socks_gssapi.c source code [Velox/build/_deps/curl-src/lib/socks_gssapi.c]

1	/***************************************************************************
2	* _ _ ____ _
3	* Project ___\| \| \| \| _ \\| \|
4	* / __\| \| \| \| \|_) \| \|
5	* \| (__\| \|_\| \| _ <\| \|___
6	* \___\|\___/\|_\| \_\_____\|
7	*
8	* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9	* Copyright (C) Markus Moeller, <markus_moeller@compuserve.com>
10	*
11	* This software is licensed as described in the file COPYING, which
12	* you should have received as part of this distribution. The terms
13	* are also available at https://curl.se/docs/copyright.html.
14	*
15	* You may opt to use, copy, modify, merge, publish, distribute and/or sell
16	* copies of the Software, and permit persons to whom the Software is
17	* furnished to do so, under the terms of the COPYING file.
18	*
19	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20	* KIND, either express or implied.
21	*
22	* SPDX-License-Identifier: curl
23	*
24	***************************************************************************/
25
26	#include "curl_setup.h"
27
28	#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_PROXY)
29
30	#include "curl_gssapi.h"
31	#include "urldata.h"
32	#include "sendf.h"
33	#include "cfilters.h"
34	#include "connect.h"
35	#include "timeval.h"
36	#include "socks.h"
37	#include "warnless.h"
38
39	/ The last 3 #include files should be in this order /
40	#include "curl_printf.h"
41	#include "curl_memory.h"
42	#include "memdebug.h"
43
44	static gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
45
46	/*
47	* Helper GSS-API error functions.
48	*/
49	static int check_gss_err(struct Curl_easy *data,
50	OM_uint32 major_status,
51	OM_uint32 minor_status,
52	const char *function)
53	{
54	if(GSS_ERROR(major_status)) {
55	OM_uint32 maj_stat, min_stat;
56	OM_uint32 msg_ctx = `0`;
57	gss_buffer_desc status_string = GSS_C_EMPTY_BUFFER;
58	char buf[`1024`];
59	size_t len;
60
61	len = `0`;
62	msg_ctx = `0`;
63	while(!msg_ctx) {
64	/ convert major status code (GSS-API error) to text /
65	maj_stat = gss_display_status(&min_stat, major_status,
66	GSS_C_GSS_CODE,
67	GSS_C_NULL_OID,
68	&msg_ctx, &status_string);
69	if(maj_stat == GSS_S_COMPLETE) {
70	if(sizeof(buf) > len + status_string.length + `1`) {
71	strcpy(buf + len, (char *) status_string.value);
72	len += status_string.length;
73	}
74	gss_release_buffer(&min_stat, &status_string);
75	break;
76	}
77	gss_release_buffer(&min_stat, &status_string);
78	}
79	if(sizeof(buf) > len + `3`) {
80	strcpy(buf + len, ".\n");
81	len += `2`;
82	}
83	msg_ctx = `0`;
84	while(!msg_ctx) {
85	/ convert minor status code (underlying routine error) to text /
86	maj_stat = gss_display_status(&min_stat, minor_status,
87	GSS_C_MECH_CODE,
88	GSS_C_NULL_OID,
89	&msg_ctx, &status_string);
90	if(maj_stat == GSS_S_COMPLETE) {
91	if(sizeof(buf) > len + status_string.length)
92	strcpy(buf + len, (char *) status_string.value);
93	gss_release_buffer(&min_stat, &status_string);
94	break;
95	}
96	gss_release_buffer(&min_stat, &status_string);
97	}
98	failf(data, "GSS-API error: %s failed: %s", function, buf);
99	return `1`;
100	}
101
102	return `0`;
103	}
104
105	CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
106	struct Curl_easy *data)
107	{
108	struct connectdata *conn = cf->conn;
109	curl_socket_t sock = conn->sock[cf->sockindex];
110	CURLcode code;
111	ssize_t actualread;
112	ssize_t nwritten;
113	int result;
114	OM_uint32 gss_major_status, gss_minor_status, gss_status;
115	OM_uint32 gss_ret_flags;
116	int gss_conf_state, gss_enc;
117	gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
118	gss_buffer_desc gss_send_token = GSS_C_EMPTY_BUFFER;
119	gss_buffer_desc gss_recv_token = GSS_C_EMPTY_BUFFER;
120	gss_buffer_desc gss_w_token = GSS_C_EMPTY_BUFFER;
121	gss_buffer_desc *gss_token = GSS_C_NO_BUFFER;
122	gss_name_t server = GSS_C_NO_NAME;
123	gss_name_t gss_client_name = GSS_C_NO_NAME;
124	unsigned short us_length;
125	char *user = NULL;
126	unsigned char socksreq[`4`]; / room for GSS-API exchange header only /
127	const char *serviceptr = data->set.str[STRING_PROXY_SERVICE_NAME] ?
