krb5.c source code [Aseprite/third_party/curl/lib/krb5.c]

1	/ GSSAPI/krb5 support for FTP - loosely based on old krb4.c*
2	*
3	* Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
4	* (Royal Institute of Technology, Stockholm, Sweden).
5	* Copyright (c) 2004 - 2021 Daniel Stenberg
6	* All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in the
17	* documentation and/or other materials provided with the distribution.
18	*
19	* 3. Neither the name of the Institute nor the names of its contributors
20	* may be used to endorse or promote products derived from this software
21	* without specific prior written permission.
22	*
23	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33	* SUCH DAMAGE. */
34
35	#include "curl_setup.h"
36
37	#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP)
38
39	#ifdef HAVE_NETDB_H
40	#include <netdb.h>
41	#endif
42
43	#include "urldata.h"
44	#include "curl_base64.h"
45	#include "ftp.h"
46	#include "curl_gssapi.h"
47	#include "sendf.h"
48	#include "curl_krb5.h"
49	#include "warnless.h"
50	#include "non-ascii.h"
51	#include "strcase.h"
52	#include "strdup.h"
53
54	/ The last 3 #include files should be in this order /
55	#include "curl_printf.h"
56	#include "curl_memory.h"
57	#include "memdebug.h"
58
59	static CURLcode ftpsend(struct Curl_easy data, struct* connectdata *conn,
60	const char *cmd)
61	{
62	ssize_t bytes_written;
63	#define SBUF_SIZE 1024
64	char s[SBUF_SIZE];
65	size_t write_len;
66	char *sptr = s;
67	CURLcode result = CURLE_OK;
68	#ifdef HAVE_GSSAPI
69	enum protection_level data_sec = conn->data_prot;
70	#endif
71
72	if(!cmd)
73	return CURLE_BAD_FUNCTION_ARGUMENT;
74
75	write_len = strlen(cmd);
76	if(!write_len \|\| write_len > (sizeof(s) -`3`))
77	return CURLE_BAD_FUNCTION_ARGUMENT;
78
79	memcpy(&s, cmd, write_len);
80	strcpy(&s[write_len], "\r\n"); / append a trailing CRLF /
81	write_len += `2`;
82	bytes_written = `0`;
83
84	result = Curl_convert_to_network(data, s, write_len);
85	/ Curl_convert_to_network calls failf if unsuccessful /
86	if(result)
87	return result;
88
89	for(;;) {
90	#ifdef HAVE_GSSAPI
91	conn->data_prot = PROT_CMD;
92	#endif
93	result = Curl_write(data, conn->sock[FIRSTSOCKET], sptr, write_len,
94	&bytes_written);
95	#ifdef HAVE_GSSAPI
96	DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST);
97	conn->data_prot = data_sec;
98	#endif
99
100	if(result)
101	break;
102
103	Curl_debug(data, CURLINFO_HEADER_OUT, sptr, (size_t)bytes_written);
104
105	if(bytes_written != (ssize_t)write_len) {
106	write_len -= bytes_written;
107	sptr += bytes_written;
108	}
109	else
110	break;
111	}
112
113	return result;
114	}
115
116	static int
117	krb5_init(void *app_data)
118	{
119	gss_ctx_id_t *context = app_data;
120	/ Make sure our context is initialized for krb5_end. /
121	*context = GSS_C_NO_CONTEXT;
122	return `0`;
123	}
124
125	static int
126	krb5_check_prot(void app_data, int* level)
127	{
128	(void)app_data; / unused /
129	if(level == PROT_CONFIDENTIAL)
130	return -`1`;
131	return `0`;
132	}
133
134	static int
135	krb5_decode(void app_data, void* buf, int* len,
136	int level UNUSED_PARAM,
137	struct connectdata *conn UNUSED_PARAM)
138	{
139	gss_ctx_id_t *context = app_data;
140	OM_uint32 maj, min;
141	gss_buffer_desc enc, dec;
142
143	(void)level;
144	(void)conn;
145
146	enc.value = buf;
147	enc.length = len;
148	maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
149	if(maj != GSS_S_COMPLETE) {
150	if(len >= `4`)
151	strcpy(buf, "599 ");
152	return -`1`;
153	}
154
155	memcpy(buf, dec.value, dec.length);
156	len = curlx_uztosi(dec.length);
157	gss_release_buffer(&min, &dec);
158
159	return len;
160	}
161
