src/protocol/http/http_negotiate.c

   1 /*
   2  * HTTP Negotiate authentication method -- based on GSSAPI
   3  *
   4  * The Microsoft version with SPNEGO is unsupported. If you look for way how
   5  * extend this code with SPNEGO see libcurl or firefox source code where is
   6  * supported GSSAPI+SPNEGO.
   7  *
   8  * Copyright (C) 2006 Red Hat, Inc.
   9  * Karel Zak <kzak@redhat.com>
  10  */
  11
  12 #ifdef HAVE_CONFIG_H
  13 #include "config.h"
  14 #endif
  15
  16 #include <stdio.h>
  17 #include <string.h>
  18 #include <stdarg.h>
  19 #include <stdlib.h>
  20 #include <ctype.h>
  21 #include <errno.h>
  22
  23 #include <gssapi/gssapi.h>
  24
  25 #include "elinks.h"
  26 #include "network/connection.h"
  27 #include "protocol/uri.h"
  28 #include "protocol/http/http.h"
  29 #include "protocol/http/http_negotiate.h"
  30 #include "util/base64.h"
  31 #include "main/object.h"
  32 #include "util/lists.h"
  33
  34 struct negotiate {
  35         OBJECT_HEAD(struct negotiate);
  36
  37         struct uri      *uri;
  38
  39         int             type;                   /* GSS-Negotiate or Negotiate or zero */
  40         OM_uint32       status;
  41         gss_ctx_id_t    context;
  42         gss_name_t      server_name;
  43         gss_buffer_desc output_token;
  44         gss_buffer_desc input_token;
  45 };
  46
  47 static INIT_LIST_OF(struct negotiate, negotiate_list);
  48
  49 static struct negotiate *
  50 http_negotiate_get(struct uri *uri, int *isnew, int alloc)
  51 {
  52         struct negotiate *neg;
  53
  54         foreach (neg, negotiate_list) {
  55                 if (compare_uri(neg->uri, uri, URI_HTTP_REFERRER_HOST))
  56                         return neg;
  57         }
  58         if (!alloc)
  59                 return NULL;
  60
  61         neg = mem_calloc(1, sizeof(*neg));
  62         if (!neg)
  63                 return NULL;
  64
  65         neg->uri = get_uri_reference(uri);
  66
  67         if (isnew)
  68                 *isnew = 1;
  69
  70         return neg;
  71 }
  72
  73 static void
  74 http_negotiate_save(struct negotiate *neg)
  75 {
  76         add_to_list(negotiate_list, neg);
  77 }
  78
  79 static void
  80 http_negotiate_cleanup(struct negotiate *neg, int full)
  81 {
  82         OM_uint32 minor_status;
  83
  84         if (neg->context != GSS_C_NO_CONTEXT)
  85                 gss_delete_sec_context(&minor_status, &neg->context, GSS_C_NO_BUFFER);
  86
  87         if (neg->output_token.length != 0)
  88                 gss_release_buffer(&minor_status, &neg->output_token);
  89
  90         if (full) {
  91                 if (neg->server_name)
  92                         gss_release_name(&minor_status, &neg->server_name);
  93
  94                 if (neg->input_token.length != 0) {
  95                         /* allocated by mem_free().. so beter not use gss_release_buffer() */
  96                         mem_free(neg->input_token.value);
  97                         neg->input_token.length = 0;
  98                 }
  99
 100                 memset(neg, 0, sizeof(*neg));
 101         }
 102 }
 103
 104 static int
 105 http_negotiate_get_name(struct connection *conn, struct negotiate *neg)
 106 {
 107         OM_uint32 major_status, minor_status;
 108         gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
 109         char name[2048];
 110         const char *service;
 111         struct uri *uri = conn->proxied_uri;
 112
 113         /* GSSAPI implementation by Globus (known as GSI) requires the name to be
 114          * of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
 115          * of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
 116          * Change following lines if you want to use GSI
 117          *
 118          * IIS uses the <service>@<fqdn> form but uses 'http' as the service name
 119          */
 120         if (neg->type == HTTPNEG_GSS)
 121                 service = "KHTTP";
 122         else
 123                 service = "HTTP";
 124
 125         token.length = strlen(service) + 1 + uri->hostlen + 1;
 126         if (token.length + 1 > sizeof(name))
 127                 return -1;
 128
 129         snprintf(name, token.length, "%s@%*s", service, uri->hostlen, uri->host);
 130
 131         token.value = (void *) name;
 132         major_status = gss_import_name(&minor_status, &token,
 133                                        GSS_C_NT_HOSTBASED_SERVICE,
 134                                        &neg->server_name);
 135
 136         return GSS_ERROR(major_status) ? -1 : 0;
 137 }
 138
 139 static int
 140 http_negotiate_parse_data(unsigned char *data, int type,
 141                           gss_buffer_desc *token)
 142 {
 143         int len = 0;
 144         unsigned char *end;
 145         int bytelen = 0;
 146
 147         if (data == NULL || *data == '\0')
 148                 return 0;
 149
 150         if (type == HTTPNEG_GSS)
 151                 data += HTTPNEG_GSS_STRLEN;
 152         else