128	data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
129	const size_t serviceptr_length = strlen(serviceptr);
130
131	/ GSS-API request looks like*
132	* +----+------+-----+----------------+
133	* \|VER \| MTYP \| LEN \| TOKEN \|
134	* +----+------+----------------------+
135	* \| 1 \| 1 \| 2 \| up to 2^16 - 1 \|
136	* +----+------+-----+----------------+
137	*/
138
139	/ prepare service name /
140	if(strchr(serviceptr, `'/'`)) {
141	service.length = serviceptr_length;
142	service.value = malloc(service.length);
143	if(!service.value)
144	return CURLE_OUT_OF_MEMORY;
145	memcpy(service.value, serviceptr, service.length);
146
147	gss_major_status = gss_import_name(&gss_minor_status, &service,
148	(gss_OID) GSS_C_NULL_OID, &server);
149	}
150	else {
151	service.value = malloc(serviceptr_length +
152	strlen(conn->socks_proxy.host.name) + `2`);
153	if(!service.value)
154	return CURLE_OUT_OF_MEMORY;
155	service.length = serviceptr_length +
156	strlen(conn->socks_proxy.host.name) + `1`;
157	msnprintf(service.value, service.length + `1`, "%s@%s",
158	serviceptr, conn->socks_proxy.host.name);
159
160	gss_major_status = gss_import_name(&gss_minor_status, &service,
161	GSS_C_NT_HOSTBASED_SERVICE, &server);
162	}
163
164	gss_release_buffer(&gss_status, &service); / clear allocated memory /
165
166	if(check_gss_err(data, gss_major_status,
167	gss_minor_status, "gss_import_name()")) {
168	failf(data, "Failed to create service name.");
169	gss_release_name(&gss_status, &server);
170	return CURLE_COULDNT_CONNECT;
171	}
172
173	(void)curlx_nonblock(sock, FALSE);
174
175	/ As long as we need to keep sending some context info, and there's no /
176	/ errors, keep sending it... /
177	for(;;) {
178	gss_major_status = Curl_gss_init_sec_context(data,
179	&gss_minor_status,
180	&gss_context,
181	server,
182	&Curl_krb5_mech_oid,
183	NULL,
184	gss_token,
185	&gss_send_token,
186	TRUE,
187	&gss_ret_flags);
188
189	if(gss_token != GSS_C_NO_BUFFER)
190	gss_release_buffer(&gss_status, &gss_recv_token);
191	if(check_gss_err(data, gss_major_status,
192	gss_minor_status, "gss_init_sec_context")) {
193	gss_release_name(&gss_status, &server);
194	gss_release_buffer(&gss_status, &gss_recv_token);
195	gss_release_buffer(&gss_status, &gss_send_token);
196	gss_delete_sec_context(&gss_status, &gss_context, NULL);
197	failf(data, "Failed to initial GSS-API token.");
198	return CURLE_COULDNT_CONNECT;
199	}
200
201	if(gss_send_token.length) {
202	socksreq[`0`] = `1`; / GSS-API subnegotiation version /
203	socksreq[`1`] = `1`; / authentication message type /
204	us_length = htons((short)gss_send_token.length);
205	memcpy(socksreq + `2`, &us_length, sizeof(short));
206
207	nwritten = Curl_conn_cf_send(cf->next, data, (char *)socksreq, `4`, &code);
208	if(code \|\| (`4` != nwritten)) {
209	failf(data, "Failed to send GSS-API authentication request.");
210	gss_release_name(&gss_status, &server);
211	gss_release_buffer(&gss_status, &gss_recv_token);
212	gss_release_buffer(&gss_status, &gss_send_token);
213	gss_delete_sec_context(&gss_status, &gss_context, NULL);
214	return CURLE_COULDNT_CONNECT;
215	}
