/src/curl/lib/curl_sasl.c
Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | * RFC2195 CRAM-MD5 authentication |
24 | | * RFC2617 Basic and Digest Access Authentication |
25 | | * RFC2831 DIGEST-MD5 authentication |
26 | | * RFC4422 Simple Authentication and Security Layer (SASL) |
27 | | * RFC4616 PLAIN authentication |
28 | | * RFC5802 SCRAM-SHA-1 authentication |
29 | | * RFC7677 SCRAM-SHA-256 authentication |
30 | | * RFC6749 OAuth 2.0 Authorization Framework |
31 | | * RFC7628 A Set of SASL Mechanisms for OAuth |
32 | | * Draft LOGIN SASL Mechanism <draft-murchison-sasl-login-00.txt> |
33 | | * |
34 | | ***************************************************************************/ |
35 | | #include "curl_setup.h" |
36 | | |
37 | | #if !defined(CURL_DISABLE_IMAP) || !defined(CURL_DISABLE_SMTP) || \ |
38 | | !defined(CURL_DISABLE_POP3) || \ |
39 | | (!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP)) |
40 | | |
41 | | #include "urldata.h" |
42 | | #include "curlx/base64.h" |
43 | | #include "vauth/vauth.h" |
44 | | #include "cfilters.h" |
45 | | #include "curl_sasl.h" |
46 | | #include "curl_trc.h" |
47 | | |
48 | | /* Supported mechanisms */ |
49 | | static const struct { |
50 | | const char *name; /* Name */ |
51 | | size_t len; /* Name length */ |
52 | | unsigned short bit; /* Flag bit */ |
53 | | } mechtable[] = { |
54 | | { "LOGIN", 5, SASL_MECH_LOGIN }, |
55 | | { "PLAIN", 5, SASL_MECH_PLAIN }, |
56 | | { "CRAM-MD5", 8, SASL_MECH_CRAM_MD5 }, |
57 | | { "DIGEST-MD5", 10, SASL_MECH_DIGEST_MD5 }, |
58 | | { "GSSAPI", 6, SASL_MECH_GSSAPI }, |
59 | | { "EXTERNAL", 8, SASL_MECH_EXTERNAL }, |
60 | | { "NTLM", 4, SASL_MECH_NTLM }, |
61 | | { "XOAUTH2", 7, SASL_MECH_XOAUTH2 }, |
62 | | { "OAUTHBEARER", 11, SASL_MECH_OAUTHBEARER }, |
63 | | { "SCRAM-SHA-1", 11, SASL_MECH_SCRAM_SHA_1 }, |
64 | | { "SCRAM-SHA-256",13, SASL_MECH_SCRAM_SHA_256 }, |
65 | | { ZERO_NULL, 0, 0 } |
66 | | }; |
67 | | |
68 | | /* |
69 | | * Curl_sasl_decode_mech() |
70 | | * |
71 | | * Convert a SASL mechanism name into a token. |
72 | | * |
73 | | * Parameters: |
74 | | * |
75 | | * ptr [in] - The mechanism string. |
76 | | * maxlen [in] - Maximum mechanism string length. |
77 | | * len [out] - If not NULL, effective name length. |
78 | | * |
79 | | * Returns the SASL mechanism token or 0 if no match. |
80 | | */ |
81 | | unsigned short Curl_sasl_decode_mech(const char *ptr, size_t maxlen, |
82 | | size_t *len) |
83 | 61.9k | { |
84 | 61.9k | unsigned int i; |
85 | 61.9k | char c; |
86 | | |
87 | 675k | for(i = 0; mechtable[i].name; i++) { |
88 | 624k | if(maxlen >= mechtable[i].len && |
89 | 334k | curl_strnequal(ptr, mechtable[i].name, mechtable[i].len)) { |
90 | 27.2k | if(len) |
91 | 27.2k | *len = mechtable[i].len; |
92 | | |
93 | 27.2k | if(maxlen == mechtable[i].len) |
94 | 2.27k | return mechtable[i].bit; |
95 | | |
96 | 24.9k | c = ptr[mechtable[i].len]; |
97 | 24.9k | if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_') |
98 | 8.07k | return mechtable[i].bit; |
99 | 24.9k | } |
100 | 624k | } |
101 | | |
102 | 51.5k | return 0; |
103 | 61.9k | } |
104 | | |
105 | | /* |
106 | | * Curl_sasl_parse_url_auth_option() |
107 | | * |
108 | | * Parse the URL login options. |
109 | | */ |
110 | | CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl, |
111 | | const char *value, size_t len) |
112 | 139 | { |
113 | 139 | CURLcode result = CURLE_OK; |
114 | 139 | size_t mechlen; |
115 | | |
116 | 139 | if(!len) |
117 | 25 | return CURLE_URL_MALFORMAT; |
118 | | |
119 | 114 | if(sasl->resetprefs) { |
120 | 74 | sasl->resetprefs = FALSE; |
121 | 74 | sasl->prefmech = SASL_AUTH_NONE; |
122 | 74 | } |
123 | | |
124 | 114 | if(!strncmp(value, "*", len)) |
125 | 32 | sasl->prefmech = SASL_AUTH_DEFAULT; |
126 | 82 | else { |
127 | 82 | unsigned short mechbit = Curl_sasl_decode_mech(value, len, &mechlen); |
128 | 82 | if(mechbit && mechlen == len) |
129 | 26 | sasl->prefmech |= mechbit; |
130 | 56 | else |
131 | 56 | result = CURLE_URL_MALFORMAT; |
132 | 82 | } |
133 | | |
134 | 114 | return result; |
135 | 139 | } |
136 | | |
137 | | /* |
138 | | * Curl_sasl_init() |
139 | | * |
140 | | * Initializes the SASL structure. |
141 | | */ |
142 | | void Curl_sasl_init(struct SASL *sasl, struct Curl_easy *data, |
143 | | const struct SASLproto *params) |