 153                 data += HTTPNEG_NEG_STRLEN;
 154
 155         while (*data && isspace((int) *data))
 156                 data++;
 157
 158         if (*data == '\0' || *data == ASCII_CR || *data == ASCII_LF)
 159                 return 0;       /* no data */
 160
 161         end = data;
 162         while (isalnum((int) *end) || *end == '=')
 163                 end++;
 164
 165         /* Ignore line if we encountered an unexpected char. */
 166         if (*end != ASCII_CR && *end != ASCII_LF)
 167                 return 0;
 168
 169         len = end - data;
 170
 171         if (!len)
 172                 return 0;
 173
 174         token->value = (void *) base64_decode_bin(data, len, &bytelen);
 175         token->length = bytelen; /* convert int to size_t */
 176
 177         if (!token->value)
 178                 return -1;
 179
 180         return 0;
 181 }
 182
 183 static int
 184 http_negotiate_create_context(struct negotiate *neg)
 185 {
 186         OM_uint32 major_status, minor_status;
 187
 188         major_status = gss_init_sec_context(&minor_status,
 189                                             GSS_C_NO_CREDENTIAL,
 190                                             &neg->context,
 191                                             neg->server_name,
 192                                             GSS_C_NO_OID,
 193                                             0,
 194                                             0,
 195                                             GSS_C_NO_CHANNEL_BINDINGS,
 196                                             &neg->input_token,
 197                                             NULL,
 198                                             &neg->output_token,
 199                                             NULL,
 200                                             NULL);
 201         neg->status = major_status;
 202
 203         if (GSS_ERROR(major_status) || neg->output_token.length == 0)
 204                 return -1;
 205
 206         return 0;
 207 }
 208
 209 /*
 210  * Register new negotiate-auth request
 211  *
 212  * It's possible that server sends to client input token (at least
 213  * libcurl supports it) in WWW-Authenticate header, but ususaly
 214  * is this input token undefined.
 215  */
 216 int
 217 http_negotiate_input(struct connection *conn, struct uri *uri,
 218                      int type, unsigned char *data)
 219 {
 220         struct negotiate *neg;
 221         int ret = 0, isnew = 0;
 222
 223         neg = http_negotiate_get(uri, &isnew, 1);
 224
 225         if (neg->context && type != HTTPNEG_GSS)
 226                 return -1;
 227
 228         neg->type = type;
 229
 230         if (neg->context && neg->status == GSS_S_COMPLETE) {
 231                 /* We finished succesfully our part of authentication, but
 232                  * server rejected it (since we're again here). Exit with an
 233                  * error since we can't invent anything better
 234                  */
 235                 http_negotiate_cleanup(neg, 1);
 236                 return -1;
 237         }
 238
 239         if (neg->server_name == NULL && http_negotiate_get_name(conn, neg) < 0)
 240                 return -1;
 241
 242         if (data && http_negotiate_parse_data(data, type, &neg->input_token))
 243                 return -1;
 244
 245         ret = http_negotiate_create_context(neg);
 246         if (ret == 0 && isnew)
 247                 http_negotiate_save(neg);
 248
 249         return ret;
 250 }
 251
 252 /*
 253  * Fill output token to "Authorization: Negotiate <token>".
 254  */
 255 int
 256 http_negotiate_output(struct uri *uri, struct string *header)
 257 {
 258         struct negotiate *neg;
 259         char *encoded = NULL;
 260         int len = 0;
 261
 262         neg = http_negotiate_get(uri, NULL, 0);
 263         if (!neg)
 264                 return -1;
 265
 266         if (neg->output_token.length == 0) {
 267                 if (http_negotiate_create_context(neg) < 0) {
 268                         /* full cleanup on error and ask for
 269                          * new WWW-Authenticate from server
 270                          */
 271                         http_negotiate_cleanup(neg, 1);
 272                         return -1;
 273                 }
 274         }
 275
 276         encoded = base64_encode_bin((unsigned char *) neg->output_token.value,
 277                                     neg->output_token.length, &len);
 278
 279         if (encoded == NULL || len == 0)
 280                 return -1;
 281
 282         add_to_string(header, "Authorization: ");
 283         add_to_string(header, neg->type == HTTPNEG_GSS ?
 284                       HTTPNEG_GSS_STR : HTTPNEG_NEG_STR);
 285         add_char_to_string(header, ' ');
 286         add_to_string(header, encoded);
 287         add_crlf_to_string(header);
 288
 289         http_negotiate_cleanup(neg, 0);
 290
 291         mem_free(encoded);
 292
 293         return 0;
 294 }