/src/curl/lib/vauth/vauth.c
Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | ***************************************************************************/ |
24 | | #include "curl_setup.h" |
25 | | |
26 | | #include "vauth/vauth.h" |
27 | | #include "curlx/multibyte.h" |
28 | | #include "url.h" |
29 | | |
30 | | /* |
31 | | * Curl_auth_build_spn() |
32 | | * |
33 | | * This is used to build an SPN string in the following formats: |
34 | | * |
35 | | * service/host@realm (Not currently used) |
36 | | * service/host (Not used by GSS-API) |
37 | | * service@realm (Not used by Windows SSPI) |
38 | | * |
39 | | * Parameters: |
40 | | * |
41 | | * service [in] - The service type such as http, smtp, pop or imap. |
42 | | * host [in] - The hostname. |
43 | | * realm [in] - The realm. |
44 | | * |
45 | | * Returns a pointer to the newly allocated SPN. |
46 | | */ |
47 | | #ifndef USE_WINDOWS_SSPI |
48 | | char *Curl_auth_build_spn(const char *service, const char *host, |
49 | | const char *realm) |
50 | 0 | { |
51 | 0 | char *spn = NULL; |
52 | | |
53 | | /* Generate our SPN */ |
54 | 0 | if(host && realm) |
55 | 0 | spn = curl_maprintf("%s/%s@%s", service, host, realm); |
56 | 0 | else if(host) |
57 | 0 | spn = curl_maprintf("%s/%s", service, host); |
58 | 0 | else if(realm) |
59 | 0 | spn = curl_maprintf("%s@%s", service, realm); |
60 | | |
61 | | /* Return our newly allocated SPN */ |
62 | 0 | return spn; |
63 | 0 | } |
64 | | #else |
65 | | TCHAR *Curl_auth_build_spn(const char *service, const char *host, |
66 | | const char *realm) |
67 | | { |
68 | | char *utf8_spn = NULL; |
69 | | TCHAR *tchar_spn = NULL; |
70 | | |
71 | | (void)realm; |
72 | | |
73 | | /* Note: We could use DsMakeSPN() or DsClientMakeSpnForTargetServer() rather |
74 | | than doing this ourselves but the first is only available in Windows XP |
75 | | and Windows Server 2003 and the latter is only available in Windows 2000 |
76 | | but not Windows95/98/ME or Windows NT4.0 unless the Active Directory |
77 | | Client Extensions are installed. As such it is far simpler for us to |
78 | | formulate the SPN instead. */ |
79 | | |
80 | | /* Generate our UTF8 based SPN */ |
81 | | utf8_spn = curl_maprintf("%s/%s", service, host); |
82 | | if(!utf8_spn) |
83 | | return NULL; |
84 | | |
85 | | /* Allocate and return a TCHAR based SPN. */ |
86 | | tchar_spn = curlx_convert_UTF8_to_tchar(utf8_spn); |
87 | | curlx_free(utf8_spn); |
88 | | |
89 | | return tchar_spn; |
90 | | } |
91 | | #endif /* USE_WINDOWS_SSPI */ |
92 | | |
93 | | /* |
94 | | * Curl_auth_user_contains_domain() |
95 | | * |
96 | | * This is used to test if the specified user contains a Windows domain name as |
97 | | * follows: |
98 | | * |
99 | | * Domain\User (Down-level Logon Name) |
100 | | * Domain/User (curl Down-level format - for compatibility with existing code) |
101 | | * User@Domain (User Principal Name) |
102 | | * |
103 | | * Note: The username may be empty when using a GSS-API library or Windows |
104 | | * SSPI as the user and domain are either obtained from the credentials cache |
105 | | * when using GSS-API or via the currently logged in user's credentials when |
106 | | * using Windows SSPI. |
107 | | * |
108 | | * Parameters: |
109 | | * |
110 | | * user [in] - The username. |
111 | | * |
112 | | * Returns TRUE on success; otherwise FALSE. |
113 | | */ |
114 | | bool Curl_auth_user_contains_domain(const char *user) |
115 | 0 | { |
116 | 0 | bool valid = FALSE; |
117 | |
|
118 | 0 | if(user && *user) { |
119 | | /* Check we have a domain name or UPN present */ |
120 | 0 | const char *p = strpbrk(user, "\\/@"); |
121 | |
|
122 | 0 | valid = (p != NULL && p > user && p < user + strlen(user) - 1); |
123 | 0 | } |
124 | | #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) |
125 | | else |
126 | | /* User and domain are obtained from the GSS-API credentials cache or the |
127 | | currently logged in user from Windows */ |
128 | | valid = TRUE; |
129 | | #endif |
130 | |
|
131 | 0 | return valid; |
132 | 0 | } |
133 | | |
134 | | /* |
135 | | * Curl_auth_allowed_to_host() tells if authentication, cookies or other |