144 | 14.6k | { |
145 | 14.6k | unsigned long auth = data->set.httpauth; |
146 | | |
147 | 14.6k | sasl->params = params; /* Set protocol dependent parameters */ |
148 | 14.6k | sasl->state = SASL_STOP; /* Not yet running */ |
149 | 14.6k | sasl->curmech = NULL; /* No mechanism yet. */ |
150 | 14.6k | sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */ |
151 | 14.6k | sasl->prefmech = params->defmechs; /* Default preferred mechanisms */ |
152 | 14.6k | sasl->authused = SASL_AUTH_NONE; /* The authentication mechanism used */ |
153 | 14.6k | sasl->resetprefs = TRUE; /* Reset prefmech upon AUTH parsing. */ |
154 | 14.6k | sasl->mutual_auth = FALSE; /* No mutual authentication (GSSAPI only) */ |
155 | 14.6k | sasl->force_ir = FALSE; /* Respect external option */ |
156 | | |
157 | 14.6k | if(auth != CURLAUTH_BASIC) { |
158 | 1.31k | unsigned short mechs = SASL_AUTH_NONE; |
159 | | |
160 | | /* If some usable http authentication options have been set, determine |
161 | | new defaults from them. */ |
162 | 1.31k | if(auth & CURLAUTH_BASIC) |
163 | 373 | mechs |= SASL_MECH_PLAIN | SASL_MECH_LOGIN; |
164 | 1.31k | if(auth & CURLAUTH_DIGEST) |
165 | 390 | mechs |= SASL_MECH_DIGEST_MD5; |
166 | 1.31k | if(auth & CURLAUTH_NTLM) |
167 | 188 | mechs |= SASL_MECH_NTLM; |
168 | 1.31k | if(auth & CURLAUTH_BEARER) |
169 | 208 | mechs |= SASL_MECH_OAUTHBEARER | SASL_MECH_XOAUTH2; |
170 | 1.31k | if(auth & CURLAUTH_GSSAPI) |
171 | 0 | mechs |= SASL_MECH_GSSAPI; |
172 | | |
173 | 1.31k | if(mechs != SASL_AUTH_NONE) |
174 | 467 | sasl->prefmech = mechs; |
175 | 1.31k | } |
176 | 14.6k | } |
177 | | |
178 | | /* |
179 | | * sasl_state() |
180 | | * |
181 | | * This is the ONLY way to change SASL state! |
182 | | */ |
183 | | static void sasl_state(struct SASL *sasl, struct Curl_easy *data, |
184 | | saslstate newstate) |
185 | 1.03k | { |
186 | 1.03k | #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) |
187 | | /* for debug purposes */ |
188 | 1.03k | static const char * const names[]={ |
189 | 1.03k | "STOP", |
190 | 1.03k | "PLAIN", |
191 | 1.03k | "LOGIN", |
192 | 1.03k | "LOGIN_PASSWD", |
193 | 1.03k | "EXTERNAL", |
194 | 1.03k | "CRAMMD5", |
195 | 1.03k | "DIGESTMD5", |
196 | 1.03k | "DIGESTMD5_RESP", |
197 | 1.03k | "NTLM", |
198 | 1.03k | "NTLM_TYPE2MSG", |
199 | 1.03k | "GSSAPI", |
200 | 1.03k | "GSSAPI_TOKEN", |
201 | 1.03k | "GSSAPI_NO_DATA", |
202 | 1.03k | "OAUTH2", |
203 | 1.03k | "OAUTH2_RESP", |
204 | 1.03k | "GSASL", |
205 | 1.03k | "CANCEL", |
206 | 1.03k | "FINAL", |
207 | | /* LAST */ |
208 | 1.03k | }; |
209 | | |
210 | 1.03k | if(sasl->state != newstate) |
211 | 1.03k | infof(data, "SASL %p state change from %s to %s", |
212 | 1.03k | (void *)sasl, names[sasl->state], names[newstate]); |
213 | | #else |
214 | | (void)data; |
215 | | #endif |
216 | | |
217 | 1.03k | sasl->state = newstate; |
218 | 1.03k | } |
219 | | |
220 | | #if defined(USE_NTLM) || defined(USE_GSASL) || defined(USE_KERBEROS5) || \ |
221 | | !defined(CURL_DISABLE_DIGEST_AUTH) |
222 | | /* Get the SASL server message and convert it to binary. */ |
223 | | static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data, |
224 | | struct bufref *out) |
225 | 345 | { |
226 | 345 | CURLcode result = CURLE_OK; |
227 | | |
228 | 345 | result = sasl->params->getmessage(data, out); |
229 | 345 | if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) { |
230 | 345 | unsigned char *msg; |
231 | 345 | size_t msglen; |
232 | 345 | const char *serverdata = Curl_bufref_ptr(out); |
233 | | |
234 | 345 | if(!*serverdata || *serverdata == '=') |
235 | 101 | Curl_bufref_set(out, NULL, 0, NULL); |
236 | 244 | else { |
237 | 244 | result = curlx_base64_decode(serverdata, &msg, &msglen); |
238 | 244 | if(!result) |
239 | 105 | Curl_bufref_set(out, msg, msglen, curl_free); |
240 | 244 | } |
241 | 345 | } |
242 | 345 | return result; |
243 | 345 | } |
244 | | #endif |
245 | | |
246 | | /* Encode the outgoing SASL message. */ |
247 | | static CURLcode build_message(struct SASL *sasl, struct bufref *msg) |
248 | 326 | { |
249 | 326 | CURLcode result = CURLE_OK; |
250 | | |
251 | 326 | if(sasl->params->flags & SASL_FLAG_BASE64) { |
252 | 326 | if(!Curl_bufref_ptr(msg)) /* Empty message. */ |
253 | 0 | Curl_bufref_set(msg, "", 0, NULL); |
254 | 326 | else if(!Curl_bufref_len(msg)) /* Explicit empty response. */ |