162	static int
163	krb5_encode(void app_data, const* void from, int* length, int level, void **to)
164	{
165	gss_ctx_id_t *context = app_data;
166	gss_buffer_desc dec, enc;
167	OM_uint32 maj, min;
168	int state;
169	int len;
170
171	/ NOTE that the cast is safe, neither of the krb5, gnu gss and heimdal*
172	* libraries modify the input buffer in gss_wrap()
173	*/
174	dec.value = (void *)from;
175	dec.length = length;
176	maj = gss_wrap(&min, *context,
177	level == PROT_PRIVATE,
178	GSS_C_QOP_DEFAULT,
179	&dec, &state, &enc);
180
181	if(maj != GSS_S_COMPLETE)
182	return -`1`;
183
184	/ malloc a new buffer, in case gss_release_buffer doesn't work as*
185	expected /*
186	*to = malloc(enc.length);
187	if(!*to)
188	return -`1`;
189	memcpy(*to, enc.value, enc.length);
190	len = curlx_uztosi(enc.length);
191	gss_release_buffer(&min, &enc);
192	return len;
193	}
194
195	static int
196	krb5_auth(void app_data, struct* Curl_easy data, struct* connectdata *conn)
197	{
198	int ret = AUTH_OK;
199	char *p;
200	const char *host = conn->host.name;
201	ssize_t nread;
202	curl_socklen_t l = sizeof(conn->local_addr);
203	CURLcode result;
204	const char *service = data->set.str[STRING_SERVICE_NAME] ?
205	data->set.str[STRING_SERVICE_NAME] :
206	"ftp";
207	const char *srv_host = "host";
208	gss_buffer_desc input_buffer, output_buffer, _gssresp, *gssresp;
209	OM_uint32 maj, min;
210	gss_name_t gssname;
211	gss_ctx_id_t *context = app_data;
212	struct gss_channel_bindings_struct chan;
213	size_t base64_sz = `0`;
214	struct sockaddr_in **remote_addr =
215	(struct sockaddr_in **)&conn->ip_addr->ai_addr;
216	char *stringp;
217
218	if(getsockname(conn->sock[FIRSTSOCKET],
219	(struct sockaddr *)&conn->local_addr, &l) < `0`)
220	perror("getsockname()");
221
222	chan.initiator_addrtype = GSS_C_AF_INET;
223	chan.initiator_address.length = l - `4`;
224	chan.initiator_address.value = &conn->local_addr.sin_addr.s_addr;
225	chan.acceptor_addrtype = GSS_C_AF_INET;
226	chan.acceptor_address.length = l - `4`;
227	chan.acceptor_address.value = &(*remote_addr)->sin_addr.s_addr;
228	chan.application_data.length = `0`;
229	chan.application_data.value = NULL;
230
231	/ this loop will execute twice (once for service, once for host) /
232	for(;;) {
233	/ this really shouldn't be repeated here, but can't help it /
234	if(service == srv_host) {
235	result = ftpsend(data, conn, "AUTH GSSAPI");
236	if(result)
237	return -`2`;
238
239	if(Curl_GetFTPResponse(data, &nread, NULL))
240	return -`1`;
241
242	if(data->state.buffer[`0`] != `'3'`)
243	return -`1`;
244	}
245
246	stringp = aprintf("%s@%s", service, host);
247	if(!stringp)
248	return -`2`;
249
250	input_buffer.value = stringp;
251	input_buffer.length = strlen(stringp);
252	maj = gss_import_name(&min, &input_buffer, GSS_C_NT_HOSTBASED_SERVICE,
253	&gssname);
254	free(stringp);
255	if(maj != GSS_S_COMPLETE) {
256	gss_release_name(&min, &gssname);
257	if(service == srv_host) {
258	failf(data, "Error importing service name %s@%s", service, host);
259	return AUTH_ERROR;
260	}
261	service = srv_host;
262	continue;
263	}
264	/ We pass NULL as \|output_name_type\| to avoid a leak. /
265	gss_display_name(&min, gssname, &output_buffer, NULL);
266	infof(data, "Trying against %s", output_buffer.value);
267	gssresp = GSS_C_NO_BUFFER;
268	*context = GSS_C_NO_CONTEXT;
269
270	do {
271	/ Release the buffer at each iteration to avoid leaking: the first time*
272	we are releasing the memory from gss_display_name. The last item is
273	taken care by a final gss_release_buffer. /*
274	gss_release_buffer(&min, &output_buffer);
275	ret = AUTH_OK;
276	maj = Curl_gss_init_sec_context(data,
