krb5.c@ 97138

最後變更在這個檔案從97138是 95312,由 vboxsync 提交於 3 年前
libs/{curl,libxml2}: OSE export fixes, bugref:8515
屬性 svn:eol-style 設為 `native`
檔案大小: 23.1 KB

行
1	/* GSSAPI/krb5 support for FTP - loosely based on old krb4.c
2	*
3	* Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
4	* (Royal Institute of Technology, Stockholm, Sweden).
5	* Copyright (c) 2004 - 2022 Daniel Stenberg
6	* All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in the
17	* documentation and/or other materials provided with the distribution.
18	*
19	* 3. Neither the name of the Institute nor the names of its contributors
20	* may be used to endorse or promote products derived from this software
21	* without specific prior written permission.
22	*
23	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33	* SUCH DAMAGE. */
34
35	#include "curl_setup.h"
36
37	#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP)
38
39	#ifdef HAVE_NETDB_H
40	#include <netdb.h>
41	#endif
42
43	#include "urldata.h"
44	#include "curl_base64.h"
45	#include "ftp.h"
46	#include "curl_gssapi.h"
47	#include "sendf.h"
48	#include "curl_krb5.h"
49	#include "warnless.h"
50	#include "strcase.h"
51	#include "strdup.h"
52
53	/* The last 3 #include files should be in this order */
54	#include "curl_printf.h"
55	#include "curl_memory.h"
56	#include "memdebug.h"
57
58	static CURLcode ftpsend(struct Curl_easy data, struct connectdata conn,
59	const char *cmd)
60	{
61	ssize_t bytes_written;
62	#define SBUF_SIZE 1024
63	char s[SBUF_SIZE];
64	size_t write_len;
65	char *sptr = s;
66	CURLcode result = CURLE_OK;
67	#ifdef HAVE_GSSAPI
68	enum protection_level data_sec = conn->data_prot;
69	#endif
70
71	if(!cmd)
72	return CURLE_BAD_FUNCTION_ARGUMENT;
73
74	write_len = strlen(cmd);
75	if(!write_len \|\| write_len > (sizeof(s) -3))
76	return CURLE_BAD_FUNCTION_ARGUMENT;
77
78	memcpy(&s, cmd, write_len);
79	strcpy(&s[write_len], "\r\n"); /* append a trailing CRLF */
80	write_len += 2;
81	bytes_written = 0;
82
83	for(;;) {
84	#ifdef HAVE_GSSAPI
85	conn->data_prot = PROT_CMD;
86	#endif
87	result = Curl_write(data, conn->sock[FIRSTSOCKET], sptr, write_len,
88	&bytes_written);
89	#ifdef HAVE_GSSAPI
90	DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST);
91	conn->data_prot = data_sec;
92	#endif
93
94	if(result)
95	break;
96
97	Curl_debug(data, CURLINFO_HEADER_OUT, sptr, (size_t)bytes_written);
98
99	if(bytes_written != (ssize_t)write_len) {
100	write_len -= bytes_written;
101	sptr += bytes_written;
102	}
103	else
104	break;
105	}
106
107	return result;
108	}
109
110	static int
111	krb5_init(void *app_data)
112	{
113	gss_ctx_id_t *context = app_data;
114	/* Make sure our context is initialized for krb5_end. */
115	*context = GSS_C_NO_CONTEXT;
116	return 0;
117	}
118
119	static int
120	krb5_check_prot(void *app_data, int level)
121	{
122	(void)app_data; /* unused */
123	if(level == PROT_CONFIDENTIAL)
124	return -1;
125	return 0;
126	}
127
128	static int
129	krb5_decode(void app_data, void buf, int len,
130	int level UNUSED_PARAM,
131	struct connectdata *conn UNUSED_PARAM)
132	{
133	gss_ctx_id_t *context = app_data;
134	OM_uint32 maj, min;
135	gss_buffer_desc enc, dec;
136
137	(void)level;
138	(void)conn;
139
140	enc.value = buf;
141	enc.length = len;
142	maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
143	if(maj != GSS_S_COMPLETE) {
144	if(len >= 4)
