socks_gssapi.c source code [ClickHouse/contrib/curl/lib/socks_gssapi.c]

1	/***************************************************************************
2	* _ _ ____ _
3	* Project ___\| \| \| \| _ \\| \|
4	* / __\| \| \| \| \|_) \| \|
5	* \| (__\| \|_\| \| _ <\| \|___
6	* \___\|\___/\|_\| \_\_____\|
7	*
8	* Copyright (C) 2009, Markus Moeller, <markus_moeller@compuserve.com>
9	* Copyright (C) 2012 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
10	*
11	* This software is licensed as described in the file COPYING, which
12	* you should have received as part of this distribution. The terms
13	* are also available at https://curl.haxx.se/docs/copyright.html.
14	*
15	* You may opt to use, copy, modify, merge, publish, distribute and/or sell
16	* copies of the Software, and permit persons to whom the Software is
17	* furnished to do so, under the terms of the COPYING file.
18	*
19	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20	* KIND, either express or implied.
21	*
22	***************************************************************************/
23
24	#include "curl_setup.h"
25
26	#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_PROXY)
27
28	#include "curl_gssapi.h"
29	#include "urldata.h"
30	#include "sendf.h"
31	#include "connect.h"
32	#include "timeval.h"
33	#include "socks.h"
34	#include "warnless.h"
35
36	/ The last 3 #include files should be in this order /
37	#include "curl_printf.h"
38	#include "curl_memory.h"
39	#include "memdebug.h"
40
41	static gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
42
43	/*
44	* Helper GSS-API error functions.
45	*/
46	static int check_gss_err(struct Curl_easy *data,
47	OM_uint32 major_status,
48	OM_uint32 minor_status,
49	const char *function)
50	{
51	if(GSS_ERROR(major_status)) {
52	OM_uint32 maj_stat, min_stat;
53	OM_uint32 msg_ctx = `0`;
54	gss_buffer_desc status_string;
55	char buf[`1024`];
56	size_t len;
57
58	len = `0`;
59	msg_ctx = `0`;
60	while(!msg_ctx) {
61	/ convert major status code (GSS-API error) to text /
62	maj_stat = gss_display_status(&min_stat, major_status,
63	GSS_C_GSS_CODE,
64	GSS_C_NULL_OID,
65	&msg_ctx, &status_string);
66	if(maj_stat == GSS_S_COMPLETE) {
67	if(sizeof(buf) > len + status_string.length + `1`) {
68	strcpy(buf + len, (char *) status_string.value);
69	len += status_string.length;
70	}
71	gss_release_buffer(&min_stat, &status_string);
72	break;
73	}
74	gss_release_buffer(&min_stat, &status_string);
75	}
76	if(sizeof(buf) > len + `3`) {
77	strcpy(buf + len, ".\n");
78	len += `2`;
79	}
80	msg_ctx = `0`;
81	while(!msg_ctx) {
82	/ convert minor status code (underlying routine error) to text /
83	maj_stat = gss_display_status(&min_stat, minor_status,
84	GSS_C_MECH_CODE,
85	GSS_C_NULL_OID,
86	&msg_ctx, &status_string);
87	if(maj_stat == GSS_S_COMPLETE) {
88	if(sizeof(buf) > len + status_string.length)
89	strcpy(buf + len, (char *) status_string.value);
90	gss_release_buffer(&min_stat, &status_string);
91	break;
92	}
93	gss_release_buffer(&min_stat, &status_string);
94	}
95	failf(data, "GSS-API error: %s failed:\n%s", function, buf);
96	return `1`;
97	}
98
99	return `0`;
100	}
101
102	CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
103	struct connectdata *conn)
104	{
105	struct Curl_easy *data = conn->data;
106	curl_socket_t sock = conn->sock[sockindex];
107	CURLcode code;
108	ssize_t actualread;
109	ssize_t written;
110	int result;
111	OM_uint32 gss_major_status, gss_minor_status, gss_status;
112	OM_uint32 gss_ret_flags;
113	int gss_conf_state, gss_enc;
114	gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
115	gss_buffer_desc gss_send_token = GSS_C_EMPTY_BUFFER;
116	gss_buffer_desc gss_recv_token = GSS_C_EMPTY_BUFFER;
117	gss_buffer_desc gss_w_token = GSS_C_EMPTY_BUFFER;
118	gss_buffer_desc* gss_token = GSS_C_NO_BUFFER;
119	gss_name_t server = GSS_C_NO_NAME;
120	gss_name_t gss_client_name = GSS_C_NO_NAME;
121	unsigned short us_length;
122	char *user = NULL;
123	unsigned char socksreq[`4`]; / room for GSS-API exchange header only /
124	const char *serviceptr = data->set.str[STRING_PROXY_SERVICE_NAME] ?