216
217	nwritten = Curl_conn_cf_send(cf->next, data,
218	(char *)gss_send_token.value,
219	gss_send_token.length, &code);
220	if(code \|\| ((ssize_t)gss_send_token.length != nwritten)) {
221	failf(data, "Failed to send GSS-API authentication token.");
222	gss_release_name(&gss_status, &server);
223	gss_release_buffer(&gss_status, &gss_recv_token);
224	gss_release_buffer(&gss_status, &gss_send_token);
225	gss_delete_sec_context(&gss_status, &gss_context, NULL);
226	return CURLE_COULDNT_CONNECT;
227	}
228
229	}
230
231	gss_release_buffer(&gss_status, &gss_send_token);
232	gss_release_buffer(&gss_status, &gss_recv_token);
233	if(gss_major_status != GSS_S_CONTINUE_NEEDED)
234	break;
235
236	/ analyse response /
237
238	/ GSS-API response looks like*
239	* +----+------+-----+----------------+
240	* \|VER \| MTYP \| LEN \| TOKEN \|
241	* +----+------+----------------------+
242	* \| 1 \| 1 \| 2 \| up to 2^16 - 1 \|
243	* +----+------+-----+----------------+
244	*/
245
246	result = Curl_blockread_all(cf, data, (char *)socksreq, `4`, &actualread);
247	if(result \|\| (actualread != `4`)) {
248	failf(data, "Failed to receive GSS-API authentication response.");
249	gss_release_name(&gss_status, &server);
250	gss_delete_sec_context(&gss_status, &gss_context, NULL);
251	return CURLE_COULDNT_CONNECT;
252	}
253
254	/ ignore the first (VER) byte /
255	if(socksreq[`1`] == `255`) { / status / message type /
256	failf(data, "User was rejected by the SOCKS5 server (%d %d).",
257	socksreq[`0`], socksreq[`1`]);
258	gss_release_name(&gss_status, &server);
259	gss_delete_sec_context(&gss_status, &gss_context, NULL);
260	return CURLE_COULDNT_CONNECT;
261	}
262
263	if(socksreq[`1`] != `1`) { / status / message type /
264	failf(data, "Invalid GSS-API authentication response type (%d %d).",
265	socksreq[`0`], socksreq[`1`]);
266	gss_release_name(&gss_status, &server);
267	gss_delete_sec_context(&gss_status, &gss_context, NULL);
268	return CURLE_COULDNT_CONNECT;
269	}
270
271	memcpy(&us_length, socksreq + `2`, sizeof(short));
272	us_length = ntohs(us_length);
273
274	gss_recv_token.length = us_length;
275	gss_recv_token.value = malloc(us_length);
276	if(!gss_recv_token.value) {
277	failf(data,
278	"Could not allocate memory for GSS-API authentication "
279	"response token.");
280	gss_release_name(&gss_status, &server);
281	gss_delete_sec_context(&gss_status, &gss_context, NULL);
282	return CURLE_OUT_OF_MEMORY;
283	}
284
285	result = Curl_blockread_all(cf, data, (char *)gss_recv_token.value,
286	gss_recv_token.length, &actualread);
287
288	if(result \|\| (actualread != us_length)) {
289	failf(data, "Failed to receive GSS-API authentication token.");
290	gss_release_name(&gss_status, &server);
291	gss_release_buffer(&gss_status, &gss_recv_token);
292	gss_delete_sec_context(&gss_status, &gss_context, NULL);
293	return CURLE_COULDNT_CONNECT;
294	}
295
296	gss_token = &gss_recv_token;
297	}
298
299	gss_release_name(&gss_status, &server);
300
301	/ Everything is good so far, user was authenticated! /
302	gss_major_status = gss_inquire_context(&gss_minor_status, gss_context,
303	&gss_client_name, NULL, NULL, NULL,