145	strcpy(buf, "599 ");
146	return -1;
147	}
148
149	memcpy(buf, dec.value, dec.length);
150	len = curlx_uztosi(dec.length);
151	gss_release_buffer(&min, &dec);
152
153	return len;
154	}
155
156	static int
157	krb5_encode(void app_data, const void from, int length, int level, void **to)
158	{
159	gss_ctx_id_t *context = app_data;
160	gss_buffer_desc dec, enc;
161	OM_uint32 maj, min;
162	int state;
163	int len;
164
165	/* NOTE that the cast is safe, neither of the krb5, gnu gss and heimdal
166	* libraries modify the input buffer in gss_wrap()
167	*/
168	dec.value = (void *)from;
169	dec.length = length;
170	maj = gss_wrap(&min, *context,
171	level == PROT_PRIVATE,
172	GSS_C_QOP_DEFAULT,
173	&dec, &state, &enc);
174
175	if(maj != GSS_S_COMPLETE)
176	return -1;
177
178	/* malloc a new buffer, in case gss_release_buffer doesn't work as
179	expected */
180	*to = malloc(enc.length);
181	if(!*to)
182	return -1;
183	memcpy(*to, enc.value, enc.length);
184	len = curlx_uztosi(enc.length);
185	gss_release_buffer(&min, &enc);
186	return len;
187	}
188
189	static int
190	krb5_auth(void app_data, struct Curl_easy data, struct connectdata *conn)
191	{
192	int ret = AUTH_OK;
193	char *p;
194	const char *host = conn->host.name;
195	ssize_t nread;
196	curl_socklen_t l = sizeof(conn->local_addr);
197	CURLcode result;
198	const char *service = data->set.str[STRING_SERVICE_NAME] ?
199	data->set.str[STRING_SERVICE_NAME] :
200	"ftp";
201	const char *srv_host = "host";
202	gss_buffer_desc input_buffer, output_buffer, _gssresp, *gssresp;
203	OM_uint32 maj, min;
204	gss_name_t gssname;
205	gss_ctx_id_t *context = app_data;
206	struct gss_channel_bindings_struct chan;
207	size_t base64_sz = 0;
208	struct sockaddr_in **remote_addr =
209	(struct sockaddr_in **)&conn->ip_addr->ai_addr;
210	char *stringp;
211
212	if(getsockname(conn->sock[FIRSTSOCKET],
213	(struct sockaddr *)&conn->local_addr, &l) < 0)
214	perror("getsockname()");
215
216	chan.initiator_addrtype = GSS_C_AF_INET;
217	chan.initiator_address.length = l - 4;
218	chan.initiator_address.value = &conn->local_addr.sin_addr.s_addr;
219	chan.acceptor_addrtype = GSS_C_AF_INET;
220	chan.acceptor_address.length = l - 4;
221	chan.acceptor_address.value = &(*remote_addr)->sin_addr.s_addr;
222	chan.application_data.length = 0;
223	chan.application_data.value = NULL;
224
225	/* this loop will execute twice (once for service, once for host) */
226	for(;;) {
227	/* this really shouldn't be repeated here, but can't help it */
228	if(service == srv_host) {
229	result = ftpsend(data, conn, "AUTH GSSAPI");
230	if(result)
231	return -2;
232
233	if(Curl_GetFTPResponse(data, &nread, NULL))
234	return -1;
235
236	if(data->state.buffer[0] != '3')
237	return -1;
238	}
239
240	stringp = aprintf("%s@%s", service, host);
241	if(!stringp)
242	return -2;
243
244	input_buffer.value = stringp;
245	input_buffer.length = strlen(stringp);
246	maj = gss_import_name(&min, &input_buffer, GSS_C_NT_HOSTBASED_SERVICE,
247	&gssname);
248	free(stringp);
249	if(maj != GSS_S_COMPLETE) {
250	gss_release_name(&min, &gssname);
251	if(service == srv_host) {
252	failf(data, "Error importing service name %s@%s", service, host);
253	return AUTH_ERROR;
254	}
255	service = srv_host;
256	continue;
257	}
258	/* We pass NULL as \|output_name_type\| to avoid a leak. */
259	gss_display_name(&min, gssname, &output_buffer, NULL);