277	&min,
278	context,
279	gssname,
280	&Curl_krb5_mech_oid,
281	&chan,
282	gssresp,
283	&output_buffer,
284	TRUE,
285	NULL);
286
287	if(gssresp) {
288	free(_gssresp.value);
289	gssresp = NULL;
290	}
291
292	if(GSS_ERROR(maj)) {
293	infof(data, "Error creating security context");
294	ret = AUTH_ERROR;
295	break;
296	}
297
298	if(output_buffer.length) {
299	char *cmd;
300
301	result = Curl_base64_encode(data, (char *)output_buffer.value,
302	output_buffer.length, &p, &base64_sz);
303	if(result) {
304	infof(data, "base64-encoding: %s", curl_easy_strerror(result));
305	ret = AUTH_ERROR;
306	break;
307	}
308
309	cmd = aprintf("ADAT %s", p);
310	if(cmd)
311	result = ftpsend(data, conn, cmd);
312	else
313	result = CURLE_OUT_OF_MEMORY;
314
315	free(p);
316	free(cmd);
317
318	if(result) {
319	ret = -`2`;
320	break;
321	}
322
323	if(Curl_GetFTPResponse(data, &nread, NULL)) {
324	ret = -`1`;
325	break;
326	}
327
328	if(data->state.buffer[`0`] != `'2'` && data->state.buffer[`0`] != `'3'`) {
329	infof(data, "Server didn't accept auth data");
330	ret = AUTH_ERROR;
331	break;
332	}
333
334	_gssresp.value = NULL; / make sure it is initialized /
335	p = data->state.buffer + `4`;
336	p = strstr(p, "ADAT=");
337	if(p) {
338	result = Curl_base64_decode(p + `5`,
339	(unsigned char **)&_gssresp.value,
340	&_gssresp.length);
341	if(result) {
342	failf(data, "base64-decoding: %s", curl_easy_strerror(result));
343	ret = AUTH_CONTINUE;
344	break;
345	}
346	}
347
348	gssresp = &_gssresp;
349	}
350	} while(maj == GSS_S_CONTINUE_NEEDED);
351
352	gss_release_name(&min, &gssname);
353	gss_release_buffer(&min, &output_buffer);
354
355	if(gssresp)
356	free(_gssresp.value);
357
358	if(ret == AUTH_OK \|\| service == srv_host)
359	return ret;
360
361	service = srv_host;
362	}
363	return ret;
364	}
365
366	static void krb5_end(void *app_data)
367	{
368	OM_uint32 min;
369	gss_ctx_id_t *context = app_data;
370	if(*context != GSS_C_NO_CONTEXT) {
371	OM_uint32 maj = gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER);
372	(void)maj;
373	DEBUGASSERT(maj == GSS_S_COMPLETE);
374	}
375	}
376
377	static struct Curl_sec_client_mech Curl_krb5_client_mech = {
378	"GSSAPI",
379	sizeof(gss_ctx_id_t),
380	krb5_init,
381	krb5_auth,
382	krb5_end,
383	krb5_check_prot,
384
385	krb5_encode,
386	krb5_decode
387	};
388
389	static const struct {
390	enum protection_level level;
391	const char *name;
392	} level_names[] = {
393	{ PROT_CLEAR, "clear" },
394	{ PROT_SAFE, "safe" },
395	{ PROT_CONFIDENTIAL, "confidential" },
396	{ PROT_PRIVATE, "private" }
397	};
398
399	static enum protection_level
400	name_to_level(const char *name)
401	{
402	int i;
403	for(i = `0`; i < (int)sizeof(level_names)/(int)sizeof(level_names[`0`]); i++)
404	if(curl_strequal(name, level_names[i].name))
405	return level_names[i].level;
406	return PROT_NONE;
407	}
408
409	/ Convert a protocol \|level\| to its char representation.*
410	We take an int to catch programming mistakes. /*
411	static char level_to_char(int level)
412	{
413	switch(level) {
414	case PROT_CLEAR:
415	return `'C'`;
416	case PROT_SAFE:
417	return `'S'`;
418	case PROT_CONFIDENTIAL:
419	return `'E'`;
420	case PROT_PRIVATE:
421	return `'P'`;
422	case PROT_CMD:
423	/ Fall through /
424	default:
425	/ Those 2 cases should not be reached! /
426	break;
427	}
428	DEBUGASSERT(`0`);
429	/ Default to the most secure alternative. /
430	return `'P'`;
431	}
432
433	/ Send an FTP command defined by \|message\| and the optional arguments. The*
434	function returns the ftp_code. If an error occurs, -1 is returned. /*
435	static int ftp_send_command(struct Curl_easy data, const* char *message, ...)