255 | 14 | Curl_bufref_set(msg, "=", 1, NULL); |
256 | 312 | else { |
257 | 312 | char *base64; |
258 | 312 | size_t base64len; |
259 | | |
260 | 312 | result = curlx_base64_encode(Curl_bufref_uptr(msg), |
261 | 312 | Curl_bufref_len(msg), &base64, &base64len); |
262 | 312 | if(!result) |
263 | 312 | Curl_bufref_set(msg, base64, base64len, curl_free); |
264 | 312 | } |
265 | 326 | } |
266 | | |
267 | 326 | return result; |
268 | 326 | } |
269 | | |
270 | | /* |
271 | | * Curl_sasl_can_authenticate() |
272 | | * |
273 | | * Check if we have enough auth data and capabilities to authenticate. |
274 | | */ |
275 | | bool Curl_sasl_can_authenticate(struct SASL *sasl, struct Curl_easy *data) |
276 | 2.84k | { |
277 | | /* Have credentials been provided? */ |
278 | 2.84k | if(data->conn->user[0]) |
279 | 450 | return TRUE; |
280 | | |
281 | | /* EXTERNAL can authenticate without a username and/or password */ |
282 | 2.39k | if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL) |
283 | 0 | return TRUE; |
284 | | |
285 | 2.39k | return FALSE; |
286 | 2.39k | } |
287 | | |
288 | | struct sasl_ctx { |
289 | | struct SASL *sasl; |
290 | | struct connectdata *conn; |
291 | | unsigned short enabledmechs; |
292 | | const char *mech; |
293 | | saslstate state1; |
294 | | saslstate state2; |
295 | | struct bufref resp; |
296 | | CURLcode result; |
297 | | }; |
298 | | |
299 | | static bool sasl_choose_external(struct Curl_easy *data, struct sasl_ctx *sctx) |
300 | 562 | { |
301 | 562 | if((sctx->enabledmechs & SASL_MECH_EXTERNAL) && !sctx->conn->passwd[0]) { |
302 | 0 | sctx->mech = SASL_MECH_STRING_EXTERNAL; |
303 | 0 | sctx->state1 = SASL_EXTERNAL; |
304 | 0 | sctx->sasl->authused = SASL_MECH_EXTERNAL; |
305 | |
|
306 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
307 | 0 | Curl_auth_create_external_message(sctx->conn->user, &sctx->resp); |
308 | 0 | return TRUE; |
309 | 0 | } |
310 | 562 | return FALSE; |
311 | 562 | } |
312 | | |
313 | | #ifdef USE_KERBEROS5 |
314 | | static bool sasl_choose_krb5(struct Curl_easy *data, struct sasl_ctx *sctx) |
315 | | { |
316 | | if((sctx->enabledmechs & SASL_MECH_GSSAPI) && |
317 | | Curl_auth_is_gssapi_supported() && |
318 | | Curl_auth_user_contains_domain(sctx->conn->user)) { |
319 | | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
320 | | data->set.str[STRING_SERVICE_NAME] : |
321 | | sctx->sasl->params->service; |
322 | | |
323 | | sctx->sasl->mutual_auth = FALSE; |
324 | | sctx->mech = SASL_MECH_STRING_GSSAPI; |
325 | | sctx->state1 = SASL_GSSAPI; |
326 | | sctx->state2 = SASL_GSSAPI_TOKEN; |
327 | | sctx->sasl->authused = SASL_MECH_GSSAPI; |
328 | | |
329 | | if(sctx->sasl->force_ir || data->set.sasl_ir) { |
330 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(sctx->conn); |
331 | | sctx->result = !krb5 ? CURLE_OUT_OF_MEMORY : |
332 | | Curl_auth_create_gssapi_user_message(data, sctx->conn->user, |
333 | | sctx->conn->passwd, |
334 | | service, sctx->conn->host.name, |
335 | | sctx->sasl->mutual_auth, NULL, |
336 | | krb5, &sctx->resp); |
337 | | } |
338 | | return TRUE; |
339 | | } |
340 | | return FALSE; |
341 | | } |
342 | | #endif /* USE_KERBEROS5 */ |
343 | | |
344 | | #ifdef USE_GSASL |
345 | | static bool sasl_choose_gsasl(struct Curl_easy *data, struct sasl_ctx *sctx) |
346 | | { |
347 | | struct gsasldata *gsasl; |
348 | | struct bufref nullmsg; |
349 | | |
350 | | if((sctx->enabledmechs & |
351 | | (SASL_MECH_SCRAM_SHA_256 | SASL_MECH_SCRAM_SHA_1))) { |
352 | | gsasl = Curl_auth_gsasl_get(sctx->conn); |
353 | | if(!gsasl) { |
354 | | sctx->result = CURLE_OUT_OF_MEMORY; |
355 | | return TRUE; /* attempted, but failed */ |
356 | | } |
357 | | |
358 | | if((sctx->enabledmechs & SASL_MECH_SCRAM_SHA_256) && |
359 | | Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_256, |
360 | | gsasl)) { |
361 | | sctx->mech = SASL_MECH_STRING_SCRAM_SHA_256; |
362 | | sctx->sasl->authused = SASL_MECH_SCRAM_SHA_256; |
363 | | } |
364 | | else if((sctx->enabledmechs & SASL_MECH_SCRAM_SHA_1) && |
365 | | Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_1, |
366 | | gsasl)) { |
367 | | sctx->mech = SASL_MECH_STRING_SCRAM_SHA_1; |
368 | | sctx->sasl->authused = SASL_MECH_SCRAM_SHA_1; |
369 | | } |
370 | | else |
371 | | return FALSE; |
372 | | |
373 | | Curl_bufref_init(&nullmsg); |