260	infof(data, "Trying against %s", output_buffer.value);
261	gssresp = GSS_C_NO_BUFFER;
262	*context = GSS_C_NO_CONTEXT;
263
264	do {
265	/* Release the buffer at each iteration to avoid leaking: the first time
266	we are releasing the memory from gss_display_name. The last item is
267	taken care by a final gss_release_buffer. */
268	gss_release_buffer(&min, &output_buffer);
269	ret = AUTH_OK;
270	maj = Curl_gss_init_sec_context(data,
271	&min,
272	context,
273	gssname,
274	&Curl_krb5_mech_oid,
275	&chan,
276	gssresp,
277	&output_buffer,
278	TRUE,
279	NULL);
280
281	if(gssresp) {
282	free(_gssresp.value);
283	gssresp = NULL;
284	}
285
286	if(GSS_ERROR(maj)) {
287	infof(data, "Error creating security context");
288	ret = AUTH_ERROR;
289	break;
290	}
291
292	if(output_buffer.length) {
293	char *cmd;
294
295	result = Curl_base64_encode((char *)output_buffer.value,
296	output_buffer.length, &p, &base64_sz);
297	if(result) {
298	infof(data, "base64-encoding: %s", curl_easy_strerror(result));
299	ret = AUTH_ERROR;
300	break;
301	}
302
303	cmd = aprintf("ADAT %s", p);
304	if(cmd)
305	result = ftpsend(data, conn, cmd);
306	else
307	result = CURLE_OUT_OF_MEMORY;
308
309	free(p);
310	free(cmd);
311
312	if(result) {
313	ret = -2;
314	break;
315	}
316
317	if(Curl_GetFTPResponse(data, &nread, NULL)) {
318	ret = -1;
319	break;
320	}
321
322	if(data->state.buffer[0] != '2' && data->state.buffer[0] != '3') {
323	infof(data, "Server didn't accept auth data");
324	ret = AUTH_ERROR;
325	break;
326	}
327
328	_gssresp.value = NULL; /* make sure it is initialized */
329	p = data->state.buffer + 4;
330	p = strstr(p, "ADAT=");
331	if(p) {
332	result = Curl_base64_decode(p + 5,
333	(unsigned char **)&_gssresp.value,
334	&_gssresp.length);
335	if(result) {
336	failf(data, "base64-decoding: %s", curl_easy_strerror(result));
337	ret = AUTH_CONTINUE;
338	break;
339	}
340	}
341
342	gssresp = &_gssresp;
343	}
344	} while(maj == GSS_S_CONTINUE_NEEDED);
345
346	gss_release_name(&min, &gssname);
347	gss_release_buffer(&min, &output_buffer);
348
349	if(gssresp)
350	free(_gssresp.value);
351
352	if(ret == AUTH_OK \|\| service == srv_host)
353	return ret;
354
355	service = srv_host;
356	}
357	return ret;
358	}
359
360	static void krb5_end(void *app_data)
361	{
362	OM_uint32 min;
363	gss_ctx_id_t *context = app_data;
364	if(*context != GSS_C_NO_CONTEXT) {
365	OM_uint32 maj = gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER);
366	(void)maj;
367	DEBUGASSERT(maj == GSS_S_COMPLETE);
368	}
369	}
370
371	static const struct Curl_sec_client_mech Curl_krb5_client_mech = {
372	"GSSAPI",
373	sizeof(gss_ctx_id_t),
374	krb5_init,
375	krb5_auth,
376	krb5_end,
377	krb5_check_prot,
378
379	krb5_encode,
380	krb5_decode
381	};
382
383	static const struct {
384	enum protection_level level;
385	const char *name;
386	} level_names[] = {
387	{ PROT_CLEAR, "clear" },
388	{ PROT_SAFE, "safe" },
389	{ PROT_CONFIDENTIAL, "confidential" },
390	{ PROT_PRIVATE, "private" }
391	};
392
393	static enum protection_level
394	name_to_level(const char *name)
395	{
396	int i;
397	for(i = 0; i < (int)sizeof(level_names)/(int)sizeof(level_names[0]); i++)
398	if(curl_strequal(name, level_names[i].name))
399	return level_names[i].level;
400	return PROT_NONE;
401	}
402
403	/* Convert a protocol \|level\| to its char representation.
404	We take an int to catch programming mistakes. */
405	static char level_to_char(int level)
406	{
407	switch(level) {
408	case PROT_CLEAR:
409	return 'C';
410	case PROT_SAFE:
411	return 'S';
412	case PROT_CONFIDENTIAL:
413	return 'E';
414	case PROT_PRIVATE:
415	return 'P';
416	case PROT_CMD:
417	/* Fall through */
418	default:
419	/* Those 2 cases should not be reached! */
420	break;
421	}
422	DEBUGASSERT(0);
423	/* Default to the most secure alternative. */
424	return 'P';
425	}
426
427	/* Send an FTP command defined by \|message\| and the optional arguments. The
428	function returns the ftp_code. If an error occurs, -1 is returned. */
429	static int ftp_send_command(struct Curl_easy data, const char message, ...)
430	{
431	int ftp_code;
432	ssize_t nread = 0;
433	va_list args;
434	char print_buffer[50];
435
436	va_start(args, message);
437	mvsnprintf(print_buffer, sizeof(print_buffer), message, args);
438	va_end(args);
439
440	if(ftpsend(data, data->conn, print_buffer)) {
441	ftp_code = -1;
442	}
443	else {
444	if(Curl_GetFTPResponse(data, &nread, &ftp_code))
445	ftp_code = -1;
446	}
447
448	(void)nread; /* Unused */
449	return ftp_code;
450	}
451
452	/* Read \|len\| from the socket \|fd\| and store it in \|to\|. Return a CURLcode
453	saying whether an error occurred or CURLE_OK if \|len\| was read. */
454	static CURLcode
455	socket_read(curl_socket_t fd, void *to, size_t len)
456	{
457	char *to_p = to;
458	CURLcode result;
459	ssize_t nread = 0;
460
461	while(len > 0) {
462	result = Curl_read_plain(fd, to_p, len, &nread);
463	if(!result) {
464	len -= nread;
465	to_p += nread;
466	}
467	else {
468	if(result == CURLE_AGAIN)
469	continue;
470	return result;
471	}
472	}
473	return CURLE_OK;
474	}
475
476
477	/* Write \|len\| bytes from the buffer \|to\| to the socket \|fd\|. Return a
478	CURLcode saying whether an error occurred or CURLE_OK if \|len\| was
479	written. */
480	static CURLcode
481	socket_write(struct Curl_easy data, curl_socket_t fd, const void to,
482	size_t len)
483	{
484	const char *to_p = to;
485	CURLcode result;
486	ssize_t written;
487
488	while(len > 0) {
489	result = Curl_write_plain(data, fd, to_p, len, &written);
490	if(!result) {
491	len -= written;
492	to_p += written;
493	}
494	else {
495	if(result == CURLE_AGAIN)
496	continue;
497	return result;
498	}
499	}
500	return CURLE_OK;
501	}
502
503	static CURLcode read_data(struct connectdata *conn,
504	curl_socket_t fd,
505	struct krb5buffer *buf)
506	{
507	int len;
508	CURLcode result;
509
510	result = socket_read(fd, &len, sizeof(len));
511	if(result)
512	return result;
513
514	if(len) {
515	/* only realloc if there was a length */
516	len = ntohl(len);
517	buf->data = Curl_saferealloc(buf->data, len);
518	}
519	if(!len \|\| !buf->data)
520	return CURLE_OUT_OF_MEMORY;
521
522	result = socket_read(fd, buf->data, len);
523	if(result)
524	return result;
525	buf->size = conn->mech->decode(conn->app_data, buf->data, len,
526	conn->data_prot, conn);
527	buf->index = 0;
528	return CURLE_OK;
529	}
530
531	static size_t
532	buffer_read(struct krb5buffer buf, void data, size_t len)
533	{
534	if(buf->size - buf->index < len)
535	len = buf->size - buf->index;
536	memcpy(data, (char *)buf->data + buf->index, len);
537	buf->index += len;
538	return len;
539	}
540
541	/* Matches Curl_recv signature */
542	static ssize_t sec_recv(struct Curl_easy *data, int sockindex,
543	char buffer, size_t len, CURLcode err)
544	{
545	size_t bytes_read;
546	size_t total_read = 0;
547	struct connectdata *conn = data->conn;
548	curl_socket_t fd = conn->sock[sockindex];
549
550	*err = CURLE_OK;
551
552	/* Handle clear text response. */
553	if(conn->sec_complete == 0 \|\| conn->data_prot == PROT_CLEAR)
554	return sread(fd, buffer, len);
555
556	if(conn->in_buffer.eof_flag) {
557	conn->in_buffer.eof_flag = 0;
558	return 0;
559	}
560
561	bytes_read = buffer_read(&conn->in_buffer, buffer, len);
562	len -= bytes_read;
563	total_read += bytes_read;
564	buffer += bytes_read;
565
566	while(len > 0) {
567	if(read_data(conn, fd, &conn->in_buffer))
568	return -1;
569	if(conn->in_buffer.size == 0) {
570	if(bytes_read > 0)
571	conn->in_buffer.eof_flag = 1;
572	return bytes_read;
573	}
574	bytes_read = buffer_read(&conn->in_buffer, buffer, len);
575	len -= bytes_read;
576	total_read += bytes_read;
577	buffer += bytes_read;
578	}
579	return total_read;
580	}
581
582	/* Send \|length\| bytes from \|from\| to the \|fd\| socket taking care of encoding
583	and negotiating with the server. \|from\| can be NULL. */
584	static void do_sec_send(struct Curl_easy data, struct connectdata conn,
585	curl_socket_t fd, const char *from, int length)
586	{
587	int bytes, htonl_bytes; /* 32-bit integers for htonl */
588	char *buffer = NULL;
589	char *cmd_buffer;
590	size_t cmd_size = 0;
591	CURLcode error;
592	enum protection_level prot_level = conn->data_prot;
593	bool iscmd = (prot_level == PROT_CMD)?TRUE:FALSE;
594
595	DEBUGASSERT(prot_level > PROT_NONE && prot_level < PROT_LAST);
596
597	if(iscmd) {
598	if(!strncmp(from, "PASS ", 5) \|\| !strncmp(from, "ACCT ", 5))
599	prot_level = PROT_PRIVATE;
600	else
601	prot_level = conn->command_prot;
602	}
603	bytes = conn->mech->encode(conn->app_data, from, length, prot_level,
604	(void **)&buffer);
605	if(!buffer \|\| bytes <= 0)
606	return; /* error */
607
608	if(iscmd) {
609	error = Curl_base64_encode(buffer, curlx_sitouz(bytes),
610	&cmd_buffer, &cmd_size);
611	if(error) {
612	free(buffer);
613	return; /* error */
614	}
615	if(cmd_size > 0) {
616	static const char *enc = "ENC ";
617	static const char *mic = "MIC ";
618	if(prot_level == PROT_PRIVATE)
619	socket_write(data, fd, enc, 4);
620	else
621	socket_write(data, fd, mic, 4);
622
623	socket_write(data, fd, cmd_buffer, cmd_size);
624	socket_write(data, fd, "\r\n", 2);
625	infof(data, "Send: %s%s", prot_level == PROT_PRIVATE?enc:mic,
626	cmd_buffer);
627	free(cmd_buffer);
628	}
629	}
630	else {
631	htonl_bytes = htonl(bytes);
632	socket_write(data, fd, &htonl_bytes, sizeof(htonl_bytes));
633	socket_write(data, fd, buffer, curlx_sitouz(bytes));
634	}
635	free(buffer);
636	}
637
638	static ssize_t sec_write(struct Curl_easy data, struct connectdata conn,
639	curl_socket_t fd, const char *buffer, size_t length)
640	{
641	ssize_t tx = 0, len = conn->buffer_size;
642
643	if(len <= 0)
644	len = length;
645	while(length) {
646	if(length < (size_t)len)
647	len = length;