436	{
437	int ftp_code;
438	ssize_t nread = `0`;
439	va_list args;
440	char print_buffer[`50`];
441
442	va_start(args, message);
443	mvsnprintf(print_buffer, sizeof(print_buffer), message, args);
444	va_end(args);
445
446	if(ftpsend(data, data->conn, print_buffer)) {
447	ftp_code = -`1`;
448	}
449	else {
450	if(Curl_GetFTPResponse(data, &nread, &ftp_code))
451	ftp_code = -`1`;
452	}
453
454	(void)nread; / Unused /
455	return ftp_code;
456	}
457
458	/ Read \|len\| from the socket \|fd\| and store it in \|to\|. Return a CURLcode*
459	saying whether an error occurred or CURLE_OK if \|len\| was read. /*
460	static CURLcode
461	socket_read(curl_socket_t fd, void *to, size_t len)
462	{
463	char *to_p = to;
464	CURLcode result;
465	ssize_t nread = `0`;
466
467	while(len > `0`) {
468	result = Curl_read_plain(fd, to_p, len, &nread);
469	if(!result) {
470	len -= nread;
471	to_p += nread;
472	}
473	else {
474	if(result == CURLE_AGAIN)
475	continue;
476	return result;
477	}
478	}
479	return CURLE_OK;
480	}
481
482
483	/ Write \|len\| bytes from the buffer \|to\| to the socket \|fd\|. Return a*
484	CURLcode saying whether an error occurred or CURLE_OK if \|len\| was
485	written. /*
486	static CURLcode
487	socket_write(struct Curl_easy data, curl_socket_t fd, const* void *to,
488	size_t len)
489	{
490	const char *to_p = to;
491	CURLcode result;
492	ssize_t written;
493
494	while(len > `0`) {
495	result = Curl_write_plain(data, fd, to_p, len, &written);
496	if(!result) {
497	len -= written;
498	to_p += written;
499	}
500	else {
501	if(result == CURLE_AGAIN)
502	continue;
503	return result;
504	}
505	}
506	return CURLE_OK;
507	}
508
509	static CURLcode read_data(struct connectdata *conn,
510	curl_socket_t fd,
511	struct krb5buffer *buf)
512	{
513	int len;
514	CURLcode result;
515
516	result = socket_read(fd, &len, sizeof(len));
517	if(result)
518	return result;
519
520	if(len) {
521	/ only realloc if there was a length /
522	len = ntohl(len);
523	buf->data = Curl_saferealloc(buf->data, len);
524	}
525	if(!len \|\| !buf->data)
526	return CURLE_OUT_OF_MEMORY;
527
528	result = socket_read(fd, buf->data, len);
529	if(result)
530	return result;
531	buf->size = conn->mech->decode(conn->app_data, buf->data, len,
532	conn->data_prot, conn);
533	buf->index = `0`;
534	return CURLE_OK;
535	}
536
537	static size_t
538	buffer_read(struct krb5buffer buf, void* *data, size_t len)
539	{
540	if(buf->size - buf->index < len)
541	len = buf->size - buf->index;
542	memcpy(data, (char *)buf->data + buf->index, len);
543	buf->index += len;
544	return len;
545	}
546
547	/ Matches Curl_recv signature /
548	static ssize_t sec_recv(struct Curl_easy data, int* sockindex,
549	char buffer, size_t len, CURLcode err)
550	{
551	size_t bytes_read;
552	size_t total_read = `0`;
553	struct connectdata *conn = data->conn;
554	curl_socket_t fd = conn->sock[sockindex];
555
556	*err = CURLE_OK;
557
558	/ Handle clear text response. /
559	if(conn->sec_complete == `0` \|\| conn->data_prot == PROT_CLEAR)
560	return sread(fd, buffer, len);
561