125	data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
126	const size_t serviceptr_length = strlen(serviceptr);
127
128	/ GSS-API request looks like*
129	* +----+------+-----+----------------+
130	* \|VER \| MTYP \| LEN \| TOKEN \|
131	* +----+------+----------------------+
132	* \| 1 \| 1 \| 2 \| up to 2^16 - 1 \|
133	* +----+------+-----+----------------+
134	*/
135
136	/ prepare service name /
137	if(strchr(serviceptr, `'/'`)) {
138	service.length = serviceptr_length;
139	service.value = malloc(service.length);
140	if(!service.value)
141	return CURLE_OUT_OF_MEMORY;
142	memcpy(service.value, serviceptr, service.length);
143
144	gss_major_status = gss_import_name(&gss_minor_status, &service,
145	(gss_OID) GSS_C_NULL_OID, &server);
146	}
147	else {
148	service.value = malloc(serviceptr_length +
149	strlen(conn->socks_proxy.host.name) + `2`);
150	if(!service.value)
151	return CURLE_OUT_OF_MEMORY;
152	service.length = serviceptr_length +
153	strlen(conn->socks_proxy.host.name) + `1`;
154	msnprintf(service.value, service.length + `1`, "%s@%s",
155	serviceptr, conn->socks_proxy.host.name);
156
157	gss_major_status = gss_import_name(&gss_minor_status, &service,
158	GSS_C_NT_HOSTBASED_SERVICE, &server);
159	}
160
161	gss_release_buffer(&gss_status, &service); / clear allocated memory /
162
163	if(check_gss_err(data, gss_major_status,
164	gss_minor_status, "gss_import_name()")) {
165	failf(data, "Failed to create service name.");
166	gss_release_name(&gss_status, &server);
167	return CURLE_COULDNT_CONNECT;
168	}
169
170	/ As long as we need to keep sending some context info, and there's no /
171	/ errors, keep sending it... /
172	for(;;) {
173	gss_major_status = Curl_gss_init_sec_context(data,
174	&gss_minor_status,
175	&gss_context,
176	server,
177	&Curl_krb5_mech_oid,
178	NULL,
179	gss_token,
180	&gss_send_token,
181	TRUE,
182	&gss_ret_flags);
183
184	if(gss_token != GSS_C_NO_BUFFER)
185	gss_release_buffer(&gss_status, &gss_recv_token);
186	if(check_gss_err(data, gss_major_status,
187	gss_minor_status, "gss_init_sec_context")) {
188	gss_release_name(&gss_status, &server);
189	gss_release_buffer(&gss_status, &gss_recv_token);
190	gss_release_buffer(&gss_status, &gss_send_token);
191	gss_delete_sec_context(&gss_status, &gss_context, NULL);
192	failf(data, "Failed to initial GSS-API token.");
193	return CURLE_COULDNT_CONNECT;
194	}
195
196	if(gss_send_token.length != `0`) {
197	socksreq[`0`] = `1`; / GSS-API subnegotiation version /
198	socksreq[`1`] = `1`; / authentication message type /
199	us_length = htons((short)gss_send_token.length);
200	memcpy(socksreq + `2`, &us_length, sizeof(short));
201
202	code = Curl_write_plain(conn, sock, (char *)socksreq, `4`, &written);
203	if(code \|\| (`4` != written)) {
204	failf(data, "Failed to send GSS-API authentication request.");
205	gss_release_name(&gss_status, &server);
206	gss_release_buffer(&gss_status, &gss_recv_token);
207	gss_release_buffer(&gss_status, &gss_send_token);
208	gss_delete_sec_context(&gss_status, &gss_context, NULL);
209	return CURLE_COULDNT_CONNECT;
210	}
211
212	code = Curl_write_plain(conn, sock, (char *)gss_send_token.value,
213	gss_send_token.length, &written);
214
215	if(code \|\| ((ssize_t)gss_send_token.length != written)) {
216	failf(data, "Failed to send GSS-API authentication token.");
217	gss_release_name(&gss_status, &server);
218	gss_release_buffer(&gss_status, &gss_recv_token);
219	gss_release_buffer(&gss_status, &gss_send_token);
220	gss_delete_sec_context(&gss_status, &gss_context, NULL);
221	return CURLE_COULDNT_CONNECT;
222	}
223
224	}
225
226	gss_release_buffer(&gss_status, &gss_send_token);
227	gss_release_buffer(&gss_status, &gss_recv_token);
228	if(gss_major_status != GSS_S_CONTINUE_NEEDED) break;
229
230	/ analyse response /
231
232	/ GSS-API response looks like*
233	* +----+------+-----+----------------+
234	* \|VER \| MTYP \| LEN \| TOKEN \|
235	* +----+------+----------------------+
236	* \| 1 \| 1 \| 2 \| up to 2^16 - 1 \|
237	* +----+------+-----+----------------+
238	*/
239
240	result = Curl_blockread_all(conn, sock, (char *)socksreq, `4`, &actualread);
241	if(result \|\| (actualread != `4`)) {
242	failf(data, "Failed to receive GSS-API authentication response.");
243	gss_release_name(&gss_status, &server);
244	gss_delete_sec_context(&gss_status, &gss_context, NULL);
245	return CURLE_COULDNT_CONNECT;
246	}
247
248	/ ignore the first (VER) byte /
249	if(socksreq[`1`] == `255`) { / status / message type /
250	failf(data, "User was rejected by the SOCKS5 server (%d %d).",
251	socksreq[`0`], socksreq[`1`]);
252	gss_release_name(&gss_status, &server);
253	gss_delete_sec_context(&gss_status, &gss_context, NULL);
254	return CURLE_COULDNT_CONNECT;
255	}
256
257	if(socksreq[`1`] != `1`) { / status / messgae type /
258	failf(data, "Invalid GSS-API authentication response type (%d %d).",
259	socksreq[`0`], socksreq[`1`]);
260	gss_release_name(&gss_status, &server);
261	gss_delete_sec_context(&gss_status, &gss_context, NULL);
262	return CURLE_COULDNT_CONNECT;
263	}
264
265	memcpy(&us_length, socksreq + `2`, sizeof(short));
266	us_length = ntohs(us_length);
267
268	gss_recv_token.length = us_length;
269	gss_recv_token.value = malloc(us_length);
270	if(!gss_recv_token.value) {
271	failf(data,
272	"Could not allocate memory for GSS-API authentication "
273	"response token.");
274	gss_release_name(&gss_status, &server);
275	gss_delete_sec_context(&gss_status, &gss_context, NULL);
276	return CURLE_OUT_OF_MEMORY;
277	}
278
279	result = Curl_blockread_all(conn, sock, (char *)gss_recv_token.value,
280	gss_recv_token.length, &actualread);
281
282	if(result \|\| (actualread != us_length)) {
283	failf(data, "Failed to receive GSS-API authentication token.");
284	gss_release_name(&gss_status, &server);
285	gss_release_buffer(&gss_status, &gss_recv_token);
286	gss_delete_sec_context(&gss_status, &gss_context, NULL);
287	return CURLE_COULDNT_CONNECT;
288	}
289
290	gss_token = &gss_recv_token;
291	}
292
293	gss_release_name(&gss_status, &server);
294
295	/ Everything is good so far, user was authenticated! /
296	gss_major_status = gss_inquire_context(&gss_minor_status, gss_context,
297	&gss_client_name, NULL, NULL, NULL,
298	NULL, NULL, NULL);
299	if(check_gss_err(data, gss_major_status,
300	gss_minor_status, "gss_inquire_context")) {
301	gss_delete_sec_context(&gss_status, &gss_context, NULL);
302	gss_release_name(&gss_status, &gss_client_name);
303	failf(data, "Failed to determine user name.");
304	return CURLE_COULDNT_CONNECT;
305	}
306	gss_major_status = gss_display_name(&gss_minor_status, gss_client_name,
307	&gss_send_token, NULL);
308	if(check_gss_err(data, gss_major_status,
309	gss_minor_status, "gss_display_name")) {
310	gss_delete_sec_context(&gss_status, &gss_context, NULL);
311	gss_release_name(&gss_status, &gss_client_name);
312	gss_release_buffer(&gss_status, &gss_send_token);
313	failf(data, "Failed to determine user name.");
314	return CURLE_COULDNT_CONNECT;
315	}
316	user = malloc(gss_send_token.length + `1`);
317	if(!user) {
318	gss_delete_sec_context(&gss_status, &gss_context, NULL);
319	gss_release_name(&gss_status, &gss_client_name);
320	gss_release_buffer(&gss_status, &gss_send_token);
321	return CURLE_OUT_OF_MEMORY;
322	}
323
324	memcpy(user, gss_send_token.value, gss_send_token.length);
325	user[gss_send_token.length] = `'\0'`;
326	gss_release_name(&gss_status, &gss_client_name);
327	gss_release_buffer(&gss_status, &gss_send_token);
328	infof(data, "SOCKS5 server authencticated user %s with GSS-API.\n",user);
329	free(user);
330	user = NULL;
331
332	/ Do encryption /
333	socksreq[`0`] = `1`; / GSS-API subnegotiation version /
334	socksreq[`1`] = `2`; / encryption message type /
335
336	gss_enc = `0`; / no data protection /
337	/ do confidentiality protection if supported /
338	if(gss_ret_flags & GSS_C_CONF_FLAG)
339	gss_enc = `2`;
340	/ else do integrity protection /
341	else if(gss_ret_flags & GSS_C_INTEG_FLAG)
342	gss_enc = `1`;
343
344	infof(data, "SOCKS5 server supports GSS-API %s data protection.\n",
345	(gss_enc == `0`)?"no":((gss_enc==`1`)?"integrity":"confidentiality"));
346	/ force for the moment to no data protection /
347	gss_enc = `0`;
348	/*
349	* Sending the encryption type in clear seems wrong. It should be
350	* protected with gss_seal()/gss_wrap(). See RFC1961 extract below
351	* The NEC reference implementations on which this is based is
352	* therefore at fault
353	*
354	* +------+------+------+.......................+
355	* + ver \| mtyp \| len \| token \|
356	* +------+------+------+.......................+
357	* + 0x01 \| 0x02 \| 0x02 \| up to 2^16 - 1 octets \|
358	* +------+------+------+.......................+
359	*
360	* Where:
361	*
362	* - "ver" is the protocol version number, here 1 to represent the
363	* first version of the SOCKS/GSS-API protocol
364	*
365	* - "mtyp" is the message type, here 2 to represent a protection
366	* -level negotiation message
367	*
368	* - "len" is the length of the "token" field in octets
369	*
370	* - "token" is the GSS-API encapsulated protection level
371	*
372	* The token is produced by encapsulating an octet containing the
373	* required protection level using gss_seal()/gss_wrap() with conf_req
374	* set to FALSE. The token is verified using gss_unseal()/
375	* gss_unwrap().
376	*
377	*/
378	if(data->set.socks5_gssapi_nec) {
379	us_length = htons((short)`1`);
380	memcpy(socksreq + `2`, &us_length, sizeof(short));
381	}
382	else {
383	gss_send_token.length = `1`;
384	gss_send_token.value = malloc(`1`);
385	if(!gss_send_token.value) {
386	gss_delete_sec_context(&gss_status, &gss_context, NULL);
387	return CURLE_OUT_OF_MEMORY;
388	}
389	memcpy(gss_send_token.value, &gss_enc, `1`);
390
391	gss_major_status = gss_wrap(&gss_minor_status, gss_context, `0`,
392	GSS_C_QOP_DEFAULT, &gss_send_token,
393	&gss_conf_state, &gss_w_token);
394
395	if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) {
396	gss_release_buffer(&gss_status, &gss_send_token);
397	gss_release_buffer(&gss_status, &gss_w_token);
398	gss_delete_sec_context(&gss_status, &gss_context, NULL);
399	failf(data, "Failed to wrap GSS-API encryption value into token.");
400	return CURLE_COULDNT_CONNECT;
401	}
402	gss_release_buffer(&gss_status, &gss_send_token);
403
404	us_length = htons((short)gss_w_token.length);
405	memcpy(socksreq + `2`, &us_length, sizeof(short));
406	}
407
408	code = Curl_write_plain(conn, sock, (char *)socksreq, `4`, &written);
409	if(code \|\| (`4` != written)) {
410	failf(data, "Failed to send GSS-API encryption request.");
411	gss_release_buffer(&gss_status, &gss_w_token);
412	gss_delete_sec_context(&gss_status, &gss_context, NULL);
413	return CURLE_COULDNT_CONNECT;
414	}
415
416	if(data->set.socks5_gssapi_nec) {
417	memcpy(socksreq, &gss_enc, `1`);
418	code = Curl_write_plain(conn, sock, socksreq, `1`, &written);
419	if(code \|\| ( `1` != written)) {
420	failf(data, "Failed to send GSS-API encryption type.");
421	gss_delete_sec_context(&gss_status, &gss_context, NULL);
422	return CURLE_COULDNT_CONNECT;
423	}
424	}
425	else {
426	code = Curl_write_plain(conn, sock, (char *)gss_w_token.value,
427	gss_w_token.length, &written);
428	if(code \|\| ((ssize_t)gss_w_token.length != written)) {