648
649	do_sec_send(data, conn, fd, buffer, curlx_sztosi(len));
650	length -= len;
651	buffer += len;
652	tx += len;
653	}
654	return tx;
655	}
656
657	/* Matches Curl_send signature */
658	static ssize_t sec_send(struct Curl_easy *data, int sockindex,
659	const void buffer, size_t len, CURLcode err)
660	{
661	struct connectdata *conn = data->conn;
662	curl_socket_t fd = conn->sock[sockindex];
663	*err = CURLE_OK;
664	return sec_write(data, conn, fd, buffer, len);
665	}
666
667	int Curl_sec_read_msg(struct Curl_easy data, struct connectdata conn,
668	char *buffer, enum protection_level level)
669	{
670	/* decoded_len should be size_t or ssize_t but conn->mech->decode returns an
671	int */
672	int decoded_len;
673	char *buf;
674	int ret_code = 0;
675	size_t decoded_sz = 0;
676	CURLcode error;
677
678	(void) data;
679
680	if(!conn->mech)
681	/* not initialized, return error */
682	return -1;
683
684	DEBUGASSERT(level > PROT_NONE && level < PROT_LAST);
685
686	error = Curl_base64_decode(buffer + 4, (unsigned char **)&buf, &decoded_sz);
687	if(error \|\| decoded_sz == 0)
688	return -1;
689
690	if(decoded_sz > (size_t)INT_MAX) {
691	free(buf);
692	return -1;
693	}
694	decoded_len = curlx_uztosi(decoded_sz);
695
696	decoded_len = conn->mech->decode(conn->app_data, buf, decoded_len,
697	level, conn);
698	if(decoded_len <= 0) {
699	free(buf);
700	return -1;
701	}
702
703	{
704	buf[decoded_len] = '\n';
705	Curl_debug(data, CURLINFO_HEADER_IN, buf, decoded_len + 1);
706	}
707
708	buf[decoded_len] = '\0';
709	if(decoded_len <= 3)
710	/* suspiciously short */
711	return 0;
712
713	if(buf[3] != '-')
714	/* safe to ignore return code */
715	(void)sscanf(buf, "%d", &ret_code);
716
717	if(buf[decoded_len - 1] == '\n')
718	buf[decoded_len - 1] = '\0';
719	strcpy(buffer, buf);
720	free(buf);
721	return ret_code;
722	}
723
724	static int sec_set_protection_level(struct Curl_easy *data)
725	{
726	int code;
727	struct connectdata *conn = data->conn;
728	enum protection_level level = conn->request_data_prot;
729
730	DEBUGASSERT(level > PROT_NONE && level < PROT_LAST);
731
732	if(!conn->sec_complete) {
733	infof(data, "Trying to change the protection level after the"
734	" completion of the data exchange.");
735	return -1;
736	}
737
738	/* Bail out if we try to set up the same level */
739	if(conn->data_prot == level)
740	return 0;
741
742	if(level) {
743	char *pbsz;
744	unsigned int buffer_size = 1 << 20; /* 1048576 */
745
746	code = ftp_send_command(data, "PBSZ %u", buffer_size);
747	if(code < 0)
748	return -1;
749
750	if(code/100 != 2) {
751	failf(data, "Failed to set the protection's buffer size.");
752	return -1;
753	}
754	conn->buffer_size = buffer_size;
755
756	pbsz = strstr(data->state.buffer, "PBSZ=");
757	if(pbsz) {
758	/* ignore return code, use default value if it fails */
759	(void)sscanf(pbsz, "PBSZ=%u", &buffer_size);
760	if(buffer_size < conn->buffer_size)
761	conn->buffer_size = buffer_size;
762	}
763	}
764
765	/* Now try to negotiate the protection level. */
766	code = ftp_send_command(data, "PROT %c", level_to_char(level));
767
768	if(code < 0)
769	return -1;
770
771	if(code/100 != 2) {
772	failf(data, "Failed to set the protection level.");