374 | | sctx->state1 = SASL_GSASL; |
375 | | sctx->state2 = SASL_GSASL; |
376 | | sctx->result = Curl_auth_gsasl_start(data, sctx->conn->user, |
377 | | sctx->conn->passwd, gsasl); |
378 | | if(!sctx->result && (sctx->sasl->force_ir || data->set.sasl_ir)) |
379 | | sctx->result = Curl_auth_gsasl_token(data, &nullmsg, gsasl, &sctx->resp); |
380 | | return TRUE; |
381 | | } |
382 | | return FALSE; |
383 | | } |
384 | | |
385 | | #endif /* USE_GSASL */ |
386 | | |
387 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
388 | | static bool sasl_choose_digest(struct Curl_easy *data, struct sasl_ctx *sctx) |
389 | 562 | { |
390 | 562 | (void)data; |
391 | 562 | if((sctx->enabledmechs & SASL_MECH_DIGEST_MD5) && |
392 | 118 | Curl_auth_is_digest_supported()) { |
393 | 118 | sctx->mech = SASL_MECH_STRING_DIGEST_MD5; |
394 | 118 | sctx->state1 = SASL_DIGESTMD5; |
395 | 118 | sctx->sasl->authused = SASL_MECH_DIGEST_MD5; |
396 | 118 | return TRUE; |
397 | 118 | } |
398 | 444 | else if(sctx->enabledmechs & SASL_MECH_CRAM_MD5) { |
399 | 137 | sctx->mech = SASL_MECH_STRING_CRAM_MD5; |
400 | 137 | sctx->state1 = SASL_CRAMMD5; |
401 | 137 | sctx->sasl->authused = SASL_MECH_CRAM_MD5; |
402 | 137 | return TRUE; |
403 | 137 | } |
404 | 307 | return FALSE; |
405 | 562 | } |
406 | | #endif /* !CURL_DISABLE_DIGEST_AUTH */ |
407 | | |
408 | | #ifdef USE_NTLM |
409 | | static bool sasl_choose_ntlm(struct Curl_easy *data, struct sasl_ctx *sctx) |
410 | 307 | { |
411 | 307 | if((sctx->enabledmechs & SASL_MECH_NTLM) && |
412 | 107 | Curl_auth_is_ntlm_supported()) { |
413 | 107 | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
414 | 53 | data->set.str[STRING_SERVICE_NAME] : |
415 | 107 | sctx->sasl->params->service; |
416 | 107 | const char *hostname; |
417 | 107 | int port; |
418 | | |
419 | 107 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
420 | | |
421 | 107 | sctx->mech = SASL_MECH_STRING_NTLM; |
422 | 107 | sctx->state1 = SASL_NTLM; |
423 | 107 | sctx->state2 = SASL_NTLM_TYPE2MSG; |
424 | 107 | sctx->sasl->authused = SASL_MECH_NTLM; |
425 | | |
426 | 107 | if(sctx->sasl->force_ir || data->set.sasl_ir) { |
427 | 11 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(sctx->conn, FALSE); |
428 | 11 | sctx->result = !ntlm ? CURLE_OUT_OF_MEMORY : |
429 | 11 | Curl_auth_create_ntlm_type1_message(data, |
430 | 11 | sctx->conn->user, |
431 | 11 | sctx->conn->passwd, |
432 | 11 | service, hostname, |
433 | 11 | ntlm, &sctx->resp); |
434 | 11 | } |
435 | 107 | return TRUE; |
436 | 107 | } |
437 | 200 | return FALSE; |
438 | 307 | } |
439 | | #endif /* USE_NTLM */ |
440 | | |
441 | | static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx) |
442 | 200 | { |
443 | 200 | const char *oauth_bearer = |
444 | 200 | (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? |
445 | 200 | data->set.str[STRING_BEARER] : NULL; |
446 | | |
447 | 200 | if(oauth_bearer && (sctx->enabledmechs & SASL_MECH_OAUTHBEARER)) { |
448 | 0 | const char *hostname; |
449 | 0 | int port; |
450 | 0 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
451 | |
|
452 | 0 | sctx->mech = SASL_MECH_STRING_OAUTHBEARER; |
453 | 0 | sctx->state1 = SASL_OAUTH2; |
454 | 0 | sctx->state2 = SASL_OAUTH2_RESP; |
455 | 0 | sctx->sasl->authused = SASL_MECH_OAUTHBEARER; |
456 | |
|
457 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
458 | 0 | sctx->result = |
459 | 0 | Curl_auth_create_oauth_bearer_message(sctx->conn->user, |
460 | 0 | hostname, port, |
461 | 0 | oauth_bearer, &sctx->resp); |
462 | 0 | return TRUE; |
463 | 0 | } |
464 | 200 | return FALSE; |
465 | 200 | } |
466 | | |
467 | | static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx) |
468 | 200 | { |
469 | 200 | const char *oauth_bearer = |
470 | 200 | (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? |
471 | 200 | data->set.str[STRING_BEARER] : NULL; |
472 | | |
473 | 200 | if(oauth_bearer && (sctx->enabledmechs & SASL_MECH_XOAUTH2)) { |
474 | 0 | sctx->mech = SASL_MECH_STRING_XOAUTH2; |
475 | 0 | sctx->state1 = SASL_OAUTH2; |
476 | 0 | sctx->sasl->authused = SASL_MECH_XOAUTH2; |
477 | |
|
478 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
479 | 0 | sctx->result = Curl_auth_create_xoauth_bearer_message(sctx->conn->user, |
480 | 0 | oauth_bearer, |
481 | 0 | &sctx->resp); |
482 | 0 | return TRUE; |
