summaryrefslogtreecommitdiff
path: root/lib/vauth/krb5_gssapi.c
diff options
context:
space:
mode:
authorPatrick Monnerat <patrick@monnerat.net>2021-03-17 20:09:55 +0100
committerDaniel Stenberg <daniel@haxx.se>2021-04-22 09:06:07 +0200
commit19ea52da4df3c3ebc399ae25e705c7a8b5d45d95 (patch)
treea24d58a91383624c6fefb1295829b1e3b284feb7 /lib/vauth/krb5_gssapi.c
parent34cf40321c3cfa5160e34a87a816b7c6030c0296 (diff)
downloadcurl-19ea52da4df3c3ebc399ae25e705c7a8b5d45d95.tar.gz
vauth: factor base64 conversions out of authentication procedures
Input challenges and returned messages are now in binary. Conversions from/to base64 are performed by callers (currently curl_sasl.c and http_ntlm.c). Closes #6654
Diffstat (limited to 'lib/vauth/krb5_gssapi.c')
-rw-r--r--lib/vauth/krb5_gssapi.c100
1 files changed, 21 insertions, 79 deletions
diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
index 0412815e9..b43982b9b 100644
--- a/lib/vauth/krb5_gssapi.c
+++ b/lib/vauth/krb5_gssapi.c
@@ -6,7 +6,7 @@
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2014 - 2019, Steve Holme, <steve_holme@hotmail.com>.
- * Copyright (C) 2015 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2015 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -32,7 +32,6 @@
#include "vauth/vauth.h"
#include "curl_sasl.h"
#include "urldata.h"
-#include "curl_base64.h"
#include "curl_gssapi.h"
#include "sendf.h"
#include "curl_printf.h"
@@ -70,12 +69,9 @@ bool Curl_auth_is_gssapi_supported(void)
* host [in[ - The host name.
* mutual_auth [in] - Flag specifying whether or not mutual authentication
* is enabled.
- * chlg64 [in] - Pointer to the optional base64 encoded challenge
- * message.
+ * chlg [in] - Optional challenge message.
* krb5 [in/out] - The Kerberos 5 data struct being used and modified.
- * outptr [in/out] - The address where a pointer to newly allocated memory
- * holding the result will be stored upon completion.
- * outlen [out] - The length of the output message.
+ * out [out] - The result storage.
*
* Returns CURLE_OK on success.
*/
@@ -85,13 +81,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
const char *service,
const char *host,
const bool mutual_auth,
- const char *chlg64,
+ const struct bufref *chlg,
struct kerberos5data *krb5,
- char **outptr, size_t *outlen)
+ struct bufref *out)
{
CURLcode result = CURLE_OK;
- size_t chlglen = 0;
- unsigned char *chlg = NULL;
OM_uint32 major_status;
OM_uint32 minor_status;
OM_uint32 unused_status;
@@ -127,24 +121,13 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
free(spn);
}
- if(chlg64 && *chlg64) {
- /* Decode the base-64 encoded challenge message */
- if(*chlg64 != '=') {
- result = Curl_base64_decode(chlg64, &chlg, &chlglen);
- if(result)
- return result;
- }
-
- /* Ensure we have a valid challenge message */
- if(!chlg) {
+ if(chlg) {
+ if(!Curl_bufref_len(chlg)) {
infof(data, "GSSAPI handshake failure (empty challenge message)\n");
-
return CURLE_BAD_CONTENT_ENCODING;
}
-
- /* Setup the challenge "input" security buffer */
- input_token.value = chlg;
- input_token.length = chlglen;
+ input_token.value = (void *) Curl_bufref_ptr(chlg);
+ input_token.length = Curl_bufref_len(chlg);
}
major_status = Curl_gss_init_sec_context(data,
@@ -158,9 +141,6 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
mutual_auth,
NULL);
- /* Free the decoded challenge as it is not required anymore */
- free(input_token.value);
-
if(GSS_ERROR(major_status)) {
if(output_token.value)
gss_release_buffer(&unused_status, &output_token);
@@ -172,17 +152,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
}
if(output_token.value && output_token.length) {
- /* Base64 encode the response */
- result = Curl_base64_encode(data, (char *) output_token.value,
- output_token.length, outptr, outlen);
-
+ result = Curl_bufref_memdup(out, output_token.value, output_token.length);
gss_release_buffer(&unused_status, &output_token);
}
- else if(mutual_auth) {
- *outptr = strdup("");
- if(!*outptr)
- result = CURLE_OUT_OF_MEMORY;
- }
+ else
+ Curl_bufref_set(out, mutual_auth? "": NULL, 0, NULL);
return result;
}
@@ -196,24 +170,19 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
* Parameters:
*
* data [in] - The session handle.
- * chlg64 [in] - Pointer to the optional base64 encoded challenge message.
+ * chlg [in] - Optional challenge message.
* krb5 [in/out] - The Kerberos 5 data struct being used and modified.
- * outptr [in/out] - The address where a pointer to newly allocated memory
- * holding the result will be stored upon completion.
- * outlen [out] - The length of the output message.
+ * out [out] - The result storage.
*
* Returns CURLE_OK on success.
*/
CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
- const char *chlg64,
+ const struct bufref *chlg,
struct kerberos5data *krb5,
- char **outptr,
- size_t *outlen)
+ struct bufref *out)
{
CURLcode result = CURLE_OK;
- size_t chlglen = 0;
size_t messagelen = 0;
- unsigned char *chlg = NULL;
unsigned char *message = NULL;
OM_uint32 major_status;
OM_uint32 minor_status;
@@ -228,17 +197,9 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
gss_name_t username = GSS_C_NO_NAME;
gss_buffer_desc username_token;
- /* Decode the base-64 encoded input message */
- if(strlen(chlg64) && *chlg64 != '=') {
- result = Curl_base64_decode(chlg64, &chlg, &chlglen);
- if(result)
- return result;
- }
-
/* Ensure we have a valid challenge message */
- if(!chlg) {
+ if(!Curl_bufref_len(chlg)) {
infof(data, "GSSAPI handshake failure (empty security message)\n");
-
return CURLE_BAD_CONTENT_ENCODING;
}
@@ -249,9 +210,6 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
if(GSS_ERROR(major_status)) {
Curl_gss_log_error(data, "gss_inquire_context() failed: ",
major_status, minor_status);
-
- free(chlg);
-
return CURLE_AUTH_ERROR;
}
@@ -261,15 +219,12 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
if(GSS_ERROR(major_status)) {
Curl_gss_log_error(data, "gss_display_name() failed: ",
major_status, minor_status);
-
- free(chlg);
-
return CURLE_AUTH_ERROR;
}
/* Setup the challenge "input" security buffer */
- input_token.value = chlg;
- input_token.length = chlglen;
+ input_token.value = (void *) Curl_bufref_ptr(chlg);
+ input_token.length = Curl_bufref_len(chlg);
/* Decrypt the inbound challenge and obtain the qop */
major_status = gss_unwrap(&minor_status, krb5->context, &input_token,
@@ -277,27 +232,20 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
if(GSS_ERROR(major_status)) {
Curl_gss_log_error(data, "gss_unwrap() failed: ",
major_status, minor_status);
-
gss_release_buffer(&unused_status, &username_token);
- free(chlg);
-
return CURLE_BAD_CONTENT_ENCODING;
}
/* Not 4 octets long so fail as per RFC4752 Section 3.1 */
if(output_token.length != 4) {
infof(data, "GSSAPI handshake failure (invalid security data)\n");
-
gss_release_buffer(&unused_status, &username_token);
- free(chlg);
-
return CURLE_BAD_CONTENT_ENCODING;
}
/* Copy the data out and free the challenge as it is not required anymore */
memcpy(&indata, output_token.value, 4);
gss_release_buffer(&unused_status, &output_token);
- free(chlg);
/* Extract the security layer */
sec_layer = indata & 0x000000FF;
@@ -305,7 +253,6 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
infof(data, "GSSAPI handshake failure (invalid security layer)\n");
gss_release_buffer(&unused_status, &username_token);
-
return CURLE_BAD_CONTENT_ENCODING;
}
@@ -323,7 +270,6 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
message = malloc(messagelen);
if(!message) {
gss_release_buffer(&unused_status, &username_token);
-
return CURLE_OUT_OF_MEMORY;
}
@@ -352,16 +298,12 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
if(GSS_ERROR(major_status)) {
Curl_gss_log_error(data, "gss_wrap() failed: ",
major_status, minor_status);
-
free(message);
-
return CURLE_AUTH_ERROR;
}
- /* Base64 encode the response */
- result = Curl_base64_encode(data, (char *) output_token.value,
- output_token.length, outptr, outlen);
-
+ /* Return the response. */
+ result = Curl_bufref_memdup(out, output_token.value, output_token.length);
/* Free the output buffer */
gss_release_buffer(&unused_status, &output_token);