socks_gssapi.c source code [tensorflow/external/curl/lib/socks_gssapi.c]

1	/***************************************************************************
2	* _ _ ____ _
3	* Project ___\| \| \| \| _ \\| \|
4	* / __\| \| \| \| \|_) \| \|
5	* \| (__\| \|_\| \| _ <\| \|___
6	* \___\|\___/\|_\| \_\_____\|
7	*
8	* Copyright (C) 2012 - 2022, Daniel Stenberg, <[email protected]>, et al.
9	* Copyright (C) 2012, Markus Moeller, <[email protected]>
10	*
11	* This software is licensed as described in the file COPYING, which
12	* you should have received as part of this distribution. The terms
13	* are also available at https://curl.se/docs/copyright.html.
14	*
15	* You may opt to use, copy, modify, merge, publish, distribute and/or sell
16	* copies of the Software, and permit persons to whom the Software is
17	* furnished to do so, under the terms of the COPYING file.
18	*
19	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20	* KIND, either express or implied.
21	*
22	* SPDX-License-Identifier: curl
23	*
24	***************************************************************************/
25
26	#include "curl_setup.h"
27
28	#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_PROXY)
29
30	#include "curl_gssapi.h"
31	#include "urldata.h"
32	#include "sendf.h"
33	#include "connect.h"
34	#include "timeval.h"
35	#include "socks.h"
36	#include "warnless.h"
37
38	/ The last 3 #include files should be in this order /
39	#include "curl_printf.h"
40	#include "curl_memory.h"
41	#include "memdebug.h"
42
43	static gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
44
45	/*
46	* Helper GSS-API error functions.
47	*/
48	static int check_gss_err(struct Curl_easy *data,
49	OM_uint32 major_status,
50	OM_uint32 minor_status,
51	const char *function)
52	{
53	if(GSS_ERROR(major_status)) {
54	OM_uint32 maj_stat, min_stat;
55	OM_uint32 msg_ctx = `0`;
56	gss_buffer_desc status_string = GSS_C_EMPTY_BUFFER;
57	char buf[`1024`];
58	size_t len;
59
60	len = `0`;
61	msg_ctx = `0`;
62	while(!msg_ctx) {
63	/ convert major status code (GSS-API error) to text /
64	maj_stat = gss_display_status(&min_stat, major_status,
65	GSS_C_GSS_CODE,
66	GSS_C_NULL_OID,
67	&msg_ctx, &status_string);
68	if(maj_stat == GSS_S_COMPLETE) {
69	if(sizeof(buf) > len + status_string.length + `1`) {
70	strcpy(buf + len, (char *) status_string.value);
71	len += status_string.length;
72	}
73	gss_release_buffer(&min_stat, &status_string);
74	break;
75	}
76	gss_release_buffer(&min_stat, &status_string);
77	}
78	if(sizeof(buf) > len + `3`) {
79	strcpy(buf + len, ".\n");
80	len += `2`;
81	}
82	msg_ctx = `0`;
83	while(!msg_ctx) {
84	/ convert minor status code (underlying routine error) to text /
85	maj_stat = gss_display_status(&min_stat, minor_status,
86	GSS_C_MECH_CODE,
87	GSS_C_NULL_OID,
88	&msg_ctx, &status_string);
89	if(maj_stat == GSS_S_COMPLETE) {
90	if(sizeof(buf) > len + status_string.length)
91	strcpy(buf + len, (char *) status_string.value);
92	gss_release_buffer(&min_stat, &status_string);
93	break;
94	}
95	gss_release_buffer(&min_stat, &status_string);
96	}
97	failf(data, "GSS-API error: %s failed: %s", function, buf);
98	return `1`;
99	}
100
101	return `0`;
102	}
103
104	CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
105	struct Curl_easy *data)
106	{
107	struct connectdata *conn = data->conn;
108	curl_socket_t sock = conn->sock[sockindex];
109	CURLcode code;
110	ssize_t actualread;
111	ssize_t written;
112	int result;
113	OM_uint32 gss_major_status, gss_minor_status, gss_status;
114	OM_uint32 gss_ret_flags;
115	int gss_conf_state, gss_enc;
116	gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
117	gss_buffer_desc gss_send_token = GSS_C_EMPTY_BUFFER;
118	gss_buffer_desc gss_recv_token = GSS_C_EMPTY_BUFFER;
119	gss_buffer_desc gss_w_token = GSS_C_EMPTY_BUFFER;
120	gss_buffer_desc *gss_token = GSS_C_NO_BUFFER;
121	gss_name_t server = GSS_C_NO_NAME;
122	gss_name_t gss_client_name = GSS_C_NO_NAME;
123	unsigned short us_length;
124	char *user = NULL;
125	unsigned char socksreq[`4`]; / room for GSS-API exchange header only /
126	const char *serviceptr = data->set.str[STRING_PROXY_SERVICE_NAME] ?
127	data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
128	const size_t serviceptr_length = strlen(serviceptr);
129
130	/ GSS-API request looks like*
131	* +----+------+-----+----------------+
132	* \|VER \| MTYP \| LEN \| TOKEN \|
133	* +----+------+----------------------+
134	* \| 1 \| 1 \| 2 \| up to 2^16 - 1 \|
135	* +----+------+-----+----------------+
136	*/
137
138	/ prepare service name /
139	if(strchr(serviceptr, `'/'`)) {
140	service.length = serviceptr_length;
141	service.value = malloc(service.length);
142	if(!service.value)
143	return CURLE_OUT_OF_MEMORY;
144	memcpy(service.value, serviceptr, service.length);
145
146	gss_major_status = gss_import_name(&gss_minor_status, &service,
147	(gss_OID) GSS_C_NULL_OID, &server);
148	}
149	else {
150	service.value = malloc(serviceptr_length +
151	strlen(conn->socks_proxy.host.name) + `2`);
152	if(!service.value)
153	return CURLE_OUT_OF_MEMORY;
154	service.length = serviceptr_length +
155	strlen(conn->socks_proxy.host.name) + `1`;
156	msnprintf(service.value, service.length + `1`, "%s@%s",
157	serviceptr, conn->socks_proxy.host.name);
158
159	gss_major_status = gss_import_name(&gss_minor_status, &service,
160	GSS_C_NT_HOSTBASED_SERVICE, &server);
161	}
162
163	gss_release_buffer(&gss_status, &service); / clear allocated memory /
164
165	if(check_gss_err(data, gss_major_status,
166	gss_minor_status, "gss_import_name()")) {
167	failf(data, "Failed to create service name.");
168	gss_release_name(&gss_status, &server);
169	return CURLE_COULDNT_CONNECT;
170	}
171
172	(void)curlx_nonblock(sock, FALSE);
173
174	/ As long as we need to keep sending some context info, and there's no /
175	/ errors, keep sending it... /
176	for(;;) {
177	gss_major_status = Curl_gss_init_sec_context(data,
178	&gss_minor_status,
179	&gss_context,
180	server,
181	&Curl_krb5_mech_oid,
182	NULL,
183	gss_token,
184	&gss_send_token,
185	TRUE,
186	&gss_ret_flags);
187
188	if(gss_token != GSS_C_NO_BUFFER)
189	gss_release_buffer(&gss_status, &gss_recv_token);
190	if(check_gss_err(data, gss_major_status,
191	gss_minor_status, "gss_init_sec_context")) {
192	gss_release_name(&gss_status, &server);
193	gss_release_buffer(&gss_status, &gss_recv_token);
194	gss_release_buffer(&gss_status, &gss_send_token);
195	gss_delete_sec_context(&gss_status, &gss_context, NULL);
196	failf(data, "Failed to initial GSS-API token.");
197	return CURLE_COULDNT_CONNECT;
198	}
199
200	if(gss_send_token.length) {
201	socksreq[`0`] = `1`; / GSS-API subnegotiation version /
202	socksreq[`1`] = `1`; / authentication message type /
203	us_length = htons((short)gss_send_token.length);
204	memcpy(socksreq + `2`, &us_length, sizeof(short));
205
206	code = Curl_write_plain(data, sock, (char *)socksreq, `4`, &written);
207	if(code \|\| (`4` != written)) {
208	failf(data, "Failed to send GSS-API authentication request.");
209	gss_release_name(&gss_status, &server);
210	gss_release_buffer(&gss_status, &gss_recv_token);
211	gss_release_buffer(&gss_status, &gss_send_token);
212	gss_delete_sec_context(&gss_status, &gss_context, NULL);
213	return CURLE_COULDNT_CONNECT;
214	}
215
216	code = Curl_write_plain(data, sock, (char *)gss_send_token.value,
217	gss_send_token.length, &written);
218
219	if(code \|\| ((ssize_t)gss_send_token.length != written)) {
220	failf(data, "Failed to send GSS-API authentication token.");
221	gss_release_name(&gss_status, &server);
222	gss_release_buffer(&gss_status, &gss_recv_token);
223	gss_release_buffer(&gss_status, &gss_send_token);
224	gss_delete_sec_context(&gss_status, &gss_context, NULL);
225	return CURLE_COULDNT_CONNECT;
226	}
227
228	}
229
230	gss_release_buffer(&gss_status, &gss_send_token);
231	gss_release_buffer(&gss_status, &gss_recv_token);
232	if(gss_major_status != GSS_S_CONTINUE_NEEDED)
233	break;
234
235	/ analyse response /
236
237	/ GSS-API response looks like*
238	* +----+------+-----+----------------+
239	* \|VER \| MTYP \| LEN \| TOKEN \|
240	* +----+------+----------------------+
241	* \| 1 \| 1 \| 2 \| up to 2^16 - 1 \|
242	* +----+------+-----+----------------+
243	*/
244
245	result = Curl_blockread_all(data, sock, (char *)socksreq, `4`, &actualread);
246	if(result \|\| (actualread != `4`)) {
247	failf(data, "Failed to receive GSS-API authentication response.");
248	gss_release_name(&gss_status, &server);
249	gss_delete_sec_context(&gss_status, &gss_context, NULL);
250	return CURLE_COULDNT_CONNECT;
251	}
252
253	/ ignore the first (VER) byte /
254	if(socksreq[`1`] == `255`) { / status / message type /
255	failf(data, "User was rejected by the SOCKS5 server (%d %d).",
256	socksreq[`0`], socksreq[`1`]);
257	gss_release_name(&gss_status, &server);
258	gss_delete_sec_context(&gss_status, &gss_context, NULL);
259	return CURLE_COULDNT_CONNECT;
260	}
261
262	if(socksreq[`1`] != `1`) { / status / message type /
263	failf(data, "Invalid GSS-API authentication response type (%d %d).",
264	socksreq[`0`], socksreq[`1`]);
265	gss_release_name(&gss_status, &server);
266	gss_delete_sec_context(&gss_status, &gss_context, NULL);
267	return CURLE_COULDNT_CONNECT;
268	}
269
270	memcpy(&us_length, socksreq + `2`, sizeof(short));
271	us_length = ntohs(us_length);
272
273	gss_recv_token.length = us_length;
274	gss_recv_token.value = malloc(us_length);
275	if(!gss_recv_token.value) {
276	failf(data,
277	"Could not allocate memory for GSS-API authentication "
278	"response token.");
279	gss_release_name(&gss_status, &server);
280	gss_delete_sec_context(&gss_status, &gss_context, NULL);
281	return CURLE_OUT_OF_MEMORY;
282	}
283
284	result = Curl_blockread_all(data, sock, (char *)gss_recv_token.value,
285	gss_recv_token.length, &actualread);
286
287	if(result \|\| (actualread != us_length)) {
288	failf(data, "Failed to receive GSS-API authentication token.");
289	gss_release_name(&gss_status, &server);
290	gss_release_buffer(&gss_status, &gss_recv_token);
291	gss_delete_sec_context(&gss_status, &gss_context, NULL);
292	return CURLE_COULDNT_CONNECT;
293	}
294
295	gss_token = &gss_recv_token;
296	}
297
298	gss_release_name(&gss_status, &server);
299
300	/ Everything is good so far, user was authenticated! /
301	gss_major_status = gss_inquire_context(&gss_minor_status, gss_context,
302	&gss_client_name, NULL, NULL, NULL,
303	NULL, NULL, NULL);
304	if(check_gss_err(data, gss_major_status,
305	gss_minor_status, "gss_inquire_context")) {
306	gss_delete_sec_context(&gss_status, &gss_context, NULL);
307	gss_release_name(&gss_status, &gss_client_name);
308	failf(data, "Failed to determine user name.");
309	return CURLE_COULDNT_CONNECT;
310	}
311	gss_major_status = gss_display_name(&gss_minor_status, gss_client_name,
312	&gss_send_token, NULL);
313	if(check_gss_err(data, gss_major_status,
314	gss_minor_status, "gss_display_name")) {
315	gss_delete_sec_context(&gss_status, &gss_context, NULL);
316	gss_release_name(&gss_status, &gss_client_name);
317	gss_release_buffer(&gss_status, &gss_send_token);
318	failf(data, "Failed to determine user name.");
319	return CURLE_COULDNT_CONNECT;
320	}
321	user = malloc(gss_send_token.length + `1`);
322	if(!user) {
323	gss_delete_sec_context(&gss_status, &gss_context, NULL);
324	gss_release_name(&gss_status, &gss_client_name);
325	gss_release_buffer(&gss_status, &gss_send_token);
326	return CURLE_OUT_OF_MEMORY;
327	}
328
329	memcpy(user, gss_send_token.value, gss_send_token.length);
330	user[gss_send_token.length] = `'\0'`;
331	gss_release_name(&gss_status, &gss_client_name);
332	gss_release_buffer(&gss_status, &gss_send_token);
333	infof(data, "SOCKS5 server authenticated user %s with GSS-API.",user);
334	free(user);
335	user = NULL;
336
337	/ Do encryption /
338	socksreq[`0`] = `1`; / GSS-API subnegotiation version /
339	socksreq[`1`] = `2`; / encryption message type /
340
341	gss_enc = `0`; / no data protection /
342	/ do confidentiality protection if supported /
343	if(gss_ret_flags & GSS_C_CONF_FLAG)
344	gss_enc = `2`;
345	/ else do integrity protection /
346	else if(gss_ret_flags & GSS_C_INTEG_FLAG)
347	gss_enc = `1`;
348
349	infof(data, "SOCKS5 server supports GSS-API %s data protection.",
350	(gss_enc == `0`)?"no":((gss_enc==`1`)?"integrity":"confidentiality"));
351	/ force for the moment to no data protection /
352	gss_enc = `0`;
353	/*
354	* Sending the encryption type in clear seems wrong. It should be
355	* protected with gss_seal()/gss_wrap(). See RFC1961 extract below
356	* The NEC reference implementations on which this is based is
357	* therefore at fault
358	*
359	* +------+------+------+.......................+
360	* + ver \| mtyp \| len \| token \|
361	* +------+------+------+.......................+
362	* + 0x01 \| 0x02 \| 0x02 \| up to 2^16 - 1 octets \|
363	* +------+------+------+.......................+
364	*
365	* Where:
366	*
367	* - "ver" is the protocol version number, here 1 to represent the
368	* first version of the SOCKS/GSS-API protocol
369	*
370	* - "mtyp" is the message type, here 2 to represent a protection
371	* -level negotiation message
372	*
373	* - "len" is the length of the "token" field in octets
374	*
375	* - "token" is the GSS-API encapsulated protection level
376	*
377	* The token is produced by encapsulating an octet containing the
378	* required protection level using gss_seal()/gss_wrap() with conf_req
379	* set to FALSE. The token is verified using gss_unseal()/
380	* gss_unwrap().
381	*
382	*/
383	if(data->set.socks5_gssapi_nec) {
384	us_length = htons((short)`1`);
385	memcpy(socksreq + `2`, &us_length, sizeof(short));
386	}
387	else {
388	gss_send_token.length = `1`;
389	gss_send_token.value = malloc(`1`);
390	if(!gss_send_token.value) {
391	gss_delete_sec_context(&gss_status, &gss_context, NULL);
392	return CURLE_OUT_OF_MEMORY;
393	}
394	memcpy(gss_send_token.value, &gss_enc, `1`);
395
396	gss_major_status = gss_wrap(&gss_minor_status, gss_context, `0`,
397	GSS_C_QOP_DEFAULT, &gss_send_token,
398	&gss_conf_state, &gss_w_token);
399
400	if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) {
401	gss_release_buffer(&gss_status, &gss_send_token);
402	gss_release_buffer(&gss_status, &gss_w_token);
403	gss_delete_sec_context(&gss_status, &gss_context, NULL);
404	failf(data, "Failed to wrap GSS-API encryption value into token.");
405	return CURLE_COULDNT_CONNECT;
406	}
407	gss_release_buffer(&gss_status, &gss_send_token);
408
409	us_length = htons((short)gss_w_token.length);
410	memcpy(socksreq + `2`, &us_length, sizeof(short));
411	}
412
413	code = Curl_write_plain(data, sock, (char *)socksreq, `4`, &written);
414	if(code \|\| (`4` != written)) {
415	failf(data, "Failed to send GSS-API encryption request.");
416	gss_release_buffer(&gss_status, &gss_w_token);
417	gss_delete_sec_context(&gss_status, &gss_context, NULL);
418	return CURLE_COULDNT_CONNECT;
419	}
420
421	if(data->set.socks5_gssapi_nec) {
422	memcpy(socksreq, &gss_enc, `1`);
423	code = Curl_write_plain(data, sock, socksreq, `1`, &written);
424	if(code \|\| ( `1` != written)) {
425	failf(data, "Failed to send GSS-API encryption type.");
426	gss_delete_sec_context(&gss_status, &gss_context, NULL);
427	return CURLE_COULDNT_CONNECT;
428	}
429	}
430	else {
431	code = Curl_write_plain(data, sock, (char *)gss_w_token.value,
432	gss_w_token.length, &written);
433	if(code \|\| ((ssize_t)gss_w_token.length != written)) {
434	failf(data, "Failed to send GSS-API encryption type.");
435	gss_release_buffer(&gss_status, &gss_w_token);
436	gss_delete_sec_context(&gss_status, &gss_context, NULL);
437	return CURLE_COULDNT_CONNECT;
438	}
439	gss_release_buffer(&gss_status, &gss_w_token);
440	}
441
442	result = Curl_blockread_all(data, sock, (char *)socksreq, `4`, &actualread);
443	if(result \|\| (actualread != `4`)) {
444	failf(data, "Failed to receive GSS-API encryption response.");
445	gss_delete_sec_context(&gss_status, &gss_context, NULL);
446	return CURLE_COULDNT_CONNECT;
447	}
448
449	/ ignore the first (VER) byte /
450	if(socksreq[`1`] == `255`) { / status / message type /
451	failf(data, "User was rejected by the SOCKS5 server (%d %d).",
452	socksreq[`0`], socksreq[`1`]);
453	gss_delete_sec_context(&gss_status, &gss_context, NULL);
454	return CURLE_COULDNT_CONNECT;
455	}
456
457	if(socksreq[`1`] != `2`) { / status / message type /
458	failf(data, "Invalid GSS-API encryption response type (%d %d).",
459	socksreq[`0`], socksreq[`1`]);
460	gss_delete_sec_context(&gss_status, &gss_context, NULL);
461	return CURLE_COULDNT_CONNECT;
462	}
463
464	memcpy(&us_length, socksreq + `2`, sizeof(short));
465	us_length = ntohs(us_length);
466
467	gss_recv_token.length = us_length;
468	gss_recv_token.value = malloc(gss_recv_token.length);
469	if(!gss_recv_token.value) {
470	gss_delete_sec_context(&gss_status, &gss_context, NULL);
471	return CURLE_OUT_OF_MEMORY;
472	}
473	result = Curl_blockread_all(data, sock, (char *)gss_recv_token.value,
474	gss_recv_token.length, &actualread);
475
476	if(result \|\| (actualread != us_length)) {
477	failf(data, "Failed to receive GSS-API encryptrion type.");
478	gss_release_buffer(&gss_status, &gss_recv_token);
479	gss_delete_sec_context(&gss_status, &gss_context, NULL);
480	return CURLE_COULDNT_CONNECT;
481	}
482
483	if(!data->set.socks5_gssapi_nec) {
484	gss_major_status = gss_unwrap(&gss_minor_status, gss_context,
485	&gss_recv_token, &gss_w_token,
486	`0`, GSS_C_QOP_DEFAULT);
487
488	if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) {
489	gss_release_buffer(&gss_status, &gss_recv_token);
490	gss_release_buffer(&gss_status, &gss_w_token);
491	gss_delete_sec_context(&gss_status, &gss_context, NULL);
492	failf(data, "Failed to unwrap GSS-API encryption value into token.");
493	return CURLE_COULDNT_CONNECT;
494	}
495	gss_release_buffer(&gss_status, &gss_recv_token);
496
497	if(gss_w_token.length != `1`) {
498	failf(data, "Invalid GSS-API encryption response length (%zu).",
499	gss_w_token.length);
500	gss_release_buffer(&gss_status, &gss_w_token);
501	gss_delete_sec_context(&gss_status, &gss_context, NULL);
502	return CURLE_COULDNT_CONNECT;
503	}
504
505	memcpy(socksreq, gss_w_token.value, gss_w_token.length);
506	gss_release_buffer(&gss_status, &gss_w_token);
507	}
508	else {
509	if(gss_recv_token.length != `1`) {
510	failf(data, "Invalid GSS-API encryption response length (%zu).",
511	gss_recv_token.length);
512	gss_release_buffer(&gss_status, &gss_recv_token);
513	gss_delete_sec_context(&gss_status, &gss_context, NULL);
514	return CURLE_COULDNT_CONNECT;
515	}
516
517	memcpy(socksreq, gss_recv_token.value, gss_recv_token.length);
518	gss_release_buffer(&gss_status, &gss_recv_token);
519	}
520
521	(void)curlx_nonblock(sock, TRUE);
522
523	infof(data, "SOCKS5 access with%s protection granted.",
524	(socksreq[`0`] == `0`)?"out GSS-API data":
525	((socksreq[`0`] == `1`)?" GSS-API integrity":" GSS-API confidentiality"));
526
527	conn->socks5_gssapi_enctype = socksreq[`0`];
528	if(socksreq[`0`] == `0`)
529	gss_delete_sec_context(&gss_status, &gss_context, NULL);
530
531	return CURLE_OK;
532	}
533
534	#endif /* HAVE_GSSAPI && !CURL_DISABLE_PROXY */
535

Browse the source code of tensorflow/external/curl/lib/socks_gssapi.c