->state.aptr.userpwd = userp;
183 return CURLE_OUT_OF_MEMORY;
186 *state = GSS_AUTHSENT;
188 if(neg_ctx->status == GSS_S_COMPLETE ||
189 neg_ctx->status == GSS_S_CONTINUE_NEEDED) {
190 *state = GSS_AUTHDONE;
193 #ifdef USE_WINDOWS_SSPI
194 if(neg_ctx->status == SEC_E_OK ||
195 neg_ctx->status == SEC_I_CONTINUE_NEEDED) {
196 *state = GSS_AUTHDONE;
202 if(*state == GSS_AUTHDONE || *state == GSS_AUTHSUCC) {
203 /* connection is already authenticated,
204 * don't send a header in future requests */
208 neg_ctx->havenegdata = FALSE;
213 void Curl_http_auth_cleanup_negotiate(struct connectdata *conn)
215 conn->http_negotiate_state = GSS_AUTHNONE;
216 conn->proxy_negotiate_state = GSS_AUTHNONE;
218 Curl_auth_cleanup_spnego(&conn->negotiate);
219 Curl_auth_cleanup_spnego(&conn->proxyneg);
222 #endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */