/src/curl/lib/curl_sasl.c
Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | * RFC2195 CRAM-MD5 authentication |
24 | | * RFC2617 Basic and Digest Access Authentication |
25 | | * RFC2831 DIGEST-MD5 authentication |
26 | | * RFC4422 Simple Authentication and Security Layer (SASL) |
27 | | * RFC4616 PLAIN authentication |
28 | | * RFC5802 SCRAM-SHA-1 authentication |
29 | | * RFC7677 SCRAM-SHA-256 authentication |
30 | | * RFC6749 OAuth 2.0 Authorization Framework |
31 | | * RFC7628 A Set of SASL Mechanisms for OAuth |
32 | | * Draft LOGIN SASL Mechanism <draft-murchison-sasl-login-00.txt> |
33 | | * |
34 | | ***************************************************************************/ |
35 | | #include "curl_setup.h" |
36 | | |
37 | | #if !defined(CURL_DISABLE_IMAP) || !defined(CURL_DISABLE_SMTP) || \ |
38 | | !defined(CURL_DISABLE_POP3) || \ |
39 | | (!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP)) |
40 | | |
41 | | #include "urldata.h" |
42 | | #include "curlx/base64.h" |
43 | | #include "vauth/vauth.h" |
44 | | #include "cfilters.h" |
45 | | #include "curl_sasl.h" |
46 | | #include "curl_trc.h" |
47 | | |
48 | | /* Supported mechanisms */ |
49 | | static const struct { |
50 | | const char *name; /* Name */ |
51 | | size_t len; /* Name length */ |
52 | | unsigned short bit; /* Flag bit */ |
53 | | } mechtable[] = { |
54 | | { "LOGIN", 5, SASL_MECH_LOGIN }, |
55 | | { "PLAIN", 5, SASL_MECH_PLAIN }, |
56 | | { "CRAM-MD5", 8, SASL_MECH_CRAM_MD5 }, |
57 | | { "DIGEST-MD5", 10, SASL_MECH_DIGEST_MD5 }, |
58 | | { "GSSAPI", 6, SASL_MECH_GSSAPI }, |
59 | | { "EXTERNAL", 8, SASL_MECH_EXTERNAL }, |
60 | | { "NTLM", 4, SASL_MECH_NTLM }, |
61 | | { "XOAUTH2", 7, SASL_MECH_XOAUTH2 }, |
62 | | { "OAUTHBEARER", 11, SASL_MECH_OAUTHBEARER }, |
63 | | { "SCRAM-SHA-1", 11, SASL_MECH_SCRAM_SHA_1 }, |
64 | | { "SCRAM-SHA-256",13, SASL_MECH_SCRAM_SHA_256 }, |
65 | | { ZERO_NULL, 0, 0 } |
66 | | }; |
67 | | |
68 | | /* |
69 | | * Curl_sasl_decode_mech() |
70 | | * |
71 | | * Convert a SASL mechanism name into a token. |
72 | | * |
73 | | * Parameters: |
74 | | * |
75 | | * ptr [in] - The mechanism string. |
76 | | * maxlen [in] - Maximum mechanism string length. |
77 | | * len [out] - If not NULL, effective name length. |
78 | | * |
79 | | * Returns the SASL mechanism token or 0 if no match. |
80 | | */ |
81 | | unsigned short Curl_sasl_decode_mech(const char *ptr, size_t maxlen, |
82 | | size_t *len) |
83 | 50.8k | { |
84 | 50.8k | unsigned int i; |
85 | 50.8k | char c; |
86 | | |
87 | 554k | for(i = 0; mechtable[i].name; i++) { |
88 | 512k | if(maxlen >= mechtable[i].len && |
89 | 234k | curl_strnequal(ptr, mechtable[i].name, mechtable[i].len)) { |
90 | 23.7k | if(len) |
91 | 23.7k | *len = mechtable[i].len; |
92 | | |
93 | 23.7k | if(maxlen == mechtable[i].len) |
94 | 2.16k | return mechtable[i].bit; |
95 | | |
96 | 21.6k | c = ptr[mechtable[i].len]; |
97 | 21.6k | if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_') |
98 | 6.39k | return mechtable[i].bit; |
99 | 21.6k | } |
100 | 512k | } |
101 | | |
102 | 42.2k | return 0; |
103 | 50.8k | } |
104 | | |
105 | | /* |
106 | | * Curl_sasl_parse_url_auth_option() |
107 | | * |
108 | | * Parse the URL login options. |
109 | | */ |
110 | | CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl, |
111 | | const char *value, size_t len) |
112 | 138 | { |
113 | 138 | CURLcode result = CURLE_OK; |
114 | 138 | size_t mechlen; |
115 | | |
116 | 138 | if(!len) |
117 | 25 | return CURLE_URL_MALFORMAT; |
118 | | |
119 | 113 | if(sasl->resetprefs) { |
120 | 75 | sasl->resetprefs = FALSE; |
121 | 75 | sasl->prefmech = SASL_AUTH_NONE; |
122 | 75 | } |
123 | | |
124 | 113 | if(!strncmp(value, "*", len)) |
125 | 31 | sasl->prefmech = SASL_AUTH_DEFAULT; |
126 | 82 | else { |
127 | 82 | unsigned short mechbit = Curl_sasl_decode_mech(value, len, &mechlen); |
128 | 82 | if(mechbit && mechlen == len) |
129 | 24 | sasl->prefmech |= mechbit; |
130 | 58 | else |
131 | 58 | result = CURLE_URL_MALFORMAT; |
132 | 82 | } |
133 | | |
134 | 113 | return result; |
135 | 138 | } |
136 | | |
137 | | /* |
138 | | * Curl_sasl_init() |
139 | | * |
140 | | * Initializes the SASL structure. |
141 | | */ |
142 | | void Curl_sasl_init(struct SASL *sasl, struct Curl_easy *data, |
143 | | const struct SASLproto *params) |