483 | 0 | } |
484 | 200 | return FALSE; |
485 | 200 | } |
486 | | |
487 | | static bool sasl_choose_plain(struct Curl_easy *data, struct sasl_ctx *sctx) |
488 | 200 | { |
489 | 200 | if(sctx->enabledmechs & SASL_MECH_PLAIN) { |
490 | 22 | sctx->mech = SASL_MECH_STRING_PLAIN; |
491 | 22 | sctx->state1 = SASL_PLAIN; |
492 | 22 | sctx->sasl->authused = SASL_MECH_PLAIN; |
493 | | |
494 | 22 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
495 | 10 | sctx->result = |
496 | 10 | Curl_auth_create_plain_message(sctx->conn->sasl_authzid, |
497 | 10 | sctx->conn->user, sctx->conn->passwd, |
498 | 10 | &sctx->resp); |
499 | 22 | return TRUE; |
500 | 22 | } |
501 | 178 | return FALSE; |
502 | 200 | } |
503 | | |
504 | | static bool sasl_choose_login(struct Curl_easy *data, struct sasl_ctx *sctx) |
505 | 178 | { |
506 | 178 | if(sctx->enabledmechs & SASL_MECH_LOGIN) { |
507 | 37 | sctx->mech = SASL_MECH_STRING_LOGIN; |
508 | 37 | sctx->state1 = SASL_LOGIN; |
509 | 37 | sctx->state2 = SASL_LOGIN_PASSWD; |
510 | 37 | sctx->sasl->authused = SASL_MECH_LOGIN; |
511 | | |
512 | 37 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
513 | 17 | Curl_auth_create_login_message(sctx->conn->user, &sctx->resp); |
514 | 37 | return TRUE; |
515 | 37 | } |
516 | 141 | return FALSE; |
517 | 178 | } |
518 | | |
519 | | /* |
520 | | * Curl_sasl_start() |
521 | | * |
522 | | * Calculate the required login details for SASL authentication. |
523 | | */ |
524 | | CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, |
525 | | bool force_ir, saslprogress *progress) |
526 | 562 | { |
527 | 562 | struct sasl_ctx sctx; |
528 | | |
529 | 562 | sasl->force_ir = force_ir; /* Latch for future use */ |
530 | 562 | sasl->authused = 0; /* No mechanism used yet */ |
531 | 562 | *progress = SASL_IDLE; |
532 | | |
533 | 562 | memset(&sctx, 0, sizeof(sctx)); |
534 | 562 | sctx.sasl = sasl; |
535 | 562 | sctx.conn = data->conn; |
536 | 562 | Curl_bufref_init(&sctx.resp); |
537 | 562 | sctx.enabledmechs = sasl->authmechs & sasl->prefmech; |
538 | 562 | sctx.state1 = SASL_STOP; |
539 | 562 | sctx.state2 = SASL_FINAL; |
540 | | |
541 | | /* Calculate the supported authentication mechanism, by decreasing order of |
542 | | security, as well as the initial response where appropriate */ |
543 | 562 | if(sasl_choose_external(data, &sctx) || |
544 | | #ifdef USE_KERBEROS5 |
545 | | sasl_choose_krb5(data, &sctx) || |
546 | | #endif |
547 | | #ifdef USE_GSASL |
548 | | sasl_choose_gsasl(data, &sctx) || |
549 | | #endif |
550 | 562 | #ifndef CURL_DISABLE_DIGEST_AUTH |
551 | 562 | sasl_choose_digest(data, &sctx) || |
552 | 307 | #endif |
553 | 307 | #ifdef USE_NTLM |
554 | 307 | sasl_choose_ntlm(data, &sctx) || |
555 | 200 | #endif |
556 | 200 | sasl_choose_oauth(data, &sctx) || |
557 | 200 | sasl_choose_oauth2(data, &sctx) || |
558 | 200 | sasl_choose_plain(data, &sctx) || |
559 | 421 | sasl_choose_login(data, &sctx)) { |
560 | | /* selected, either we have a mechanism or a failure */ |
561 | 421 | DEBUGASSERT(sctx.mech || sctx.result); |
562 | 421 | } |
563 | | |
564 | 562 | if(!sctx.result && sctx.mech) { |
565 | 421 | sasl->curmech = sctx.mech; |
566 | 421 | if(Curl_bufref_ptr(&sctx.resp)) |
567 | 38 | sctx.result = build_message(sasl, &sctx.resp); |
568 | | |
569 | 421 | if(sasl->params->maxirlen && |
570 | 421 | strlen(sctx.mech) + Curl_bufref_len(&sctx.resp) > |
571 | 421 | sasl->params->maxirlen) |
572 | 23 | Curl_bufref_free(&sctx.resp); |
573 | | |
574 | 421 | if(!sctx.result) |
575 | 421 | sctx.result = sasl->params->sendauth(data, sctx.mech, &sctx.resp); |
576 | | |
577 | 421 | if(!sctx.result) { |
578 | 421 | *progress = SASL_INPROGRESS; |
579 | 421 | sasl_state(sasl, data, Curl_bufref_ptr(&sctx.resp) ? |
580 | 406 | sctx.state2 : sctx.state1); |
581 | 421 | } |
582 | 421 | } |
583 | | |
584 | 562 | Curl_bufref_free(&sctx.resp); |
585 | 562 | return sctx.result; |
586 | 562 | } |
587 | | |
588 | | /* |
589 | | * Curl_sasl_continue() |
590 | | * |
591 | | * Continue the authentication. |
592 | | */ |
593 | | CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, |
594 | | int code, saslprogress *progress) |
595 | 748 | { |
596 | 748 | CURLcode result = CURLE_OK; |
597 | 748 | struct connectdata *conn = data->conn; |
598 | 748 | saslstate newstate = SASL_FINAL; |
599 | 748 | struct bufref resp; |
600 | 748 | const char *hostname; |
601 | 748 | int port; |
602 | 748 | #if defined(USE_KERBEROS5) || defined(USE_NTLM) || \ |
603 | 748 | !defined(CURL_DISABLE_DIGEST_AUTH) |
604 | 748 | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
605 | 157 | data->set.str[STRING_SERVICE_NAME] : |
606 | 748 | sasl->params->service; |
607 | 748 | #endif |
608 | 748 | const char *oauth_bearer = data->set.str[STRING_BEARER]; |
609 | 748 | struct bufref serverdata; |
610 | | |
611 | 748 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
612 | 748 | Curl_bufref_init(&serverdata); |
613 | 748 | Curl_bufref_init(&resp); |
614 | 748 | *progress = SASL_INPROGRESS; |
615 | | |
616 | 748 | if(sasl->state == SASL_FINAL) { |
617 | 73 | if(code != sasl->params->finalcode) |
618 | 52 | result = CURLE_LOGIN_DENIED; |
619 | 73 | *progress = SASL_DONE; |
620 | 73 | sasl_state(sasl, data, SASL_STOP); |
621 | 73 | return result; |
622 | 73 | } |
623 | | |
624 | 675 | if(sasl->state != SASL_CANCEL && sasl->state != SASL_OAUTH2_RESP && |
625 | 539 | code != sasl->params->contcode) { |
626 | 14 | *progress = SASL_DONE; |
627 | 14 | sasl_state(sasl, data, SASL_STOP); |
628 | 14 | return CURLE_LOGIN_DENIED; |
629 | 14 | } |
630 | | |
631 | 661 | switch(sasl->state) { |
632 | 0 | case SASL_STOP: |
633 | 0 | *progress = SASL_DONE; |
634 | 0 | return result; |
635 | 21 | case SASL_PLAIN: |
636 | 21 | result = Curl_auth_create_plain_message(conn->sasl_authzid, |
637 | 21 | conn->user, conn->passwd, &resp); |
638 | 21 | break; |
639 | 33 | case SASL_LOGIN: |
640 | 33 | Curl_auth_create_login_message(conn->user, &resp); |
641 | 33 | newstate = SASL_LOGIN_PASSWD; |
642 | 33 | break; |
643 | 33 | case SASL_LOGIN_PASSWD: |
644 | 33 | Curl_auth_create_login_message(conn->passwd, &resp); |
645 | 33 | break; |
646 | 0 | case SASL_EXTERNAL: |
647 | 0 | Curl_auth_create_external_message(conn->user, &resp); |
648 | 0 | break; |
649 | | #ifdef USE_GSASL |
650 | | case SASL_GSASL: |
651 | | result = get_server_message(sasl, data, &serverdata); |
652 | | if(!result) { |
653 | | struct gsasldata *gsasl = Curl_auth_gsasl_get(conn); |
654 | | result = !gsasl ? CURLE_OUT_OF_MEMORY : |
655 | | Curl_auth_gsasl_token(data, &serverdata, gsasl, &resp); |
656 | | } |
657 | | if(!result && Curl_bufref_len(&resp) > 0) |
658 | | newstate = SASL_GSASL; |
659 | | break; |
660 | | #endif |
661 | 0 | #ifndef CURL_DISABLE_DIGEST_AUTH |
662 | 126 | case SASL_CRAMMD5: |
663 | 126 | result = get_server_message(sasl, data, &serverdata); |
664 | 126 | if(!result) |
665 | 79 | result = Curl_auth_create_cram_md5_message(&serverdata, conn->user, |
666 | 79 | conn->passwd, &resp); |
667 | 126 | break; |
668 | 117 | case SASL_DIGESTMD5: |
669 | 117 | result = get_server_message(sasl, data, &serverdata); |
670 | 117 | if(!result) |
671 | 55 | result = Curl_auth_create_digest_md5_message(data, &serverdata, |
672 | 55 | conn->user, conn->passwd, |
673 | 55 | service, &resp); |
674 | 117 | if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) |
675 | 0 | newstate = SASL_DIGESTMD5_RESP; |
676 | 117 | break; |
677 | 0 | case SASL_DIGESTMD5_RESP: |
678 | | /* Keep response NULL to output an empty line. */ |
679 | 0 | break; |
680 | 0 | #endif |
681 | | |
682 | 0 | #ifdef USE_NTLM |
683 | 93 | case SASL_NTLM: { |
684 | | /* Create the type-1 message */ |
685 | 93 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(conn, FALSE); |
686 | 93 | result = !ntlm ? CURLE_OUT_OF_MEMORY : |
687 | 93 | Curl_auth_create_ntlm_type1_message(data, |
688 | 93 | conn->user, conn->passwd, |
689 | 93 | service, hostname, |
690 | 93 | ntlm, &resp); |
691 | 93 | newstate = SASL_NTLM_TYPE2MSG; |
692 | 93 | break; |
693 | 0 | } |
694 | 102 | case SASL_NTLM_TYPE2MSG: { |
695 | | /* Decode the type-2 message */ |
696 | 102 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(conn, FALSE); |
697 | 102 | result = !ntlm ? CURLE_OUT_OF_MEMORY : |
698 | 102 | get_server_message(sasl, data, &serverdata); |
699 | 102 | if(!result) |
700 | 72 | result = Curl_auth_decode_ntlm_type2_message(data, &serverdata, ntlm); |
701 | 102 | if(!result) |
702 | 29 | result = Curl_auth_create_ntlm_type3_message(data, conn->user, |
703 | 29 | conn->passwd, ntlm, |
704 | 29 | &resp); |
705 | 102 | break; |
706 | 0 | } |
707 | 0 | #endif |
