| 1 | /*************************************************************************** |
|---|---|
| 2 | * _ _ ____ _ |
| 3 | * Project ___| | | | _ \| | |
| 4 | * / __| | | | |_) | | |
| 5 | * | (__| |_| | _ <| |___ |
| 6 | * \___|\___/|_| \_\_____| |
| 7 | * |
| 8 | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
| 9 | * |
| 10 | * This software is licensed as described in the file COPYING, which |
| 11 | * you should have received as part of this distribution. The terms |
| 12 | * are also available at https://curl.se/docs/copyright.html. |
| 13 | * |
| 14 | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
| 15 | * copies of the Software, and permit persons to whom the Software is |
| 16 | * furnished to do so, under the terms of the COPYING file. |
| 17 | * |
| 18 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| 19 | * KIND, either express or implied. |
| 20 | * |
| 21 | * SPDX-License-Identifier: curl |
| 22 | * |
| 23 | ***************************************************************************/ |
| 24 | |
| 25 | #include "curl_setup.h" |
| 26 | |
| 27 | #if defined(USE_WINDOWS_SSPI) && defined(USE_NTLM) |
| 28 | |
| 29 | #include <curl/curl.h> |
| 30 | |
| 31 | #include "vauth/vauth.h" |
| 32 | #include "urldata.h" |
| 33 | #include "curl_ntlm_core.h" |
| 34 | #include "warnless.h" |
| 35 | #include "curl_multibyte.h" |
| 36 | #include "sendf.h" |
| 37 | |
| 38 | /* The last #include files should be: */ |
| 39 | #include "curl_memory.h" |
| 40 | #include "memdebug.h" |
| 41 | |
| 42 | /* |
| 43 | * Curl_auth_is_ntlm_supported() |
| 44 | * |
| 45 | * This is used to evaluate if NTLM is supported. |
| 46 | * |
| 47 | * Parameters: None |
| 48 | * |
| 49 | * Returns TRUE if NTLM is supported by Windows SSPI. |
| 50 | */ |
| 51 | bool Curl_auth_is_ntlm_supported(void) |
| 52 | { |
| 53 | PSecPkgInfo SecurityPackage; |
| 54 | SECURITY_STATUS status; |
| 55 | |
| 56 | /* Query the security package for NTLM */ |
| 57 | status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM), |
| 58 | &SecurityPackage); |
| 59 | |
| 60 | /* Release the package buffer as it is not required anymore */ |
| 61 | if(status == SEC_E_OK) { |
| 62 | s_pSecFn->FreeContextBuffer(SecurityPackage); |
| 63 | } |
| 64 | |
| 65 | return (status == SEC_E_OK ? TRUE : FALSE); |
| 66 | } |
| 67 | |
| 68 | /* |
| 69 | * Curl_auth_create_ntlm_type1_message() |
| 70 | * |
| 71 | * This is used to generate an already encoded NTLM type-1 message ready for |
| 72 | * sending to the recipient. |
| 73 | * |
| 74 | * Parameters: |
| 75 | * |
| 76 | * data [in] - The session handle. |
| 77 | * userp [in] - The user name in the format User or Domain\User. |
| 78 | * passwdp [in] - The user's password. |
| 79 | * service [in] - The service type such as http, smtp, pop or imap. |
| 80 | * host [in] - The host name. |
| 81 | * ntlm [in/out] - The NTLM data struct being used and modified. |
| 82 | * out [out] - The result storage. |
| 83 | * |
| 84 | * Returns CURLE_OK on success. |
| 85 | */ |
| 86 | CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data, |
| 87 | const char *userp, |
| 88 | const char *passwdp, |
| 89 | const char *service, |
| 90 | const char *host, |
| 91 | struct ntlmdata *ntlm, |
| 92 | struct bufref *out) |
| 93 | { |
| 94 | PSecPkgInfo SecurityPackage; |
| 95 | SecBuffer type_1_buf; |
| 96 | SecBufferDesc type_1_desc; |
| 97 | SECURITY_STATUS status; |