144 | 13.3k | { |
145 | 13.3k | unsigned long auth = data->set.httpauth; |
146 | | |
147 | 13.3k | sasl->params = params; /* Set protocol dependent parameters */ |
148 | 13.3k | sasl->state = SASL_STOP; /* Not yet running */ |
149 | 13.3k | sasl->curmech = NULL; /* No mechanism yet. */ |
150 | 13.3k | sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */ |
151 | 13.3k | sasl->prefmech = params->defmechs; /* Default preferred mechanisms */ |
152 | 13.3k | sasl->authused = SASL_AUTH_NONE; /* The authentication mechanism used */ |
153 | 13.3k | sasl->resetprefs = TRUE; /* Reset prefmech upon AUTH parsing. */ |
154 | 13.3k | sasl->mutual_auth = FALSE; /* No mutual authentication (GSSAPI only) */ |
155 | 13.3k | sasl->force_ir = FALSE; /* Respect external option */ |
156 | | |
157 | 13.3k | if(auth != CURLAUTH_BASIC) { |
158 | 1.26k | unsigned short mechs = SASL_AUTH_NONE; |
159 | | |
160 | | /* If some usable http authentication options have been set, determine |
161 | | new defaults from them. */ |
162 | 1.26k | if(auth & CURLAUTH_BASIC) |
163 | 382 | mechs |= SASL_MECH_PLAIN | SASL_MECH_LOGIN; |
164 | 1.26k | if(auth & CURLAUTH_DIGEST) |
165 | 395 | mechs |= SASL_MECH_DIGEST_MD5; |
166 | 1.26k | if(auth & CURLAUTH_NTLM) |
167 | 208 | mechs |= SASL_MECH_NTLM; |
168 | 1.26k | if(auth & CURLAUTH_BEARER) |
169 | 200 | mechs |= SASL_MECH_OAUTHBEARER | SASL_MECH_XOAUTH2; |
170 | 1.26k | if(auth & CURLAUTH_GSSAPI) |
171 | 0 | mechs |= SASL_MECH_GSSAPI; |
172 | | |
173 | 1.26k | if(mechs != SASL_AUTH_NONE) |
174 | 499 | sasl->prefmech = mechs; |
175 | 1.26k | } |
176 | 13.3k | } |
177 | | |
178 | | /* |
179 | | * sasl_state() |
180 | | * |
181 | | * This is the ONLY way to change SASL state! |
182 | | */ |
183 | | static void sasl_state(struct SASL *sasl, struct Curl_easy *data, |
184 | | saslstate newstate) |
185 | 889 | { |
186 | 889 | #if defined(DEBUGBUILD) && defined(CURLVERBOSE) |
187 | | /* for debug purposes */ |
188 | 889 | static const char * const names[] = { |
189 | 889 | "STOP", |
190 | 889 | "PLAIN", |
191 | 889 | "LOGIN", |
192 | 889 | "LOGIN_PASSWD", |
193 | 889 | "EXTERNAL", |
194 | 889 | "CRAMMD5", |
195 | 889 | "DIGESTMD5", |
196 | 889 | "DIGESTMD5_RESP", |
197 | 889 | "NTLM", |
198 | 889 | "NTLM_TYPE2MSG", |
199 | 889 | "GSSAPI", |
200 | 889 | "GSSAPI_TOKEN", |
201 | 889 | "GSSAPI_NO_DATA", |
202 | 889 | "OAUTH2", |
203 | 889 | "OAUTH2_RESP", |
204 | 889 | "GSASL", |
205 | 889 | "CANCEL", |
206 | 889 | "FINAL", |
207 | | /* LAST */ |
208 | 889 | }; |
209 | | |
210 | 889 | if(sasl->state != newstate) |
211 | 889 | infof(data, "SASL %p state change from %s to %s", |
212 | 889 | (void *)sasl, names[sasl->state], names[newstate]); |
213 | | #else |
214 | | (void)data; |
215 | | #endif |
216 | | |
217 | 889 | sasl->state = newstate; |
218 | 889 | } |
219 | | |
220 | | #if defined(USE_NTLM) || defined(USE_GSASL) || defined(USE_KERBEROS5) || \ |
221 | | !defined(CURL_DISABLE_DIGEST_AUTH) |
222 | | /* Get the SASL server message and convert it to binary. */ |
223 | | static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data, |
224 | | struct bufref *out) |
225 | 297 | { |
226 | 297 | CURLcode result = CURLE_OK; |
227 | | |
228 | 297 | result = sasl->params->getmessage(data, out); |
229 | 297 | if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) { |
230 | 297 | const char *serverdata = Curl_bufref_ptr(out); |
231 | | |
232 | 297 | if(!*serverdata || *serverdata == '=') |
233 | 85 | Curl_bufref_set(out, NULL, 0, NULL); |
234 | 212 | else { |
235 | 212 | unsigned char *msg; |
236 | 212 | size_t msglen; |
237 | | |
238 | 212 | result = curlx_base64_decode(serverdata, &msg, &msglen); |
239 | 212 | if(!result) |
240 | 96 | Curl_bufref_set(out, msg, msglen, curl_free); |
241 | 212 | } |
242 | 297 | } |
243 | 297 | return result; |
244 | 297 | } |
245 | | #endif |
246 | | |
247 | | /* Encode the outgoing SASL message. */ |
248 | | static CURLcode build_message(struct SASL *sasl, struct bufref *msg) |
249 | 292 | { |
250 | 292 | CURLcode result = CURLE_OK; |
251 | | |
252 | 292 | if(sasl->params->flags & SASL_FLAG_BASE64) { |
253 | 292 | if(!Curl_bufref_ptr(msg)) /* Empty message. */ |
254 | 0 | Curl_bufref_set(msg, "", 0, NULL); |
255 | 292 | else if(!Curl_bufref_len(msg)) /* Explicit empty response. */ |
256 | 8 | Curl_bufref_set(msg, "=", 1, NULL); |
257 | 284 | else { |
258 | 284 | char *base64; |
259 | 284 | size_t base64len; |
260 | | |
261 | 284 | result = curlx_base64_encode(Curl_bufref_uptr(msg), |
262 | 284 | Curl_bufref_len(msg), &base64, &base64len); |
263 | 284 | if(!result) |
264 | 284 | Curl_bufref_set(msg, base64, base64len, curl_free); |
265 | 284 | } |
266 | 292 | } |
267 | | |
268 | 292 | return result; |
269 | 292 | } |
270 | | |
271 | | /* |
272 | | * Curl_sasl_can_authenticate() |
273 | | * |
274 | | * Check if we have enough auth data and capabilities to authenticate. |
275 | | */ |
276 | | bool Curl_sasl_can_authenticate(struct SASL *sasl, struct Curl_easy *data) |
277 | 2.56k | { |
278 | | /* Have credentials been provided? */ |
279 | 2.56k | if(data->conn->user[0]) |
280 | 405 | return TRUE; |
281 | | |
282 | | /* EXTERNAL can authenticate without a username and/or password */ |
283 | 2.16k | if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL) |
284 | 0 | return TRUE; |
285 | | |
286 | 2.16k | return FALSE; |
287 | 2.16k | } |
288 | | |
289 | | struct sasl_ctx { |
290 | | struct SASL *sasl; |
291 | | struct connectdata *conn; |
292 | | unsigned short enabledmechs; |
293 | | const char *mech; |
294 | | saslstate state1; |
295 | | saslstate state2; |
296 | | struct bufref resp; |
297 | | CURLcode result; |
298 | | }; |
299 | | |
300 | | static bool sasl_choose_external(struct Curl_easy *data, struct sasl_ctx *sctx) |
301 | 479 | { |
302 | 479 | if((sctx->enabledmechs & SASL_MECH_EXTERNAL) && !sctx->conn->passwd[0]) { |
303 | 0 | sctx->mech = SASL_MECH_STRING_EXTERNAL; |
304 | 0 | sctx->state1 = SASL_EXTERNAL; |
305 | 0 | sctx->sasl->authused = SASL_MECH_EXTERNAL; |
306 | |
|
307 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
308 | 0 | Curl_auth_create_external_message(sctx->conn->user, &sctx->resp); |
309 | 0 | return TRUE; |
310 | 0 | } |
311 | 479 | return FALSE; |
312 | 479 | } |
313 | | |
314 | | #ifdef USE_KERBEROS5 |
315 | | static bool sasl_choose_krb5(struct Curl_easy *data, struct sasl_ctx *sctx) |
316 | | { |
317 | | if((sctx->enabledmechs & SASL_MECH_GSSAPI) && |
318 | | Curl_auth_is_gssapi_supported() && |
319 | | Curl_auth_user_contains_domain(sctx->conn->user)) { |
320 | | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
321 | | data->set.str[STRING_SERVICE_NAME] : |
322 | | sctx->sasl->params->service; |
323 | | |
324 | | sctx->sasl->mutual_auth = FALSE; |
325 | | sctx->mech = SASL_MECH_STRING_GSSAPI; |
326 | | sctx->state1 = SASL_GSSAPI; |
327 | | sctx->state2 = SASL_GSSAPI_TOKEN; |
328 | | sctx->sasl->authused = SASL_MECH_GSSAPI; |
329 | | |
330 | | if(sctx->sasl->force_ir || data->set.sasl_ir) { |
331 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(sctx->conn); |
332 | | sctx->result = !krb5 ? CURLE_OUT_OF_MEMORY : |
333 | | Curl_auth_create_gssapi_user_message(data, sctx->conn->user, |
334 | | sctx->conn->passwd, |
335 | | service, sctx->conn->host.name, |
336 | | (bool)sctx->sasl->mutual_auth, |
337 | | NULL, krb5, &sctx->resp); |
338 | | } |
339 | | return TRUE; |
340 | | } |
341 | | return FALSE; |
342 | | } |
343 | | #endif /* USE_KERBEROS5 */ |
344 | | |
345 | | #ifdef USE_GSASL |
346 | | static bool sasl_choose_gsasl(struct Curl_easy *data, struct sasl_ctx *sctx) |
347 | | { |
348 | | struct gsasldata *gsasl; |
349 | | struct bufref nullmsg; |
350 | | |
351 | | if((sctx->enabledmechs & |
352 | | (SASL_MECH_SCRAM_SHA_256 | SASL_MECH_SCRAM_SHA_1))) { |
353 | | gsasl = Curl_auth_gsasl_get(sctx->conn); |
354 | | if(!gsasl) { |
355 | | sctx->result = CURLE_OUT_OF_MEMORY; |
356 | | return TRUE; /* attempted, but failed */ |
357 | | } |
358 | | |
359 | | if((sctx->enabledmechs & SASL_MECH_SCRAM_SHA_256) && |
360 | | Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_256, |
361 | | gsasl)) { |
362 | | sctx->mech = SASL_MECH_STRING_SCRAM_SHA_256; |
363 | | sctx->sasl->authused = SASL_MECH_SCRAM_SHA_256; |
364 | | } |
365 | | else if((sctx->enabledmechs & SASL_MECH_SCRAM_SHA_1) && |
366 | | Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_1, |
367 | | gsasl)) { |
368 | | sctx->mech = SASL_MECH_STRING_SCRAM_SHA_1; |
369 | | sctx->sasl->authused = SASL_MECH_SCRAM_SHA_1; |
370 | | } |
371 | | else |
372 | | return FALSE; |
373 | | |
374 | | Curl_bufref_init(&nullmsg); |
375 | | sctx->state1 = SASL_GSASL; |
376 | | sctx->state2 = SASL_GSASL; |
377 | | sctx->result = Curl_auth_gsasl_start(data, sctx->conn->user, |
378 | | sctx->conn->passwd, gsasl); |
379 | | if(!sctx->result && (sctx->sasl->force_ir || data->set.sasl_ir)) |
380 | | sctx->result = Curl_auth_gsasl_token(data, &nullmsg, gsasl, &sctx->resp); |
381 | | return TRUE; |
382 | | } |
383 | | return FALSE; |
384 | | } |
385 | | |
386 | | #endif /* USE_GSASL */ |
387 | | |
388 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
389 | | static bool sasl_choose_digest(struct Curl_easy *data, struct sasl_ctx *sctx) |
390 | 479 | { |
391 | 479 | (void)data; |
392 | 479 | if((sctx->enabledmechs & SASL_MECH_DIGEST_MD5) && |
393 | 84 | Curl_auth_is_digest_supported()) { |
394 | 84 | sctx->mech = SASL_MECH_STRING_DIGEST_MD5; |
395 | 84 | sctx->state1 = SASL_DIGESTMD5; |
396 | 84 | sctx->sasl->authused = SASL_MECH_DIGEST_MD5; |
397 | 84 | return TRUE; |
398 | 84 | } |
399 | 395 | else if(sctx->enabledmechs & SASL_MECH_CRAM_MD5) { |
400 | 117 | sctx->mech = SASL_MECH_STRING_CRAM_MD5; |
401 | 117 | sctx->state1 = SASL_CRAMMD5; |
402 | 117 | sctx->sasl->authused = SASL_MECH_CRAM_MD5; |
403 | 117 | return TRUE; |
404 | 117 | } |
405 | 278 | return FALSE; |
406 | 479 | } |
407 | | #endif /* !CURL_DISABLE_DIGEST_AUTH */ |
408 | | |
409 | | #ifdef USE_NTLM |
410 | | static bool sasl_choose_ntlm(struct Curl_easy *data, struct sasl_ctx *sctx) |
411 | 278 | { |
412 | 278 | if((sctx->enabledmechs & SASL_MECH_NTLM) && |
413 | 112 | Curl_auth_is_ntlm_supported()) { |
414 | 112 | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
415 | 37 | data->set.str[STRING_SERVICE_NAME] : |
416 | 112 | sctx->sasl->params->service; |
417 | 112 | const char *hostname; |
418 | 112 | int port; |
419 | | |
420 | 112 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
421 | | |
422 | 112 | sctx->mech = SASL_MECH_STRING_NTLM; |
423 | 112 | sctx->state1 = SASL_NTLM; |
424 | 112 | sctx->state2 = SASL_NTLM_TYPE2MSG; |
425 | 112 | sctx->sasl->authused = SASL_MECH_NTLM; |
426 | | |
427 | 112 | if(sctx->sasl->force_ir || data->set.sasl_ir) { |
428 | 8 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(sctx->conn, FALSE); |
429 | 8 | sctx->result = !ntlm ? CURLE_OUT_OF_MEMORY : |
430 | 8 | Curl_auth_create_ntlm_type1_message(data, |
431 | 8 | sctx->conn->user, |
432 | 8 | sctx->conn->passwd, |
433 | 8 | service, hostname, |
434 | 8 | ntlm, &sctx->resp); |
435 | 8 | } |
436 | 112 | return TRUE; |
437 | 112 | } |
438 | 166 | return FALSE; |
439 | 278 | } |
440 | | #endif /* USE_NTLM */ |
441 | | |
442 | | static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx) |
443 | 166 | { |
444 | 166 | const char *oauth_bearer = |
445 | 166 | (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? |
446 | 166 | data->set.str[STRING_BEARER] : NULL; |
447 | | |
448 | 166 | if(oauth_bearer && (sctx->enabledmechs & SASL_MECH_OAUTHBEARER)) { |
449 | 0 | const char *hostname; |
450 | 0 | int port; |
451 | 0 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
452 | |
|
453 | 0 | sctx->mech = SASL_MECH_STRING_OAUTHBEARER; |
454 | 0 | sctx->state1 = SASL_OAUTH2; |
455 | 0 | sctx->state2 = SASL_OAUTH2_RESP; |
456 | 0 | sctx->sasl->authused = SASL_MECH_OAUTHBEARER; |
457 | |
|
458 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
459 | 0 | sctx->result = |
460 | 0 | Curl_auth_create_oauth_bearer_message(sctx->conn->user, |
461 | 0 | hostname, port, |
462 | 0 | oauth_bearer, &sctx->resp); |
463 | 0 | return TRUE; |
464 | 0 | } |
465 | 166 | return FALSE; |
466 | 166 | } |
467 | | |
468 | | static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx) |
469 | 166 | { |
470 | 166 | const char *oauth_bearer = |
471 | 166 | (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? |
472 | 166 | data->set.str[STRING_BEARER] : NULL; |
473 | | |
474 | 166 | if(oauth_bearer && (sctx->enabledmechs & SASL_MECH_XOAUTH2)) { |
475 | 0 | sctx->mech = SASL_MECH_STRING_XOAUTH2; |
476 | 0 | sctx->state1 = SASL_OAUTH2; |
477 | 0 | sctx->sasl->authused = SASL_MECH_XOAUTH2; |
478 | |
|
479 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
480 | 0 | sctx->result = Curl_auth_create_xoauth_bearer_message(sctx->conn->user, |
481 | 0 | oauth_bearer, |
482 | 0 | &sctx->resp); |
483 | 0 | return TRUE; |
484 | 0 | } |
485 | 166 | return FALSE; |
486 | 166 | } |
487 | | |
488 | | static bool sasl_choose_plain(struct Curl_easy *data, struct sasl_ctx *sctx) |
489 | 166 | { |
490 | 166 | if(sctx->enabledmechs & SASL_MECH_PLAIN) { |
491 | 26 | sctx->mech = SASL_MECH_STRING_PLAIN; |
492 | 26 | sctx->state1 = SASL_PLAIN; |
493 | 26 | sctx->sasl->authused = SASL_MECH_PLAIN; |
494 | | |
495 | 26 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
496 | 12 | sctx->result = |
497 | 12 | Curl_auth_create_plain_message(sctx->conn->sasl_authzid, |
498 | 12 | sctx->conn->user, sctx->conn->passwd, |
499 | 12 | &sctx->resp); |
500 | 26 | return TRUE; |
501 | 26 | } |
502 | 140 | return FALSE; |
503 | 166 | } |
504 | | |
505 | | static bool sasl_choose_login(struct Curl_easy *data, struct sasl_ctx *sctx) |
506 | 140 | { |
507 | 140 | if(sctx->enabledmechs & SASL_MECH_LOGIN) { |
508 | 25 | sctx->mech = SASL_MECH_STRING_LOGIN; |
509 | 25 | sctx->state1 = SASL_LOGIN; |
510 | 25 | sctx->state2 = SASL_LOGIN_PASSWD; |
511 | 25 | sctx->sasl->authused = SASL_MECH_LOGIN; |
512 | | |
513 | 25 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
514 | 8 | Curl_auth_create_login_message(sctx->conn->user, &sctx->resp); |
515 | 25 | return TRUE; |
516 | 25 | } |
517 | 115 | return FALSE; |
518 | 140 | } |
519 | | |
520 | | /* |
521 | | * Curl_sasl_start() |
522 | | * |
523 | | * Calculate the required login details for SASL authentication. |
524 | | */ |
525 | | CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, |
526 | | bool force_ir, saslprogress *progress) |
527 | 479 | { |
528 | 479 | struct sasl_ctx sctx; |
529 | | |
530 | 479 | sasl->force_ir = force_ir; /* Latch for future use */ |
531 | 479 | sasl->authused = 0; /* No mechanism used yet */ |
532 | 479 | *progress = SASL_IDLE; |
533 | | |
534 | 479 | memset(&sctx, 0, sizeof(sctx)); |
535 | 479 | sctx.sasl = sasl; |
536 | 479 | sctx.conn = data->conn; |
537 | 479 | Curl_bufref_init(&sctx.resp); |
538 | 479 | sctx.enabledmechs = sasl->authmechs & sasl->prefmech; |
539 | 479 | sctx.state1 = SASL_STOP; |
540 | 479 | sctx.state2 = SASL_FINAL; |
541 | | |
542 | | /* Calculate the supported authentication mechanism, by decreasing order of |
543 | | security, as well as the initial response where appropriate */ |
544 | 479 | if(sasl_choose_external(data, &sctx) || |
545 | | #ifdef USE_KERBEROS5 |
546 | | sasl_choose_krb5(data, &sctx) || |
547 | | #endif |
548 | | #ifdef USE_GSASL |
549 | | sasl_choose_gsasl(data, &sctx) || |
550 | | #endif |
551 | 479 | #ifndef CURL_DISABLE_DIGEST_AUTH |
552 | 479 | sasl_choose_digest(data, &sctx) || |
553 | 278 | #endif |
554 | 278 | #ifdef USE_NTLM |
555 | 278 | sasl_choose_ntlm(data, &sctx) || |
556 | 166 | #endif |
557 | 166 | sasl_choose_oauth(data, &sctx) || |
558 | 166 | sasl_choose_oauth2(data, &sctx) || |
559 | 166 | sasl_choose_plain(data, &sctx) || |
560 | 364 | sasl_choose_login(data, &sctx)) { |
561 | | /* selected, either we have a mechanism or a failure */ |
562 | 364 | DEBUGASSERT(sctx.mech || sctx.result); |
563 | 364 | } |
564 | | |
565 | 479 | if(!sctx.result && sctx.mech) { |
566 | 364 | sasl->curmech = sctx.mech; |
567 | 364 | if(Curl_bufref_ptr(&sctx.resp)) |
568 | 28 | sctx.result = build_message(sasl, &sctx.resp); |
569 | | |
570 | 364 | if(sasl->params->maxirlen && |
571 | 364 | strlen(sctx.mech) + Curl_bufref_len(&sctx.resp) > |
572 | 364 | sasl->params->maxirlen) |
573 | 16 | Curl_bufref_free(&sctx.resp); |
574 | | |
575 | 364 | if(!sctx.result) |
576 | 364 | sctx.result = sasl->params->sendauth(data, sctx.mech, &sctx.resp); |
577 | | |
578 | 364 | if(!sctx.result) { |
579 | 364 | *progress = SASL_INPROGRESS; |
580 | 364 | sasl_state(sasl, data, Curl_bufref_ptr(&sctx.resp) ? |
581 | 352 | sctx.state2 : sctx.state1); |
582 | 364 | } |
583 | 364 | } |
584 | | |
585 | 479 | Curl_bufref_free(&sctx.resp); |
586 | 479 | return sctx.result; |
587 | 479 | } |
588 | | |
589 | | /* |
590 | | * Curl_sasl_continue() |
591 | | * |
592 | | * Continue the authentication. |
593 | | */ |
594 | | CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, |
595 | | int code, saslprogress *progress) |
596 | 628 | { |
597 | 628 | CURLcode result = CURLE_OK; |
598 | 628 | struct connectdata *conn = data->conn; |
599 | 628 | saslstate newstate = SASL_FINAL; |
600 | 628 | struct bufref resp; |
601 | 628 | const char *hostname; |
602 | 628 | int port; |
603 | 628 | #if defined(USE_KERBEROS5) || defined(USE_NTLM) || \ |
604 | 628 | !defined(CURL_DISABLE_DIGEST_AUTH) |
605 | 628 | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
606 | 98 | data->set.str[STRING_SERVICE_NAME] : |
607 | 628 | sasl->params->service; |
608 | 628 | #endif |
609 | 628 | const char *oauth_bearer = data->set.str[STRING_BEARER]; |
610 | 628 | struct bufref serverdata; |
611 | | |
612 | 628 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
613 | 628 | Curl_bufref_init(&serverdata); |
614 | 628 | Curl_bufref_init(&resp); |
615 | 628 | *progress = SASL_INPROGRESS; |
616 | | |
617 | 628 | if(sasl->state == SASL_FINAL) { |
618 | 56 | if(code != sasl->params->finalcode) |
619 | 37 | result = CURLE_LOGIN_DENIED; |
620 | 56 | *progress = SASL_DONE; |
621 | 56 | sasl_state(sasl, data, SASL_STOP); |
622 | 56 | return result; |
623 | 56 | } |
624 | | |
625 | 572 | if(sasl->state != SASL_CANCEL && sasl->state != SASL_OAUTH2_RESP && |
626 | 469 | code != sasl->params->contcode) { |
627 | 9 | *progress = SASL_DONE; |
628 | 9 | sasl_state(sasl, data, SASL_STOP); |
629 | 9 | return CURLE_LOGIN_DENIED; |
630 | 9 | } |
631 | | |
632 | 563 | switch(sasl->state) { |
633 | 0 | case SASL_STOP: |
634 | 0 | *progress = SASL_DONE; |
635 | 0 | return result; |
636 | 23 | case SASL_PLAIN: |
637 | 23 | result = Curl_auth_create_plain_message(conn->sasl_authzid, |
638 | 23 | conn->user, conn->passwd, &resp); |
639 | 23 | break; |
640 | 21 | case SASL_LOGIN: |
641 | 21 | Curl_auth_create_login_message(conn->user, &resp); |
642 | 21 | newstate = SASL_LOGIN_PASSWD; |
643 | 21 | break; |
644 | 18 | case SASL_LOGIN_PASSWD: |
645 | 18 | Curl_auth_create_login_message(conn->passwd, &resp); |
646 | 18 | break; |
647 | 0 | case SASL_EXTERNAL: |
648 | 0 | Curl_auth_create_external_message(conn->user, &resp); |
649 | 0 | break; |
650 | | #ifdef USE_GSASL |
651 | | case SASL_GSASL: |
652 | | result = get_server_message(sasl, data, &serverdata); |
653 | | if(!result) { |
654 | | struct gsasldata *gsasl = Curl_auth_gsasl_get(conn); |
655 | | result = !gsasl ? CURLE_OUT_OF_MEMORY : |
656 | | Curl_auth_gsasl_token(data, &serverdata, gsasl, &resp); |
657 | | } |
658 | | if(!result && Curl_bufref_len(&resp) > 0) |
659 | | newstate = SASL_GSASL; |
660 | | break; |
661 | | #endif |
662 | 0 | #ifndef CURL_DISABLE_DIGEST_AUTH |
663 | 112 | case SASL_CRAMMD5: |
664 | 112 | result = get_server_message(sasl, data, &serverdata); |
665 | 112 | if(!result) |
666 | 67 | result = Curl_auth_create_cram_md5_message(&serverdata, conn->user, |
667 | 67 | conn->passwd, &resp); |
668 | 112 | break; |
669 | 82 | case SASL_DIGESTMD5: |
670 | 82 | result = get_server_message(sasl, data, &serverdata); |
671 | 82 | if(!result) |
672 | 43 | result = Curl_auth_create_digest_md5_message(data, &serverdata, |
673 | 43 | conn->user, conn->passwd, |
674 | 43 | service, &resp); |
675 | 82 | if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) |
676 | 0 | newstate = SASL_DIGESTMD5_RESP; |
677 | 82 | break; |
678 | 0 | case SASL_DIGESTMD5_RESP: |
679 | | /* Keep response NULL to output an empty line. */ |
680 | 0 | break; |
681 | 0 | #endif |
682 | | |
683 | 0 | #ifdef USE_NTLM |
684 | 101 | case SASL_NTLM: { |
685 | | /* Create the type-1 message */ |
686 | 101 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(conn, FALSE); |
687 | 101 | result = !ntlm ? CURLE_OUT_OF_MEMORY : |
688 | 101 | Curl_auth_create_ntlm_type1_message(data, |
689 | 101 | conn->user, conn->passwd, |
690 | 101 | service, hostname, |
691 | 101 | ntlm, &resp); |
692 | 101 | newstate = SASL_NTLM_TYPE2MSG; |
693 | 101 | break; |
694 | 0 | } |
695 | 103 | case SASL_NTLM_TYPE2MSG: { |
696 | | /* Decode the type-2 message */ |
697 | 103 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(conn, FALSE); |
698 | 103 | result = !ntlm ? CURLE_OUT_OF_MEMORY : |
699 | 103 | get_server_message(sasl, data, &serverdata); |
700 | 103 | if(!result) |
701 | 71 | result = Curl_auth_decode_ntlm_type2_message(data, &serverdata, ntlm); |
702 | 103 | if(!result) |
703 | 34 | result = Curl_auth_create_ntlm_type3_message(data, conn->user, |
704 | 34 | conn->passwd, ntlm, |
705 | 34 | &resp); |
706 | 103 | break; |
707 | 0 | } |
708 | 0 | #endif |
709 | | |
710 | | #ifdef USE_KERBEROS5 |
711 | | case SASL_GSSAPI: { |
712 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
713 | | result = !krb5 ? CURLE_OUT_OF_MEMORY : |
714 | | Curl_auth_create_gssapi_user_message(data, conn->user, conn->passwd, |
715 | | service, conn->host.name, |
716 | | (bool)sasl->mutual_auth, NULL, |
717 | | krb5, &resp); |
718 | | newstate = SASL_GSSAPI_TOKEN; |
719 | | break; |
720 | | } |
721 | | case SASL_GSSAPI_TOKEN: |
722 | | result = get_server_message(sasl, data, &serverdata); |
723 | | if(!result) { |
724 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
725 | | if(!krb5) |
726 | | result = CURLE_OUT_OF_MEMORY; |
727 | | else if(sasl->mutual_auth) { |
728 | | /* Decode the user token challenge and create the optional response |
729 | | message */ |
730 | | result = Curl_auth_create_gssapi_user_message(data, NULL, NULL, |
731 | | NULL, NULL, |
732 | | (bool)sasl->mutual_auth, |
733 | | &serverdata, |
734 | | krb5, &resp); |
735 | | newstate = SASL_GSSAPI_NO_DATA; |
736 | | } |
737 | | else |
738 | | /* Decode the security challenge and create the response message */ |
739 | | result = Curl_auth_create_gssapi_security_message(data, |
740 | | conn->sasl_authzid, |
741 | | &serverdata, |
742 | | krb5, &resp); |
743 | | } |
744 | | break; |
745 | | case SASL_GSSAPI_NO_DATA: |
746 | | /* Decode the security challenge and create the response message */ |
747 | | result = get_server_message(sasl, data, &serverdata); |
748 | | if(!result) { |
749 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
750 | | if(!krb5) |
751 | | result = CURLE_OUT_OF_MEMORY; |
752 | | else |
753 | | result = Curl_auth_create_gssapi_security_message(data, |
754 | | conn->sasl_authzid, |
755 | | &serverdata, |
756 | | krb5, &resp); |
757 | | } |
758 | | break; |
759 | | #endif |
760 | | |
761 | 0 | case SASL_OAUTH2: |
762 | | /* Create the authorization message */ |
763 | 0 | if(sasl->authused == SASL_MECH_OAUTHBEARER) { |
764 | 0 | result = Curl_auth_create_oauth_bearer_message(conn->user, |
765 | 0 | hostname, |
766 | 0 | port, |
767 | 0 | oauth_bearer, |
768 | 0 | &resp); |
769 | | |
770 | | /* Failures maybe sent by the server as continuations for OAUTHBEARER */ |
771 | 0 | newstate = SASL_OAUTH2_RESP; |
772 | 0 | } |
773 | 0 | else |
774 | 0 | result = Curl_auth_create_xoauth_bearer_message(conn->user, |
775 | 0 | oauth_bearer, |
776 | 0 | &resp); |
777 | 0 | break; |
778 | | |
779 | 0 | case SASL_OAUTH2_RESP: |
780 | | /* The continuation is optional so check the response code */ |
781 | 0 | if(code == sasl->params->finalcode) { |
782 | | /* Final response was received so we are done */ |
783 | 0 | *progress = SASL_DONE; |
784 | 0 | sasl_state(sasl, data, SASL_STOP); |
785 | 0 | return result; |
786 | 0 | } |
787 | 0 | else if(code == sasl->params->contcode) { |
788 | | /* Acknowledge the continuation by sending a 0x01 response. */ |
789 | 0 | Curl_bufref_set(&resp, "\x01", 1, NULL); |
790 | 0 | break; |
791 | 0 | } |
792 | 0 | else { |
793 | 0 | *progress = SASL_DONE; |
794 | 0 | sasl_state(sasl, data, SASL_STOP); |
795 | 0 | return CURLE_LOGIN_DENIED; |
796 | 0 | } |
797 | | |
798 | 103 | case SASL_CANCEL: |
799 | | /* Remove the offending mechanism from the supported list */ |
800 | 103 | sasl->authmechs &= (unsigned short)~sasl->authused; |
801 | 103 | sasl->authused = SASL_AUTH_NONE; |
802 | 103 | sasl->curmech = NULL; |
803 | | |
804 | | /* Start an alternative SASL authentication */ |
805 | 103 | return Curl_sasl_start(sasl, data, (bool)sasl->force_ir, progress); |
806 | 0 | default: |
807 | 0 | failf(data, "Unsupported SASL authentication mechanism"); |
808 | 0 | result = CURLE_UNSUPPORTED_PROTOCOL; /* Should not happen */ |
809 | 0 | break; |
810 | 563 | } |
811 | | |
812 | 460 | Curl_bufref_free(&serverdata); |
813 | | |
814 | 460 | switch(result) { |
815 | 196 | case CURLE_BAD_CONTENT_ENCODING: |
816 | | /* Cancel dialog */ |
817 | 196 | result = sasl->params->cancelauth(data, sasl->curmech); |
818 | 196 | newstate = SASL_CANCEL; |
819 | 196 | break; |
820 | 264 | case CURLE_OK: |
821 | 264 | result = build_message(sasl, &resp); |
822 | 264 | if(!result) |
823 | 264 | result = sasl->params->contauth(data, sasl->curmech, &resp); |
824 | 264 | break; |
825 | 0 | default: |