708 | | |
709 | | #ifdef USE_KERBEROS5 |
710 | | case SASL_GSSAPI: { |
711 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
712 | | result = !krb5 ? CURLE_OUT_OF_MEMORY : |
713 | | Curl_auth_create_gssapi_user_message(data, conn->user, conn->passwd, |
714 | | service, conn->host.name, |
715 | | sasl->mutual_auth, NULL, |
716 | | krb5, &resp); |
717 | | newstate = SASL_GSSAPI_TOKEN; |
718 | | break; |
719 | | } |
720 | | case SASL_GSSAPI_TOKEN: |
721 | | result = get_server_message(sasl, data, &serverdata); |
722 | | if(!result) { |
723 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
724 | | if(!krb5) |
725 | | result = CURLE_OUT_OF_MEMORY; |
726 | | else if(sasl->mutual_auth) { |
727 | | /* Decode the user token challenge and create the optional response |
728 | | message */ |
729 | | result = Curl_auth_create_gssapi_user_message(data, NULL, NULL, |
730 | | NULL, NULL, |
731 | | sasl->mutual_auth, |
732 | | &serverdata, |
733 | | krb5, &resp); |
734 | | newstate = SASL_GSSAPI_NO_DATA; |
735 | | } |
736 | | else |
737 | | /* Decode the security challenge and create the response message */ |
738 | | result = Curl_auth_create_gssapi_security_message(data, |
739 | | conn->sasl_authzid, |
740 | | &serverdata, |
741 | | krb5, &resp); |
742 | | } |
743 | | break; |
744 | | case SASL_GSSAPI_NO_DATA: |
745 | | /* Decode the security challenge and create the response message */ |
746 | | result = get_server_message(sasl, data, &serverdata); |
747 | | if(!result) { |
748 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
749 | | if(!krb5) |
750 | | result = CURLE_OUT_OF_MEMORY; |
751 | | else |
752 | | result = Curl_auth_create_gssapi_security_message(data, |
753 | | conn->sasl_authzid, |
754 | | &serverdata, |
755 | | krb5, &resp); |
756 | | } |
757 | | break; |
758 | | #endif |
759 | | |
760 | 0 | case SASL_OAUTH2: |
761 | | /* Create the authorization message */ |
762 | 0 | if(sasl->authused == SASL_MECH_OAUTHBEARER) { |
763 | 0 | result = Curl_auth_create_oauth_bearer_message(conn->user, |
764 | 0 | hostname, |
765 | 0 | port, |
766 | 0 | oauth_bearer, |
767 | 0 | &resp); |
768 | | |
769 | | /* Failures maybe sent by the server as continuations for OAUTHBEARER */ |
770 | 0 | newstate = SASL_OAUTH2_RESP; |
771 | 0 | } |
772 | 0 | else |
773 | 0 | result = Curl_auth_create_xoauth_bearer_message(conn->user, |
774 | 0 | oauth_bearer, |
775 | 0 | &resp); |
776 | 0 | break; |
777 | | |
778 | 0 | case SASL_OAUTH2_RESP: |
779 | | /* The continuation is optional so check the response code */ |
780 | 0 | if(code == sasl->params->finalcode) { |
781 | | /* Final response was received so we are done */ |
782 | 0 | *progress = SASL_DONE; |
783 | 0 | sasl_state(sasl, data, SASL_STOP); |
784 | 0 | return result; |
785 | 0 | } |
786 | 0 | else if(code == sasl->params->contcode) { |
787 | | /* Acknowledge the continuation by sending a 0x01 response. */ |
788 | 0 | Curl_bufref_set(&resp, "\x01", 1, NULL); |
789 | 0 | break; |
790 | 0 | } |
791 | 0 | else { |
792 | 0 | *progress = SASL_DONE; |
793 | 0 | sasl_state(sasl, data, SASL_STOP); |
794 | 0 | return CURLE_LOGIN_DENIED; |
795 | 0 | } |
796 | | |
797 | 136 | case SASL_CANCEL: |
798 | | /* Remove the offending mechanism from the supported list */ |
799 | 136 | sasl->authmechs &= (unsigned short)~sasl->authused; |
800 | 136 | sasl->authused = SASL_AUTH_NONE; |
801 | 136 | sasl->curmech = NULL; |
802 | | |
803 | | /* Start an alternative SASL authentication */ |
804 | 136 | return Curl_sasl_start(sasl, data, sasl->force_ir, progress); |
805 | 0 | default: |
806 | 0 | failf(data, "Unsupported SASL authentication mechanism"); |
807 | 0 | result = CURLE_UNSUPPORTED_PROTOCOL; /* Should not happen */ |
808 | 0 | break; |
809 | 661 | } |
810 | | |
811 | 525 | Curl_bufref_free(&serverdata); |
812 | | |
813 | 525 | switch(result) { |
814 | 237 | case CURLE_BAD_CONTENT_ENCODING: |
815 | | /* Cancel dialog */ |
816 | 237 | result = sasl->params->cancelauth(data, sasl->curmech); |
817 | 237 | newstate = SASL_CANCEL; |
818 | 237 | break; |
819 | 288 | case CURLE_OK: |
820 | 288 | result = build_message(sasl, &resp); |
821 | 288 | if(!result) |
822 | 288 | result = sasl->params->contauth(data, sasl->curmech, &resp); |
823 | 288 | break; |
824 | 0 | default: |
825 | 0 | newstate = SASL_STOP; /* Stop on error */ |
