/src/curl/lib/vauth/vauth.c
Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | ***************************************************************************/ |
24 | | |
25 | | #include "../curl_setup.h" |
26 | | |
27 | | #include <curl/curl.h> |
28 | | |
29 | | #include "vauth.h" |
30 | | #include "../strdup.h" |
31 | | #include "../urldata.h" |
32 | | #include "../curlx/multibyte.h" |
33 | | #include "../url.h" |
34 | | |
35 | | /* The last #include files should be: */ |
36 | | #include "../curl_memory.h" |
37 | | #include "../memdebug.h" |
38 | | |
39 | | /* |
40 | | * Curl_auth_build_spn() |
41 | | * |
42 | | * This is used to build an SPN string in the following formats: |
43 | | * |
44 | | * service/host@realm (Not currently used) |
45 | | * service/host (Not used by GSS-API) |
46 | | * service@realm (Not used by Windows SSPI) |
47 | | * |
48 | | * Parameters: |
49 | | * |
50 | | * service [in] - The service type such as http, smtp, pop or imap. |
51 | | * host [in] - The hostname. |
52 | | * realm [in] - The realm. |
53 | | * |
54 | | * Returns a pointer to the newly allocated SPN. |
55 | | */ |
56 | | #ifndef USE_WINDOWS_SSPI |
57 | | char *Curl_auth_build_spn(const char *service, const char *host, |
58 | | const char *realm) |
59 | 0 | { |
60 | 0 | char *spn = NULL; |
61 | | |
62 | | /* Generate our SPN */ |
63 | 0 | if(host && realm) |
64 | 0 | spn = curl_maprintf("%s/%s@%s", service, host, realm); |
65 | 0 | else if(host) |
66 | 0 | spn = curl_maprintf("%s/%s", service, host); |
67 | 0 | else if(realm) |
68 | 0 | spn = curl_maprintf("%s@%s", service, realm); |
69 | | |
70 | | /* Return our newly allocated SPN */ |
71 | 0 | return spn; |
72 | 0 | } |
73 | | #else |
74 | | TCHAR *Curl_auth_build_spn(const char *service, const char *host, |
75 | | const char *realm) |
76 | | { |
77 | | char *utf8_spn = NULL; |
78 | | TCHAR *tchar_spn = NULL; |
79 | | TCHAR *dupe_tchar_spn = NULL; |
80 | | |
81 | | (void)realm; |
82 | | |
83 | | /* Note: We could use DsMakeSPN() or DsClientMakeSpnForTargetServer() rather |
84 | | than doing this ourselves but the first is only available in Windows XP |
85 | | and Windows Server 2003 and the latter is only available in Windows 2000 |
86 | | but not Windows95/98/ME or Windows NT4.0 unless the Active Directory |
87 | | Client Extensions are installed. As such it is far simpler for us to |
88 | | formulate the SPN instead. */ |
89 | | |
90 | | /* Generate our UTF8 based SPN */ |
91 | | utf8_spn = curl_maprintf("%s/%s", service, host); |
92 | | if(!utf8_spn) |
93 | | return NULL; |
94 | | |
95 | | /* Allocate and return a TCHAR based SPN. Since curlx_convert_UTF8_to_tchar |
96 | | must be freed by curlx_unicodefree we will dupe the result so that the |
97 | | pointer this function returns can be normally free'd. */ |
98 | | tchar_spn = curlx_convert_UTF8_to_tchar(utf8_spn); |
99 | | free(utf8_spn); |
100 | | if(!tchar_spn) |
101 | | return NULL; |
102 | | dupe_tchar_spn = Curl_tcsdup(tchar_spn); |