826 | 0 | newstate = SASL_STOP; /* Stop on error */ |
827 | 0 | *progress = SASL_DONE; |
828 | 0 | break; |
829 | 460 | } |
830 | | |
831 | 460 | Curl_bufref_free(&resp); |
832 | | |
833 | 460 | sasl_state(sasl, data, newstate); |
834 | | |
835 | 460 | return result; |
836 | 460 | } |
837 | | |
838 | | #ifdef CURLVERBOSE |
839 | | static void sasl_unchosen(struct Curl_easy *data, unsigned short mech, |
840 | | unsigned short enabledmechs, |
841 | | bool built_in, bool platform, |
842 | | const char *param_missing) |
843 | 24 | { |
844 | 24 | const char *mname = NULL; |
845 | 24 | size_t i; |
846 | | |
847 | 24 | if(!(enabledmechs & mech)) |
848 | 21 | return; |
849 | | |
850 | 21 | for(i = 0; mechtable[i].name; ++i) { |
851 | 21 | if(mechtable[i].bit == mech) { |
852 | 3 | mname = mechtable[i].name; |
853 | 3 | break; |
854 | 3 | } |
855 | 21 | } |
856 | 3 | if(!mname) /* should not happen */ |
857 | 0 | return; |
858 | 3 | if(!built_in) |
859 | 3 | infof(data, "SASL: %s not builtin", mname); |
860 | 0 | else if(!platform) |
861 | 0 | infof(data, "SASL: %s not supported by the platform/libraries", mname); |
862 | 0 | else { |
863 | 0 | if(param_missing) |
864 | 0 | infof(data, "SASL: %s is missing %s", mname, param_missing); |
865 | 0 | if(!data->conn->user[0]) |
866 | 0 | infof(data, "SASL: %s is missing username", mname); |
867 | 0 | } |
868 | 3 | } |
869 | | #endif /* CURLVERBOSE */ |
870 | | |
871 | | CURLcode Curl_sasl_is_blocked(struct SASL *sasl, struct Curl_easy *data) |
872 | 14 | { |
873 | 14 | #ifdef CURLVERBOSE |
874 | | #ifdef USE_KERBEROS5 |
875 | | #define CURL_SASL_KERBEROS5 TRUE |
876 | | #else |
877 | 14 | #define CURL_SASL_KERBEROS5 FALSE |
878 | 14 | #endif |
879 | | #ifdef USE_GSASL |
880 | | #define CURL_SASL_GASL TRUE |
881 | | #else |
882 | 14 | #define CURL_SASL_GASL FALSE |
883 | 14 | #endif |
884 | | #ifdef CURL_DISABLE_DIGEST_AUTH |
885 | | #define CURL_SASL_DIGEST TRUE |
886 | | #else |
887 | 14 | #define CURL_SASL_DIGEST FALSE |
888 | 14 | #endif |
889 | | #ifndef USE_NTLM |
890 | | #define CURL_SASL_NTLM TRUE |
891 | | #else |
892 | 14 | #define CURL_SASL_NTLM FALSE |
893 | 14 | #endif |
894 | | /* Failing SASL authentication is a pain. Give a helping hand if |
895 | | * we were unable to select an AUTH mechanism. |
896 | | * `sasl->authmechs` are mechanisms offered by the peer |
897 | | * `sasl->prefmech` are mechanisms preferred by us */ |
898 | 14 | unsigned short enabledmechs = sasl->authmechs & sasl->prefmech; |
899 | | |
900 | 14 | if(!sasl->authmechs) |
901 | 9 | infof(data, "SASL: no auth mechanism was offered or recognized"); |
902 | 5 | else if(!enabledmechs) |
903 | 2 | infof(data, "SASL: no overlap between offered and configured " |
904 | 5 | "auth mechanisms"); |
905 | 3 | else { |
906 | 3 | infof(data, "SASL: no auth mechanism offered could be selected"); |
907 | 3 | if((enabledmechs & SASL_MECH_EXTERNAL) && data->conn->passwd[0]) |
908 | 0 | infof(data, "SASL: auth EXTERNAL not chosen with password"); |
909 | 3 | sasl_unchosen(data, SASL_MECH_GSSAPI, enabledmechs, |
910 | 3 | CURL_SASL_KERBEROS5, Curl_auth_is_gssapi_supported(), NULL); |
911 | 3 | sasl_unchosen(data, SASL_MECH_SCRAM_SHA_256, enabledmechs, |
912 | 3 | CURL_SASL_GASL, FALSE, NULL); |
913 | 3 | sasl_unchosen(data, SASL_MECH_SCRAM_SHA_1, enabledmechs, |
914 | 3 | CURL_SASL_GASL, FALSE, NULL); |
915 | 3 | sasl_unchosen(data, SASL_MECH_DIGEST_MD5, enabledmechs, |
916 | 3 | CURL_SASL_DIGEST, Curl_auth_is_digest_supported(), NULL); |
917 | 3 | sasl_unchosen(data, SASL_MECH_CRAM_MD5, enabledmechs, |
918 | 3 | CURL_SASL_DIGEST, TRUE, NULL); |
919 | 3 | sasl_unchosen(data, SASL_MECH_NTLM, enabledmechs, |
920 | 3 | CURL_SASL_NTLM, Curl_auth_is_ntlm_supported(), NULL); |
921 | 3 | sasl_unchosen(data, SASL_MECH_OAUTHBEARER, enabledmechs, TRUE, TRUE, |
922 | 3 | data->set.str[STRING_BEARER] ? |
923 | 3 | NULL : "CURLOPT_XOAUTH2_BEARER"); |
924 | 3 | sasl_unchosen(data, SASL_MECH_XOAUTH2, enabledmechs, TRUE, TRUE, |
925 | 3 | data->set.str[STRING_BEARER] ? |
926 | 3 | NULL : "CURLOPT_XOAUTH2_BEARER"); |
927 | 3 | } |
928 | 14 | #endif /* CURLVERBOSE */ |
929 | 14 | (void)sasl; |
930 | 14 | (void)data; |
931 | 14 | return CURLE_LOGIN_DENIED; |
932 | 14 | } |
933 | | |
934 | | #endif /* protocols are enabled that use SASL */ |