vauth: factor base64 conversions out of authentication procedures

Input challenges and returned messages are now in binary.
Conversions from/to base64 are performed by callers (currently curl_sasl.c
and http_ntlm.c).

Closes #6654

1 files changed, 21 insertions, 79 deletions

diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
index 0412815e9..b43982b9b 100644
--- a/lib/vauth/krb5_gssapi.c
+++ b/lib/vauth/krb5_gssapi.c
@@ -6,7 +6,7 @@
  *                             \___|\___/|_| \_\_____|
  *
  * Copyright (C) 2014 - 2019, Steve Holme, <steve_holme@hotmail.com>.
- * Copyright (C) 2015 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2015 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -32,7 +32,6 @@
 #include "vauth/vauth.h"
 #include "curl_sasl.h"
 #include "urldata.h"
-#include "curl_base64.h"
 #include "curl_gssapi.h"
 #include "sendf.h"
 #include "curl_printf.h"
@@ -70,12 +69,9 @@ bool Curl_auth_is_gssapi_supported(void)
  * host        [in[     - The host name.
  * mutual_auth [in]     - Flag specifying whether or not mutual authentication
  *                        is enabled.
- * chlg64      [in]     - Pointer to the optional base64 encoded challenge
- *                        message.
+ * chlg        [in]     - Optional challenge message.
  * krb5        [in/out] - The Kerberos 5 data struct being used and modified.
- * outptr      [in/out] - The address where a pointer to newly allocated memory
- *                        holding the result will be stored upon completion.
- * outlen      [out]    - The length of the output message.
+ * out         [out]    - The result storage.
  *
  * Returns CURLE_OK on success.
  */
@@ -85,13 +81,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
                                               const char *service,
                                               const char *host,
                                               const bool mutual_auth,
-                                              const char *chlg64,
+                                              const struct bufref *chlg,
                                               struct kerberos5data *krb5,
-                                              char **outptr, size_t *outlen)
+                                              struct bufref *out)
 {
   CURLcode result = CURLE_OK;
-  size_t chlglen = 0;
-  unsigned char *chlg = NULL;
   OM_uint32 major_status;
   OM_uint32 minor_status;
   OM_uint32 unused_status;
@@ -127,24 +121,13 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
     free(spn);
   }
 
-  if(chlg64 && *chlg64) {
-    /* Decode the base-64 encoded challenge message */
-    if(*chlg64 != '=') {
-      result = Curl_base64_decode(chlg64, &chlg, &chlglen);
-      if(result)
-        return result;
-    }
-
-    /* Ensure we have a valid challenge message */
-    if(!chlg) {
+  if(chlg) {
+    if(!Curl_bufref_len(chlg)) {
       infof(data, "GSSAPI handshake failure (empty challenge message)\n");
-
       return CURLE_BAD_CONTENT_ENCODING;
     }
-
-    /* Setup the challenge "input" security buffer */
-    input_token.value = chlg;
-    input_token.length = chlglen;
+    input_token.value = (void *) Curl_bufref_ptr(chlg);
+    input_token.length = Curl_bufref_len(chlg);
   }
 
   major_status = Curl_gss_init_sec_context(data,
@@ -158,9 +141,6 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
                                            mutual_auth,
                                            NULL);
 
-  /* Free the decoded challenge as it is not required anymore */
-  free(input_token.value);
-
   if(GSS_ERROR(major_status)) {
     if(output_token.value)
       gss_release_buffer(&unused_status, &output_token);
@@ -172,17 +152,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
   }
 
   if(output_token.value && output_token.length) {
-    /* Base64 encode the response */
-    result = Curl_base64_encode(data, (char *) output_token.value,
-                                output_token.length, outptr, outlen);
-
+    result = Curl_bufref_memdup(out, output_token.value, output_token.length);
     gss_release_buffer(&unused_status, &output_token);
   }
-  else if(mutual_auth) {
-    *outptr = strdup("");
-    if(!*outptr)
-      result = CURLE_OUT_OF_MEMORY;
-  }
+  else
+    Curl_bufref_set(out, mutual_auth? "": NULL, 0, NULL);
 
   return result;
 }
@@ -196,24 +170,19 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
  * Parameters:
  *
  * data    [in]     - The session handle.
- * chlg64  [in]     - Pointer to the optional base64 encoded challenge message.
+ * chlg    [in]     - Optional challenge message.
  * krb5    [in/out] - The Kerberos 5 data struct being used and modified.
- * outptr  [in/out] - The address where a pointer to newly allocated memory
- *                    holding the result will be stored upon completion.
- * outlen  [out]    - The length of the output message.
+ * out     [out]    - The result storage.
  *
  * Returns CURLE_OK on success.
  */
 CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
-                                                  const char *chlg64,
+                                                  const struct bufref *chlg,
                                                   struct kerberos5data *krb5,
-                                                  char **outptr,
-                                                  size_t *outlen)
+                                                  struct bufref *out)
 {
   CURLcode result = CURLE_OK;
-  size_t chlglen = 0;
   size_t messagelen = 0;
-  unsigned char *chlg = NULL;
   unsigned char *message = NULL;
   OM_uint32 major_status;
   OM_uint32 minor_status;
@@ -228,17 +197,9 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   gss_name_t username = GSS_C_NO_NAME;
   gss_buffer_desc username_token;
 
-  /* Decode the base-64 encoded input message */
-  if(strlen(chlg64) && *chlg64 != '=') {
-    result = Curl_base64_decode(chlg64, &chlg, &chlglen);
-    if(result)
-      return result;
-  }
-
   /* Ensure we have a valid challenge message */
-  if(!chlg) {
+  if(!Curl_bufref_len(chlg)) {
     infof(data, "GSSAPI handshake failure (empty security message)\n");
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
@@ -249,9 +210,6 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   if(GSS_ERROR(major_status)) {
     Curl_gss_log_error(data, "gss_inquire_context() failed: ",
                        major_status, minor_status);
-
-    free(chlg);
-
     return CURLE_AUTH_ERROR;
   }
 
@@ -261,15 +219,12 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   if(GSS_ERROR(major_status)) {
     Curl_gss_log_error(data, "gss_display_name() failed: ",
                        major_status, minor_status);
-
-    free(chlg);
-
     return CURLE_AUTH_ERROR;
   }
 
   /* Setup the challenge "input" security buffer */
-  input_token.value = chlg;
-  input_token.length = chlglen;
+  input_token.value = (void *) Curl_bufref_ptr(chlg);
+  input_token.length = Curl_bufref_len(chlg);
 
   /* Decrypt the inbound challenge and obtain the qop */
   major_status = gss_unwrap(&minor_status, krb5->context, &input_token,
@@ -277,27 +232,20 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   if(GSS_ERROR(major_status)) {
     Curl_gss_log_error(data, "gss_unwrap() failed: ",
                        major_status, minor_status);
-
     gss_release_buffer(&unused_status, &username_token);
-    free(chlg);
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
   /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
   if(output_token.length != 4) {
     infof(data, "GSSAPI handshake failure (invalid security data)\n");
-
     gss_release_buffer(&unused_status, &username_token);
-    free(chlg);
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
   /* Copy the data out and free the challenge as it is not required anymore */
   memcpy(&indata, output_token.value, 4);
   gss_release_buffer(&unused_status, &output_token);
-  free(chlg);
 
   /* Extract the security layer */
   sec_layer = indata & 0x000000FF;
@@ -305,7 +253,6 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
     infof(data, "GSSAPI handshake failure (invalid security layer)\n");
 
     gss_release_buffer(&unused_status, &username_token);
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
@@ -323,7 +270,6 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   message = malloc(messagelen);
   if(!message) {
     gss_release_buffer(&unused_status, &username_token);
-
     return CURLE_OUT_OF_MEMORY;
   }
 
@@ -352,16 +298,12 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   if(GSS_ERROR(major_status)) {
     Curl_gss_log_error(data, "gss_wrap() failed: ",
                        major_status, minor_status);
-
     free(message);
-
     return CURLE_AUTH_ERROR;
   }
 
-  /* Base64 encode the response */
-  result = Curl_base64_encode(data, (char *) output_token.value,
-                              output_token.length, outptr, outlen);
-
+  /* Return the response. */
+  result = Curl_bufref_memdup(out, output_token.value, output_token.length);
   /* Free the output buffer */
   gss_release_buffer(&unused_status, &output_token);