/src/curl/lib/vauth/vauth.h
Line | Count | Source |
1 | | #ifndef HEADER_CURL_VAUTH_H |
2 | | #define HEADER_CURL_VAUTH_H |
3 | | /*************************************************************************** |
4 | | * _ _ ____ _ |
5 | | * Project ___| | | | _ \| | |
6 | | * / __| | | | |_) | | |
7 | | * | (__| |_| | _ <| |___ |
8 | | * \___|\___/|_| \_\_____| |
9 | | * |
10 | | * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. |
11 | | * |
12 | | * This software is licensed as described in the file COPYING, which |
13 | | * you should have received as part of this distribution. The terms |
14 | | * are also available at https://curl.se/docs/copyright.html. |
15 | | * |
16 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
17 | | * copies of the Software, and permit persons to whom the Software is |
18 | | * furnished to do so, under the terms of the COPYING file. |
19 | | * |
20 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
21 | | * KIND, either express or implied. |
22 | | * |
23 | | * SPDX-License-Identifier: curl |
24 | | * |
25 | | ***************************************************************************/ |
26 | | |
27 | | #include <curl/curl.h> |
28 | | |
29 | | #include "../bufref.h" |
30 | | #include "../curlx/dynbuf.h" |
31 | | #include "../urldata.h" |
32 | | |
33 | | struct Curl_easy; |
34 | | struct connectdata; |
35 | | |
36 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
37 | | struct digestdata; |
38 | | #endif |
39 | | |
40 | | #ifdef USE_NTLM |
41 | | struct ntlmdata; |
42 | | #endif |
43 | | |
44 | | #if (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) && defined(USE_SPNEGO) |
45 | | struct negotiatedata; |
46 | | #endif |
47 | | |
48 | | #ifdef USE_GSASL |
49 | | struct gsasldata; |
50 | | #endif |
51 | | |
52 | | #ifdef USE_WINDOWS_SSPI |
53 | | #include "../curl_sspi.h" |
54 | | #define GSS_ERROR(status) ((status) & 0x80000000) |
55 | | #endif |
56 | | |
57 | | /* |
58 | | * Curl_auth_allowed_to_host() tells if authentication, cookies or other |
59 | | * "sensitive data" can (still) be sent to this host. |
60 | | */ |
61 | | bool Curl_auth_allowed_to_host(struct Curl_easy *data); |
62 | | |
63 | | /* This is used to build an SPN string */ |
64 | | #ifndef USE_WINDOWS_SSPI |
65 | | char *Curl_auth_build_spn(const char *service, const char *host, |
66 | | const char *realm); |
67 | | #else |
68 | | TCHAR *Curl_auth_build_spn(const char *service, const char *host, |
69 | | const char *realm); |
70 | | #endif |
71 | | |
72 | | /* This is used to test if the user contains a Windows domain name */ |
73 | | bool Curl_auth_user_contains_domain(const char *user); |
74 | | |
75 | | /* This is used to generate a PLAIN cleartext message */ |
76 | | CURLcode Curl_auth_create_plain_message(const char *authzid, |
77 | | const char *authcid, |
78 | | const char *passwd, |
79 | | struct bufref *out); |
80 | | |
81 | | /* This is used to generate a LOGIN cleartext message */ |
82 | | void Curl_auth_create_login_message(const char *value, struct bufref *out); |
83 | | |
84 | | /* This is used to generate an EXTERNAL cleartext message */ |
85 | | void Curl_auth_create_external_message(const char *user, struct bufref *out); |
86 | | |
87 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
88 | | /* This is used to generate a CRAM-MD5 response message */ |
89 | | CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg, |
90 | | const char *userp, |
91 | | const char *passwdp, |
92 | | struct bufref *out); |
93 | | |
94 | | /* This is used to evaluate if DIGEST is supported */ |
95 | | bool Curl_auth_is_digest_supported(void); |
96 | | |
97 | | /* This is used to generate a base64 encoded DIGEST-MD5 response message */ |
98 | | CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, |
99 | | const struct bufref *chlg, |
100 | | const char *userp, |
101 | | const char *passwdp, |
102 | | const char *service, |
103 | | struct bufref *out); |
104 | | |
105 | | /* This is used to decode an HTTP DIGEST challenge message */ |
106 | | CURLcode Curl_auth_decode_digest_http_message(const char *chlg, |
107 | | struct digestdata *digest); |
108 | | |
109 | | /* This is used to generate an HTTP DIGEST response message */ |
110 | | CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, |
111 | | const char *userp, |
112 | | const char *passwdp, |
113 | | const unsigned char *request, |
114 | | const unsigned char *uri, |