562	if(conn->in_buffer.eof_flag) {
563	conn->in_buffer.eof_flag = `0`;
564	return `0`;
565	}
566
567	bytes_read = buffer_read(&conn->in_buffer, buffer, len);
568	len -= bytes_read;
569	total_read += bytes_read;
570	buffer += bytes_read;
571
572	while(len > `0`) {
573	if(read_data(conn, fd, &conn->in_buffer))
574	return -`1`;
575	if(conn->in_buffer.size == `0`) {
576	if(bytes_read > `0`)
577	conn->in_buffer.eof_flag = `1`;
578	return bytes_read;
579	}
580	bytes_read = buffer_read(&conn->in_buffer, buffer, len);
581	len -= bytes_read;
582	total_read += bytes_read;
583	buffer += bytes_read;
584	}
585	return total_read;
586	}
587
588	/ Send \|length\| bytes from \|from\| to the \|fd\| socket taking care of encoding*
589	and negotiating with the server. \|from\| can be NULL. /*
590	static void do_sec_send(struct Curl_easy data, struct* connectdata *conn,
591	curl_socket_t fd, const char from, int* length)
592	{
593	int bytes, htonl_bytes; / 32-bit integers for htonl /
594	char *buffer = NULL;
595	char *cmd_buffer;
596	size_t cmd_size = `0`;
597	CURLcode error;
598	enum protection_level prot_level = conn->data_prot;
599	bool iscmd = (prot_level == PROT_CMD)?TRUE:FALSE;
600
601	DEBUGASSERT(prot_level > PROT_NONE && prot_level < PROT_LAST);
602
603	if(iscmd) {
604	if(!strncmp(from, "PASS ", `5`) \|\| !strncmp(from, "ACCT ", `5`))
605	prot_level = PROT_PRIVATE;
606	else
607	prot_level = conn->command_prot;
608	}
609	bytes = conn->mech->encode(conn->app_data, from, length, prot_level,
610	(void **)&buffer);
611	if(!buffer \|\| bytes <= `0`)
612	return; / error /
613
614	if(iscmd) {
615	error = Curl_base64_encode(data, buffer, curlx_sitouz(bytes),
616	&cmd_buffer, &cmd_size);
617	if(error) {
618	free(buffer);
619	return; / error /
620	}
621	if(cmd_size > `0`) {
622	static const char *enc = "ENC ";
623	static const char *mic = "MIC ";
624	if(prot_level == PROT_PRIVATE)
625	socket_write(data, fd, enc, `4`);
626	else
627	socket_write(data, fd, mic, `4`);
628
629	socket_write(data, fd, cmd_buffer, cmd_size);
630	socket_write(data, fd, "\r\n", `2`);
631	infof(data, "Send: %s%s", prot_level == PROT_PRIVATE?enc:mic,
632	cmd_buffer);
633	free(cmd_buffer);
634	}
635	}
636	else {
637	htonl_bytes = htonl(bytes);
638	socket_write(data, fd, &htonl_bytes, sizeof(htonl_bytes));
639	socket_write(data, fd, buffer, curlx_sitouz(bytes));
640	}
641	free(buffer);
642	}
643
644	static ssize_t sec_write(struct Curl_easy data, struct* connectdata *conn,
645	curl_socket_t fd, const char *buffer, size_t length)
646	{
647	ssize_t tx = `0`, len = conn->buffer_size;
648
649	if(len <= `0`)
650	len = length;
651	while(length) {
652	if(length < (size_t)len)
653	len = length;
654
655	do_sec_send(data, conn, fd, buffer, curlx_sztosi(len));
656	length -= len;
657	buffer += len;
658	tx += len;
659	}
660	return tx;
661	}
662
663	/ Matches Curl_send signature /
664	static ssize_t sec_send(struct Curl_easy data, int* sockindex,
665	const void buffer, size_t len, CURLcode err)
666	{
667	struct connectdata *conn = data->conn;
