/src/curl/lib/vauth/vauth.h
Line | Count | Source |
1 | | #ifndef HEADER_CURL_VAUTH_H |
2 | | #define HEADER_CURL_VAUTH_H |
3 | | /*************************************************************************** |
4 | | * _ _ ____ _ |
5 | | * Project ___| | | | _ \| | |
6 | | * / __| | | | |_) | | |
7 | | * | (__| |_| | _ <| |___ |
8 | | * \___|\___/|_| \_\_____| |
9 | | * |
10 | | * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. |
11 | | * |
12 | | * This software is licensed as described in the file COPYING, which |
13 | | * you should have received as part of this distribution. The terms |
14 | | * are also available at https://curl.se/docs/copyright.html. |
15 | | * |
16 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
17 | | * copies of the Software, and permit persons to whom the Software is |
18 | | * furnished to do so, under the terms of the COPYING file. |
19 | | * |
20 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
21 | | * KIND, either express or implied. |
22 | | * |
23 | | * SPDX-License-Identifier: curl |
24 | | * |
25 | | ***************************************************************************/ |
26 | | |
27 | | #include <curl/curl.h> |
28 | | |
29 | | #include "../bufref.h" |
30 | | #include "../curlx/dynbuf.h" |
31 | | |
32 | | struct Curl_easy; |
33 | | struct connectdata; |
34 | | |
35 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
36 | | struct digestdata; |
37 | | #endif |
38 | | |
39 | | #ifdef USE_NTLM |
40 | | struct ntlmdata; |
41 | | #endif |
42 | | |
43 | | #if (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) && defined(USE_SPNEGO) |
44 | | struct negotiatedata; |
45 | | #endif |
46 | | |
47 | | #ifdef USE_GSASL |
48 | | struct gsasldata; |
49 | | #endif |
50 | | |
51 | | #ifdef USE_WINDOWS_SSPI |
52 | | #include "../curl_sspi.h" |
53 | | #define GSS_ERROR(status) ((status) & 0x80000000) |
54 | | #endif |
55 | | |
56 | | /* |
57 | | * Curl_auth_allowed_to_host() tells if authentication, cookies or other |
58 | | * "sensitive data" can (still) be sent to this host. |
59 | | */ |
60 | | bool Curl_auth_allowed_to_host(struct Curl_easy *data); |
61 | | |
62 | | /* This is used to build an SPN string */ |
63 | | #ifndef USE_WINDOWS_SSPI |
64 | | char *Curl_auth_build_spn(const char *service, const char *host, |
65 | | const char *realm); |
66 | | #else |
67 | | TCHAR *Curl_auth_build_spn(const char *service, const char *host, |
68 | | const char *realm); |
69 | | #endif |
70 | | |
71 | | /* This is used to test if the user contains a Windows domain name */ |
72 | | bool Curl_auth_user_contains_domain(const char *user); |
73 | | |
74 | | /* This is used to generate a PLAIN cleartext message */ |
75 | | CURLcode Curl_auth_create_plain_message(const char *authzid, |
76 | | const char *authcid, |
77 | | const char *passwd, |
78 | | struct bufref *out); |
79 | | |
80 | | /* This is used to generate a LOGIN cleartext message */ |
81 | | void Curl_auth_create_login_message(const char *value, struct bufref *out); |
82 | | |
83 | | /* This is used to generate an EXTERNAL cleartext message */ |
84 | | void Curl_auth_create_external_message(const char *user, struct bufref *out); |
85 | | |
86 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
87 | | /* This is used to generate a CRAM-MD5 response message */ |
88 | | CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg, |
89 | | const char *userp, |
90 | | const char *passwdp, |
91 | | struct bufref *out); |
92 | | |
93 | | /* This is used to evaluate if DIGEST is supported */ |
94 | | bool Curl_auth_is_digest_supported(void); |
95 | | |
96 | | /* This is used to generate a base64 encoded DIGEST-MD5 response message */ |
97 | | CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, |
98 | | const struct bufref *chlg, |
99 | | const char *userp, |
100 | | const char *passwdp, |
101 | | const char *service, |
102 | | struct bufref *out); |
103 | | |
104 | | /* This is used to decode an HTTP DIGEST challenge message */ |
105 | | CURLcode Curl_auth_decode_digest_http_message(const char *chlg, |
106 | | struct digestdata *digest); |
107 | | |
108 | | /* This is used to generate an HTTP DIGEST response message */ |
109 | | CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, |
110 | | const char *userp, |
111 | | const char *passwdp, |
112 | | const unsigned char *request, |
113 | | const unsigned char *uri, |
114 | | struct digestdata *digest, |
115 | | char **outptr, size_t *outlen); |
116 | | |
117 | | /* This is used to clean up the digest specific data */ |
118 | | void Curl_auth_digest_cleanup(struct digestdata *digest); |
119 | | #else |
120 | | #define Curl_auth_is_digest_supported() FALSE |
121 | | #endif /* !CURL_DISABLE_DIGEST_AUTH */ |
122 | | |
123 | | #ifdef USE_GSASL |
124 | | |
125 | | /* meta key for storing GSASL meta at connection */ |
126 | | #define CURL_META_GSASL_CONN "meta:auth:gsasl:conn" |
127 | | |
128 | | #include <gsasl.h> |
129 | | struct gsasldata { |
130 | | Gsasl *ctx; |
131 | | Gsasl_session *client; |
132 | | }; |
133 | | |
134 | | struct gsasldata *Curl_auth_gsasl_get(struct connectdata *conn); |
135 | | |
136 | | /* This is used to evaluate if MECH is supported by gsasl */ |
137 | | bool Curl_auth_gsasl_is_supported(struct Curl_easy *data, |
138 | | const char *mech, |
139 | | struct gsasldata *gsasl); |
140 | | /* This is used to start a gsasl method */ |
141 | | CURLcode Curl_auth_gsasl_start(struct Curl_easy *data, |
142 | | const char *userp, |
143 | | const char *passwdp, |
144 | | struct gsasldata *gsasl); |
145 | | |
146 | | /* This is used to process and generate a new SASL token */ |
147 | | CURLcode Curl_auth_gsasl_token(struct Curl_easy *data, |
148 | | const struct bufref *chlg, |
149 | | struct gsasldata *gsasl, |
150 | | struct bufref *out); |
151 | | |
152 | | /* This is used to clean up the gsasl specific data */ |
153 | | void Curl_auth_gsasl_cleanup(struct gsasldata *digest); |
154 | | #endif |
155 | | |
156 | | #ifdef USE_NTLM |
157 | | |
158 | | /* meta key for storing NTML meta at connection */ |
159 | 0 | #define CURL_META_NTLM_CONN "meta:auth:ntml:conn" |
160 | | /* meta key for storing NTML-PROXY meta at connection */ |
161 | 0 | #define CURL_META_NTLM_PROXY_CONN "meta:auth:ntml-proxy:conn" |
162 | | |
163 | | struct ntlmdata { |
164 | | #ifdef USE_WINDOWS_SSPI |
165 | | /* The sslContext is used for the Schannel bindings. The |
166 | | * api is available on the Windows 7 SDK and later. |
167 | | */ |
168 | | #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS |
169 | | CtxtHandle *sslContext; |
170 | | #endif |
171 | | CredHandle *credentials; |
172 | | CtxtHandle *context; |
173 | | SEC_WINNT_AUTH_IDENTITY identity; |
174 | | SEC_WINNT_AUTH_IDENTITY *p_identity; |
175 | | size_t token_max; |
176 | | BYTE *output_token; |
177 | | BYTE *input_token; |
178 | | size_t input_token_len; |
179 | | TCHAR *spn; |
180 | | #else |
181 | | unsigned int flags; |
182 | | unsigned char nonce[8]; |
183 | | unsigned int target_info_len; |
184 | | void *target_info; /* TargetInfo received in the NTLM type-2 message */ |
185 | | #endif |
186 | | }; |
187 | | |
188 | | /* This is used to evaluate if NTLM is supported */ |
189 | | bool Curl_auth_is_ntlm_supported(void); |
190 | | |
191 | | struct ntlmdata *Curl_auth_ntlm_get(struct connectdata *conn, bool proxy); |
192 | | void Curl_auth_ntlm_remove(struct connectdata *conn, bool proxy); |
193 | | |
194 | | /* This is used to clean up the NTLM specific data */ |
195 | | void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm); |
196 | | |
197 | | /* This is used to generate a base64 encoded NTLM type-1 message */ |
198 | | CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data, |
199 | | const char *userp, |
200 | | const char *passwdp, |
201 | | const char *service, |
202 | | const char *host, |
203 | | struct ntlmdata *ntlm, |
204 | | struct bufref *out); |
205 | | |
206 | | /* This is used to decode a base64 encoded NTLM type-2 message */ |
207 | | CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data, |
208 | | const struct bufref *type2, |
209 | | struct ntlmdata *ntlm); |
210 | | |
211 | | /* This is used to generate a base64 encoded NTLM type-3 message */ |
212 | | CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, |
213 | | const char *userp, |
214 | | const char *passwdp, |
215 | | struct ntlmdata *ntlm, |
216 | | struct bufref *out); |
217 | | |
218 | | #else |
219 | | #define Curl_auth_is_ntlm_supported() FALSE |
220 | | #endif /* USE_NTLM */ |
221 | | |
222 | | /* This is used to generate a base64 encoded OAuth 2.0 message */ |
223 | | CURLcode Curl_auth_create_oauth_bearer_message(const char *user, |
224 | | const char *host, |
225 | | const long port, |
226 | | const char *bearer, |
227 | | struct bufref *out); |
228 | | |
229 | | /* This is used to generate a base64 encoded XOAuth 2.0 message */ |
230 | | CURLcode Curl_auth_create_xoauth_bearer_message(const char *user, |
231 | | const char *bearer, |
232 | | struct bufref *out); |
233 | | |
234 | | #ifdef USE_KERBEROS5 |
235 | | |
236 | | #ifdef HAVE_GSSAPI |
237 | | # ifdef HAVE_GSSGNU |
238 | | # include <gss.h> |
239 | | # else |
240 | | # ifdef HAVE_GSSAPI_H |
241 | | # include <gssapi.h> |
242 | | # else |
243 | | # include <gssapi/gssapi.h> |
244 | | # endif |
245 | | # endif |
246 | | #endif |
247 | | |
248 | | /* meta key for storing KRB5 meta at connection */ |
249 | | #define CURL_META_KRB5_CONN "meta:auth:krb5:conn" |
250 | | |
251 | | struct kerberos5data { |
252 | | #ifdef USE_WINDOWS_SSPI |
253 | | CredHandle *credentials; |
254 | | CtxtHandle *context; |
255 | | TCHAR *spn; |
256 | | SEC_WINNT_AUTH_IDENTITY identity; |
257 | | SEC_WINNT_AUTH_IDENTITY *p_identity; |
258 | | size_t token_max; |
259 | | BYTE *output_token; |
260 | | #else |
261 | | gss_ctx_id_t context; |
262 | | gss_name_t spn; |
263 | | #endif |
264 | | }; |
265 | | |
266 | | struct kerberos5data *Curl_auth_krb5_get(struct connectdata *conn); |
267 | | |
268 | | /* This is used to evaluate if GSSAPI (Kerberos V5) is supported */ |
269 | | bool Curl_auth_is_gssapi_supported(void); |
270 | | |
271 | | /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) user token |
272 | | message */ |
273 | | CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, |
274 | | const char *userp, |
275 | | const char *passwdp, |
276 | | const char *service, |
277 | | const char *host, |
278 | | const bool mutual, |
279 | | const struct bufref *chlg, |
280 | | struct kerberos5data *krb5, |
281 | | struct bufref *out); |
282 | | |
283 | | /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) security |
284 | | token message */ |
285 | | CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, |
286 | | const char *authzid, |
287 | | const struct bufref *chlg, |
288 | | struct kerberos5data *krb5, |
289 | | struct bufref *out); |
290 | | |
291 | | /* This is used to clean up the GSSAPI specific data */ |
292 | | void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5); |
293 | | #else |
294 | 0 | #define Curl_auth_is_gssapi_supported() FALSE |
295 | | #endif /* USE_KERBEROS5 */ |
296 | | |
297 | | #ifdef USE_SPNEGO |
298 | | |
299 | | bool Curl_auth_is_spnego_supported(void); |
300 | | |
301 | | /* meta key for storing NEGO meta at connection */ |
302 | | #define CURL_META_NEGO_CONN "meta:auth:nego:conn" |
303 | | /* meta key for storing NEGO PROXY meta at connection */ |
304 | | #define CURL_META_NEGO_PROXY_CONN "meta:auth:nego-proxy:conn" |
305 | | |
306 | | /* Struct used for Negotiate (SPNEGO) authentication */ |
307 | | struct negotiatedata { |
308 | | #ifdef HAVE_GSSAPI |
309 | | OM_uint32 status; |
310 | | gss_ctx_id_t context; |
311 | | gss_name_t spn; |
312 | | gss_buffer_desc output_token; |
313 | | #ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING |
314 | | struct dynbuf channel_binding_data; |
315 | | #endif |
316 | | #else |
317 | | #ifdef USE_WINDOWS_SSPI |
318 | | #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS |
319 | | CtxtHandle *sslContext; |
320 | | #endif |
321 | | SECURITY_STATUS status; |
322 | | CredHandle *credentials; |
323 | | CtxtHandle *context; |
324 | | SEC_WINNT_AUTH_IDENTITY identity; |
325 | | SEC_WINNT_AUTH_IDENTITY *p_identity; |
326 | | TCHAR *spn; |
327 | | size_t token_max; |
328 | | BYTE *output_token; |
329 | | size_t output_token_length; |
330 | | #endif |
331 | | #endif |
332 | | BIT(noauthpersist); |
333 | | BIT(havenoauthpersist); |
334 | | BIT(havenegdata); |
335 | | BIT(havemultiplerequests); |
336 | | }; |
337 | | |
338 | | struct negotiatedata * |
339 | | Curl_auth_nego_get(struct connectdata *conn, bool proxy); |
340 | | |
341 | | /* This is used to decode a base64 encoded SPNEGO (Negotiate) challenge |
342 | | message */ |
343 | | CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, |
344 | | const char *user, |
345 | | const char *password, |
346 | | const char *service, |
347 | | const char *host, |
348 | | const char *chlg64, |
349 | | struct negotiatedata *nego); |
350 | | |
351 | | /* This is used to generate a base64 encoded SPNEGO (Negotiate) response |
352 | | message */ |
353 | | CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego, |
354 | | char **outptr, size_t *outlen); |
355 | | |
356 | | /* This is used to clean up the SPNEGO specific data */ |
357 | | void Curl_auth_cleanup_spnego(struct negotiatedata *nego); |
358 | | |
359 | | #endif /* USE_SPNEGO */ |
360 | | |
361 | | #endif /* HEADER_CURL_VAUTH_H */ |