115 | | struct digestdata *digest, |
116 | | char **outptr, size_t *outlen); |
117 | | |
118 | | /* This is used to clean up the digest specific data */ |
119 | | void Curl_auth_digest_cleanup(struct digestdata *digest); |
120 | | #else |
121 | | #define Curl_auth_is_digest_supported() FALSE |
122 | | #endif /* !CURL_DISABLE_DIGEST_AUTH */ |
123 | | |
124 | | #ifdef USE_GSASL |
125 | | |
126 | | /* meta key for storing GSASL meta at connection */ |
127 | | #define CURL_META_GSASL_CONN "meta:auth:gsasl:conn" |
128 | | |
129 | | #include <gsasl.h> |
130 | | struct gsasldata { |
131 | | Gsasl *ctx; |
132 | | Gsasl_session *client; |
133 | | }; |
134 | | |
135 | | struct gsasldata *Curl_auth_gsasl_get(struct connectdata *conn); |
136 | | |
137 | | /* This is used to evaluate if MECH is supported by gsasl */ |
138 | | bool Curl_auth_gsasl_is_supported(struct Curl_easy *data, |
139 | | const char *mech, |
140 | | struct gsasldata *gsasl); |
141 | | /* This is used to start a gsasl method */ |
142 | | CURLcode Curl_auth_gsasl_start(struct Curl_easy *data, |
143 | | const char *userp, |
144 | | const char *passwdp, |
145 | | struct gsasldata *gsasl); |
146 | | |
147 | | /* This is used to process and generate a new SASL token */ |
148 | | CURLcode Curl_auth_gsasl_token(struct Curl_easy *data, |
149 | | const struct bufref *chlg, |
150 | | struct gsasldata *gsasl, |
151 | | struct bufref *out); |
152 | | |
153 | | /* This is used to clean up the gsasl specific data */ |
154 | | void Curl_auth_gsasl_cleanup(struct gsasldata *digest); |
155 | | #endif |
156 | | |
157 | | #ifdef USE_NTLM |
158 | | |
159 | | /* meta key for storing NTML meta at connection */ |
160 | 0 | #define CURL_META_NTLM_CONN "meta:auth:ntml:conn" |
161 | | /* meta key for storing NTML-PROXY meta at connection */ |
162 | 0 | #define CURL_META_NTLM_PROXY_CONN "meta:auth:ntml-proxy:conn" |
163 | | |
164 | | struct ntlmdata { |
165 | | #ifdef USE_WINDOWS_SSPI |
166 | | /* The sslContext is used for the Schannel bindings. The |
167 | | * api is available on the Windows 7 SDK and later. |
168 | | */ |
169 | | #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS |
170 | | CtxtHandle *sslContext; |
171 | | #endif |
172 | | CredHandle *credentials; |
173 | | CtxtHandle *context; |
174 | | SEC_WINNT_AUTH_IDENTITY identity; |
175 | | SEC_WINNT_AUTH_IDENTITY *p_identity; |
176 | | size_t token_max; |
177 | | BYTE *output_token; |
178 | | BYTE *input_token; |
179 | | size_t input_token_len; |
180 | | TCHAR *spn; |
181 | | #else |
182 | | unsigned int flags; |
183 | | unsigned char nonce[8]; |
184 | | unsigned int target_info_len; |
185 | | void *target_info; /* TargetInfo received in the NTLM type-2 message */ |
186 | | #endif |
187 | | }; |
188 | | |
189 | | /* This is used to evaluate if NTLM is supported */ |
190 | | bool Curl_auth_is_ntlm_supported(void); |
191 | | |
192 | | struct ntlmdata *Curl_auth_ntlm_get(struct connectdata *conn, bool proxy); |
193 | | void Curl_auth_ntlm_remove(struct connectdata *conn, bool proxy); |
194 | | |
195 | | /* This is used to clean up the NTLM specific data */ |
196 | | void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm); |
197 | | |
198 | | /* This is used to generate a base64 encoded NTLM type-1 message */ |
199 | | CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data, |
200 | | const char *userp, |
201 | | const char *passwdp, |
202 | | const char *service, |
203 | | const char *host, |
204 | | struct ntlmdata *ntlm, |
205 | | struct bufref *out); |
206 | | |
207 | | /* This is used to decode a base64 encoded NTLM type-2 message */ |
208 | | CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data, |
209 | | const struct bufref *type2, |
210 | | struct ntlmdata *ntlm); |
211 | | |
212 | | /* This is used to generate a base64 encoded NTLM type-3 message */ |
213 | | CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, |
214 | | const char *userp, |
215 | | const char *passwdp, |
216 | | struct ntlmdata *ntlm, |
217 | | struct bufref *out); |
218 | | |
219 | | #else |
220 | | #define Curl_auth_is_ntlm_supported() FALSE |
221 | | #endif /* USE_NTLM */ |
222 | | |
223 | | /* This is used to generate a base64 encoded OAuth 2.0 message */ |
224 | | CURLcode Curl_auth_create_oauth_bearer_message(const char *user, |
225 | | const char *host, |
226 | | const long port, |
227 | | const char *bearer, |
