Merge branch 'upstream-curl' into update-curl

* upstream-curl:
  curl 2021-05-26 (6b951a69)

1 files changed, 32 insertions, 83 deletions

diff --git a/Utilities/cmcurl/lib/vauth/krb5_sspi.c b/Utilities/cmcurl/lib/vauth/krb5_sspi.c
index b2d1635..e110644 100644
--- a/Utilities/cmcurl/lib/vauth/krb5_sspi.c
+++ b/Utilities/cmcurl/lib/vauth/krb5_sspi.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2014 - 2020, Steve Holme, <steve_holme@hotmail.com>.
+ * Copyright (C) 2014 - 2021, Steve Holme, <steve_holme@hotmail.com>.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -30,7 +30,6 @@
 
 #include "vauth/vauth.h"
 #include "urldata.h"
-#include "curl_base64.h"
 #include "warnless.h"
 #include "curl_multibyte.h"
 #include "sendf.h"
@@ -81,11 +80,9 @@ bool Curl_auth_is_gssapi_supported(void)
  * host        [in]     - The host name.
  * mutual_auth [in]     - Flag specifying whether or not mutual authentication
  *                        is enabled.
- * chlg64      [in]     - The optional base64 encoded challenge message.
+ * chlg        [in]     - Optional challenge message.
  * krb5        [in/out] - The Kerberos 5 data struct being used and modified.
- * outptr      [in/out] - The address where a pointer to newly allocated memory
- *                        holding the result will be stored upon completion.
- * outlen      [out]    - The length of the output message.
+ * out         [out]    - The result storage.
  *
  * Returns CURLE_OK on success.
  */
@@ -95,13 +92,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
                                               const char *service,
                                               const char *host,
                                               const bool mutual_auth,
-                                              const char *chlg64,
+                                              const struct bufref *chlg,
                                               struct kerberos5data *krb5,
-                                              char **outptr, size_t *outlen)
+                                              struct bufref *out)
 {
   CURLcode result = CURLE_OK;
-  size_t chlglen = 0;
-  unsigned char *chlg = NULL;
   CtxtHandle context;
   PSecPkgInfo SecurityPackage;
   SecBuffer chlg_buf;
@@ -176,18 +171,9 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
       return CURLE_OUT_OF_MEMORY;
   }
 
-  if(chlg64 && *chlg64) {
-    /* Decode the base-64 encoded challenge message */
-    if(*chlg64 != '=') {
-      result = Curl_base64_decode(chlg64, &chlg, &chlglen);
-      if(result)
-        return result;
-    }
-
-    /* Ensure we have a valid challenge message */
-    if(!chlg) {
+  if(chlg) {
+    if(!Curl_bufref_len(chlg)) {
       infof(data, "GSSAPI handshake failure (empty challenge message)\n");
-
       return CURLE_BAD_CONTENT_ENCODING;
     }
 
@@ -196,8 +182,8 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
     chlg_desc.cBuffers  = 1;
     chlg_desc.pBuffers  = &chlg_buf;
     chlg_buf.BufferType = SECBUFFER_TOKEN;
-    chlg_buf.pvBuffer   = chlg;
-    chlg_buf.cbBuffer   = curlx_uztoul(chlglen);
+    chlg_buf.pvBuffer   = (void *) Curl_bufref_ptr(chlg);
+    chlg_buf.cbBuffer   = curlx_uztoul(Curl_bufref_len(chlg));
   }
 
   /* Setup the response "output" security buffer */
@@ -220,16 +206,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
                                                &resp_desc, &attrs,
                                                &expiry);
 
-  /* Free the decoded challenge as it is not required anymore */
-  free(chlg);
-
-  if(status == SEC_E_INSUFFICIENT_MEMORY) {
+  if(status == SEC_E_INSUFFICIENT_MEMORY)
     return CURLE_OUT_OF_MEMORY;
-  }
 
-  if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
+  if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
     return CURLE_AUTH_ERROR;
-  }
 
   if(memcmp(&context, krb5->context, sizeof(context))) {
     s_pSecFn->DeleteSecurityContext(krb5->context);
@@ -238,15 +219,12 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
   }
 
   if(resp_buf.cbBuffer) {
-    /* Base64 encode the response */
-    result = Curl_base64_encode(data, (char *) resp_buf.pvBuffer,
-                                resp_buf.cbBuffer, outptr, outlen);
-  }
-  else if(mutual_auth) {
-    *outptr = strdup("");
-    if(!*outptr)
-      result = CURLE_OUT_OF_MEMORY;
+    result = Curl_bufref_memdup(out, resp_buf.pvBuffer, resp_buf.cbBuffer);
   }
+  else if(mutual_auth)
+    Curl_bufref_set(out, "", 0, NULL);
+  else
+    Curl_bufref_set(out, NULL, 0, NULL);
 
   return result;
 }
@@ -260,26 +238,20 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
  * Parameters:
  *
  * data    [in]     - The session handle.
- * chlg64  [in]     - The optional base64 encoded challenge message.
+ * chlg     [in]     - The optional challenge message.
  * krb5    [in/out] - The Kerberos 5 data struct being used and modified.
- * outptr  [in/out] - The address where a pointer to newly allocated memory
- *                    holding the result will be stored upon completion.
- * outlen  [out]    - The length of the output message.
+ * out     [out]    - The result storage.
  *
  * Returns CURLE_OK on success.
  */
 CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
-                                                  const char *chlg64,
+                                                  const struct bufref *chlg,
                                                   struct kerberos5data *krb5,
-                                                  char **outptr,
-                                                  size_t *outlen)
+                                                  struct bufref *out)
 {
-  CURLcode result = CURLE_OK;
   size_t offset = 0;
-  size_t chlglen = 0;
   size_t messagelen = 0;
   size_t appdatalen = 0;
-  unsigned char *chlg = NULL;
   unsigned char *trailer = NULL;
   unsigned char *message = NULL;
   unsigned char *padding = NULL;
@@ -298,17 +270,9 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   SECURITY_STATUS status;
   char *user_name;
 
-  /* Decode the base-64 encoded input message */
-  if(strlen(chlg64) && *chlg64 != '=') {
-    result = Curl_base64_decode(chlg64, &chlg, &chlglen);
-    if(result)
-      return result;
-  }
-
   /* Ensure we have a valid challenge message */
-  if(!chlg) {
+  if(!Curl_bufref_len(chlg)) {
     infof(data, "GSSAPI handshake failure (empty security message)\n");
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
@@ -316,35 +280,31 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   status = s_pSecFn->QueryContextAttributes(krb5->context,
                                             SECPKG_ATTR_SIZES,
                                             &sizes);
-  if(status != SEC_E_OK) {
-    free(chlg);
 
-    if(status == SEC_E_INSUFFICIENT_MEMORY)
-      return CURLE_OUT_OF_MEMORY;
+  if(status == SEC_E_INSUFFICIENT_MEMORY)
+    return CURLE_OUT_OF_MEMORY;
 
+  if(status != SEC_E_OK)
     return CURLE_AUTH_ERROR;
-  }
 
   /* Get the fully qualified username back from the context */
   status = s_pSecFn->QueryCredentialsAttributes(krb5->credentials,
                                                 SECPKG_CRED_ATTR_NAMES,
                                                 &names);
-  if(status != SEC_E_OK) {
-    free(chlg);
 
-    if(status == SEC_E_INSUFFICIENT_MEMORY)
-      return CURLE_OUT_OF_MEMORY;
+  if(status == SEC_E_INSUFFICIENT_MEMORY)
+    return CURLE_OUT_OF_MEMORY;
 
+  if(status != SEC_E_OK)
     return CURLE_AUTH_ERROR;
-  }
 
   /* Setup the "input" security buffer */
   input_desc.ulVersion = SECBUFFER_VERSION;
   input_desc.cBuffers = 2;
   input_desc.pBuffers = input_buf;
   input_buf[0].BufferType = SECBUFFER_STREAM;
-  input_buf[0].pvBuffer = chlg;
-  input_buf[0].cbBuffer = curlx_uztoul(chlglen);
+  input_buf[0].pvBuffer = (void *) Curl_bufref_ptr(chlg);
+  input_buf[0].cbBuffer = curlx_uztoul(Curl_bufref_len(chlg));
   input_buf[1].BufferType = SECBUFFER_DATA;
   input_buf[1].pvBuffer = NULL;
   input_buf[1].cbBuffer = 0;
@@ -353,31 +313,23 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   status = s_pSecFn->DecryptMessage(krb5->context, &input_desc, 0, &qop);
   if(status != SEC_E_OK) {
     infof(data, "GSSAPI handshake failure (empty security message)\n");
-
-    free(chlg);
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
   /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
   if(input_buf[1].cbBuffer != 4) {
     infof(data, "GSSAPI handshake failure (invalid security data)\n");
-
-    free(chlg);
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
   /* Copy the data out and free the challenge as it is not required anymore */
   memcpy(&indata, input_buf[1].pvBuffer, 4);
   s_pSecFn->FreeContextBuffer(input_buf[1].pvBuffer);
-  free(chlg);
 
   /* Extract the security layer */
   sec_layer = indata & 0x000000FF;
   if(!(sec_layer & KERB_WRAP_NO_ENCRYPT)) {
     infof(data, "GSSAPI handshake failure (invalid security layer)\n");
-
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
@@ -479,17 +431,14 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   offset += wrap_buf[1].cbBuffer;
   memcpy(appdata + offset, wrap_buf[2].pvBuffer, wrap_buf[2].cbBuffer);
 
-  /* Base64 encode the response */
-  result = Curl_base64_encode(data, (char *) appdata, appdatalen, outptr,
-                              outlen);
-
   /* Free all of our local buffers */
-  free(appdata);
   free(padding);
   free(message);
   free(trailer);
 
-  return result;
+  /* Return the response. */
+  Curl_bufref_set(out, appdata, appdatalen, curl_free);
+  return CURLE_OK;
 }
 
 /*