diff options
Diffstat (limited to 'lib/krb5.c')
| -rw-r--r-- | lib/krb5.c | 139 |
1 files changed, 61 insertions, 78 deletions
@@ -1,8 +1,8 @@ /* GSSAPI/krb5 support for FTP - loosely based on old krb4.c * - * Copyright (c) 1995, 1996, 1997, 1998, 1999, 2010 Kungliga Tekniska Högskolan + * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). - * Copyright (c) 2004 - 2009 Daniel Stenberg + * Copyright (c) 2004 - 2015 Daniel Stenberg * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -32,44 +32,25 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -#include "setup.h" +#include "curl_setup.h" -#ifndef CURL_DISABLE_FTP -#ifdef HAVE_GSSAPI +#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP) -#ifdef HAVE_OLD_GSSMIT -#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name -#endif - -#include <stdlib.h> #ifdef HAVE_NETDB_H #include <netdb.h> #endif -#include <string.h> - -#ifdef HAVE_GSSGNU -# include <gss.h> -#elif defined HAVE_GSSMIT - /* MIT style */ -# include <gssapi/gssapi.h> -# include <gssapi/gssapi_generic.h> -# include <gssapi/gssapi_krb5.h> -#else - /* Heimdal-style */ -# include <gssapi.h> -#endif #include "urldata.h" #include "curl_base64.h" #include "ftp.h" +#include "curl_gssapi.h" #include "sendf.h" -#include "krb4.h" -#include "curl_memory.h" - -#define _MPRINTF_REPLACE /* use our functions only */ -#include <curl/mprintf.h> +#include "curl_sec.h" +#include "warnless.h" +#include "curl_printf.h" -/* The last #include file should be: */ +/* The last #include files should be: */ +#include "curl_memory.h" #include "memdebug.h" #define LOCAL_ADDR (&conn->local_addr) @@ -88,22 +69,22 @@ static int krb5_check_prot(void *app_data, int level) { (void)app_data; /* unused */ - if(level == prot_confidential) + if(level == PROT_CONFIDENTIAL) return -1; return 0; } static int -krb5_decode(void *app_data, void *buf, int len, int level, - struct connectdata *conn) +krb5_decode(void *app_data, void *buf, int len, + int level UNUSED_PARAM, + struct connectdata *conn UNUSED_PARAM) { gss_ctx_id_t *context = app_data; OM_uint32 maj, min; gss_buffer_desc enc, dec; - /* shut gcc up */ - level = 0; - conn = NULL; + (void)level; + (void)conn; enc.value = buf; enc.length = len; @@ -115,7 +96,7 @@ krb5_decode(void *app_data, void *buf, int len, int level, } memcpy(buf, dec.value, dec.length); - len = dec.length; + len = curlx_uztosi(dec.length); gss_release_buffer(&min, &dec); return len; @@ -124,16 +105,15 @@ krb5_decode(void *app_data, void *buf, int len, int level, static int krb5_overhead(void *app_data, int level, int len) { - /* no arguments are used, just init them to prevent compiler warnings */ - app_data = NULL; - level = 0; - len = 0; + /* no arguments are used */ + (void)app_data; + (void)level; + (void)len; return 0; } static int -krb5_encode(void *app_data, const void *from, int length, int level, void **to, - struct connectdata *conn) +krb5_encode(void *app_data, const void *from, int length, int level, void **to) { gss_ctx_id_t *context = app_data; gss_buffer_desc dec, enc; @@ -141,28 +121,26 @@ krb5_encode(void *app_data, const void *from, int length, int level, void **to, int state; int len; - /* shut gcc up */ - conn = NULL; - /* NOTE that the cast is safe, neither of the krb5, gnu gss and heimdal * libraries modify the input buffer in gss_seal() */ dec.value = (void*)from; dec.length = length; maj = gss_seal(&min, *context, - level == prot_private, + level == PROT_PRIVATE, GSS_C_QOP_DEFAULT, &dec, &state, &enc); if(maj != GSS_S_COMPLETE) return -1; - /* malloc a new buffer, in case gss_release_buffer doesn't work as expected */ + /* malloc a new buffer, in case gss_release_buffer doesn't work as + expected */ *to = malloc(enc.length); if(!