668	curl_socket_t fd = conn->sock[sockindex];
669	*err = CURLE_OK;
670	return sec_write(data, conn, fd, buffer, len);
671	}
672
673	int Curl_sec_read_msg(struct Curl_easy data, struct* connectdata *conn,
674	char buffer, enum* protection_level level)
675	{
676	/ decoded_len should be size_t or ssize_t but conn->mech->decode returns an*
677	int /*
678	int decoded_len;
679	char *buf;
680	int ret_code = `0`;
681	size_t decoded_sz = `0`;
682	CURLcode error;
683
684	(void) data;
685
686	if(!conn->mech)
687	/ not inititalized, return error /
688	return -`1`;
689
690	DEBUGASSERT(level > PROT_NONE && level < PROT_LAST);
691
692	error = Curl_base64_decode(buffer + `4`, (unsigned char **)&buf, &decoded_sz);
693	if(error \|\| decoded_sz == `0`)
694	return -`1`;
695
696	if(decoded_sz > (size_t)INT_MAX) {
697	free(buf);
698	return -`1`;
699	}
700	decoded_len = curlx_uztosi(decoded_sz);
701
702	decoded_len = conn->mech->decode(conn->app_data, buf, decoded_len,
703	level, conn);
704	if(decoded_len <= `0`) {
705	free(buf);
706	return -`1`;
707	}
708
709	{
710	buf[decoded_len] = `'\n'`;
711	Curl_debug(data, CURLINFO_HEADER_IN, buf, decoded_len + `1`);
712	}
713
714	buf[decoded_len] = `'\0'`;
715	if(decoded_len <= `3`)
716	/ suspiciously short /
717	return `0`;
718
719	if(buf[`3`] != `'-'`)
720	/ safe to ignore return code /
721	(void)sscanf(buf, "%d", &ret_code);
722
723	if(buf[decoded_len - `1`] == `'\n'`)
724	buf[decoded_len - `1`] = `'\0'`;
725	strcpy(buffer, buf);
726	free(buf);
727	return ret_code;
728	}
729
730	static int sec_set_protection_level(struct Curl_easy *data)
731	{
732	int code;
733	struct connectdata *conn = data->conn;
734	enum protection_level level = conn->request_data_prot;
735
736	DEBUGASSERT(level > PROT_NONE && level < PROT_LAST);
737
738	if(!conn->sec_complete) {
739	infof(data, "Trying to change the protection level after the"
740	" completion of the data exchange.");
741	return -`1`;
742	}
743
744	/ Bail out if we try to set up the same level /
745	if(conn->data_prot == level)
746	return `0`;
747
748	if(level) {
749	char *pbsz;
750	unsigned int buffer_size = `1` << `20`; / 1048576 /
751
752	code = ftp_send_command(data, "PBSZ %u", buffer_size);
753	if(code < `0`)
754	return -`1`;
755
756	if(code/`100` != `2`) {
757	failf(data, "Failed to set the protection's buffer size.");
758	return -`1`;
759	}
760	conn->buffer_size = buffer_size;
761
762	pbsz = strstr(data->state.buffer, "PBSZ=");
763	if(pbsz) {
764	/ ignore return code, use default value if it fails /
765	(void)sscanf(pbsz, "PBSZ=%u", &buffer_size);
766	if(buffer_size < conn->buffer_size)
767	conn->buffer_size = buffer_size;
768	}
769	}
770
771	/ Now try to negiociate the protection level. /
772	code = ftp_send_command(data, "PROT %c", level_to_char(level));
773
774	if(code < `0`)
775	return -`1`;
776
777	if(code/`100` != `2`) {
778	failf(data, "Failed to set the protection level.");
779	return -`1`;
780	}
781
782	conn->data_prot = level;
783	if(level == PROT_PRIVATE)
784	conn->command_prot = level;
785
786	return `0`;
787	}
788
789	int
