1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 2014 - 2022, Steve Holme, <steve_holme@hotmail.com>.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 * SPDX-License-Identifier: curl
23 * RFC4752 The Kerberos V5 ("GSSAPI") SASL Mechanism
25 ***************************************************************************/
27 #include "curl_setup.h"
29 #if defined(USE_WINDOWS_SSPI) && defined(USE_KERBEROS5)
31 #include <curl/curl.h>
33 #include "vauth/vauth.h"
36 #include "curl_multibyte.h"
39 /* The last #include files should be: */
40 #include "curl_memory.h"
44 * Curl_auth_is_gssapi_supported()
46 * This is used to evaluate if GSSAPI (Kerberos V5) is supported.
50 * Returns TRUE if Kerberos V5 is supported by Windows SSPI.
52 bool Curl_auth_is_gssapi_supported(void)
54 PSecPkgInfo SecurityPackage;
55 SECURITY_STATUS status;
57 /* Query the security package for Kerberos */
58 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
59 TEXT(SP_NAME_KERBEROS),
62 /* Release the package buffer as it is not required anymore */
63 if(status == SEC_E_OK) {
64 s_pSecFn->FreeContextBuffer(SecurityPackage);
67 return (status == SEC_E_OK ? TRUE : FALSE);
71 * Curl_auth_create_gssapi_user_message()
73 * This is used to generate an already encoded GSSAPI (Kerberos V5) user token
74 * message ready for sending to the recipient.
78 * data [in] - The session handle.
79 * userp [in] - The user name in the format User or Domain\User.
80 * passwdp [in] - The user's password.
81 * service [in] - The service type such as http, smtp, pop or imap.
82 * host [in] - The host name.
83 * mutual_auth [in] - Flag specifying whether or not mutual authentication
85 * chlg [in] - Optional challenge message.
86 * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
87 * out [out] - The result storage.
89 * Returns CURLE_OK on success.
91 CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
96 const bool mutual_auth,
97 const struct bufref *chlg,
98 struct kerberos5data *krb5,
101 CURLcode result = CURLE_OK;
103 PSecPkgInfo SecurityPackage;
106 SecBufferDesc chlg_desc;
107 SecBufferDesc resp_desc;
108 SECURITY_STATUS status;
110 TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
113 /* Generate our SPN */
114 krb5->spn = Curl_auth_build_spn(service, host, NULL);
116 return CURLE_OUT_OF_MEMORY;
119 if(!krb5->output_token) {
120 /* Query the security package for Kerberos */
121 status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
122 TEXT(SP_NAME_KERBEROS),
124 if(status != SEC_E_OK) {
125 failf(data, "SSPI: couldn't get auth info");
126 return CURLE_AUTH_ERROR;
129 krb5->token_max = SecurityPackage->cbMaxToken;
131 /* Release the package buffer as it is not required anymore */
132 s_pSecFn->FreeContextBuffer(SecurityPackage);
134 /* Allocate our response buffer */
135 krb5->output_token = malloc(krb5->token_max);
136 if(!krb5->output_token)
137 return CURLE_OUT_OF_MEMORY;
140 if(!krb5->credentials) {
141 /* Do we have credentials to use or are we using single sign-on? */
142 if(userp && *userp) {
143 /* Populate our identity structure */
144 result = Curl_create_sspi_identity(userp, passwdp, &krb5->identity);
148 /* Allow proper cleanup of the identity structure */
149 krb5->p_identity = &krb5->identity;
152 /* Use the current Windows user */
153 krb5->p_identity = NULL;
155 /* Allocate our credentials handle */
156 krb5->credentials = calloc(1, sizeof(CredHandle));
157 if(!krb5->credentials)
158 return CURLE_OUT_OF_MEMORY;
160 /* Acquire our credentials handle */
161 status = s_pSecFn->AcquireCredentialsHandle(NULL,
163 TEXT(SP_NAME_KERBEROS),
164 SECPKG_CRED_OUTBOUND, NULL,
165 krb5->p_identity, NULL, NULL,
166 krb5->credentials, &expiry);
167 if(status != SEC_E_OK)
168 return CURLE_LOGIN_DENIED;
170 /* Allocate our new context handle */
171 krb5->context = calloc(1, sizeof(CtxtHandle));
173 return CURLE_OUT_OF_MEMORY;
177 if(!Curl_bufref_len(chlg)) {
178 infof(data, "GSSAPI handshake failure (empty challenge message)");
179 return CURLE_BAD_CONTENT_ENCODING;
182 /* Setup the challenge "input" security buffer */
183 chlg_desc.ulVersion = SECBUFFER_VERSION;
184 chlg_desc.cBuffers = 1;
185 chlg_desc.pBuffers = &chlg_buf;
186 chlg_buf.BufferType = SECBUFFER_TOKEN;
187 chlg_buf.pvBuffer = (void *) Curl_bufref_ptr(chlg);
188 chlg_buf.cbBuffer = curlx_uztoul(Curl_bufref_len(chlg));
191 /* Setup the response "output" security buffer */
192 resp_desc.ulVersion = SECBUFFER_VERSION;
193 resp_desc.cBuffers = 1;
194 resp_desc.pBuffers = &resp_buf;
195 resp_buf.BufferType = SECBUFFER_TOKEN;
196 resp_buf.pvBuffer = krb5->output_token;
197 resp_buf.cbBuffer = curlx_uztoul(krb5->token_max);
199 /* Generate our challenge-response message */
200 status = s_pSecFn->InitializeSecurityContext(krb5->credentials,
201 chlg ? krb5->context : NULL,
204 ISC_REQ_MUTUAL_AUTH : 0),
205 0, SECURITY_NATIVE_DREP,
206 chlg ? &chlg_desc : NULL, 0,
211 if(status == SEC_E_INSUFFICIENT_MEMORY)
212 return CURLE_OUT_OF_MEMORY;
214 if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
215 return CURLE_AUTH_ERROR;
217 if(memcmp(&context, krb5->context, sizeof(context))) {
218 s_pSecFn->DeleteSecurityContext(krb5->context);
220 memcpy(krb5->context, &context, sizeof(context));
223 if(resp_buf.cbBuffer) {
224 result = Curl_bufref_memdup(out, resp_buf.pvBuffer, resp_buf.cbBuffer);
227 Curl_bufref_set(out, "", 0, NULL);
229 Curl_bufref_set(out, NULL, 0, NULL);
235 * Curl_auth_create_gssapi_security_message()
237 * This is used to generate an already encoded GSSAPI (Kerberos V5) security
238 * token message ready for sending to the recipient.
242 * data [in] - The session handle.
243 * authzid [in] - The authorization identity if some.
244 * chlg [in] - The optional challenge message.
245 * krb5 [in/out] - The Kerberos 5 data struct being used and modified.
246 * out [out] - The result storage.
248 * Returns CURLE_OK on success.
250 CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
252 const struct bufref *chlg,
253 struct kerberos5data *krb5,
257 size_t messagelen = 0;
258 size_t appdatalen = 0;
259 unsigned char *trailer = NULL;
260 unsigned char *message = NULL;
261 unsigned char *padding = NULL;
262 unsigned char *appdata = NULL;
263 SecBuffer input_buf[2];
264 SecBuffer wrap_buf[3];
265 SecBufferDesc input_desc;
266 SecBufferDesc wrap_desc;
267 unsigned char *indata;
268 unsigned long qop = 0;
269 unsigned long sec_layer = 0;
270 unsigned long max_size = 0;
271 SecPkgContext_Sizes sizes;
272 SECURITY_STATUS status;
274 #if defined(CURL_DISABLE_VERBOSE_STRINGS)
278 /* Ensure we have a valid challenge message */
279 if(!Curl_bufref_len(chlg)) {
280 infof(data, "GSSAPI handshake failure (empty security message)");
281 return CURLE_BAD_CONTENT_ENCODING;
284 /* Get our response size information */
285 status = s_pSecFn->QueryContextAttributes(krb5->context,
289 if(status == SEC_E_INSUFFICIENT_MEMORY)
290 return CURLE_OUT_OF_MEMORY;
292 if(status != SEC_E_OK)
293 return CURLE_AUTH_ERROR;
295 /* Setup the "input" security buffer */
296 input_desc.ulVersion = SECBUFFER_VERSION;
297 input_desc.cBuffers = 2;
298 input_desc.pBuffers = input_buf;
299 input_buf[0].BufferType = SECBUFFER_STREAM;
300 input_buf[0].pvBuffer = (void *) Curl_bufref_ptr(chlg);
301 input_buf[0].cbBuffer = curlx_uztoul(Curl_bufref_len(chlg));
302 input_buf[1].BufferType = SECBUFFER_DATA;
303 input_buf[1].pvBuffer = NULL;
304 input_buf[1].cbBuffer = 0;
306 /* Decrypt the inbound challenge and obtain the qop */
307 status = s_pSecFn->DecryptMessage(krb5->context, &input_desc, 0, &qop);
308 if(status != SEC_E_OK) {
309 infof(data, "GSSAPI handshake failure (empty security message)");
310 return CURLE_BAD_CONTENT_ENCODING;
313 /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
314 if(input_buf[1].cbBuffer != 4) {
315 infof(data, "GSSAPI handshake failure (invalid security data)");