*to) return -1; memcpy(*to, enc.value, enc.length); - len = enc.length; + len = curlx_uztosi(enc.length); gss_release_buffer(&min, &enc); return len; } @@ -183,6 +161,7 @@ krb5_auth(void *app_data, struct connectdata *conn) gss_name_t gssname; gss_ctx_id_t *context = app_data; struct gss_channel_bindings_struct chan; + size_t base64_sz = 0; if(getsockname(conn->sock[FIRSTSOCKET], (struct sockaddr *)LOCAL_ADDR, &l) < 0) @@ -200,7 +179,7 @@ krb5_auth(void *app_data, struct connectdata *conn) chan.application_data.value = NULL; /* this loop will execute twice (once for service, once for host) */ - while(1) { + for(;;) { /* this really shouldn't be repeated here, but can't help it */ if(service == srv_host) { result = Curl_ftpsendf(conn, "AUTH GSSAPI"); @@ -222,7 +201,8 @@ krb5_auth(void *app_data, struct connectdata *conn) if(maj != GSS_S_COMPLETE) { gss_release_name(&min, &gssname); if(service == srv_host) { - Curl_failf(data, "Error importing service name %s", input_buffer.value); + Curl_failf(data, "Error importing service name %s", + input_buffer.value); return AUTH_ERROR; } service = srv_host; @@ -240,35 +220,34 @@ krb5_auth(void *app_data, struct connectdata *conn) taken care by a final gss_release_buffer. */ gss_release_buffer(&min, &output_buffer); ret = AUTH_OK; - maj = gss_init_sec_context(&min, - GSS_C_NO_CREDENTIAL, - context, - gssname, - GSS_C_NO_OID, - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, - 0, - &chan, - gssresp, - NULL, - &output_buffer, - NULL, - NULL); + maj = Curl_gss_init_sec_context(data, + &min, + context, + gssname, + &Curl_krb5_mech_oid, + &chan, + gssresp, + &output_buffer, + TRUE, + NULL); if(gssresp) { free(_gssresp.value); gssresp = NULL; } - if(maj != GSS_S_COMPLETE && maj != GSS_S_CONTINUE_NEEDED) { - Curl_infof(data, "Error creating security context"); + if(GSS_ERROR(maj)) { + Curl_infof(data, "Error creating security context\n"); ret = AUTH_ERROR; break; } if(output_buffer.length != 0) { - if(Curl_base64_encode(data, (char *)output_buffer.value, - output_buffer.length, &p) < 1) { - Curl_infof(data, "Out of memory base64-encoding"); + result = Curl_base64_encode(data, (char *)output_buffer.value, + output_buffer.length, &p, &base64_sz); + if(result) { + Curl_infof(data, "base64-encoding: %s\n", + curl_easy_strerror(result)); ret = AUTH_CONTINUE; break; } @@ -287,7 +266,7 @@ krb5_auth(void *app_data, struct connectdata *conn) break; } - if(data->state.buffer[0] != '2' && data->state.buffer[0] != '3'){ + if(data->state.buffer[0] != '2' && data->state.buffer[0] != '3') { Curl_infof(data, "Server didn't accept auth data\n"); ret = AUTH_ERROR; break; @@ -296,10 +275,12 @@ krb5_auth(void *app_data, struct connectdata *conn) p = data->state.buffer + 4; p = strstr(p, "ADAT="); if(p) { - _gssresp.length = Curl_base64_decode(p + 5, (unsigned char **) - &_gssresp.value); - if(_gssresp.length < 1) { - Curl_failf(data, "Out of memory base64-encoding"); + result = Curl_base64_decode(p + 5, + (unsigned char **)&_gssresp.value, + &_gssresp.length); + if(result) { + Curl_failf(data, "base64-decoding: %s", + curl_easy_strerror(result)); ret = AUTH_CONTINUE; break; } @@ -325,10 +306,13 @@ krb5_auth(void *app_data, struct connectdata *conn) static void krb5_end(void *app_data) { - OM_uint32 maj, min; + OM_uint32 min; gss_ctx_id_t *context = app_data; - if (*context != GSS_C_NO_CONTEXT) { - maj = gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER); + if(*context != GSS_C_NO_CONTEXT) { +#ifdef DEBUGBUILD + OM_uint32 maj = +#endif + gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER); DEBUGASSERT(maj == GSS_S_COMPLETE); } } @@ -345,5 +329,4 @@ struct Curl_sec_client_mech Curl_krb5_client_mech = { krb5_decode }; -#endif /* HAVE_GSSAPI */ -#endif /* CURL_DISABLE_FTP */ +#endif /* HAVE_GSSAPI && !CURL_DISABLE_FTP */ |