304	NULL, NULL, NULL);
305	if(check_gss_err(data, gss_major_status,
306	gss_minor_status, "gss_inquire_context")) {
307	gss_delete_sec_context(&gss_status, &gss_context, NULL);
308	gss_release_name(&gss_status, &gss_client_name);
309	failf(data, "Failed to determine user name.");
310	return CURLE_COULDNT_CONNECT;
311	}
312	gss_major_status = gss_display_name(&gss_minor_status, gss_client_name,
313	&gss_send_token, NULL);
314	if(check_gss_err(data, gss_major_status,
315	gss_minor_status, "gss_display_name")) {
316	gss_delete_sec_context(&gss_status, &gss_context, NULL);
317	gss_release_name(&gss_status, &gss_client_name);
318	gss_release_buffer(&gss_status, &gss_send_token);
319	failf(data, "Failed to determine user name.");
320	return CURLE_COULDNT_CONNECT;
321	}
322	user = malloc(gss_send_token.length + `1`);
323	if(!user) {
324	gss_delete_sec_context(&gss_status, &gss_context, NULL);
325	gss_release_name(&gss_status, &gss_client_name);
326	gss_release_buffer(&gss_status, &gss_send_token);
327	return CURLE_OUT_OF_MEMORY;
328	}
329
330	memcpy(user, gss_send_token.value, gss_send_token.length);
331	user[gss_send_token.length] = `'\0'`;
332	gss_release_name(&gss_status, &gss_client_name);
333	gss_release_buffer(&gss_status, &gss_send_token);
334	infof(data, "SOCKS5 server authenticated user %s with GSS-API.",user);
335	free(user);
336	user = NULL;
337
338	/ Do encryption /
339	socksreq[`0`] = `1`; / GSS-API subnegotiation version /
340	socksreq[`1`] = `2`; / encryption message type /
341
342	gss_enc = `0`; / no data protection /
343	/ do confidentiality protection if supported /
344	if(gss_ret_flags & GSS_C_CONF_FLAG)
345	gss_enc = `2`;
346	/ else do integrity protection /
347	else if(gss_ret_flags & GSS_C_INTEG_FLAG)
348	gss_enc = `1`;
349
350	infof(data, "SOCKS5 server supports GSS-API %s data protection.",
351	(gss_enc == `0`)?"no":((gss_enc==`1`)?"integrity":"confidentiality"));
352	/ force for the moment to no data protection /
353	gss_enc = `0`;
354	/*
355	* Sending the encryption type in clear seems wrong. It should be
356	* protected with gss_seal()/gss_wrap(). See RFC1961 extract below
357	* The NEC reference implementations on which this is based is
358	* therefore at fault
359	*
360	* +------+------+------+.......................+
361	* + ver \| mtyp \| len \| token \|
362	* +------+------+------+.......................+
363	* + 0x01 \| 0x02 \| 0x02 \| up to 2^16 - 1 octets \|
364	* +------+------+------+.......................+
365	*
366	* Where:
367	*
368	* - "ver" is the protocol version number, here 1 to represent the
369	* first version of the SOCKS/GSS-API protocol
370	*
371	* - "mtyp" is the message type, here 2 to represent a protection
372	* -level negotiation message
373	*
374	* - "len" is the length of the "token" field in octets
375	*
376	* - "token" is the GSS-API encapsulated protection level
377	*
378	* The token is produced by encapsulating an octet containing the
379	* required protection level using gss_seal()/gss_wrap() with conf_req
380	* set to FALSE. The token is verified using gss_unseal()/
381	* gss_unwrap().
382	*
383	*/
384	if(data->set.socks5_gssapi_nec) {
385	us_length = htons((short)`1`);
386	memcpy(socksreq + `2`, &us_length, sizeof(short));
387	}
388	else {
389	gss_send_token.length = `1`;
390	gss_send_token.value = malloc(`1`);
391	if(!gss_send_token.value) {
392	gss_delete_sec_context(&gss_status, &gss_context, NULL);
393	return CURLE_OUT_OF_MEMORY;
394	}
395	memcpy(gss_send_token.value, &gss_enc, `1`);
396
397	gss_major_status = gss_wrap(&gss_minor_status, gss_context, `0`,
398	GSS_C_QOP_DEFAULT, &gss_send_token,
399	&gss_conf_state, &gss_w_token);
400
401	if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) {
402	gss_release_buffer(&gss_status, &gss_send_token);
403	gss_release_buffer(&gss_status, &gss_w_token);
404	gss_delete_sec_context(&gss_status, &gss_context, NULL);
405	failf(data, "Failed to wrap GSS-API encryption value into token.");
406	return CURLE_COULDNT_CONNECT;
407	}
408	gss_release_buffer(&gss_status, &gss_send_token);
409
410	us_length = htons((short)gss_w_token.length);
411	memcpy(socksreq + `2`, &us_length, sizeof(short));
412	}
413
414	nwritten = Curl_conn_cf_send(cf->next, data, (char *)socksreq, `4`, &code);
415	if(code \|\| (`4` != nwritten)) {
416	failf(data, "Failed to send GSS-API encryption request.");
417	gss_release_buffer(&gss_status, &gss_w_token);
418	gss_delete_sec_context(&gss_status, &gss_context, NULL);
419	return CURLE_COULDNT_CONNECT;
420	}
421
422	if(data->set.socks5_gssapi_nec) {
423	memcpy(socksreq, &gss_enc, `1`);
424	nwritten = Curl_conn_cf_send(cf->next, data, (char *)socksreq, `1`, &code);
425	if(code \|\| ( `1` != nwritten)) {
426	failf(data, "Failed to send GSS-API encryption type.");
427	gss_delete_sec_context(&gss_status, &gss_context, NULL);
428	return CURLE_COULDNT_CONNECT;
429	}
430	}
431	else {
432	nwritten = Curl_conn_cf_send(cf->next, data,
433	(char *)gss_w_token.value,
434	gss_w_token.length, &code);
435	if(code \|\| ((ssize_t)gss_w_token.length != nwritten)) {
436	failf(data, "Failed to send GSS-API encryption type.");
437	gss_release_buffer(&gss_status, &gss_w_token);
438	gss_delete_sec_context(&gss_status, &gss_context, NULL);
439	return CURLE_COULDNT_CONNECT;
440	}
441	gss_release_buffer(&gss_status, &gss_w_token);
442	}
443
444	result = Curl_blockread_all(cf, data, (char *)socksreq, `4`, &actualread);
445	if(result \|\| (actualread != `4`)) {
446	failf(data, "Failed to receive GSS-API encryption response.");
447	gss_delete_sec_context(&gss_status, &gss_context, NULL);
448	return CURLE_COULDNT_CONNECT;
449	}
450
451	/ ignore the first (VER) byte /
452	if(socksreq[`1`] == `255`) { / status / message type /
453	failf(data, "User was rejected by the SOCKS5 server (%d %d).",
454	socksreq[`0`], socksreq[`1`]);
455	gss_delete_sec_context(&gss_status, &gss_context, NULL);
456	return CURLE_COULDNT_CONNECT;
457	}
458
459	if(socksreq[`1`] != `2`) { / status / message type /
460	failf(data, "Invalid GSS-API encryption response type (%d %d).",
461	socksreq[`0`], socksreq[`1`]);
462	gss_delete_sec_context(&gss_status, &gss_context, NULL);
463	return CURLE_COULDNT_CONNECT;
464	}
465
466	memcpy(&us_length, socksreq + `2`, sizeof(short));
467	us_length = ntohs(us_length);
468
469	gss_recv_token.length = us_length;
470	gss_recv_token.value = malloc(gss_recv_token.length);
471	if(!gss_recv_token.value) {
472	gss_delete_sec_context(&gss_status, &gss_context, NULL);
473	return CURLE_OUT_OF_MEMORY;
474	}
475	result = Curl_blockread_all(cf, data, (char *)gss_recv_token.value,
476	gss_recv_token.length, &actualread);
477
478	if(result \|\| (actualread != us_length)) {
479	failf(data, "Failed to receive GSS-API encryptrion type.");
480	gss_release_buffer(&gss_status, &gss_recv_token);
481	gss_delete_sec_context(&gss_status, &gss_context, NULL);
482	return CURLE_COULDNT_CONNECT;
483	}
484
485	if(!data->set.socks5_gssapi_nec) {
486	gss_major_status = gss_unwrap(&gss_minor_status, gss_context,
487	&gss_recv_token, &gss_w_token,
488	`0`, GSS_C_QOP_DEFAULT);
489
490	if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) {
491	gss_release_buffer(&gss_status, &gss_recv_token);
492	gss_release_buffer(&gss_status, &gss_w_token);
493	gss_delete_sec_context(&gss_status, &gss_context, NULL);
494	failf(data, "Failed to unwrap GSS-API encryption value into token.");
495	return CURLE_COULDNT_CONNECT;
496	}
497	gss_release_buffer(&gss_status, &gss_recv_token);
498
499	if(gss_w_token.length != `1`) {
500	failf(data, "Invalid GSS-API encryption response length (%zu).",
501	gss_w_token.length);
502	gss_release_buffer(&gss_status, &gss_w_token);
503	gss_delete_sec_context(&gss_status, &gss_context, NULL);
504	return CURLE_COULDNT_CONNECT;
505	}
506
507	memcpy(socksreq, gss_w_token.value, gss_w_token.length);
508	gss_release_buffer(&gss_status, &gss_w_token);
509	}
510	else {
511	if(gss_recv_token.length != `1`) {
512	failf(data, "Invalid GSS-API encryption response length (%zu).",
513	gss_recv_token.length);
514	gss_release_buffer(&gss_status, &gss_recv_token);
515	gss_delete_sec_context(&gss_status, &gss_context, NULL);
516	return CURLE_COULDNT_CONNECT;
517	}
518
519	memcpy(socksreq, gss_recv_token.value, gss_recv_token.length);
520	gss_release_buffer(&gss_status, &gss_recv_token);
521	}
522
523	(void)curlx_nonblock(sock, TRUE);
524
525	infof(data, "SOCKS5 access with%s protection granted.",
526	(socksreq[`0`] == `0`)?"out GSS-API data":
527	((socksreq[`0`] == `1`)?" GSS-API integrity":" GSS-API confidentiality"));
528
529	conn->socks5_gssapi_enctype = socksreq[`0`];
530	if(socksreq[`0`] == `0`)
531	gss_delete_sec_context(&gss_status, &gss_context, NULL);
532
533	return CURLE_OK;
534	}
535
536	#endif /* HAVE_GSSAPI && !CURL_DISABLE_PROXY */
537

Browse the source code of Velox/build/_deps/curl-src/lib/socks_gssapi.c