103 | | curlx_unicodefree(tchar_spn); |
104 | | return dupe_tchar_spn; |
105 | | } |
106 | | #endif /* USE_WINDOWS_SSPI */ |
107 | | |
108 | | /* |
109 | | * Curl_auth_user_contains_domain() |
110 | | * |
111 | | * This is used to test if the specified user contains a Windows domain name as |
112 | | * follows: |
113 | | * |
114 | | * Domain\User (Down-level Logon Name) |
115 | | * Domain/User (curl Down-level format - for compatibility with existing code) |
116 | | * User@Domain (User Principal Name) |
117 | | * |
118 | | * Note: The username may be empty when using a GSS-API library or Windows |
119 | | * SSPI as the user and domain are either obtained from the credentials cache |
120 | | * when using GSS-API or via the currently logged in user's credentials when |
121 | | * using Windows SSPI. |
122 | | * |
123 | | * Parameters: |
124 | | * |
125 | | * user [in] - The username. |
126 | | * |
127 | | * Returns TRUE on success; otherwise FALSE. |
128 | | */ |
129 | | bool Curl_auth_user_contains_domain(const char *user) |
130 | 0 | { |
131 | 0 | bool valid = FALSE; |
132 | |
|
133 | 0 | if(user && *user) { |
134 | | /* Check we have a domain name or UPN present */ |
135 | 0 | char *p = strpbrk(user, "\\/@"); |
136 | |
|
137 | 0 | valid = (p != NULL && p > user && p < user + strlen(user) - 1); |
138 | 0 | } |
139 | | #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) |
140 | | else |
141 | | /* User and domain are obtained from the GSS-API credentials cache or the |
142 | | currently logged in user from Windows */ |
143 | | valid = TRUE; |
144 | | #endif |
145 | |
|
146 | 0 | return valid; |
147 | 0 | } |
148 | | |
149 | | /* |
150 | | * Curl_auth_ollowed_to_host() tells if authentication, cookies or other |
151 | | * "sensitive data" can (still) be sent to this host. |
152 | | */ |
153 | | bool Curl_auth_allowed_to_host(struct Curl_easy *data) |
154 | 47.6k | { |
155 | 47.6k | struct connectdata *conn = data->conn; |
156 | 47.6k | return !data->state.this_is_a_follow || |
157 | 7.85k | data->set.allow_auth_to_other_hosts || |
158 | 3.39k | (data->state.first_host && |
159 | 3.39k | curl_strequal(data->state.first_host, conn->host.name) && |
160 | 3.23k | (data->state.first_remote_port == conn->remote_port) && |
161 | 3.19k | (data->state.first_remote_protocol == conn->handler->protocol)); |
162 | 47.6k | } |
163 | | |
164 | | #ifdef USE_NTLM |
165 | | |
166 | | static void ntlm_conn_dtor(void *key, size_t klen, void *entry) |
167 | 1.29k | { |
168 | 1.29k | struct ntlmdata *ntlm = entry; |
169 | 1.29k | (void)key; |
170 | 1.29k | (void)klen; |
171 | 1.29k | DEBUGASSERT(ntlm); |
172 | 1.29k | Curl_auth_cleanup_ntlm(ntlm); |
173 | 1.29k | free(ntlm); |
174 | 1.29k | } |
175 | | |
176 | | struct ntlmdata *Curl_auth_ntlm_get(struct connectdata *conn, bool proxy) |
177 | 10.7k | { |
178 | 10.7k | const char *key = proxy ? CURL_META_NTLM_PROXY_CONN : |
179 | 10.7k | CURL_META_NTLM_CONN; |
180 | 10.7k | struct ntlmdata *ntlm = Curl_conn_meta_get(conn, key); |
181 | 10.7k | if(!ntlm) { |
182 | 1.29k | ntlm = calloc(1, sizeof(*ntlm)); |
183 | 1.29k | if(!ntlm || |
184 | 1.29k | Curl_conn_meta_set(conn, key, ntlm, ntlm_conn_dtor)) |
185 | 0 | return NULL; |
186 | 1.29k | } |
187 | 10.7k | return ntlm; |
188 | 10.7k | } |
189 | | |
190 | | void Curl_auth_ntlm_remove(struct connectdata *conn, bool proxy) |
191 | 0 | { |
192 | 0 | Curl_conn_meta_remove(conn, proxy ? |
193 | 0 | CURL_META_NTLM_PROXY_CONN : CURL_META_NTLM_CONN); |
194 | 0 | } |
195 | | |
196 | | #endif /* USE_NTLM */ |
197 | | |
198 | | #ifdef USE_KERBEROS5 |
199 | | |
200 | | static void krb5_conn_dtor(void *key, size_t klen, void *entry) |
201 | | { |
202 | | struct kerberos5data *krb5 = entry; |
203 | | (void)key; |
204 | | (void)klen; |
205 | | DEBUGASSERT(krb5); |
206 | | Curl_auth_cleanup_gssapi(krb5); |
207 | | free(krb5); |
208 | | } |
209 | | |
210 | | struct kerberos5data *Curl_auth_krb5_get(struct connectdata *conn) |
211 | | { |
212 | | struct kerberos5data *krb5 = Curl_conn_meta_get(conn, CURL_META_KRB5_CONN); |
213 | | if(!krb5) { |
214 | | krb5 = calloc(1, sizeof(*krb5)); |
215 | | if(!krb5 || |
216 | | Curl_conn_meta_set(conn, CURL_META_KRB5_CONN, krb5, krb5_conn_dtor)) |
217 | | return NULL; |
218 | | } |
219 | | return krb5; |
220 | | } |
221 | | |
222 | | #endif /* USE_KERBEROS5 */ |
223 | | |
224 | | #ifdef USE_GSASL |
225 | | |
226 | | static void gsasl_conn_dtor(void *key, size_t klen, void *entry) |
227 | | { |
228 | | struct gsasldata *gsasl = entry; |
229 | | (void)key; |
230 | | (void)klen; |
231 | | DEBUGASSERT(gsasl); |
232 | | Curl_auth_gsasl_cleanup(gsasl); |
233 | | free(gsasl); |
234 | | } |
235 | | |
236 | | struct gsasldata *Curl_auth_gsasl_get(struct connectdata *conn) |
237 | | { |
238 | | struct gsasldata *gsasl = Curl_conn_meta_get(conn, CURL_META_GSASL_CONN); |
239 | | if(!gsasl) { |
240 | | gsasl = calloc(1, sizeof(*gsasl)); |
241 | | if(!gsasl || |
242 | | Curl_conn_meta_set(conn, CURL_META_GSASL_CONN, gsasl, gsasl_conn_dtor)) |
243 | | return NULL; |
244 | | } |
245 | | return gsasl; |
246 | | } |
247 | | |
248 | | #endif /* USE_GSASL */ |
249 | | |
250 | | #ifdef USE_SPNEGO |
251 | | |
252 | | static void nego_conn_dtor(void *key, size_t klen, void *entry) |
253 | | { |
254 | | struct negotiatedata *nego = entry; |
255 | | (void)key; |
256 | | (void)klen; |
257 | | DEBUGASSERT(nego); |
258 | | Curl_auth_cleanup_spnego(nego); |
259 | | free(nego); |
260 | | } |
261 | | |
262 | | struct negotiatedata *Curl_auth_nego_get(struct connectdata *conn, bool proxy) |
263 | | { |
264 | | const char *key = proxy ? CURL_META_NEGO_PROXY_CONN : |
265 | | CURL_META_NEGO_CONN; |
266 | | struct negotiatedata *nego = Curl_conn_meta_get(conn, key); |
267 | | if(!nego) { |
268 | | nego = calloc(1, sizeof(*nego)); |
269 | | if(!nego || |
270 | | Curl_conn_meta_set(conn, key, nego, nego_conn_dtor)) |
271 | | return NULL; |
272 | | } |
273 | | return nego; |
274 | | } |
275 | | |
276 | | #endif /* USE_SPNEGO */ |