136 | | * "sensitive data" can (still) be sent to this host. |
137 | | */ |
138 | | bool Curl_auth_allowed_to_host(struct Curl_easy *data) |
139 | 0 | { |
140 | 0 | struct connectdata *conn = data->conn; |
141 | 0 | return !data->state.this_is_a_follow || |
142 | 0 | data->set.allow_auth_to_other_hosts || |
143 | 0 | (data->state.first_host && |
144 | 0 | curl_strequal(data->state.first_host, conn->host.name) && |
145 | 0 | (data->state.first_remote_port == conn->remote_port) && |
146 | 0 | (data->state.first_remote_protocol == conn->scheme->protocol)); |
147 | 0 | } |
148 | | |
149 | | #ifdef USE_NTLM |
150 | | static void ntlm_conn_dtor(void *key, size_t klen, void *entry) |
151 | 0 | { |
152 | 0 | struct ntlmdata *ntlm = entry; |
153 | 0 | (void)key; |
154 | 0 | (void)klen; |
155 | 0 | DEBUGASSERT(ntlm); |
156 | 0 | Curl_auth_cleanup_ntlm(ntlm); |
157 | 0 | curlx_free(ntlm); |
158 | 0 | } |
159 | | |
160 | | struct ntlmdata *Curl_auth_ntlm_get(struct connectdata *conn, bool proxy) |
161 | 0 | { |
162 | 0 | const char *key = proxy ? CURL_META_NTLM_PROXY_CONN : CURL_META_NTLM_CONN; |
163 | 0 | struct ntlmdata *ntlm = Curl_conn_meta_get(conn, key); |
164 | 0 | if(!ntlm) { |
165 | 0 | ntlm = curlx_calloc(1, sizeof(*ntlm)); |
166 | 0 | if(!ntlm || Curl_conn_meta_set(conn, key, ntlm, ntlm_conn_dtor)) |
167 | 0 | return NULL; |
168 | 0 | } |
169 | 0 | return ntlm; |
170 | 0 | } |
171 | | |
172 | | void Curl_auth_ntlm_remove(struct connectdata *conn, bool proxy) |
173 | 0 | { |
174 | 0 | Curl_conn_meta_remove(conn, proxy ? CURL_META_NTLM_PROXY_CONN |
175 | 0 | : CURL_META_NTLM_CONN); |
176 | 0 | } |
177 | | #endif /* USE_NTLM */ |
178 | | |
179 | | #ifdef USE_KERBEROS5 |
180 | | static void krb5_conn_dtor(void *key, size_t klen, void *entry) |
181 | | { |
182 | | struct kerberos5data *krb5 = entry; |
183 | | (void)key; |
184 | | (void)klen; |
185 | | DEBUGASSERT(krb5); |
186 | | Curl_auth_cleanup_gssapi(krb5); |
187 | | curlx_free(krb5); |
188 | | } |
189 | | |
190 | | struct kerberos5data *Curl_auth_krb5_get(struct connectdata *conn) |
191 | | { |
192 | | struct kerberos5data *krb5 = Curl_conn_meta_get(conn, CURL_META_KRB5_CONN); |
193 | | if(!krb5) { |
194 | | krb5 = curlx_calloc(1, sizeof(*krb5)); |
195 | | if(!krb5 || |
196 | | Curl_conn_meta_set(conn, CURL_META_KRB5_CONN, krb5, krb5_conn_dtor)) |
197 | | return NULL; |
198 | | } |
199 | | return krb5; |
200 | | } |
201 | | #endif /* USE_KERBEROS5 */ |
202 | | |
203 | | #ifdef USE_GSASL |
204 | | static void gsasl_conn_dtor(void *key, size_t klen, void *entry) |
205 | | { |
206 | | struct gsasldata *gsasl = entry; |
207 | | (void)key; |
208 | | (void)klen; |
209 | | DEBUGASSERT(gsasl); |
210 | | Curl_auth_gsasl_cleanup(gsasl); |
211 | | curlx_free(gsasl); |
212 | | } |
213 | | |
214 | | struct gsasldata *Curl_auth_gsasl_get(struct connectdata *conn) |
215 | | { |
216 | | struct gsasldata *gsasl = Curl_conn_meta_get(conn, CURL_META_GSASL_CONN); |
217 | | if(!gsasl) { |
218 | | gsasl = curlx_calloc(1, sizeof(*gsasl)); |
219 | | if(!gsasl || |
220 | | Curl_conn_meta_set(conn, CURL_META_GSASL_CONN, gsasl, gsasl_conn_dtor)) |
221 | | return NULL; |
222 | | } |
223 | | return gsasl; |
224 | | } |
225 | | #endif /* USE_GSASL */ |
226 | | |
227 | | #ifdef USE_SPNEGO |
228 | | static void nego_conn_dtor(void *key, size_t klen, void *entry) |
229 | | { |
230 | | struct negotiatedata *nego = entry; |
231 | | (void)key; |
232 | | (void)klen; |
233 | | DEBUGASSERT(nego); |
234 | | Curl_auth_cleanup_spnego(nego); |
235 | | curlx_free(nego); |
236 | | } |
237 | | |
238 | | struct negotiatedata *Curl_auth_nego_get(struct connectdata *conn, bool proxy) |
239 | | { |
240 | | const char *key = proxy ? CURL_META_NEGO_PROXY_CONN : CURL_META_NEGO_CONN; |
241 | | struct negotiatedata *nego = Curl_conn_meta_get(conn, key); |
242 | | if(!nego) { |
243 | | nego = curlx_calloc(1, sizeof(*nego)); |
244 | | if(!nego || Curl_conn_meta_set(conn, key, nego, nego_conn_dtor)) |
245 | | return NULL; |
246 | | } |
247 | | return nego; |
248 | | } |
249 | | #endif /* USE_SPNEGO */ |