228 | | struct bufref *out); |
229 | | |
230 | | /* This is used to generate a base64 encoded XOAuth 2.0 message */ |
231 | | CURLcode Curl_auth_create_xoauth_bearer_message(const char *user, |
232 | | const char *bearer, |
233 | | struct bufref *out); |
234 | | |
235 | | #ifdef USE_KERBEROS5 |
236 | | |
237 | | /* meta key for storing KRB5 meta at connection */ |
238 | | #define CURL_META_KRB5_CONN "meta:auth:krb5:conn" |
239 | | |
240 | | struct kerberos5data { |
241 | | #ifdef USE_WINDOWS_SSPI |
242 | | CredHandle *credentials; |
243 | | CtxtHandle *context; |
244 | | TCHAR *spn; |
245 | | SEC_WINNT_AUTH_IDENTITY identity; |
246 | | SEC_WINNT_AUTH_IDENTITY *p_identity; |
247 | | size_t token_max; |
248 | | BYTE *output_token; |
249 | | #else |
250 | | gss_ctx_id_t context; |
251 | | gss_name_t spn; |
252 | | #endif |
253 | | }; |
254 | | |
255 | | struct kerberos5data *Curl_auth_krb5_get(struct connectdata *conn); |
256 | | |
257 | | /* This is used to evaluate if GSSAPI (Kerberos V5) is supported */ |
258 | | bool Curl_auth_is_gssapi_supported(void); |
259 | | |
260 | | /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) user token |
261 | | message */ |
262 | | CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, |
263 | | const char *userp, |
264 | | const char *passwdp, |
265 | | const char *service, |
266 | | const char *host, |
267 | | const bool mutual, |
268 | | const struct bufref *chlg, |
269 | | struct kerberos5data *krb5, |
270 | | struct bufref *out); |
271 | | |
272 | | /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) security |
273 | | token message */ |
274 | | CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, |
275 | | const char *authzid, |
276 | | const struct bufref *chlg, |
277 | | struct kerberos5data *krb5, |
278 | | struct bufref *out); |
279 | | |
280 | | /* This is used to clean up the GSSAPI specific data */ |
281 | | void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5); |
282 | | #else |
283 | 0 | #define Curl_auth_is_gssapi_supported() FALSE |
284 | | #endif /* USE_KERBEROS5 */ |
285 | | |
286 | | #ifdef USE_SPNEGO |
287 | | |
288 | | bool Curl_auth_is_spnego_supported(void); |
289 | | |
290 | | /* meta key for storing NEGO meta at connection */ |
291 | | #define CURL_META_NEGO_CONN "meta:auth:nego:conn" |
292 | | /* meta key for storing NEGO PROXY meta at connection */ |
293 | | #define CURL_META_NEGO_PROXY_CONN "meta:auth:nego-proxy:conn" |
294 | | |
295 | | /* Struct used for Negotiate (SPNEGO) authentication */ |
296 | | struct negotiatedata { |
297 | | #ifdef HAVE_GSSAPI |
298 | | OM_uint32 status; |
299 | | gss_ctx_id_t context; |
300 | | gss_name_t spn; |
301 | | gss_buffer_desc output_token; |
302 | | #ifdef GSS_C_CHANNEL_BOUND_FLAG |
303 | | struct dynbuf channel_binding_data; |
304 | | #endif |
305 | | #else |
306 | | #ifdef USE_WINDOWS_SSPI |
307 | | #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS |
308 | | CtxtHandle *sslContext; |
309 | | #endif |
310 | | SECURITY_STATUS status; |
311 | | CredHandle *credentials; |
312 | | CtxtHandle *context; |
313 | | SEC_WINNT_AUTH_IDENTITY identity; |
314 | | SEC_WINNT_AUTH_IDENTITY *p_identity; |
315 | | TCHAR *spn; |
316 | | size_t token_max; |
317 | | BYTE *output_token; |
318 | | size_t output_token_length; |
319 | | #endif |
320 | | #endif |
321 | | BIT(noauthpersist); |
322 | | BIT(havenoauthpersist); |
323 | | BIT(havenegdata); |
324 | | BIT(havemultiplerequests); |
325 | | }; |
326 | | |
327 | | struct negotiatedata * |
328 | | Curl_auth_nego_get(struct connectdata *conn, bool proxy); |
329 | | |
330 | | /* This is used to decode a base64 encoded SPNEGO (Negotiate) challenge |
331 | | message */ |
332 | | CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, |
333 | | const char *user, |
334 | | const char *password, |
335 | | const char *service, |
336 | | const char *host, |
337 | | const char *chlg64, |
338 | | struct negotiatedata *nego); |
339 | | |
340 | | /* This is used to generate a base64 encoded SPNEGO (Negotiate) response |
341 | | message */ |
342 | | CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego, |
343 | | char **outptr, size_t *outlen); |
344 | | |
345 | | /* This is used to clean up the SPNEGO specific data */ |
346 | | void Curl_auth_cleanup_spnego(struct negotiatedata *nego); |
347 | | |
348 | | #endif /* USE_SPNEGO */ |
349 | | |
350 | | #endif /* HEADER_CURL_VAUTH_H */ |