| 98 | unsigned long attrs; |
| 99 | TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */ |
| 100 | |
| 101 | /* Clean up any former leftovers and initialise to defaults */ |
| 102 | Curl_auth_cleanup_ntlm(ntlm); |
| 103 | |
| 104 | /* Query the security package for NTLM */ |
| 105 | status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NTLM), |
| 106 | &SecurityPackage); |
| 107 | if(status != SEC_E_OK) { |
| 108 | failf(data, "SSPI: couldn't get auth info"); |
| 109 | return CURLE_AUTH_ERROR; |
| 110 | } |
| 111 | |
| 112 | ntlm->token_max = SecurityPackage->cbMaxToken; |
| 113 | |
| 114 | /* Release the package buffer as it is not required anymore */ |
| 115 | s_pSecFn->FreeContextBuffer(SecurityPackage); |
| 116 | |
| 117 | /* Allocate our output buffer */ |
| 118 | ntlm->output_token = malloc(ntlm->token_max); |
| 119 | if(!ntlm->output_token) |
| 120 | return CURLE_OUT_OF_MEMORY; |
| 121 | |
| 122 | if(userp && *userp) { |
| 123 | CURLcode result; |
| 124 | |
| 125 | /* Populate our identity structure */ |
| 126 | result = Curl_create_sspi_identity(userp, passwdp, &ntlm->identity); |
| 127 | if(result) |
| 128 | return result; |
| 129 | |
| 130 | /* Allow proper cleanup of the identity structure */ |
| 131 | ntlm->p_identity = &ntlm->identity; |
| 132 | } |
| 133 | else |
| 134 | /* Use the current Windows user */ |
| 135 | ntlm->p_identity = NULL; |
| 136 | |
| 137 | /* Allocate our credentials handle */ |
| 138 | ntlm->credentials = calloc(1, sizeof(CredHandle)); |
| 139 | if(!ntlm->credentials) |
| 140 | return CURLE_OUT_OF_MEMORY; |
| 141 | |
| 142 | /* Acquire our credentials handle */ |
| 143 | status = s_pSecFn->AcquireCredentialsHandle(NULL, |
| 144 | (TCHAR *) TEXT(SP_NAME_NTLM), |
| 145 | SECPKG_CRED_OUTBOUND, NULL, |
| 146 | ntlm->p_identity, NULL, NULL, |
| 147 | ntlm->credentials, &expiry); |
| 148 | if(status != SEC_E_OK) |
| 149 | return CURLE_LOGIN_DENIED; |
| 150 | |
| 151 | /* Allocate our new context handle */ |
| 152 | ntlm->context = calloc(1, sizeof(CtxtHandle)); |
| 153 | if(!ntlm->context) |
| 154 | return CURLE_OUT_OF_MEMORY; |
| 155 | |
| 156 | ntlm->spn = Curl_auth_build_spn(service, host, NULL); |
| 157 | if(!ntlm->spn) |
| 158 | return CURLE_OUT_OF_MEMORY; |
| 159 | |
| 160 | /* Setup the type-1 "output" security buffer */ |
| 161 | type_1_desc.ulVersion = SECBUFFER_VERSION; |
| 162 | type_1_desc.cBuffers = 1; |
| 163 | type_1_desc.pBuffers = &type_1_buf; |
| 164 | type_1_buf.BufferType = SECBUFFER_TOKEN; |
| 165 | type_1_buf.pvBuffer = ntlm->output_token; |
| 166 | type_1_buf.cbBuffer = curlx_uztoul(ntlm->token_max); |
| 167 | |
| 168 | /* Generate our type-1 message */ |
| 169 | status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL, |
| 170 | ntlm->spn, |
| 171 | 0, 0, SECURITY_NETWORK_DREP, |
| 172 | NULL, 0, |
| 173 | ntlm->context, &type_1_desc, |
| 174 | &attrs, &expiry); |
| 175 | if(status == SEC_I_COMPLETE_NEEDED || |
| 176 | status == SEC_I_COMPLETE_AND_CONTINUE) |
| 177 | s_pSecFn->CompleteAuthToken(ntlm->context, &type_1_desc); |
| 178 | else if(status == SEC_E_INSUFFICIENT_MEMORY) |
| 179 | return CURLE_OUT_OF_MEMORY; |
| 180 | else if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) |
| 181 | return CURLE_AUTH_ERROR; |
| 182 | |
| 183 | /* Return the response. */ |
| 184 | Curl_bufref_set(out, ntlm->output_token, type_1_buf.cbBuffer, NULL); |
| 185 | return CURLE_OK; |
| 186 | } |
| 187 | |
| 188 | /* |
| 189 | * Curl_auth_decode_ntlm_type2_message() |
| 190 | * |
| 191 | * This is used to decode an already encoded NTLM type-2 message. |
| 192 | * |
| 193 | * Parameters: |
| 194 | * |
| 195 | * data [in] - The session handle. |
| 196 | * type2 [in] - The type-2 message. |
| 197 | * ntlm [in/out] - The NTLM data struct being used and modified. |
| 198 | * |
| 199 | * Returns CURLE_OK on success. |
| 200 | */ |
| 201 | CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data, |
| 202 | const struct bufref *type2, |
| 203 | struct ntlmdata *ntlm) |
| 204 | { |
| 205 | #if defined(CURL_DISABLE_VERBOSE_STRINGS) |
| 206 | (void) data; |
| 207 | #endif |
| 208 | |
| 209 | /* Ensure we have a valid type-2 message */ |
| 210 | if(!Curl_bufref_len(type2)) { |
| 211 | infof(data, "NTLM handshake failure (empty type-2 message)"); |
| 212 | return CURLE_BAD_CONTENT_ENCODING; |
| 213 | } |
| 214 | |
| 215 | /* Store the challenge for later use */ |
| 216 | ntlm->input_token = malloc(Curl_bufref_len(type2) + 1); |
| 217 | if(!ntlm->input_token) |
| 218 | return CURLE_OUT_OF_MEMORY; |
| 219 | memcpy(ntlm->input_token, Curl_bufref_ptr(type2), Curl_bufref_len(type2)); |
| 220 | ntlm->input_token[Curl_bufref_len(type2)] = '\0'; |
| 221 | ntlm->input_token_len = Curl_bufref_len(type2); |
| 222 | |
| 223 | return CURLE_OK; |
| 224 | } |
| 225 | |
| 226 | /* |
| 227 | * Curl_auth_create_ntlm_type3_message() |
| 228 | * Curl_auth_create_ntlm_type3_message() |
| 229 | * |
| 230 | * This is used to generate an already encoded NTLM type-3 message ready for |
| 231 | * sending to the recipient. |
| 232 | * |
| 233 | * Parameters: |
| 234 | * |
| 235 | * data [in] - The session handle. |
| 236 | * userp [in] - The user name in the format User or Domain\User. |
| 237 | * passwdp [in] - The user's password. |
| 238 | * ntlm [in/out] - The NTLM data struct being used and modified. |
| 239 | * out [out] - The result storage. |
| 240 | * |
| 241 | * Returns CURLE_OK on success. |
| 242 | */ |
| 243 | CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, |
| 244 | const char *userp, |
| 245 | const char *passwdp, |
| 246 | struct ntlmdata *ntlm, |
| 247 | struct bufref *out) |
| 248 | { |
| 249 | CURLcode result = CURLE_OK; |
| 250 | SecBuffer type_2_bufs[2]; |
| 251 | SecBuffer type_3_buf; |
| 252 | SecBufferDesc type_2_desc; |
| 253 | SecBufferDesc type_3_desc; |
| 254 | SECURITY_STATUS status; |
| 255 | unsigned long attrs; |
| 256 | TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */ |
| 257 | |
| 258 | #if defined(CURL_DISABLE_VERBOSE_STRINGS) |
| 259 | (void) data; |
| 260 | #endif |
| 261 | (void) passwdp; |
| 262 | (void) userp; |
| 263 | |
| 264 | /* Setup the type-2 "input" security buffer */ |
| 265 | type_2_desc.ulVersion = SECBUFFER_VERSION; |
| 266 | type_2_desc.cBuffers = 1; |
| 267 | type_2_desc.pBuffers = &type_2_bufs[0]; |
| 268 | type_2_bufs[0].BufferType = SECBUFFER_TOKEN; |
| 269 | type_2_bufs[0].pvBuffer = ntlm->input_token; |
| 270 | type_2_bufs[0].cbBuffer = curlx_uztoul(ntlm->input_token_len); |
| 271 | |
| 272 | #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS |
| 273 | /* ssl context comes from schannel. |
| 274 | * When extended protection is used in IIS server, |
| 275 | * we have to pass a second SecBuffer to the SecBufferDesc |
| 276 | * otherwise IIS will not pass the authentication (401 response). |
| 277 | * Minimum supported version is Windows 7. |
| 278 | * https://docs.microsoft.com/en-us/security-updates |
| 279 | * /SecurityAdvisories/2009/973811 |
| 280 | */ |
| 281 | if(ntlm->sslContext) { |
| 282 | SEC_CHANNEL_BINDINGS channelBindings; |
| 283 | SecPkgContext_Bindings pkgBindings; |
| 284 | pkgBindings.Bindings = &channelBindings; |
| 285 | status = s_pSecFn->QueryContextAttributes( |
| 286 | ntlm->sslContext, |
| 287 | SECPKG_ATTR_ENDPOINT_BINDINGS, |
| 288 | &pkgBindings |
| 289 | ); |
| 290 | if(status == SEC_E_OK) { |
| 291 | type_2_desc.cBuffers++; |
| 292 | type_2_bufs[1].BufferType = SECBUFFER_CHANNEL_BINDINGS; |
| 293 | type_2_bufs[1].cbBuffer = pkgBindings.BindingsLength; |
| 294 | type_2_bufs[1].pvBuffer = pkgBindings.Bindings; |
| 295 | } |
| 296 | } |
| 297 | #endif |
| 298 | |
| 299 | /* Setup the type-3 "output" security buffer */ |
| 300 | type_3_desc.ulVersion = SECBUFFER_VERSION; |
| 301 | type_3_desc.cBuffers = 1; |
| 302 | type_3_desc.pBuffers = &type_3_buf; |
| 303 | type_3_buf.BufferType = SECBUFFER_TOKEN; |
| 304 | type_3_buf.pvBuffer = ntlm->output_token; |
| 305 | type_3_buf.cbBuffer = curlx_uztoul(ntlm->token_max); |
| 306 | |
| 307 | /* Generate our type-3 message */ |
| 308 | status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, |
| 309 | ntlm->context, |
| 310 | ntlm->spn, |
| 311 | 0, 0, SECURITY_NETWORK_DREP, |
| 312 | &type_2_desc, |
| 313 | 0, ntlm->context, |
| 314 | &type_3_desc, |
| 315 | &attrs, &expiry); |
| 316 | if(status != SEC_E_OK) { |
| 317 | infof(data, "NTLM handshake failure (type-3 message): Status=%x", |
| 318 | status); |
| 319 | |
| 320 | if(status == SEC_E_INSUFFICIENT_MEMORY) |
| 321 | return CURLE_OUT_OF_MEMORY; |
| 322 | |
| 323 | return CURLE_AUTH_ERROR; |
| 324 | } |
| 325 | |
| 326 | /* Return the response. */ |
| 327 | result = Curl_bufref_memdup(out, ntlm->output_token, type_3_buf.cbBuffer); |
| 328 | Curl_auth_cleanup_ntlm(ntlm); |
| 329 | return result; |
| 330 | } |
| 331 | |
| 332 | /* |
| 333 | * Curl_auth_cleanup_ntlm() |
| 334 | * |
| 335 | * This is used to clean up the NTLM specific data. |
| 336 | * |
| 337 | * Parameters: |
| 338 | * |
| 339 | * ntlm [in/out] - The NTLM data struct being cleaned up. |
| 340 | * |
| 341 | */ |
| 342 | void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm) |
| 343 | { |
| 344 | /* Free our security context */ |
| 345 | if(ntlm->context) { |
| 346 | s_pSecFn->DeleteSecurityContext(ntlm->context); |
| 347 | free(ntlm->context); |
| 348 | ntlm->context = NULL; |
| 349 | } |
| 350 | |
| 351 | /* Free our credentials handle */ |
| 352 | if(ntlm->credentials) { |
| 353 | s_pSecFn->FreeCredentialsHandle(ntlm->credentials); |
| 354 | free(ntlm->credentials); |
| 355 | ntlm->credentials = NULL; |
| 356 | } |
| 357 | |
| 358 | /* Free our identity */ |
| 359 | Curl_sspi_free_identity(ntlm->p_identity); |
| 360 | ntlm->p_identity = NULL; |
| 361 | |
| 362 | /* Free the input and output tokens */ |
| 363 | Curl_safefree(ntlm->input_token); |
| 364 | Curl_safefree(ntlm->output_token); |
| 365 | |
| 366 | /* Reset any variables */ |
| 367 | ntlm->token_max = 0; |
| 368 | |
| 369 | Curl_safefree(ntlm->spn); |
| 370 | } |
| 371 | |
| 372 | #endif /* USE_WINDOWS_SSPI && USE_NTLM */ |
| 373 |
Generated on 2024-Jan-11 from project Velox revision 1.0.1
Powered by 
Code Browser 2.1
Generator usage only permitted with license.