790	Curl_sec_request_prot(struct connectdata conn, const* char *level)
791	{
792	enum protection_level l = name_to_level(level);
793	if(l == PROT_NONE)
794	return -`1`;
795	DEBUGASSERT(l > PROT_NONE && l < PROT_LAST);
796	conn->request_data_prot = l;
797	return `0`;
798	}
799
800	static CURLcode choose_mech(struct Curl_easy data, struct* connectdata *conn)
801	{
802	int ret;
803	void *tmp_allocation;
804	const struct Curl_sec_client_mech *mech = &Curl_krb5_client_mech;
805
806	tmp_allocation = realloc(conn->app_data, mech->size);
807	if(!tmp_allocation) {
808	failf(data, "Failed realloc of size %zu", mech->size);
809	mech = NULL;
810	return CURLE_OUT_OF_MEMORY;
811	}
812	conn->app_data = tmp_allocation;
813
814	if(mech->init) {
815	ret = mech->init(conn->app_data);
816	if(ret) {
817	infof(data, "Failed initialization for %s. Skipping it.",
818	mech->name);
819	return CURLE_FAILED_INIT;
820	}
821	}
822
823	infof(data, "Trying mechanism %s...", mech->name);
824	ret = ftp_send_command(data, "AUTH %s", mech->name);
825	if(ret < `0`)
826	return CURLE_COULDNT_CONNECT;
827
828	if(ret/`100` != `3`) {
829	switch(ret) {
830	case `504`:
831	infof(data, "Mechanism %s is not supported by the server (server "
832	"returned ftp code: 504).", mech->name);
833	break;
834	case `534`:
835	infof(data, "Mechanism %s was rejected by the server (server returned "
836	"ftp code: 534).", mech->name);
837	break;
838	default:
839	if(ret/`100` == `5`) {
840	infof(data, "server does not support the security extensions");
841	return CURLE_USE_SSL_FAILED;
842	}
843	break;
844	}
845	return CURLE_LOGIN_DENIED;
846	}
847
848	/ Authenticate /
849	ret = mech->auth(conn->app_data, data, conn);
850
851	if(ret != AUTH_CONTINUE) {
852	if(ret != AUTH_OK) {
853	/ Mechanism has dumped the error to stderr, don't error here. /
854	return CURLE_USE_SSL_FAILED;
855	}
856	DEBUGASSERT(ret == AUTH_OK);
857
858	conn->mech = mech;
859	conn->sec_complete = `1`;
860	conn->recv[FIRSTSOCKET] = sec_recv;
861	conn->send[FIRSTSOCKET] = sec_send;
862	conn->recv[SECONDARYSOCKET] = sec_recv;
863	conn->send[SECONDARYSOCKET] = sec_send;
864	conn->command_prot = PROT_SAFE;
865	/ Set the requested protection level /
866	/ BLOCKING /
867	(void)sec_set_protection_level(data);
868	}
869
870	return CURLE_OK;
871	}
872
873	CURLcode
874	Curl_sec_login(struct Curl_easy data, struct* connectdata *conn)
875	{
876	return choose_mech(data, conn);
877	}
878
879
880	void
881	Curl_sec_end(struct connectdata *conn)
882	{
883	if(conn->mech != NULL && conn->mech->end)
884	conn->mech->end(conn->app_data);
885	free(conn->app_data);
886	conn->app_data = NULL;
887	if(conn->in_buffer.data) {
888	free(conn->in_buffer.data);
889	conn->in_buffer.data = NULL;
890	conn->in_buffer.size = `0`;
891	conn->in_buffer.index = `0`;
892	conn->in_buffer.eof_flag = `0`;
893	}
894	conn->sec_complete = `0`;
895	conn->data_prot = PROT_CLEAR;
896	conn->mech = NULL;
897	}
898
899	#endif /* HAVE_GSSAPI && !CURL_DISABLE_FTP */
900

Browse the source code of Aseprite/third_party/curl/lib/krb5.c