1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2003, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
22 ***************************************************************************/
27 #ifndef CURL_DISABLE_HTTP
28 /* -- WIN32 approved -- */
40 #include "http_negotiate.h"
42 #define _MPRINTF_REPLACE /* use our functions only */
43 #include <curl/mprintf.h>
45 /* The last #include file should be: */
51 get_gss_name(struct connectdata *conn, gss_name_t *server)
53 struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
54 OM_uint32 major_status, minor_status;
55 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
59 /* GSSAPI implementation by Globus (known as GSI) requires the name to be
60 of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
61 of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
62 Change following lines if you want to use GSI */
64 /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
71 token.length = strlen(service) + 1 + strlen(conn->hostname) + 1;
72 if (token.length + 1 > sizeof(name))
74 sprintf(name, "%s@%s", service, conn->hostname);
76 token.value = (void *) name;
77 major_status = gss_import_name(&minor_status,
79 GSS_C_NT_HOSTBASED_SERVICE,
82 return GSS_ERROR(major_status) ? -1 : 0;
86 log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix)
88 OM_uint32 maj_stat, min_stat;
89 OM_uint32 msg_ctx = 0;
90 gss_buffer_desc status_string;
94 snprintf(buf, sizeof(buf), "%s", prefix);
97 maj_stat = gss_display_status (&min_stat,
103 if (sizeof(buf) > len + status_string.length + 1) {
104 sprintf(buf + len, ": %s", (char*) status_string.value);
105 len += status_string.length;
107 gss_release_buffer(&min_stat, &status_string);
108 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
110 infof(conn->data, buf);
113 int Curl_input_negotiate(struct connectdata *conn, char *header)
115 struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
116 OM_uint32 major_status, minor_status, minor_status2;
117 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
118 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
122 const char* protocol;
124 while(*header && isspace((int)*header))
126 if(checkprefix("GSS-Negotiate", header)) {
127 protocol = "GSS-Negotiate";
130 else if (checkprefix("Negotiate", header)) {
131 protocol = "Negotiate";
137 if (neg_ctx->context) {
138 if (neg_ctx->gss != gss) {
143 neg_ctx->protocol = protocol;
147 if (neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
148 /* We finished succesfully our part of authentication, but server
149 * rejected it (since we're again here). Exit with an error since we
150 * can't invent anything better */
151 Curl_cleanup_negotiate(conn->data);
155 if (neg_ctx->server_name == NULL &&
156 (ret = get_gss_name(conn, &neg_ctx->server_name)))
159 header += strlen(neg_ctx->protocol);
160 while(*header && isspace((int)*header))
163 len = strlen(header);
166 input_token.length = (len+3)/4 * 3;
167 input_token.value = malloc(input_token.length);
168 if (input_token.value == NULL)
170 rawlen = Curl_base64_decode(header, input_token.value);
173 input_token.length = rawlen;
176 major_status = gss_init_sec_context(&minor_status,
179 neg_ctx->server_name,
183 GSS_C_NO_CHANNEL_BINDINGS,
189 if (input_token.length > 0)
190 gss_release_buffer(&minor_status2, &input_token);
191 neg_ctx->status = major_status;
192 if (GSS_ERROR(major_status)) {
193 /* Curl_cleanup_negotiate(conn->data) ??? */
194 log_gss_error(conn, minor_status,
195 (char *)"gss_init_sec_context() failed: ");
199 if (output_token.length == 0) {
203 neg_ctx->output_token = output_token;
204 /* conn->bits.close = FALSE; */
210 CURLcode Curl_output_negotiate(struct connectdata *conn)
212 struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
213 OM_uint32 minor_status;
214 char *encoded = NULL;
215 int len = Curl_base64_encode(neg_ctx->output_token.value,
216 neg_ctx->output_token.length,
219 return CURLE_OUT_OF_MEMORY;
221 conn->allocptr.userpwd =
222 aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded);
224 gss_release_buffer(&minor_status, &neg_ctx->output_token);
225 return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
228 void Curl_cleanup_negotiate(struct SessionHandle *data)
230 OM_uint32 minor_status;
231 struct negotiatedata *neg_ctx = &data->state.negotiate;
233 if (neg_ctx->context != GSS_C_NO_CONTEXT)
234 gss_delete_sec_context(&minor_status, &neg_ctx->context, GSS_C_NO_BUFFER);
236 if (neg_ctx->output_token.length != 0)
237 gss_release_buffer(&minor_status, &neg_ctx->output_token);
239 if (neg_ctx->server_name != GSS_C_NO_NAME)
240 gss_release_name(&minor_status, &neg_ctx->server_name);
242 memset(neg_ctx, 0, sizeof(*neg_ctx));