773	return -1;
774	}
775
776	conn->data_prot = level;
777	if(level == PROT_PRIVATE)
778	conn->command_prot = level;
779
780	return 0;
781	}
782
783	int
784	Curl_sec_request_prot(struct connectdata conn, const char level)
785	{
786	enum protection_level l = name_to_level(level);
787	if(l == PROT_NONE)
788	return -1;
789	DEBUGASSERT(l > PROT_NONE && l < PROT_LAST);
790	conn->request_data_prot = l;
791	return 0;
792	}
793
794	static CURLcode choose_mech(struct Curl_easy data, struct connectdata conn)
795	{
796	int ret;
797	void *tmp_allocation;
798	const struct Curl_sec_client_mech *mech = &Curl_krb5_client_mech;
799
800	tmp_allocation = realloc(conn->app_data, mech->size);
801	if(!tmp_allocation) {
802	failf(data, "Failed realloc of size %zu", mech->size);
803	mech = NULL;
804	return CURLE_OUT_OF_MEMORY;
805	}
806	conn->app_data = tmp_allocation;
807
808	if(mech->init) {
809	ret = mech->init(conn->app_data);
810	if(ret) {
811	infof(data, "Failed initialization for %s. Skipping it.",
812	mech->name);
813	return CURLE_FAILED_INIT;
814	}
815	}
816
817	infof(data, "Trying mechanism %s...", mech->name);
818	ret = ftp_send_command(data, "AUTH %s", mech->name);
819	if(ret < 0)
820	return CURLE_COULDNT_CONNECT;
821
822	if(ret/100 != 3) {
823	switch(ret) {
824	case 504:
825	infof(data, "Mechanism %s is not supported by the server (server "
826	"returned ftp code: 504).", mech->name);
827	break;
828	case 534:
829	infof(data, "Mechanism %s was rejected by the server (server returned "
830	"ftp code: 534).", mech->name);
831	break;
832	default:
833	if(ret/100 == 5) {
834	infof(data, "server does not support the security extensions");
835	return CURLE_USE_SSL_FAILED;
836	}
837	break;
838	}
839	return CURLE_LOGIN_DENIED;
840	}
841
842	/* Authenticate */
843	ret = mech->auth(conn->app_data, data, conn);
844
845	if(ret != AUTH_CONTINUE) {
846	if(ret != AUTH_OK) {
847	/* Mechanism has dumped the error to stderr, don't error here. */
848	return CURLE_USE_SSL_FAILED;
849	}
850	DEBUGASSERT(ret == AUTH_OK);
851
852	conn->mech = mech;
853	conn->sec_complete = 1;
854	conn->recv[FIRSTSOCKET] = sec_recv;
855	conn->send[FIRSTSOCKET] = sec_send;
856	conn->recv[SECONDARYSOCKET] = sec_recv;
857	conn->send[SECONDARYSOCKET] = sec_send;
858	conn->command_prot = PROT_SAFE;
859	/* Set the requested protection level */
860	/* BLOCKING */
861	(void)sec_set_protection_level(data);
862	}
863
864	return CURLE_OK;
865	}
866
867	CURLcode
868	Curl_sec_login(struct Curl_easy data, struct connectdata conn)
869	{
870	return choose_mech(data, conn);
871	}
872
873
874	void
875	Curl_sec_end(struct connectdata *conn)
876	{
877	if(conn->mech && conn->mech->end)
878	conn->mech->end(conn->app_data);
879	free(conn->app_data);
880	conn->app_data = NULL;
881	if(conn->in_buffer.data) {
882	free(conn->in_buffer.data);
883	conn->in_buffer.data = NULL;
884	conn->in_buffer.size = 0;
885	conn->in_buffer.index = 0;
886	conn->in_buffer.eof_flag = 0;
887	}
888	conn->sec_complete = 0;
889	conn->data_prot = PROT_CLEAR;
890	conn->mech = NULL;
891	}
892
893	#endif /* HAVE_GSSAPI && !CURL_DISABLE_FTP */

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/curl-7.83.1/lib/krb5.c@ 97138

以其他格式下載: