From e56ae1426cb7a0a4a427cf8d6099a821fdaae428 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 10 Jun 2003 12:22:19 +0000 Subject: Daniel Kouril's patch that adds HTTP negotiation support to libcurl was added. --- lib/http_negotiate.c | 217 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 217 insertions(+) create mode 100644 lib/http_negotiate.c (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c new file mode 100644 index 000000000..9a2d46a1f --- /dev/null +++ b/lib/http_negotiate.c 
@@ -0,0 +1,217 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2003, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * $Id$ + ***************************************************************************/ +#include "setup.h" + +#ifdef GSSAPI + +#ifndef CURL_DISABLE_HTTP +/* -- WIN32 approved -- */ +#include +#include +#include +#include +#include + +#include "urldata.h" +#include "sendf.h" +#include "strequal.h" + +#include "http_negotiate.h" + +#define _MPRINTF_REPLACE /* use our functions only */ +#include + +/* The last #include file should be: */ +#ifdef MALLOCDEBUG +#include "memdebug.h" +#endif + +static int +get_gss_name(struct connectdata *conn, gss_name_t *server) +{ + OM_uint32 major_status, minor_status; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + char name[2048]; + +#ifdef KRB5 + token.length = strlen("khttp@") + strlen(conn->hostname) + 1; +#els + token.length = strlen("host/") + strlen(conn->hostname) + 1; +#endif + if (token.length + 1 > sizeof(name)) + return EMSGSIZE; +#ifdef KRB5 + sprintf(name, "khttp@%s", conn->hostname); +#else + sprintf(name, "host/%s", conn->hostname); +#endif + token.value = (void *) name; + major_status = gss_import_name(&minor_status, + &token, + GSS_C_NT_HOSTBASED_SERVICE, + server); + return GSS_ERROR(major_status) ? 
-1 : 0; +} + +static void +log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) +{ + OM_uint32 maj_stat, min_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + char buf[1024]; + size_t len; + + snprintf(buf, sizeof(buf), "%s", prefix); + len = strlen(buf); + do { + maj_stat = gss_display_status (&min_stat, + error_status, + GSS_C_MECH_CODE, + GSS_C_NO_OID, + &msg_ctx, + &status_string); + if (sizeof(buf) > len + status_string.length + 1) { + sprintf(buf + len, ": %s", (char*) status_string.value); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + + infof(conn->data, buf); +} + +CURLcode Curl_input_negotiate(struct connectdata *conn, char *header) +{ + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + OM_uint32 major_status, minor_status, minor_status2; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; + int ret; + size_t len; + + while(*header && isspace((int)*header)) + header++; + if(!checkprefix("GSS-Negotiate", header)) + return -1; + + if (neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { + /* We finished succesfully our part of authentication, but server + * rejected it (since we're again here). 
Exit with an error since we + * can't invent anything better */ + Curl_cleanup_negotiate(conn->data); + return -1; + } + + if (neg_ctx->server_name == NULL && + (ret = get_gss_name(conn, &neg_ctx->server_name))) + return ret; + + header += strlen("GSS-Negotiate"); + while(*header && isspace((int)*header)) + header++; + + len = strlen(header); + if (len > 0) { + input_token.length = (len+3)/4 * 3; + input_token.value = malloc(input_token.length); + if (input_token.value == NULL) + return ENOMEM; + input_token.length = Curl_base64_decode(header, input_token.value); + if (input_token.length < 0) + return -1; + } + + major_status = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &neg_ctx->context, + neg_ctx->server_name, + GSS_C_NO_OID, + GSS_C_DELEG_FLAG, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, + NULL, + &output_token, + NULL, + NULL); + if (input_token.length > 0) + gss_release_buffer(&minor_status2, &input_token); + neg_ctx->status = major_status; + if (GSS_ERROR(major_status)) { + /* Curl_cleanup_negotiate(conn->data) ??? */ + log_gss_error(conn, minor_status, "gss_init_sec_context() failed: "); + return -1; + } + + if (output_token.length == 0) { + return -1; + } + + neg_ctx->output_token = output_token; + /* conn->bits.close = FALSE; */ + + return 0; +} + + +CURLcode Curl_output_negotiate(struct connectdata *conn) +{ + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + OM_uint32 minor_status; + char *encoded = NULL; + size_t len; + + len = Curl_base64_encode(neg_ctx->output_token.value, + neg_ctx->output_token.length, + &encoded); + if (len < 0) + return -1; + + conn->allocptr.userpwd = + aprintf("Authorization: GSS-Negotiate %s\r\n", encoded); + free(encoded); + gss_release_buffer(&minor_status, &neg_ctx->output_token); + return (conn->allocptr.userpwd == NULL) ? 
ENOMEM : 0; +} + +void Curl_cleanup_negotiate(struct SessionHandle *data) +{ + OM_uint32 minor_status; + struct negotiatedata *neg_ctx = &data->state.negotiate; + + if (neg_ctx->context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, &neg_ctx->context, GSS_C_NO_BUFFER); + + if (neg_ctx->output_token.length != 0) + gss_release_buffer(&minor_status, &neg_ctx->output_token); + + if (neg_ctx->server_name != GSS_C_NO_NAME) + gss_release_name(&minor_status, &neg_ctx->server_name); + + memset(neg_ctx, 0, sizeof(*neg_ctx)); +} + + +#endif +#endif -- cgit v1.2.1 From 898e067ccc01d86e23410247fe037b14c3296c8a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 26 Jun 2003 11:25:23 +0000 Subject: kill warnings --- lib/http_negotiate.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 9a2d46a1f..63aa7fa40 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -35,14 +35,14 @@ #include "urldata.h" #include "sendf.h" #include "strequal.h" - +#include "base64.h" #include "http_negotiate.h" #define _MPRINTF_REPLACE /* use our functions only */ #include /* The last #include file should be: */ -#ifdef MALLOCDEBUG +#ifdef CURLDEBUG #include "memdebug.h" #endif @@ -101,7 +101,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, buf); } -CURLcode Curl_input_negotiate(struct connectdata *conn, char *header) +int Curl_input_negotiate(struct connectdata *conn, char *header) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; 
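Review bot: get_gss_name contains `#els` where `#else` is meant, so the file does not preprocess at all once GSSAPI is defined; `#else` is the one-token fix. log_gss_error then hands the assembled status text to the logger as the format argument, `infof(conn->data, buf);`, so any `%` sequence inside a GSS status message is interpreted by the printf engine — use `infof(conn->data, "%s", buf);`. Curl_input_negotiate is declared to return CURLcode yet returns `-1` and `ENOMEM`, neither of which a caller can interpret as a CURLcode. The decoded input_token is malloc'd but later passed to gss_release_buffer, a mismatched allocator/deallocator pair, and on the Curl_base64_decode failure path it is not freed at all.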
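Review bot: Changing the declared return type to `int` does not settle what the value means: the body still returns `-1` on most failures and `ENOMEM` from the base64 branch (next hunk), and get_gss_name's `EMSGSIZE` is forwarded unchanged through `return ret;`, so a caller testing for `-1` misses the errno-valued failures. Pick one convention for the whole function and state it above the definition, e.g. `/* Returns 0 on success, -1 on any failure. */`. The matching prototype in http_negotiate.h is outside this diff and presumably changes with it.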
@@ -133,13 +133,15 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, char *header) len = strlen(header); if (len > 0) { + int rawlen; input_token.length = (len+3)/4 * 3; input_token.value = malloc(input_token.length); if (input_token.value == NULL) return ENOMEM; - input_token.length = Curl_base64_decode(header, input_token.value); - if (input_token.length < 0) + rawlen = Curl_base64_decode(header, input_token.value); + if (rawlen < 0) return -1; + input_token.length = rawlen; } major_status = gss_init_sec_context(&minor_status, @@ -160,7 +162,8 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, char *header) neg_ctx->status = major_status; if (GSS_ERROR(major_status)) { /* Curl_cleanup_negotiate(conn->data) ??? */ - log_gss_error(conn, minor_status, "gss_init_sec_context() failed: "); + log_gss_error(conn, minor_status, + (char *)"gss_init_sec_context() failed: "); return -1; } @@ -180,19 +183,17 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 minor_status; char *encoded = NULL; - size_t len; - - len = Curl_base64_encode(neg_ctx->output_token.value, - neg_ctx->output_token.length, - &encoded); + int len = Curl_base64_encode(neg_ctx->output_token.value, + neg_ctx->output_token.length, + &encoded); if (len < 0) - return -1; + return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = aprintf("Authorization: GSS-Negotiate %s\r\n", encoded); free(encoded); gss_release_buffer(&minor_status, &neg_ctx->output_token); - return (conn->allocptr.userpwd == NULL) ? ENOMEM : 0; + return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; } void Curl_cleanup_negotiate(struct SessionHandle *data) -- cgit v1.2.1 From b47462bd68e5bfe8c168a38507bf46190e79ffae Mon Sep 17 00:00:00 2001 
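Review bot: The `if (rawlen < 0) return -1;` path in this hunk leaks `input_token.value`, which was malloc'd two lines above; free it before returning, `if (rawlen < 0) { free(input_token.value); return -1; }`. The move to a signed `rawlen` is otherwise right, since `input_token.length` is an unsigned length field and the old `< 0` test could never be true. The same buffer is later handed to `gss_release_buffer` (outside this hunk), which is specified for GSS-allocated buffers; `free()` is the matching release for a malloc'd one.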
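Review bot: The `(char *)` cast on the string literal silences the warning rather than fixing it: log_gss_error only reads `prefix` (it copies it with snprintf), so its parameter should become `const char *prefix` and the cast dropped. That declaration is outside this hunk. Casting const away from a literal also hides a genuine write-to-read-only-memory bug if the callee is ever changed to modify it.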
From: Daniel Stenberg Date: Wed, 23 Jul 2003 11:28:59 +0000 Subject: Daniel Kouril's fix to make the GSS-Negotiate work fine. --- lib/http_negotiate.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 63aa7fa40..1a0f2dba4 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "urldata.h" #include "sendf.h" @@ -53,18 +54,15 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) gss_buffer_desc token = GSS_C_EMPTY_BUFFER; char name[2048]; -#ifdef KRB5 + /* GSSAPI implementation by Globus (known as GSI) requires the name to be + of form "/" instead of @ (ie. slash instead + of at-sign). Also GSI servers are often identified as 'host' not 'khttp'. + Change following lines if you want to use GSI */ token.length = strlen("khttp@") + strlen(conn->hostname) + 1; -#els - token.length = strlen("host/") + strlen(conn->hostname) + 1; -#endif if (token.length + 1 > sizeof(name)) return EMSGSIZE; -#ifdef KRB5 sprintf(name, "khttp@%s", conn->hostname); -#else - sprintf(name, "host/%s", conn->hostname); -#endif + token.value = (void *) name; major_status = gss_import_name(&minor_status, &token, -- cgit v1.2.1 From fd42247cacff58fddba6a2629aa2978241f68402 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 11 Sep 2003 22:21:11 +0000 Subject: Tim Bartley's patch that makes the GSSNEGOTIATE option work for Microsoft's "Negotiate" authentication as well. --- lib/http_negotiate.c | 41 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 1a0f2dba4..5012b0764 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
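Review bot: The surviving `return EMSGSIZE;` in get_gss_name is an errno value while the function's other failure returns `-1`, and Curl_input_negotiate forwards whichever it receives with `return ret;`, so one function yields two incompatible error encodings; return `-1` here too, or map it at the call site. The new comment describes the GSI `host/…` form but, with the `#ifdef KRB5` alternative removed, there is no longer any build-time way to select it, so "Change following lines" now means editing the source — say so explicitly, e.g. `/* No configure switch selects the GSI form; edit the format below. */`. The body of get_gss_name continues past the end of this hunk.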
@@ -50,24 +50,35 @@ static int get_gss_name(struct connectdata *conn, gss_name_t *server) { + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status; gss_buffer_desc token = GSS_C_EMPTY_BUFFER; char name[2048]; + const char* service; /* GSSAPI implementation by Globus (known as GSI) requires the name to be of form "/" instead of @ (ie. slash instead of at-sign). Also GSI servers are often identified as 'host' not 'khttp'. Change following lines if you want to use GSI */ - token.length = strlen("khttp@") + strlen(conn->hostname) + 1; + + /* IIS uses the @ form but uses 'http' as the service name */ + + if (neg_ctx->gss) + service = "khttp"; + else + service = "http"; + + token.length = strlen(service) + 1 + strlen(conn->hostname) + 1; if (token.length + 1 > sizeof(name)) return EMSGSIZE; - sprintf(name, "khttp@%s", conn->hostname); + sprintf(name, "%s@%s", service, conn->hostname); token.value = (void *) name; major_status = gss_import_name(&minor_status, &token, GSS_C_NT_HOSTBASED_SERVICE, server); + return GSS_ERROR(major_status) ? -1 : 0; } @@ -107,12 +118,32 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; int ret; size_t len; + bool gss; + const char* protocol; while(*header && isspace((int)*header)) header++; - if(!checkprefix("GSS-Negotiate", header)) + if(checkprefix("GSS-Negotiate", header)) { + protocol = "GSS-Negotiate"; + gss = TRUE; + } + else if (checkprefix("Negotiate", header)) { + protocol = "Negotiate"; + gss = FALSE; + } + else return -1; + if (neg_ctx->context) { + if (neg_ctx->gss != gss) { + return -1; + } + } + else { + neg_ctx->protocol = protocol; + neg_ctx->gss = gss; + } + if (neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { /* We finished succesfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we 
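Review bot: `token.length = strlen(service) + 1 + strlen(conn->hostname) + 1;` is the formatted name's length plus one, so the buffer passed to gss_import_name appears to include the terminating NUL; whether a GSS_C_NT_HOSTBASED_SERVICE import tolerates a trailing NUL is implementation-specific, so either drop the final `+ 1` (the `sizeof(name)` check can stay as written) or add a comment saying the NUL is intentional. The comment block above the new code still reads as though the service were fixed to `khttp`; it should mention that `neg_ctx->gss` now chooses between `khttp` and `http`.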
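Review bot: When a context already exists but the scheme differs (`neg_ctx->gss != gss`), the new branch returns -1 and leaves the context, server_name and any pending output_token allocated; the GSS_S_COMPLETE branch just below calls `Curl_cleanup_negotiate(conn->data);` before returning, and this path should do the same so the state is not half-initialised for the next response. `neg_ctx->protocol` is only assigned when no context exists, so the later `header += strlen(neg_ctx->protocol)` relies on the header that created the context having fixed the scheme — worth a comment at the assignment, `/* the scheme is fixed by the header that created the context */`. Curl_input_negotiate continues beyond this hunk.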
@@ -125,7 +156,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) (ret = get_gss_name(conn, &neg_ctx->server_name))) return ret; - header += strlen("GSS-Negotiate"); + header += strlen(neg_ctx->protocol); while(*header && isspace((int)*header)) header++; @@ -188,7 +219,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = - aprintf("Authorization: GSS-Negotiate %s\r\n", encoded); + aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded); free(encoded); gss_release_buffer(&minor_status, &neg_ctx->output_token); return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; -- cgit v1.2.1 From 09ccfcdcd422fc0b0421562bbdcf53f78a3f3e4b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 19 Sep 2003 12:56:22 +0000 Subject: Markus Moeller's SPNEGO patch applied, with my edits, additions and minor cleanups. --- lib/http_negotiate.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 88 insertions(+), 4 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 5012b0764..fcbb3eadb 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -22,7 +22,10 @@ ***************************************************************************/ #include "setup.h" -#ifdef GSSAPI +#ifdef HAVE_GSSAPI +#ifdef HAVE_GSSMIT +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif #ifndef CURL_DISABLE_HTTP /* -- WIN32 approved -- */ 
@@ -171,6 +174,46 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) if (rawlen < 0) return -1; input_token.length = rawlen; + +#ifdef SPNEGO /* Handle SPNEGO */ + if (checkprefix("Negotiate", header)) { + ASN1_OBJECT * object = NULL; + int rc = 1; + unsigned char * spnegoToken = NULL; + size_t spnegoTokenLength = 0; + unsigned char * mechToken = NULL; + size_t mechTokenLength = 0; + + spnegoToken = malloc(input_token.length); + if (input_token.value == NULL) + return ENOMEM; + spnegoTokenLength = input_token.length; + + object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); + if (!parseSpnegoTargetToken(spnegoToken, + spnegoTokenLength, + NULL, + NULL, + &mechToken, + &mechTokenLength, + NULL, + NULL)) { + free(spnegoToken); + spnegoToken = NULL; + infof(conn->data, "Parse SPNEGO Target Token failed\n"); + } + else { + free(input_token.value); + input_token.value = NULL; + input_token.value = malloc(mechTokenLength); + memcpy(input_token.value, mechToken,mechTokenLength); + input_token.length = mechTokenLength; + free(mechToken); + mechToken = NULL; + infof(conn->data, "Parse SPNEGO Target Token succeded\n"); + } + } +#endif } major_status = gss_init_sec_context(&minor_status, 
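Review bot: In the new SPNEGO block `spnegoToken` is malloc'd but never filled — there is no copy from `input_token.value` — so parseSpnegoTargetToken runs over uninitialised heap, and the NULL check that follows tests `input_token.value` instead of `spnegoToken`. On the success path `spnegoToken` is never freed, the `malloc(mechTokenLength)` result is used by memcpy without a check, and `object` from OBJ_txt2obj is neither used nor released (as is `rc`). The rewrite below copies the token before parsing, checks every allocation and frees each intermediate on both paths; it assumes `mechToken` is owned by the caller on success, as the existing `free(mechToken)` implies.
```c
#ifdef SPNEGO /* Handle SPNEGO */
    if (checkprefix("Negotiate", header)) {
      unsigned char *spnegoToken;
      size_t spnegoTokenLength = input_token.length;
      unsigned char *mechToken = NULL;
      size_t mechTokenLength = 0;

      spnegoToken = malloc(spnegoTokenLength);
      if (spnegoToken == NULL) {
        free(input_token.value);
        return ENOMEM;
      }
      memcpy(spnegoToken, input_token.value, spnegoTokenLength);

      if (!parseSpnegoTargetToken(spnegoToken, spnegoTokenLength,
                                  NULL, NULL,
                                  &mechToken, &mechTokenLength,
                                  NULL, NULL)) {
        infof(conn->data, "Parse SPNEGO Target Token failed\n");
      }
      else {
        /* hand the inner mechanism token to gss_init_sec_context instead
           of the SPNEGO wrapper; mechToken is ours to own from here on */
        free(input_token.value);
        input_token.value = mechToken;
        input_token.length = mechTokenLength;
        infof(conn->data, "Parse SPNEGO Target Token succeded\n");
      }
      free(spnegoToken);
    }
#endif
```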
@@ -212,9 +255,50 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 minor_status; char *encoded = NULL; - int len = Curl_base64_encode(neg_ctx->output_token.value, - neg_ctx->output_token.length, - &encoded); + int len; + +#ifdef SPNEGO /* Handle SPNEGO */ + if (checkprefix("Negotiate",neg_ctx->protocol)) { + ASN1_OBJECT * object = NULL; + int rc = 1; + unsigned char * spnegoToken = NULL; + size_t spnegoTokenLength = 0; + unsigned char * responseToken = NULL; + size_t responseTokenLength = 0; + + responseToken = malloc(neg_ctx->output_token.length); + if ( responseToken == NULL) + return CURLE_OUT_OF_MEMORY; + memcpy(responseToken, neg_ctx->output_token.value, + neg_ctx->output_token.length); + responseTokenLength = neg_ctx->output_token.length; + + object=OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); + if (!makeSpnegoInitialToken (object, + responseToken, + responseTokenLength, + &spnegoToken, + &spnegoTokenLength)) { + free(responseToken); + responseToken = NULL; + infof(conn->data, "Make SPNEGO Initial Token failed\n"); + } + else { + free(neg_ctx->output_token.value); + responseToken = NULL; + neg_ctx->output_token.value = malloc(spnegoTokenLength); + memcpy(neg_ctx->output_token.value, spnegoToken,spnegoTokenLength); + neg_ctx->output_token.length = spnegoTokenLength; + free(spnegoToken); + spnegoToken = NULL; + infof(conn->data, "Make SPNEGO Initial Token succeded\n"); + } + } +#endif + len = Curl_base64_encode(neg_ctx->output_token.value, + neg_ctx->output_token.length, + &encoded); + if (len < 0) return CURLE_OUT_OF_MEMORY; -- cgit v1.2.1 From 471c30372b6ccd6cd24ae8b554c3dec9e2951c08 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 27 Nov 2003 09:52:44 +0000 Subject: Markus Moeller's change to check for HAVE_SPNEGO instead of the previous --- lib/http_negotiate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') 
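Review bot: The success path of the new SPNEGO block does `free(neg_ctx->output_token.value)` on a buffer that gss_init_sec_context allocated and that Curl_cleanup_negotiate releases with gss_release_buffer, then stores a malloc'd replacement that the `gss_release_buffer` after the encode (outside this hunk) will release — both directions pair the wrong allocator and deallocator. `responseToken` is only freed on the failure path (the success path merely sets it to NULL), the `malloc(spnegoTokenLength)` result is used without a NULL check, and `object` from OBJ_txt2obj is never released with ASN1_OBJECT_free; `rc` is unused. The rewrite below leaves the GSS buffer untouched, encodes from a local pointer that is either the GSS token or the malloc'd SPNEGO token, and frees the latter with `free()` after encoding; it assumes makeSpnegoInitialToken does not take ownership of its input buffer.
```c
  void *to_encode = neg_ctx->output_token.value;
  size_t to_encode_len = neg_ctx->output_token.length;
  unsigned char *spnegoToken = NULL; /* malloc'd by makeSpnegoInitialToken */

#ifdef SPNEGO /* Handle SPNEGO */
  if (checkprefix("Negotiate", neg_ctx->protocol)) {
    ASN1_OBJECT *object = OBJ_txt2obj("1.2.840.113554.1.2.2", 1);
    size_t spnegoTokenLength = 0;

    if (object == NULL)
      return CURLE_OUT_OF_MEMORY;
    if (!makeSpnegoInitialToken(object,
                                neg_ctx->output_token.value,
                                neg_ctx->output_token.length,
                                &spnegoToken, &spnegoTokenLength)) {
      infof(conn->data, "Make SPNEGO Initial Token failed\n");
    }
    else {
      to_encode = spnegoToken;
      to_encode_len = spnegoTokenLength;
      infof(conn->data, "Make SPNEGO Initial Token succeded\n");
    }
    ASN1_OBJECT_free(object);
  }
#endif
  len = Curl_base64_encode(to_encode, to_encode_len, &encoded);
  free(spnegoToken); /* NULL unless SPNEGO wrapping happened */
  /* … unchanged: len < 0 check, aprintf, free(encoded), gss_release_buffer … */
```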
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index fcbb3eadb..bc3609885 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -175,7 +175,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) return -1; input_token.length = rawlen; -#ifdef SPNEGO /* Handle SPNEGO */ +#ifdef HAVE_SPNEGO /* Handle SPNEGO */ if (checkprefix("Negotiate", header)) { ASN1_OBJECT * object = NULL; int rc = 1; @@ -257,7 +257,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) char *encoded = NULL; int len; -#ifdef SPNEGO /* Handle SPNEGO */ +#ifdef HAVE_SPNEGO /* Handle SPNEGO */ if (checkprefix("Negotiate",neg_ctx->protocol)) { ASN1_OBJECT * object = NULL; int rc = 1; -- cgit v1.2.1 From 053f6c85efd0bf698f73343989474d672d0563a8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 7 Jan 2004 09:19:33 +0000 Subject: updated year in the copyright string --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index bc3609885..2dc09eed3 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2003, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2004, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms -- cgit v1.2.1 From 4b9f8e766d0c4d989b0188a6dfd3c667e49a93a9 Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Tue, 27 Apr 2004 13:56:23 +0000 Subject: Made host name and proxy name get stored in a 'struct hostname' and set all things up to work with encoded host names internally, as well as keeping 'display names' to show in debug messages. IDN resolves work for me now using ipv6, ipv4 and ares resolving. Even cookies on IDN sites seem to do right. --- lib/http_negotiate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 2dc09eed3..df0d6ab84 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -71,10 +71,10 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) else service = "http"; - token.length = strlen(service) + 1 + strlen(conn->hostname) + 1; + token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; if (token.length + 1 > sizeof(name)) return EMSGSIZE; - sprintf(name, "%s@%s", service, conn->hostname); + sprintf(name, "%s@%s", service, conn->host.name); token.value = (void *) name; major_status = gss_import_name(&minor_status, -- cgit v1.2.1 From bbafb2eb27954c34967f91c705e74cc0c186970d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 11 May 2004 11:30:23 +0000 Subject: curl_global_init_mem() allows the memory functions to be replaced. memory.h is included everywhere for this. --- lib/http_negotiate.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index df0d6ab84..ece40692b 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -41,14 +41,13 @@ #include "strequal.h" #include "base64.h" #include "http_negotiate.h" +#include "memory.h" #define _MPRINTF_REPLACE /* use our functions only */ #include /* The last #include file should be: */ -#ifdef CURLDEBUG #include "memdebug.h" -#endif static int get_gss_name(struct connectdata *conn, gss_name_t *server) -- cgit v1.2.1 
From feb2dd283533f842c9b6e4cc2fcc7fd35638d5a0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 24 Jun 2004 11:54:11 +0000 Subject: Replaced all uses of sprintf() with the safer snprintf(). It is just a precaution to prevent mistakes to lead to buffer overflows. --- lib/http_negotiate.c | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index ece40692b..71bd3513a 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -1,8 +1,8 @@ /*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * * Copyright (C) 1998 - 2004, Daniel Stenberg, , et al. @@ -10,7 +10,7 @@ * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms * are also available at http://curl.haxx.se/docs/copyright.html. - * + * * You may opt to use, copy, modify, merge, publish, distribute and/or sell * copies of the Software, and permit persons to whom the Software is * furnished to do so, under the terms of the COPYING file. @@ -28,7 +28,7 @@ #endif #ifndef CURL_DISABLE_HTTP -/* -- WIN32 approved -- */ + /* -- WIN32 approved -- */ #include #include #include @@ -64,8 +64,8 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) Change following lines if you want to use GSI */ /* IIS uses the @ form but uses 'http' as the service name */ - - if (neg_ctx->gss) + + if (neg_ctx->gss) service = "khttp"; else service = "http"; 
@@ -73,7 +73,8 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; if (token.length + 1 > sizeof(name)) return EMSGSIZE; - sprintf(name, "%s@%s", service, conn->host.name); + + snprintf(name, sizeof(name), "%s@%s", service, conn->host.name); token.value = (void *) name; major_status = gss_import_name(&minor_status, @@ -102,8 +103,9 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) GSS_C_NO_OID, &msg_ctx, &status_string); - if (sizeof(buf) > len + status_string.length + 1) { - sprintf(buf + len, ": %s", (char*) status_string.value); + if (sizeof(buf) > len + status_string.length + 1) { + snprintf(buf + len, sizeof(buf) - len, + ": %s", (char*) status_string.value); len += status_string.length; } gss_release_buffer(&min_stat, &status_string); @@ -113,7 +115,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) } int Curl_input_negotiate(struct connectdata *conn, char *header) -{ +{ struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; @@ -145,7 +147,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) neg_ctx->protocol = protocol; neg_ctx->gss = gss; } - + if (neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { /* We finished succesfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we @@ -247,10 +249,10 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) return 0; } - + CURLcode Curl_output_negotiate(struct connectdata *conn) -{ +{ struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 minor_status; char *encoded = NULL; 
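Review bot: After the new snprintf in log_gss_error, `len += status_string.length;` still ignores the two bytes of `": "` that were written, so the next iteration starts its snprintf two characters before the end of the previous message and overwrites its tail; advance by what was actually written, `len += 2 + status_string.length;`, or better use snprintf's return value clamped to `sizeof(buf) - len - 1`. The guard `sizeof(buf) > len + status_string.length + 1` leaves out the separator as well, which is why the old sprintf could write one byte past `buf`; with snprintf that becomes silent truncation, but the guard should still count the separator. log_gss_error starts and ends outside this hunk.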
@@ -264,7 +266,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) size_t spnegoTokenLength = 0; unsigned char * responseToken = NULL; size_t responseTokenLength = 0; - + responseToken = malloc(neg_ctx->output_token.length); if ( responseToken == NULL) return CURLE_OUT_OF_MEMORY; @@ -309,7 +311,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) } void Curl_cleanup_negotiate(struct SessionHandle *data) -{ +{ OM_uint32 minor_status; struct negotiatedata *neg_ctx = &data->state.negotiate; @@ -321,7 +323,7 @@ void Curl_cleanup_negotiate(struct SessionHandle *data) if (neg_ctx->server_name != GSS_C_NO_NAME) gss_release_name(&minor_status, &neg_ctx->server_name); - + memset(neg_ctx, 0, sizeof(*neg_ctx)); } -- cgit v1.2.1 From 9c4ffcc25097cedfa71dce42d4bdbcf273765313 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 5 Aug 2004 18:52:54 +0000 Subject: Enrico Scholz fixed the service name to be uppercase as reported in bug report #1004105 --- lib/http_negotiate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 71bd3513a..43f1da44b 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -66,9 +66,9 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) /* IIS uses the @ form but uses 'http' as the service name */ if (neg_ctx->gss) - service = "khttp"; + service = "KHTTP"; else - service = "http"; + service = "HTTP"; token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; if (token.length + 1 > sizeof(name)) -- cgit v1.2.1 From 527f70e540b68bcdb338cd5a133bbf17daf0105a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 22 Feb 2005 12:10:30 +0000 Subject: Curl_base64_decode() now returns an allocated buffer --- lib/http_negotiate.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'lib/http_negotiate.c') 
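Review bot: The reason for switching to `"KHTTP"` and `"HTTP"` lives only in the commit message, and a later reader of get_gss_name will see an unexplained case change in a Kerberos service name; add a one-line comment above the `if (neg_ctx->gss)`, e.g. `/* upper-case service names, see bug report #1004105 */`. The comment block above it that speaks of `khttp` in lower case should be updated to match.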
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 43f1da44b..68f769913 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -166,12 +166,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) len = strlen(header); if (len > 0) { - int rawlen; - input_token.length = (len+3)/4 * 3; - input_token.value = malloc(input_token.length); - if (input_token.value == NULL) - return ENOMEM; - rawlen = Curl_base64_decode(header, input_token.value); + int rawlen = Curl_base64_decode(header, &input_token.value); if (rawlen < 0) return -1; input_token.length = rawlen; -- cgit v1.2.1 From 9798432f567f1589f1da6216e2795ab10b733128 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Thu, 24 Feb 2005 18:54:23 +0000 Subject: Fixed some compiler warnings. Fixed a low incidence memory leak in the test server. --- lib/http_negotiate.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 68f769913..bfcef84ac 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -166,7 +166,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) len = strlen(header); if (len > 0) { - int rawlen = Curl_base64_decode(header, &input_token.value); + int rawlen = Curl_base64_decode(header, (unsigned char **)&input_token.value); if (rawlen < 0) return -1; input_token.length = rawlen; @@ -206,7 +206,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) input_token.length = mechTokenLength; free(mechToken); mechToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token succeded\n"); + infof(conn->data, "Parse SPNEGO Target Token succeeded\n"); } } #endif 
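Review bot: Now that Curl_base64_decode allocates `input_token.value` itself, the buffer is malloc'd by libcurl but is still released further down (outside this hunk) with `gss_release_buffer(&minor_status2, &input_token);`, which is defined only for buffers the GSS implementation allocated; replace that call with `free(input_token.value);`. The `rawlen < 0` path still returns without freeing, and whether Curl_base64_decode leaves `*outptr` allocated on failure is not visible here, so either free it on that path or document the contract where the decoder is declared. Curl_input_negotiate starts and ends outside this hunk.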
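Review bot: The new `(unsigned char **)&input_token.value` cast makes Curl_base64_decode write an `unsigned char *` through storage declared as `void *`; those are distinct object types, so this is an aliasing workaround rather than a warning fix. Decode into a local instead, `unsigned char *raw = NULL; int rawlen = Curl_base64_decode(header, &raw); input_token.value = raw;`, which needs no cast and makes the intent obvious to the next reader.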
@@ -287,7 +287,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) neg_ctx->output_token.length = spnegoTokenLength; free(spnegoToken); spnegoToken = NULL; - infof(conn->data, "Make SPNEGO Initial Token succeded\n"); + infof(conn->data, "Make SPNEGO Initial Token succeeded\n"); } } #endif -- cgit v1.2.1 From ab4086bc244bf3267976e9f0193e5ed4430190d8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 31 Mar 2005 07:02:02 +0000 Subject: Updated the copyright year since changes have been this year. --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index bfcef84ac..f859a8bee 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2004, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms -- cgit v1.2.1 From 10beb36b1cd1479d14b245a922e1ab49d9a8b1f9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 18 Feb 2006 22:27:01 +0000 Subject: =?UTF-8?q?Ulf=20H=E4rnhammar=20fixed=20a=20format=20string=20(pri?= =?UTF-8?q?ntf=20style)=20problem=20in=20the=20Negotiate=20code.=20It=20sh?= =?UTF-8?q?ould=20however=20not=20be=20the=20cause=20of=20any=20troubles.?= =?UTF-8?q?=20He=20also=20fixed=20a=20few=20similar=20problems=20in=20the?= =?UTF-8?q?=20HTTP=20test=20server=20code.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index f859a8bee..f407d5090 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
@@ -111,7 +111,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix)
 gss_release_buffer(&min_stat, &status_string);
 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
- infof(conn->data, buf);
+ infof(conn->data, "%s", buf);
 }
 int Curl_input_negotiate(struct connectdata *conn, char *header)
-- cgit v1.2.1
From e85e30546c89e17b6fb0cf383de25b7ed7f3bf3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 4 May 2006 22:39:47 +0000
Subject: Roland Blom filed bug report #1481217 (http://curl.haxx.se/bug/view.cgi?id=1481217), with follow-ups by Michele Bini and David Byron. libcurl previously wrongly used GetLastError() on windows to get error details after socket-related function calls, when it really should use WSAGetLastError() instead. When changing to this, the former function Curl_ourerrno() is now instead called Curl_sockerrno() as it is necessary to only use it to get errno from socket-related functions as otherwise it won't work as intended on Windows.
---
 lib/http_negotiate.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'lib/http_negotiate.c')
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index f407d5090..70062f85a 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -34,7 +34,6 @@
 #include
 #include
 #include
-#include
 #include "urldata.h"
 #include "sendf.h"
-- cgit v1.2.1
From 44d84ac1646cf04ccc2c1a736f3c9d1644ccacec Mon Sep 17 00:00:00 2001
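Review bot: `infof(conn->data, "%s", buf);` is the right fix — buf is assembled from gss_display_status output and must never be used as the format itself. One inconsistency remains: every other infof() message visible in this file ends with "\n" (for example "Parse SPNEGO Target Token succeeded\n"), while this one does not, so unless infof() appends a newline itself (not visible here) the line should read `infof(conn->data, "%s\n", buf);`. The body of log_gss_error, including the loop that builds buf, starts outside the hunk.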
From: Daniel Stenberg Date: Tue, 17 Oct 2006 21:32:56 +0000 Subject: Avoid typecasting a signed char to an int when using is*() functions, as that could very well cause a negate number get passed in and thus cause reading outside of the array usually used for this purpose. We avoid this by using the uppercase macro versions introduced just now that does some extra crazy typecasts to avoid byte codes > 127 to cause negative int values. --- lib/http_negotiate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 70062f85a..eb5bd92d1 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -124,7 +124,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) bool gss; const char* protocol; - while(*header && isspace((int)*header)) + while(*header && ISSPACE(*header)) header++; if(checkprefix("GSS-Negotiate", header)) { protocol = "GSS-Negotiate"; @@ -160,7 +160,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) return ret; header += strlen(neg_ctx->protocol); - while(*header && isspace((int)*header)) + while(*header && ISSPACE(*header)) header++; len = strlen(header); -- cgit v1.2.1 From 359d5009089b8b9450ab54825c08448f9e51ed64 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 3 Jan 2007 23:04:38 +0000 Subject: - David McCreedy made changes to allow base64 encoding/decoding to work on non-ASCII platforms. --- lib/http_negotiate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index eb5bd92d1..bdfeefa0a 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -290,7 +290,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) } } #endif - len = Curl_base64_encode(neg_ctx->output_token.value, + len = Curl_base64_encode(conn->data, + neg_ctx->output_token.value, neg_ctx->output_token.length, &encoded); -- cgit v1.2.1 From c321b9f7046e96aa269635d9deafa357a118e88c Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Wed, 4 Apr 2007 23:41:35 +0000 Subject: Fixes some more out of memory handling bugs. --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index bdfeefa0a..ac93413cf 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -295,7 +295,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) neg_ctx->output_token.length, &encoded); - if (len < 0) + if (len == 0) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = -- cgit v1.2.1 From 8cf0814a143d99de813fbd1653b785252b4c58a6 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Mon, 27 Aug 2007 06:31:28 +0000 Subject: Fixed some minor type mismatches and missing consts mainly found by splint. --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index ac93413cf..f504c12d8 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
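Review bot: `if (len == 0)` no longer catches a negative return, yet `len` is still declared `int` in Curl_output_negotiate (the `int len;` context appears elsewhere on this page), so if Curl_base64_encode can still report an error as a negative value it now flows into aprintf. If failure is now signalled only by 0, the declaration should follow the contract, `size_t len;`; otherwise keep `if (len <= 0)`. A zero-length encoding is also reported as CURLE_OUT_OF_MEMORY, which is misleading if an empty output token is ever legitimate — a short comment stating that 0 means allocation failure would settle it. Curl_output_negotiate begins and continues outside the hunk.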
@@ -113,7 +113,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } -int Curl_input_negotiate(struct connectdata *conn, char *header) +int Curl_input_negotiate(struct connectdata *conn, const char *header) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; -- cgit v1.2.1 From 015d5869d7e3daf81548e4d5d55209adfd4285bf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 21 Sep 2007 11:05:31 +0000 Subject: Mark Davies fixed Negotiate authentication over proxy, and also introduced the --proxy-negotiate command line option to allow a user to explicitly select it. --- lib/http_negotiate.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index f504c12d8..f5cc6cc6c 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -49,7 +49,7 @@ #include "memdebug.h" static int -get_gss_name(struct connectdata *conn, gss_name_t *server) +get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status; @@ -69,11 +69,11 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) else service = "HTTP"; - token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; + token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1; if (token.length + 1 > sizeof(name)) return EMSGSIZE; - snprintf(name, sizeof(name), "%s@%s", service, conn->host.name); + snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name); token.value = (void *) name; major_status = gss_import_name(&minor_status, 
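Review bot: `proxy ? conn->proxy.name : conn->host.name` is evaluated twice in the @@ -69 hunk, once for token.length and once in the snprintf() call; hoisting it keeps the two in agreement and shortens both lines: `const char *host = proxy ? conn->proxy.name : conn->host.name;`. The length handed to gss_import_name counts the terminating NUL (the trailing `+ 1`); whether the hostbased-service name type is meant to see that byte is not visible here and deserves a comment either way. get_gss_name's body continues past the end of the hunk.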
@@ -113,7 +113,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } -int Curl_input_negotiate(struct connectdata *conn, const char *header) +int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; @@ -156,7 +156,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header) } if (neg_ctx->server_name == NULL && - (ret = get_gss_name(conn, &neg_ctx->server_name))) + (ret = get_gss_name(conn, proxy, &neg_ctx->server_name))) return ret; header += strlen(neg_ctx->protocol); @@ -245,7 +245,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header) } -CURLcode Curl_output_negotiate(struct connectdata *conn) +CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 minor_status; @@ -299,7 +299,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = - aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded); + aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); free(encoded); gss_release_buffer(&minor_status, &neg_ctx->output_token); return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; -- cgit v1.2.1 From ad6e28073c985a42e8b15d2234baa7ef67ffcb35 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 5 Nov 2007 09:45:09 +0000 Subject: removed space after if and while before the parenthesis for better source code consistency --- lib/http_negotiate.c | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index f5cc6cc6c..e9230fcc2 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
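Review bot: The @@ -299 hunk formats a Proxy-Authorization header when proxy is set but still stores it in `conn->allocptr.userpwd`, the slot the non-proxy path uses for the origin server's Authorization header, so a proxy and a host header cannot coexist and a proxy credential ends up in the origin-directed slot. When proxy is true the string belongs in a proxy-specific slot (`conn->allocptr.proxyuserpwd`, which appears elsewhere on this page), and the NULL check on the return line must test that same pointer. Curl_output_negotiate begins outside the hunk.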
@@ -64,13 +64,13 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) /* IIS uses the @ form but uses 'http' as the service name */ - if (neg_ctx->gss) + if(neg_ctx->gss) service = "KHTTP"; else service = "HTTP"; token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1; - if (token.length + 1 > sizeof(name)) + if(token.length + 1 > sizeof(name)) return EMSGSIZE; snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name); @@ -102,13 +102,13 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) GSS_C_NO_OID, &msg_ctx, &status_string); - if (sizeof(buf) > len + status_string.length + 1) { + if(sizeof(buf) > len + status_string.length + 1) { snprintf(buf + len, sizeof(buf) - len, ": %s", (char*) status_string.value); len += status_string.length; } gss_release_buffer(&min_stat, &status_string); - } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + } while(!GSS_ERROR(maj_stat) && msg_ctx != 0); infof(conn->data, "%s", buf); } @@ -130,15 +130,15 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade protocol = "GSS-Negotiate"; gss = TRUE; } - else if (checkprefix("Negotiate", header)) { + else if(checkprefix("Negotiate", header)) { protocol = "Negotiate"; gss = FALSE; } else return -1; - if (neg_ctx->context) { - if (neg_ctx->gss != gss) { + if(neg_ctx->context) { + if(neg_ctx->gss != gss) { return -1; } } @@ -147,7 +147,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade neg_ctx->gss = gss; } - if (neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { + if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { /* We finished succesfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we * can't invent anything better */ 
@@ -155,7 +155,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade return -1; } - if (neg_ctx->server_name == NULL && + if(neg_ctx->server_name == NULL && (ret = get_gss_name(conn, proxy, &neg_ctx->server_name))) return ret; @@ -164,14 +164,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade header++; len = strlen(header); - if (len > 0) { + if(len > 0) { int rawlen = Curl_base64_decode(header, (unsigned char **)&input_token.value); - if (rawlen < 0) + if(rawlen < 0) return -1; input_token.length = rawlen; #ifdef HAVE_SPNEGO /* Handle SPNEGO */ - if (checkprefix("Negotiate", header)) { + if(checkprefix("Negotiate", header)) { ASN1_OBJECT * object = NULL; int rc = 1; unsigned char * spnegoToken = NULL; @@ -180,12 +180,12 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade size_t mechTokenLength = 0; spnegoToken = malloc(input_token.length); - if (input_token.value == NULL) + if(input_token.value == NULL) return ENOMEM; spnegoTokenLength = input_token.length; object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); - if (!parseSpnegoTargetToken(spnegoToken, + if(!parseSpnegoTargetToken(spnegoToken, spnegoTokenLength, NULL, NULL, @@ -224,17 +224,17 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade &output_token, NULL, NULL); - if (input_token.length > 0) + if(input_token.length > 0) gss_release_buffer(&minor_status2, &input_token); neg_ctx->status = major_status; - if (GSS_ERROR(major_status)) { + if(GSS_ERROR(major_status)) { /* Curl_cleanup_negotiate(conn->data) ??? */ log_gss_error(conn, minor_status, (char *)"gss_init_sec_context() failed: "); return -1; } - if (output_token.length == 0) { + if(output_token.length == 0) { return -1; } 
@@ -253,7 +253,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) int len; #ifdef HAVE_SPNEGO /* Handle SPNEGO */ - if (checkprefix("Negotiate",neg_ctx->protocol)) { + if(checkprefix("Negotiate",neg_ctx->protocol)) { ASN1_OBJECT * object = NULL; int rc = 1; unsigned char * spnegoToken = NULL; @@ -262,14 +262,14 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) size_t responseTokenLength = 0; responseToken = malloc(neg_ctx->output_token.length); - if ( responseToken == NULL) + if( responseToken == NULL) return CURLE_OUT_OF_MEMORY; memcpy(responseToken, neg_ctx->output_token.value, neg_ctx->output_token.length); responseTokenLength = neg_ctx->output_token.length; object=OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); - if (!makeSpnegoInitialToken (object, + if(!makeSpnegoInitialToken (object, responseToken, responseTokenLength, &spnegoToken, @@ -295,7 +295,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) neg_ctx->output_token.length, &encoded); - if (len == 0) + if(len == 0) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = @@ -310,13 +310,13 @@ void Curl_cleanup_negotiate(struct SessionHandle *data) OM_uint32 minor_status; struct negotiatedata *neg_ctx = &data->state.negotiate; - if (neg_ctx->context != GSS_C_NO_CONTEXT) + if(neg_ctx->context != GSS_C_NO_CONTEXT) gss_delete_sec_context(&minor_status, &neg_ctx->context, GSS_C_NO_BUFFER); - if (neg_ctx->output_token.length != 0) + if(neg_ctx->output_token.length != 0) gss_release_buffer(&minor_status, &neg_ctx->output_token); - if (neg_ctx->server_name != GSS_C_NO_NAME) + if(neg_ctx->server_name != GSS_C_NO_NAME) gss_release_name(&minor_status, &neg_ctx->server_name); memset(neg_ctx, 0, sizeof(*neg_ctx)); -- cgit v1.2.1 From 86956c226130e4c9a088021047f79ef2c833697e Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Tue, 20 Nov 2007 23:02:58 +0000 Subject: white space changes only to clean up indent and source width --- lib/http_negotiate.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index e9230fcc2..5e88dc0a0 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -69,11 +69,13 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) else service = "HTTP"; - token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1; + token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : + conn->host.name) + 1; if(token.length + 1 > sizeof(name)) return EMSGSIZE; - snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name); + snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : + conn->host.name); token.value = (void *) name; major_status = gss_import_name(&minor_status, @@ -113,7 +115,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } -int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) +int Curl_input_negotiate(struct connectdata *conn, bool proxy, + const char *header) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; @@ -165,7 +168,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *heade len = strlen(header); if(len > 0) { - int rawlen = Curl_base64_decode(header, (unsigned char **)&input_token.value); + int rawlen = Curl_base64_decode(header, + (unsigned char **)&input_token.value); if(rawlen < 0) return -1; input_token.length = rawlen; 
@@ -299,7 +303,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = - aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); + aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", + neg_ctx->protocol, encoded); free(encoded); gss_release_buffer(&minor_status, &neg_ctx->output_token); return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; -- cgit v1.2.1 From b6575ce0b0fa74626c136a96b411f7baaca9c55b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 20 Nov 2007 23:17:08 +0000 Subject: While inspecting the Negotiate code, I noticed how the proxy auth was using the same state struct as the host auth, so both could never be used at the same time! I fixed it (without being able to check) to use two separate structs to allow authentication using Negotiate on host and proxy simultanouesly. --- lib/http_negotiate.c | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 5e88dc0a0..c584e28a6 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -51,7 +51,8 @@ static int get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) { - struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: + &conn->data->state.negotiate; OM_uint32 major_status, minor_status; gss_buffer_desc token = GSS_C_EMPTY_BUFFER; char name[2048]; 
@@ -98,12 +99,12 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) snprintf(buf, sizeof(buf), "%s", prefix); len = strlen(buf); do { - maj_stat = gss_display_status (&min_stat, - error_status, - GSS_C_MECH_CODE, - GSS_C_NO_OID, - &msg_ctx, - &status_string); + maj_stat = gss_display_status(&min_stat, + error_status, + GSS_C_MECH_CODE, + GSS_C_NO_OID, + &msg_ctx, + &status_string); if(sizeof(buf) > len + status_string.length + 1) { snprintf(buf + len, sizeof(buf) - len, ": %s", (char*) status_string.value); @@ -118,7 +119,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { - struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: + &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; @@ -251,13 +253,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) { - struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: + &conn->data->state.negotiate; OM_uint32 minor_status; char *encoded = NULL; int len; #ifdef HAVE_SPNEGO /* Handle SPNEGO */ - if(checkprefix("Negotiate",neg_ctx->protocol)) { + if(checkprefix("Negotiate", neg_ctx->protocol)) { ASN1_OBJECT * object = NULL; int rc = 1; unsigned char * spnegoToken = NULL; 
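Review bot: The selector `proxy?&conn->data->state.proxyneg: &conn->data->state.negotiate` now appears verbatim in get_gss_name, Curl_input_negotiate and Curl_output_negotiate (three hunks of this commit); a file-local helper would keep the three from drifting: `static struct negotiatedata *neg_state(struct connectdata *conn, bool proxy)` / `{ return proxy ? &conn->data->state.proxyneg : &conn->data->state.negotiate; }`. The spacing `proxy?&...:` also departs from the `proxy ? "Proxy-" : ""` form used further down in the same file. Each enclosing function continues beyond its hunk.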
@@ -310,11 +313,9 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; } -void Curl_cleanup_negotiate(struct SessionHandle *data) +static void cleanup(struct negotiatedata *neg_ctx) { OM_uint32 minor_status; - struct negotiatedata *neg_ctx = &data->state.negotiate; - if(neg_ctx->context != GSS_C_NO_CONTEXT) gss_delete_sec_context(&minor_status, &neg_ctx->context, GSS_C_NO_BUFFER); @@ -327,6 +328,12 @@ void Curl_cleanup_negotiate(struct SessionHandle *data) memset(neg_ctx, 0, sizeof(*neg_ctx)); } +void Curl_cleanup_negotiate(struct SessionHandle *data) +{ + cleanup(&data->state.negotiate); + cleanup(&data->state.proxyneg); +} + #endif #endif -- cgit v1.2.1 From 590f0358d86c402f94b329f2ce0d612cbb749c95 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 1 Mar 2008 22:32:03 +0000 Subject: - Anatoli Tubman found and fixed a crash with Negotiate authentication used on a re-used connection where both requests used Negotiate. --- lib/http_negotiate.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index c584e28a6..5baa58426 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2008, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -255,7 +255,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) { struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: &conn->data->state.negotiate; - OM_uint32 minor_status; char *encoded = NULL; int len; 
@@ -309,7 +308,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
 aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
 neg_ctx->protocol, encoded);
 free(encoded);
- gss_release_buffer(&minor_status, &neg_ctx->output_token);
+ Curl_cleanup_negotiate (conn->data);
 return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
 }
-- cgit v1.2.1
From d0a4b50e198ffdeb80c68d8ac497f50a5b5798c8 Mon Sep 17 00:00:00 2001
From: Michal Marek
Date: Mon, 7 Apr 2008 09:26:30 +0000
Subject: - Fix the MIT / Heimdal check for good: Define HAVE_GSSMIT if are available, otherwise define HAVE_GSSHEIMDAL if is available. Only define GSS_C_NT_HOSTBASED_SERVICE to gss_nt_service_name if GSS_C_NT_HOSTBASED_SERVICE isn't declared by the gssapi headers. This should avoid breakage in case we wrongly recognize Heimdal as MIT again.
---
 lib/http_negotiate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/http_negotiate.c')
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 5baa58426..f4aab7de4 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -23,7 +23,7 @@
 #include "setup.h"
 #ifdef HAVE_GSSAPI
-#ifdef HAVE_GSSMIT
+#ifdef HAVE_OLD_GSSMIT
 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
 #endif
-- cgit v1.2.1
From 84eb9fee765d8614b5f4d56e1db3ea02322301fe Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 12 Apr 2008 11:50:51 +0000
Subject: - Andre Guibert de Bruet found and fixed a case where malloc() was called but was not checked for a NULL return, in the Negotiate code.
---
 lib/http_negotiate.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'lib/http_negotiate.c')
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index f4aab7de4..ac8ad5802 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
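Review bot: `Curl_cleanup_negotiate (conn->data);` tears down both state.negotiate and state.proxyneg (the two cleanup() calls introduced by the preceding commit), so emitting the proxy header wipes any in-progress host Negotiate handshake and vice versa — the simultaneous use that the previous commit set out to allow. Releasing only the context this call produced keeps the crash fix without the collateral reset: `cleanup(neg_ctx);`, using the file-local helper shown in the earlier hunk. The same call survives unchanged in the @@ -330 hunk of the last commit on this page, and the space before the parenthesis is out of step with the rest of the file. Curl_output_negotiate begins outside the hunk.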
@@ -116,6 +116,8 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix)
 infof(conn->data, "%s", buf);
 }
+/* returning zero (0) means success, everything else is treated as "failure"
+ with no care exactly what the failure was */
 int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 const char *header)
 {
@@ -185,9 +187,13 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 unsigned char * mechToken = NULL;
 size_t mechTokenLength = 0;
- spnegoToken = malloc(input_token.length);
 if(input_token.value == NULL)
- return ENOMEM;
+ return CURLE_OUT_OF_MEMORY;
+
+ spnegoToken = malloc(input_token.length);
+ if(spnegoToken == NULL)
+ return CURLE_OUT_OF_MEMORY;
+
 spnegoTokenLength = input_token.length;
 object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);
-- cgit v1.2.1
From e0c2a39ad4624f5c6ddae4ac535cdaa55dcb4ce1 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 14 Apr 2008 15:22:45 +0000
Subject: - Andre Guibert de Bruet fixed a second case of not checking the malloc() return code in the Negotiate code.
---
 lib/http_negotiate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'lib/http_negotiate.c')
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index ac8ad5802..e7f934824 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -211,8 +211,10 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 }
 else {
 free(input_token.value);
- input_token.value = NULL;
 input_token.value = malloc(mechTokenLength);
+ if (input_token.value == NULL)
+ return CURLE_OUT_OF_MEMORY;
+
 memcpy(input_token.value, mechToken,mechTokenLength);
 input_token.length = mechTokenLength;
 free(mechToken);
-- cgit v1.2.1
From c57e748107935f94a16cda112f3b5dfce9a93481 Mon Sep 17 00:00:00 2001
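Review bot: The new `if(spnegoToken == NULL) return CURLE_OUT_OF_MEMORY;` in the @@ -185 hunk returns while input_token.value — filled by Curl_base64_decode above the hunk — is still owned by this function, so unless a caller releases it on a non-zero return (not visible here) the decoded token leaks on that path; `free(input_token.value);` before the return closes it. The header comment added in the @@ -116 hunk could also say what the non-zero values are, since the function returns both `-1` and CURLcode values through an int, e.g. `/* Returns 0 on success; any other value (a CURLcode or -1) only signals failure and must not be interpreted by the caller. */`. Curl_input_negotiate's body continues outside both hunks.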
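Review bot: `if (input_token.value == NULL) return CURLE_OUT_OF_MEMORY;` returns with mechToken still allocated — it is freed only on the success path three lines below — so the out-of-memory path now leaks the parsed mechanism token; add `free(mechToken);` before the return. The space after `if` also contradicts the `if(` form this file was converted to in an earlier commit on this page. The enclosing else-branch and function extend beyond the hunk.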
From: Yang Tse Date: Mon, 26 May 2008 03:10:34 +0000 Subject: David Rosenstrauch reported that header files spnegohelp.h and openssl/objects.h were needed to compile SPNEGO support. --- lib/http_negotiate.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index e7f934824..9644a751c 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -42,6 +42,15 @@ #include "http_negotiate.h" #include "memory.h" +#ifdef HAVE_SPNEGO +# include +# if defined(USE_OPENSSL) && !defined(USE_YASSLEMUL) +# include +# else +# error "Can't compile SPNEGO support without OpenSSL." +# endif +#endif + #define _MPRINTF_REPLACE /* use our functions only */ #include -- cgit v1.2.1 From 3e4a8cb800983ee276bbc118dcd5749fc852401a Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Sat, 16 Aug 2008 03:27:07 +0000 Subject: Fix Use of conditional definition of USE_OPENSSL --- lib/http_negotiate.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 9644a751c..d47c9aecd 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -43,12 +43,16 @@ #include "memory.h" #ifdef HAVE_SPNEGO -# include -# if defined(USE_OPENSSL) && !defined(USE_YASSLEMUL) -# include -# else -# error "Can't compile SPNEGO support without OpenSSL." -# endif +# include +# ifdef USE_SSLEAY +# ifdef USE_OPENSSL +# include +# else +# include +# endif +# else +# error "Can't compile SPNEGO support without OpenSSL." +# endif #endif #define _MPRINTF_REPLACE /* use our functions only */ -- cgit v1.2.1 From ac18b471d253f8d5c69d1044a59753f32bcd663f Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Sun, 17 Aug 2008 00:25:38 +0000 Subject: libcurl internal base64.h header file renamed to curl_base64.h --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') 
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index d47c9aecd..80c00a171 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -38,7 +38,7 @@ #include "urldata.h" #include "sendf.h" #include "strequal.h" -#include "base64.h" +#include "curl_base64.h" #include "http_negotiate.h" #include "memory.h" -- cgit v1.2.1 From 934708d950617688c7d294ea1ab583667f383ab1 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Tue, 2 Sep 2008 17:41:20 +0000 Subject: Made some variables const which eliminated some casts --- lib/http_negotiate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 80c00a171..b3099a24a 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -101,7 +101,7 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) } static void -log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) +log_gss_error(struct connectdata *conn, OM_uint32 error_status, const char *prefix) { OM_uint32 maj_stat, min_stat; OM_uint32 msg_ctx = 0; @@ -257,7 +257,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, if(GSS_ERROR(major_status)) { /* Curl_cleanup_negotiate(conn->data) ??? */ log_gss_error(conn, minor_status, - (char *)"gss_init_sec_context() failed: "); + "gss_init_sec_context() failed: "); return -1; } -- cgit v1.2.1 From b701ea36a723b2d7700e23ae53e2c3145dfe7bda Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 23 Oct 2008 11:49:19 +0000 Subject: moved the Curl_raw_ functions into the new lib/rawstr.c file for easier curlx_ inclusion by the curl tool without colliding with the curl_strequal functions. --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index b3099a24a..d8fb7a25d 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
@@ -37,7 +37,7 @@ #include "urldata.h" #include "sendf.h" -#include "strequal.h" +#include "rawstr.h" #include "curl_base64.h" #include "http_negotiate.h" #include "memory.h" -- cgit v1.2.1 From c621546bd608d5f836d165c2a33ff3d37e2e21e5 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Mon, 13 Apr 2009 07:18:39 +0000 Subject: fix compiler warning: implicit conversion shortens 64-bit value into a 32-bit value --- lib/http_negotiate.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index d8fb7a25d..814d6ed65 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2008, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -140,7 +140,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; int ret; - size_t len; + size_t len, rawlen; bool gss; const char* protocol; @@ -185,9 +185,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, len = strlen(header); if(len > 0) { - int rawlen = Curl_base64_decode(header, - (unsigned char **)&input_token.value); - if(rawlen < 0) + rawlen = Curl_base64_decode(header, + (unsigned char **)&input_token.value); + if(rawlen == 0) return -1; input_token.length = rawlen; @@ -277,7 +277,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: &conn->data->state.negotiate; char *encoded = NULL; - int len; + size_t len; #ifdef HAVE_SPNEGO /* Handle SPNEGO */ if(checkprefix("Negotiate", neg_ctx->protocol)) { -- cgit v1.2.1 
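Review bot: In the @@ -185 hunk, `rawlen` is now declared next to `len` at function scope although it is used only inside the `if(len > 0)` block; keeping the declaration where it was, `size_t rawlen = Curl_base64_decode(header, (unsigned char **)&input_token.value);`, limits its lifetime and reads better. With the return type change, `if(rawlen == 0)` has to stand for both "invalid input" and "decoded nothing"; if Curl_base64_decode allocates before reporting a bad input (not visible here) that buffer is still leaked on this path, and a one-line comment stating that 0 means decode failure would help the next reader. The function bodies in both hunks extend beyond their edges.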
From 33a3753c3f41d546ebf3350685eb7201d25783f4 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 21 Apr 2009 11:46:16 +0000 Subject: libcurl's memory.h renamed to curl_memory.h --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 814d6ed65..515a3a3b3 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -40,7 +40,7 @@ #include "rawstr.h" #include "curl_base64.h" #include "http_negotiate.h" -#include "memory.h" +#include "curl_memory.h" #ifdef HAVE_SPNEGO # include -- cgit v1.2.1 From 2309b4e330b96bc2e1f8e36b6184015e59544037 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 24 Mar 2010 11:02:54 +0100 Subject: remove the CVSish $Id$ lines --- lib/http_negotiate.c | 1 - 1 file changed, 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 515a3a3b3..956f7342b 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -18,7 +18,6 @@ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY * KIND, either express or implied. * - * $Id$ ***************************************************************************/ #include "setup.h" -- cgit v1.2.1 From 9e480973eb6175bcf7ddacb5c0356e3c16373253 Mon Sep 17 00:00:00 2001 From: Julien Chaffraix Date: Tue, 25 May 2010 06:53:48 -0700 Subject: OOM fixes in http_negociate.c and lib/splay.c Fix 2 OOM errors: a missing NULL-check in lib/http_negociate.c and a potential NULL dereferencing in lib/splay.c --- lib/http_negotiate.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 956f7342b..d51d45631 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
@@ -308,6 +308,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) free(neg_ctx->output_token.value); responseToken = NULL; neg_ctx->output_token.value = malloc(spnegoTokenLength); + if(neg_ctx->output_token.value == NULL) + return CURLE_OUT_OF_MEMORY; memcpy(neg_ctx->output_token.value, spnegoToken,spnegoTokenLength); neg_ctx->output_token.length = spnegoTokenLength; free(spnegoToken); -- cgit v1.2.1 From 69d07feb145bd4e34c5740946ea0ef405f98f628 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Wed, 2 Jun 2010 12:44:46 +0200 Subject: fix spnego memory leak --- lib/http_negotiate.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index d51d45631..ab1296e5b 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -305,11 +305,15 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) infof(conn->data, "Make SPNEGO Initial Token failed\n"); } else { - free(neg_ctx->output_token.value); + free(responseToken); responseToken = NULL; + free(neg_ctx->output_token.value); neg_ctx->output_token.value = malloc(spnegoTokenLength); - if(neg_ctx->output_token.value == NULL) + if(neg_ctx->output_token.value == NULL) { + free(spnegoToken); + spnegoToken = NULL; return CURLE_OUT_OF_MEMORY; + } memcpy(neg_ctx->output_token.value, spnegoToken,spnegoTokenLength); neg_ctx->output_token.length = spnegoTokenLength; free(spnegoToken); -- cgit v1.2.1 From 13b8fc46a3fd6b202a7f2df5f9aff4f26fe6c4db Mon Sep 17 00:00:00 2001 
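Review bot: On the new out-of-memory path in the `@@ -305,11 +305,15 @@` hunk, `neg_ctx->output_token.value` is left NULL while `neg_ctx->output_token.length` still holds the previous token's size, because the length is only rewritten after a successful malloc. Any later reader that trusts length before value (the rest of Curl_output_negotiate is outside the hunk) would dereference NULL. Resetting it in the same branch, `neg_ctx->output_token.length = 0;`, keeps the buffer descriptor consistent.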
From: Daniel Stenberg Date: Mon, 16 Aug 2010 22:19:38 +0200 Subject: negotiation: Wrong proxy authorization There's an error in http_negotiation.c where a mistake is using only userpwd even for proxy requests. Ludek provided a patch, but I decided to write the fix slightly different using his patch as inspiration. Reported by: Ludek Finstrle Bug: http://curl.haxx.se/bug/view.cgi?id=3046066 --- lib/http_negotiate.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index ab1296e5b..80b0b507d 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -277,6 +277,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) &conn->data->state.negotiate; char *encoded = NULL; size_t len; + char *userp; #ifdef HAVE_SPNEGO /* Handle SPNEGO */ if(checkprefix("Negotiate", neg_ctx->protocol)) { @@ -330,12 +331,16 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) if(len == 0) return CURLE_OUT_OF_MEMORY; - conn->allocptr.userpwd = - aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", - neg_ctx->protocol, encoded); + userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", + neg_ctx->protocol, encoded); + + if(proxy) + conn->allocptr.proxyuserpwd = userp; + else + conn->allocptr.userpwd = userp; free(encoded); Curl_cleanup_negotiate (conn->data); - return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; + return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; } static void cleanup(struct negotiatedata *neg_ctx) -- cgit v1.2.1 
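Review bot: In the `@@ -330,12 +331,16 @@` hunk the new `userp` is stored into `conn->allocptr.proxyuserpwd` or `conn->allocptr.userpwd` without releasing whatever that slot held before, so if an earlier header string can still be present here (not visible in the hunk) it is leaked on every re-authentication round. A `Curl_safefree(conn->allocptr.proxyuserpwd);` or `Curl_safefree(conn->allocptr.userpwd);` immediately before the respective assignment would close that. Curl_output_negotiate begins outside the hunk.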
From 1702a2c08d3a0ed5945f34e6cd38436611f65164 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 19 Apr 2011 15:54:13 +0200 Subject: Fix a couple of spelling errors in lib/ Found with codespell. --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 80b0b507d..673f8c908 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -167,7 +167,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, } if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { - /* We finished succesfully our part of authentication, but server + /* We finished successfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we * can't invent anything better */ Curl_cleanup_negotiate(conn->data); -- cgit v1.2.1 From b903186fa0189ff241d756d25d07fdfe9885ae49 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 20 Apr 2011 15:17:42 +0200 Subject: source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed. --- lib/http_negotiate.c | 79 ++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 39 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 673f8c908..6f9c109c6 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms 
@@ -100,7 +100,8 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
 }
 
 static void
-log_gss_error(struct connectdata *conn, OM_uint32 error_status, const char *prefix)
+log_gss_error(struct connectdata *conn, OM_uint32 error_status,
+ const char *prefix)
 {
 OM_uint32 maj_stat, min_stat;
 OM_uint32 msg_ctx = 0;
@@ -192,47 +193,47 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, #ifdef HAVE_SPNEGO /* Handle SPNEGO */ if(checkprefix("Negotiate", header)) { - ASN1_OBJECT * object = NULL; - int rc = 1; - unsigned char * spnegoToken = NULL; - size_t spnegoTokenLength = 0; - unsigned char * mechToken = NULL; - size_t mechTokenLength = 0; + ASN1_OBJECT * object = NULL; + int rc = 1; + unsigned char * spnegoToken = NULL; + size_t spnegoTokenLength = 0; + unsigned char * mechToken = NULL; + size_t mechTokenLength = 0; + + if(input_token.value == NULL) + return CURLE_OUT_OF_MEMORY; - if(input_token.value == NULL) - return CURLE_OUT_OF_MEMORY; + spnegoToken = malloc(input_token.length); + if(spnegoToken == NULL) + return CURLE_OUT_OF_MEMORY; - spnegoToken = malloc(input_token.length); - if(spnegoToken == NULL) + spnegoTokenLength = input_token.length; + + object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); + if(!parseSpnegoTargetToken(spnegoToken, + spnegoTokenLength, + NULL, + NULL, + &mechToken, + &mechTokenLength, + NULL, + NULL)) { + free(spnegoToken); + spnegoToken = NULL; + infof(conn->data, "Parse SPNEGO Target Token failed\n"); + } + else { + free(input_token.value); + input_token.value = malloc(mechTokenLength); + if(input_token.value == NULL) return CURLE_OUT_OF_MEMORY; - spnegoTokenLength = input_token.length; - - object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1); - if(!parseSpnegoTargetToken(spnegoToken, - spnegoTokenLength, - NULL, - NULL, - &mechToken, - &mechTokenLength, - NULL, - NULL)) { - free(spnegoToken); - spnegoToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token failed\n"); - } - else { - free(input_token.value); - input_token.value = malloc(mechTokenLength); - if (input_token.value == NULL) - return CURLE_OUT_OF_MEMORY; - - memcpy(input_token.value, mechToken,mechTokenLength); - input_token.length = mechTokenLength; - free(mechToken); - mechToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token succeeded\n"); - } + 
memcpy(input_token.value, mechToken,mechTokenLength); + input_token.length = mechTokenLength; + free(mechToken); + mechToken = NULL; + infof(conn->data, "Parse SPNEGO Target Token succeeded\n"); + } } #endif } -- cgit v1.2.1 From 889d1e973fb718a77c5000141d724ce03863af23 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 22 Apr 2011 23:01:30 +0200 Subject: whitespace cleanup: no space first in conditionals "if(a)" is our style, not "if( a )" --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 6f9c109c6..202d69ecc 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -290,7 +290,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) size_t responseTokenLength = 0; responseToken = malloc(neg_ctx->output_token.length); - if( responseToken == NULL) + if(responseToken == NULL) return CURLE_OUT_OF_MEMORY; memcpy(responseToken, neg_ctx->output_token.value, neg_ctx->output_token.length); -- cgit v1.2.1 From 5c314c6bb449bfca06c1cdc383c84e7661faf42c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 8 Jun 2011 00:10:26 +0200 Subject: Curl_input_negotiate: do not delegate GSSAPI credentials This is a security flaw. See curl advisory 20110623 for details. Reported by: Richard Silverman --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 202d69ecc..5127e6480 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -243,7 +243,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_OID, - GSS_C_DELEG_FLAG, + 0, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, -- cgit v1.2.1 From 6488e03f4421a039d0882561e8f96b2ae16ed7c4 Mon Sep 17 00:00:00 2001 
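Review bot: The bare `0` that replaces GSS_C_DELEG_FLAG in the `@@ -243,7 +243,7 @@` hunk carries no hint of why delegation was removed, and an unexplained zero in a flags position is exactly what a later cleanup is tempted to fill back in. A comment on that line, `0, /* req_flags: never delegate the client's credentials to the server */`, pins the decision in the code rather than only in the advisory. Note also that with 0 the context requests neither mutual authentication nor replay detection; the previous value did not request them either, so this is not a regression, but it is worth deciding deliberately. Curl_input_negotiate's body extends beyond the hunk.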
From: Julien Chaffraix Date: Mon, 27 Jun 2011 07:53:38 -0700 Subject: http_negociate: Be consistent in gss_init_sec_context attributes. This change makes this callsite match the rest of the code. --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 5127e6480..0bbe4364f 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -243,7 +243,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_OID, - 0, + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, -- cgit v1.2.1 From 20485a48858ea35351ca69060f56353eace0521c Mon Sep 17 00:00:00 2001 From: Julien Chaffraix Date: Fri, 10 Jun 2011 08:16:06 -0700 Subject: Added Curl_gss_init_sec_context. This function wraps our calls to gss_init_sec_context so that we have a unified way to talk to GSSAPI. --- lib/http_negotiate.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 0bbe4364f..075a52062 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -36,6 +36,7 @@ #include "urldata.h" #include "sendf.h" +#include "gssapi.h" #include "rawstr.h" #include "curl_base64.h" #include "http_negotiate.h" 
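Review bot: Requesting `GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG` in the `@@ -243,7 +243,7 @@` hunk is only a request to the mechanism; the flags actually granted come back through the ret_flags argument, which this call passes as NULL (the full argument list is visible in the next commit's `@@ -238,19 +239,20 @@` hunk, where the wrapper keeps that NULL). Without inspecting the returned flags once the status is GSS_S_COMPLETE, a peer that silently declines mutual authentication is indistinguishable from one that honoured it. Passing an `OM_uint32 ret_flags = 0;` and checking `if(!(ret_flags & GSS_C_MUTUAL_FLAG))` after completion, or at least logging it through infof, would make the outcome observable. The enclosing function starts outside the hunk.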
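Review bot: Naming the private header `gssapi.h` in the `@@ -36,6 +36,7 @@` hunk invites a collision with the GSS-API implementation's own `gssapi.h` whenever the lib directory is searched ahead of the system include paths, and which header wins then depends on the build environment rather than the source. A project-prefixed name, `#include "curl_gssapi.h"`, removes the ambiguity. The corresponding .c file name should follow the same convention.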
@@ -238,19 +239,20 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, #endif } - major_status = gss_init_sec_context(&minor_status, - GSS_C_NO_CREDENTIAL, - &neg_ctx->context, - neg_ctx->server_name, - GSS_C_NO_OID, - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, - 0, - GSS_C_NO_CHANNEL_BINDINGS, - &input_token, - NULL, - &output_token, - NULL, - NULL); + major_status = Curl_gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &neg_ctx->context, + neg_ctx->server_name, + GSS_C_NO_OID, + GSS_C_MUTUAL_FLAG + | GSS_C_REPLAY_FLAG, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, + NULL, + &output_token, + NULL, + NULL); if(input_token.length > 0) gss_release_buffer(&minor_status2, &input_token); neg_ctx->status = major_status; -- cgit v1.2.1 From 2af0287856ca0ba7fc4d80bf94e46bb2d4c6d96c Mon Sep 17 00:00:00 2001 From: Julien Chaffraix Date: Fri, 10 Jun 2011 08:26:34 -0700 Subject: gssapi.c: Simplified the function. Removed the parameters that were common to all our invocation. --- lib/http_negotiate.c | 7 ------- 1 file changed, 7 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 075a52062..e4a8ff259 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -240,18 +240,11 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, } major_status = Curl_gss_init_sec_context(&minor_status, - GSS_C_NO_CREDENTIAL, &neg_ctx->context, neg_ctx->server_name, - GSS_C_NO_OID, - GSS_C_MUTUAL_FLAG - | GSS_C_REPLAY_FLAG, - 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, - NULL, &output_token, - NULL, NULL); if(input_token.length > 0) gss_release_buffer(&minor_status2, &input_token); -- cgit v1.2.1 From 44b58472378097faf9632d0dd9b4e478fb3433ed Mon Sep 17 00:00:00 2001 
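Review bot: The context lines kept after the new wrapper call, `if(input_token.length > 0) gss_release_buffer(&minor_status2, &input_token);`, hand a buffer that libcurl allocated itself (the one Curl_base64_decode returns through `&input_token.value`, or the `malloc(mechTokenLength)` in the SPNEGO branch) to the GSS-API library's deallocator. That only works while the library's allocator happens to be plain free(); with any other runtime it corrupts the heap. Releasing it on libcurl's side, `Curl_safefree(input_token.value); input_token.length = 0;`, keeps ownership where the allocation was made. The wrapper still passes NULL for ret_flags as well, so the mutual-authentication flags it requests are never verified.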
From: Daniel Stenberg Date: Wed, 13 Jul 2011 22:54:54 +0200 Subject: gssapi: rename our files to avoid conflicts gssapi.h is used as a header name by Heimdal-style GSSAPI so it would conflict with a private header using that name, and while renaming the header I figured we should name the .c file accordingly as well. Bug: http://curl.haxx.se/mail/lib-2011-07/0071.html Reported by: Ben Greear --- lib/http_negotiate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index e4a8ff259..36823f8cf 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -36,7 +36,7 @@ #include "urldata.h" #include "sendf.h" -#include "gssapi.h" +#include "curl_gssapi.h" #include "rawstr.h" #include "curl_base64.h" #include "http_negotiate.h" -- cgit v1.2.1 From f1586cb4775681810afd8e6626e7842d459f3b85 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 26 Jul 2011 17:23:27 +0200 Subject: stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h --- lib/http_negotiate.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 36823f8cf..d7bc67955 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -19,6 +19,7 @@ * KIND, either express or implied. * ***************************************************************************/ + #include "setup.h" #ifdef HAVE_GSSAPI @@ -27,12 +28,6 @@ #endif #ifndef CURL_DISABLE_HTTP - /* -- WIN32 approved -- */ -#include -#include -#include -#include -#include #include "urldata.h" #include "sendf.h" -- cgit v1.2.1 From c01c000b1631591a2b7d78450fee5bf21990e993 Mon Sep 17 00:00:00 2001 
From: Dan Fandrich Date: Thu, 28 Jul 2011 14:03:07 -0700 Subject: Avoid a "shadows global declaration" warning on old MIT Kerberos Defining NCOMPAT eliminates the backwards-compatibility macros that are the source of the problem and which we don't need, anyway. --- lib/http_negotiate.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index d7bc67955..695ab167e 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -25,6 +25,7 @@ #ifdef HAVE_GSSAPI #ifdef HAVE_OLD_GSSMIT #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#define NCOMPAT 1 #endif #ifndef CURL_DISABLE_HTTP -- cgit v1.2.1 From ebf42c4be76df40ec6d3bf32f229bbb274e2c32f Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 19 Jul 2011 19:10:43 +0200 Subject: Add new CURLOPT_GSSAPI_DELEGATION option. Curl_gss_init_sec_context got new parameter - SessionHandle. Signed-off-by: Adam Tkac --- lib/http_negotiate.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 695ab167e..b3d870c9c 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -131,8 +131,9 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { - struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: - &conn->data->state.negotiate; + struct SessionHandle *data = conn->data; + struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg: + &data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; 
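Review bot: `#define NCOMPAT 1` in the `@@ -25,6 +25,7 @@` hunk only has the intended effect if it is seen before the MIT Kerberos headers are included; the hunk shows it beside the GSS_C_NT_HOSTBASED_SERVICE compatibility define but not the include it must precede, so that ordering is worth stating on the line itself. Something like `#define NCOMPAT 1 /* must precede the krb5/gssapi headers: disables their legacy macros */` keeps the knob from being moved below the include by a later cleanup. Without it the name is opaque to anyone who has not met old MIT releases.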
@@ -168,7 +169,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, /* We finished successfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we * can't invent anything better */ - Curl_cleanup_negotiate(conn->data); + Curl_cleanup_negotiate(data); return -1; } @@ -217,7 +218,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, NULL)) { free(spnegoToken); spnegoToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token failed\n"); + infof(data, "Parse SPNEGO Target Token failed\n"); } else { free(input_token.value); @@ -229,13 +230,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, input_token.length = mechTokenLength; free(mechToken); mechToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token succeeded\n"); + infof(data, "Parse SPNEGO Target Token succeeded\n"); } } #endif } - major_status = Curl_gss_init_sec_context(&minor_status, + major_status = Curl_gss_init_sec_context(data, + &minor_status, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_CHANNEL_BINDINGS, @@ -246,7 +248,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, gss_release_buffer(&minor_status2, &input_token); neg_ctx->status = major_status; if(GSS_ERROR(major_status)) { - /* Curl_cleanup_negotiate(conn->data) ??? */ + /* Curl_cleanup_negotiate(data) ??? */ log_gss_error(conn, minor_status, "gss_init_sec_context() failed: "); return -1; -- cgit v1.2.1 From fd00b382b2d33ef90c6f5c840a32b66c8ceb1662 Mon Sep 17 00:00:00 2001 
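Review bot: The `/* Curl_cleanup_negotiate(data) ??? */` comment in the `@@ -246,7 +248,7 @@` hunk is carried over with its question mark intact, so the error path after a failed Curl_gss_init_sec_context still returns -1 with `neg_ctx->context` and `neg_ctx->status` left exactly as the failed call set them. Whether a partially established context must be deleted here depends on how the callers, outside the hunk, react to -1; either way the open question should become a decision, with the comment replaced by either the call or a statement such as `/* the context is left for the caller to release via Curl_cleanup_negotiate() */`. Curl_input_negotiate begins outside the hunk.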
From: Yang Tse Date: Wed, 24 Aug 2011 08:07:36 +0200 Subject: base64: fix Curl_base64_encode and Curl_base64_decode interfaces Previous interfaces for these libcurl internal functions did not allow to tell apart a legitimate zero size result from an error condition. These functions now return a CURLcode indicating function success or otherwise specific error. Output size is returned using a pointer argument. All usage of these two functions, and others closely related, has been adapted to the new interfaces. Relative error and OOM handling adapted or added where missing. Unit test 1302 also adapted. --- lib/http_negotiate.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index b3d870c9c..f0cf16b9e 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -138,9 +138,11 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; int ret; - size_t len, rawlen; + size_t len; + size_t rawlen = 0; bool gss; const char* protocol; + CURLcode error; while(*header && ISSPACE(*header)) header++; @@ -183,9 +185,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, len = strlen(header); if(len > 0) { - rawlen = Curl_base64_decode(header, - (unsigned char **)&input_token.value); - if(rawlen == 0) + error = Curl_base64_decode(header, + (unsigned char **)&input_token.value, &rawlen); + if(error || rawlen == 0) return -1; input_token.length = rawlen; @@ -270,8 +272,9 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: &conn->data->state.negotiate; char *encoded = NULL; - size_t len; + size_t len = 0; char *userp; + CURLcode error; #ifdef HAVE_SPNEGO /* Handle SPNEGO */ if(checkprefix("Negotiate", neg_ctx->protocol)) { 
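Review bot: `if(error || rawlen == 0) return -1;` in the `@@ -183,9 +185,9 @@` hunk returns without looking at `input_token.value`, so if Curl_base64_decode can hand back a buffer together with a non-zero error or a zero length (its contract is not visible here) that buffer is leaked. The `(unsigned char **)&input_token.value` cast also accesses a `void *` object through an `unsigned char *` lvalue; a local `unsigned char *raw = NULL;` passed as `&raw`, followed by `input_token.value = raw;`, avoids the type pun at no cost. Curl_input_negotiate continues outside the hunk.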
@@ -317,13 +320,21 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) } } #endif - len = Curl_base64_encode(conn->data, - neg_ctx->output_token.value, - neg_ctx->output_token.length, - &encoded); + error = Curl_base64_encode(conn->data, + neg_ctx->output_token.value, + neg_ctx->output_token.length, + &encoded, &len); + if(error) { + Curl_safefree(neg_ctx->output_token.value); + neg_ctx->output_token.value = NULL; + return error; + } - if(len == 0) - return CURLE_OUT_OF_MEMORY; + if(len == 0) { + Curl_safefree(neg_ctx->output_token.value); + neg_ctx->output_token.value = NULL; + return CURLE_REMOTE_ACCESS_DENIED; + } userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); -- cgit v1.2.1 From cb5e72bf62cdea7e8866f09633aff1ce95f3517d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 24 Aug 2011 11:55:49 +0200 Subject: safefree use: fix compiler warning include the prototype header --- lib/http_negotiate.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index f0cf16b9e..4e68ab762 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -37,6 +37,7 @@ #include "curl_base64.h" #include "http_negotiate.h" #include "curl_memory.h" +#include "url.h" #ifdef HAVE_SPNEGO # include -- cgit v1.2.1 From 0ce2bca741ae596a346b2ab767dfbf5be9bc7dae Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Mon, 16 Jan 2012 21:14:05 +0100 Subject: add LF termination to infof() trace string --- lib/http_negotiate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 4e68ab762..c03faf94d 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c 
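Review bot: Both new error branches in the `@@ -317,13 +320,21 @@` hunk free `neg_ctx->output_token.value` but leave `neg_ctx->output_token.length` at the old token's size, and the `neg_ctx->output_token.value = NULL;` that follows `Curl_safefree(...)` is redundant because Curl_safefree already nulls the pointer. Replacing the pair in each branch with `Curl_safefree(neg_ctx->output_token.value); neg_ctx->output_token.length = 0;` keeps the buffer descriptor consistent for whoever reads it next. Mapping a zero-length encoding to CURLE_REMOTE_ACCESS_DENIED also deserves a one-line comment, since an empty token from the mechanism is not obviously a denial. Curl_output_negotiate begins outside the hunk.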
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -124,7 +124,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, gss_release_buffer(&min_stat, &status_string); } while(!GSS_ERROR(maj_stat) && msg_ctx != 0); - infof(conn->data, "%s", buf); + infof(conn->data, "%s\n", buf); } /* returning zero (0) means success, everything else is treated as "failure" -- cgit v1.2.1 From ba41ecfa176edeb158b4971bcfead764f52bf331 Mon Sep 17 00:00:00 2001 From: Marc Hoersken Date: Fri, 14 Sep 2012 15:50:24 +0200 Subject: http_negotiate.c: Fxied warning: unused variable 'rc' --- lib/http_negotiate.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'lib/http_negotiate.c') diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index c03faf94d..92c363d7c 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -195,7 +195,6 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, #ifdef HAVE_SPNEGO /* Handle SPNEGO */ if(checkprefix("Negotiate", header)) { ASN1_OBJECT * object = NULL; - int rc = 1; unsigned char * spnegoToken = NULL; size_t spnegoTokenLength = 0; unsigned char * mechToken = NULL; @@ -280,7 +279,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) #ifdef HAVE_SPNEGO /* Handle SPNEGO */ if(checkprefix("Negotiate", neg_ctx->protocol)) { ASN1_OBJECT * object = NULL; - int rc = 1; unsigned char * spnegoToken = NULL; size_t spnegoTokenLength = 0; unsigned char * responseToken = NULL; -- cgit v1.2.1