429	failf(data, "Failed to send GSS-API encryption type.");
430	gss_release_buffer(&gss_status, &gss_w_token);
431	gss_delete_sec_context(&gss_status, &gss_context, NULL);
432	return CURLE_COULDNT_CONNECT;
433	}
434	gss_release_buffer(&gss_status, &gss_w_token);
435	}
436
437	result = Curl_blockread_all(conn, sock, (char *)socksreq, `4`, &actualread);
438	if(result \|\| (actualread != `4`)) {
439	failf(data, "Failed to receive GSS-API encryption response.");
440	gss_delete_sec_context(&gss_status, &gss_context, NULL);
441	return CURLE_COULDNT_CONNECT;
442	}
443
444	/ ignore the first (VER) byte /
445	if(socksreq[`1`] == `255`) { / status / message type /
446	failf(data, "User was rejected by the SOCKS5 server (%d %d).",
447	socksreq[`0`], socksreq[`1`]);
448	gss_delete_sec_context(&gss_status, &gss_context, NULL);
449	return CURLE_COULDNT_CONNECT;
450	}
451
452	if(socksreq[`1`] != `2`) { / status / messgae type /
453	failf(data, "Invalid GSS-API encryption response type (%d %d).",
454	socksreq[`0`], socksreq[`1`]);
455	gss_delete_sec_context(&gss_status, &gss_context, NULL);
456	return CURLE_COULDNT_CONNECT;
457	}
458
459	memcpy(&us_length, socksreq + `2`, sizeof(short));
460	us_length = ntohs(us_length);
461
462	gss_recv_token.length = us_length;
463	gss_recv_token.value = malloc(gss_recv_token.length);
464	if(!gss_recv_token.value) {
465	gss_delete_sec_context(&gss_status, &gss_context, NULL);
466	return CURLE_OUT_OF_MEMORY;
467	}
468	result = Curl_blockread_all(conn, sock, (char *)gss_recv_token.value,
469	gss_recv_token.length, &actualread);
470
471	if(result \|\| (actualread != us_length)) {
472	failf(data, "Failed to receive GSS-API encryptrion type.");
473	gss_release_buffer(&gss_status, &gss_recv_token);
474	gss_delete_sec_context(&gss_status, &gss_context, NULL);
475	return CURLE_COULDNT_CONNECT;
476	}
477
478	if(!data->set.socks5_gssapi_nec) {
479	gss_major_status = gss_unwrap(&gss_minor_status, gss_context,
480	&gss_recv_token, &gss_w_token,
481	`0`, GSS_C_QOP_DEFAULT);
482
483	if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) {
484	gss_release_buffer(&gss_status, &gss_recv_token);
485	gss_release_buffer(&gss_status, &gss_w_token);
486	gss_delete_sec_context(&gss_status, &gss_context, NULL);
487	failf(data, "Failed to unwrap GSS-API encryption value into token.");
488	return CURLE_COULDNT_CONNECT;
489	}
490	gss_release_buffer(&gss_status, &gss_recv_token);
491
492	if(gss_w_token.length != `1`) {
493	failf(data, "Invalid GSS-API encryption response length (%d).",
494	gss_w_token.length);
495	gss_release_buffer(&gss_status, &gss_w_token);
496	gss_delete_sec_context(&gss_status, &gss_context, NULL);
497	return CURLE_COULDNT_CONNECT;
498	}
499
500	memcpy(socksreq, gss_w_token.value, gss_w_token.length);
501	gss_release_buffer(&gss_status, &gss_w_token);
502	}
503	else {
504	if(gss_recv_token.length != `1`) {
505	failf(data, "Invalid GSS-API encryption response length (%d).",
506	gss_recv_token.length);
507	gss_release_buffer(&gss_status, &gss_recv_token);
508	gss_delete_sec_context(&gss_status, &gss_context, NULL);
509	return CURLE_COULDNT_CONNECT;
510	}
511
512	memcpy(socksreq, gss_recv_token.value, gss_recv_token.length);
513	gss_release_buffer(&gss_status, &gss_recv_token);
514	}
515
516	infof(data, "SOCKS5 access with%s protection granted.\n",
517	(socksreq[`0`] == `0`)?"out GSS-API data":
518	((socksreq[`0`] == `1`)?" GSS-API integrity":" GSS-API confidentiality"));
519
520	conn->socks5_gssapi_enctype = socksreq[`0`];
521	if(socksreq[`0`] == `0`)
522	gss_delete_sec_context(&gss_status, &gss_context, NULL);
523
524	return CURLE_OK;
525	}
526
527	#endif /* HAVE_GSSAPI && !CURL_DISABLE_PROXY */
528

Browse the source code of ClickHouse/contrib/curl/lib/socks_gssapi.c