826 | 0 | *progress = SASL_DONE; |
827 | 0 | break; |
828 | 525 | } |
829 | | |
830 | 525 | Curl_bufref_free(&resp); |
831 | | |
832 | 525 | sasl_state(sasl, data, newstate); |
833 | | |
834 | 525 | return result; |
835 | 525 | } |
836 | | |
837 | | #ifndef CURL_DISABLE_VERBOSE_STRINGS |
838 | | static void sasl_unchosen(struct Curl_easy *data, unsigned short mech, |
839 | | unsigned short enabledmechs, |
840 | | bool built_in, bool platform, |
841 | | const char *param_missing) |
842 | 24 | { |
843 | 24 | const char *mname = NULL; |
844 | 24 | size_t i; |
845 | | |
846 | 24 | if(!(enabledmechs & mech)) |
847 | 21 | return; |
848 | | |
849 | 18 | for(i = 0; mechtable[i].name; ++i) { |
850 | 18 | if(mechtable[i].bit == mech) { |
851 | 3 | mname = mechtable[i].name; |
852 | 3 | break; |
853 | 3 | } |
854 | 18 | } |
855 | 3 | if(!mname) /* should not happen */ |
856 | 0 | return; |
857 | 3 | if(!built_in) |
858 | 2 | infof(data, "SASL: %s not builtin", mname); |
859 | 1 | else if(!platform) |
860 | 0 | infof(data, "SASL: %s not supported by the platform/libraries", mname); |
861 | 1 | else { |
862 | 1 | if(param_missing) |
863 | 1 | infof(data, "SASL: %s is missing %s", mname, param_missing); |
864 | 1 | if(!data->conn->user[0]) |
865 | 0 | infof(data, "SASL: %s is missing username", mname); |
866 | 1 | } |
867 | 3 | } |
868 | | #endif /* CURL_DISABLE_VERBOSE_STRINGS */ |
869 | | |
870 | | CURLcode Curl_sasl_is_blocked(struct SASL *sasl, struct Curl_easy *data) |
871 | 10 | { |
872 | 10 | #ifndef CURL_DISABLE_VERBOSE_STRINGS |
873 | | #ifdef USE_KERBEROS5 |
874 | | #define CURL_SASL_KERBEROS5 TRUE |
875 | | #else |
876 | 10 | #define CURL_SASL_KERBEROS5 FALSE |
877 | 10 | #endif |
878 | | #ifdef USE_GSASL |
879 | | #define CURL_SASL_GASL TRUE |
880 | | #else |
881 | 10 | #define CURL_SASL_GASL FALSE |
882 | 10 | #endif |
883 | | #ifdef CURL_DISABLE_DIGEST_AUTH |
884 | | #define CURL_SASL_DIGEST TRUE |
885 | | #else |
886 | 10 | #define CURL_SASL_DIGEST FALSE |
887 | 10 | #endif |
888 | | #ifndef USE_NTLM |
889 | | #define CURL_SASL_NTLM TRUE |
890 | | #else |
891 | 10 | #define CURL_SASL_NTLM FALSE |
892 | 10 | #endif |
893 | | /* Failing SASL authentication is a pain. Give a helping hand if |
894 | | * we were unable to select an AUTH mechanism. |
895 | | * `sasl->authmechs` are mechanisms offered by the peer |
896 | | * `sasl->prefmech` are mechanisms preferred by us */ |
897 | 10 | unsigned short enabledmechs = sasl->authmechs & sasl->prefmech; |
898 | | |
899 | 10 | if(!sasl->authmechs) |
900 | 5 | infof(data, "SASL: no auth mechanism was offered or recognized"); |
901 | 5 | else if(!enabledmechs) |
902 | 2 | infof(data, "SASL: no overlap between offered and configured " |
903 | 5 | "auth mechanisms"); |
904 | 3 | else { |
905 | 3 | infof(data, "SASL: no auth mechanism offered could be selected"); |
906 | 3 | if((enabledmechs & SASL_MECH_EXTERNAL) && data->conn->passwd[0]) |
907 | 0 | infof(data, "SASL: auth EXTERNAL not chosen with password"); |
908 | 3 | sasl_unchosen(data, SASL_MECH_GSSAPI, enabledmechs, |
909 | 3 | CURL_SASL_KERBEROS5, Curl_auth_is_gssapi_supported(), NULL); |
910 | 3 | sasl_unchosen(data, SASL_MECH_SCRAM_SHA_256, enabledmechs, |
911 | 3 | CURL_SASL_GASL, FALSE, NULL); |
912 | 3 | sasl_unchosen(data, SASL_MECH_SCRAM_SHA_1, enabledmechs, |
913 | 3 | CURL_SASL_GASL, FALSE, NULL); |
914 | 3 | sasl_unchosen(data, SASL_MECH_DIGEST_MD5, enabledmechs, |
915 | 3 | CURL_SASL_DIGEST, Curl_auth_is_digest_supported(), NULL); |
916 | 3 | sasl_unchosen(data, SASL_MECH_CRAM_MD5, enabledmechs, |
917 | 3 | CURL_SASL_DIGEST, TRUE, NULL); |
918 | 3 | sasl_unchosen(data, SASL_MECH_NTLM, enabledmechs, |
919 | 3 | CURL_SASL_NTLM, Curl_auth_is_ntlm_supported(), NULL); |
920 | 3 | sasl_unchosen(data, SASL_MECH_OAUTHBEARER, enabledmechs, TRUE, TRUE, |
921 | 3 | data->set.str[STRING_BEARER] ? |
922 | 3 | NULL : "CURLOPT_XOAUTH2_BEARER"); |
923 | 3 | sasl_unchosen(data, SASL_MECH_XOAUTH2, enabledmechs, TRUE, TRUE, |
924 | 3 | data->set.str[STRING_BEARER] ? |
925 | 3 | NULL : "CURLOPT_XOAUTH2_BEARER"); |
926 | 3 | } |
927 | 10 | #endif /* CURL_DISABLE_VERBOSE_STRINGS */ |
928 | 10 | (void)sasl; |
929 | 10 | (void)data; |
930 | 10 | return CURLE_LOGIN_DENIED; |
931 | 10 | } |
932 | | |
933 | | #endif /* protocols are enabled that use SASL */ |