316 return CURLE_BAD_CONTENT_ENCODING;
319 /* Extract the security layer and the maximum message size */
320 indata = input_buf[1].pvBuffer;
321 sec_layer = indata[0];
322 max_size = (indata[1] << 16) | (indata[2] << 8) | indata[3];
324 /* Free the challenge as it is not required anymore */
325 s_pSecFn->FreeContextBuffer(input_buf[1].pvBuffer);
327 /* Process the security layer */
328 if(!(sec_layer & KERB_WRAP_NO_ENCRYPT)) {
329 infof(data, "GSSAPI handshake failure (invalid security layer)");
330 return CURLE_BAD_CONTENT_ENCODING;
332 sec_layer &= KERB_WRAP_NO_ENCRYPT; /* We do not support a security layer */
334 /* Process the maximum message size the server can receive */
336 /* The server has told us it supports a maximum receive buffer, however, as
337 we don't require one unless we are encrypting data, we tell the server
338 our receive buffer is zero. */
342 /* Allocate the trailer */
343 trailer = malloc(sizes.cbSecurityTrailer);
345 return CURLE_OUT_OF_MEMORY;
347 /* Allocate our message */
350 messagelen += strlen(authzid);
351 message = malloc(messagelen);
355 return CURLE_OUT_OF_MEMORY;
358 /* Populate the message with the security layer and client supported receive
360 message[0] = sec_layer & 0xFF;
361 message[1] = (max_size >> 16) & 0xFF;
362 message[2] = (max_size >> 8) & 0xFF;
363 message[3] = max_size & 0xFF;
365 /* If given, append the authorization identity. */
367 if(authzid && *authzid)
368 memcpy(message + 4, authzid, messagelen - 4);
370 /* Allocate the padding */
371 padding = malloc(sizes.cbBlockSize);
376 return CURLE_OUT_OF_MEMORY;
379 /* Setup the "authentication data" security buffer */
380 wrap_desc.ulVersion = SECBUFFER_VERSION;
381 wrap_desc.cBuffers = 3;
382 wrap_desc.pBuffers = wrap_buf;
383 wrap_buf[0].BufferType = SECBUFFER_TOKEN;
384 wrap_buf[0].pvBuffer = trailer;
385 wrap_buf[0].cbBuffer = sizes.cbSecurityTrailer;
386 wrap_buf[1].BufferType = SECBUFFER_DATA;
387 wrap_buf[1].pvBuffer = message;
388 wrap_buf[1].cbBuffer = curlx_uztoul(messagelen);
389 wrap_buf[2].BufferType = SECBUFFER_PADDING;
390 wrap_buf[2].pvBuffer = padding;
391 wrap_buf[2].cbBuffer = sizes.cbBlockSize;
393 /* Encrypt the data */
394 status = s_pSecFn->EncryptMessage(krb5->context, KERB_WRAP_NO_ENCRYPT,
396 if(status != SEC_E_OK) {
401 if(status == SEC_E_INSUFFICIENT_MEMORY)
402 return CURLE_OUT_OF_MEMORY;
404 return CURLE_AUTH_ERROR;
407 /* Allocate the encryption (wrap) buffer */
408 appdatalen = wrap_buf[0].cbBuffer + wrap_buf[1].cbBuffer +
409 wrap_buf[2].cbBuffer;
410 appdata = malloc(appdatalen);
416 return CURLE_OUT_OF_MEMORY;
419 /* Populate the encryption buffer */
420 memcpy(appdata, wrap_buf[0].pvBuffer, wrap_buf[0].cbBuffer);
421 offset += wrap_buf[0].cbBuffer;
422 memcpy(appdata + offset, wrap_buf[1].pvBuffer, wrap_buf[1].cbBuffer);
423 offset += wrap_buf[1].cbBuffer;
424 memcpy(appdata + offset, wrap_buf[2].pvBuffer, wrap_buf[2].cbBuffer);
426 /* Free all of our local buffers */
431 /* Return the response. */
432 Curl_bufref_set(out, appdata, appdatalen, curl_free);
437 * Curl_auth_cleanup_gssapi()
439 * This is used to clean up the GSSAPI (Kerberos V5) specific data.
443 * krb5 [in/out] - The Kerberos 5 data struct being cleaned up.
446 void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5)
448 /* Free our security context */
450 s_pSecFn->DeleteSecurityContext(krb5->context);
452 krb5->context = NULL;
455 /* Free our credentials handle */
456 if(krb5->credentials) {
457 s_pSecFn->FreeCredentialsHandle(krb5->credentials);
458 free(krb5->credentials);
459 krb5->credentials = NULL;
462 /* Free our identity */
463 Curl_sspi_free_identity(krb5->p_identity);
464 krb5->p_identity = NULL;
466 /* Free the SPN and output token */
467 Curl_safefree(krb5->spn);
468 Curl_safefree(krb5->output_token);
470 /* Reset any variables */
474 #endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/