/src/PROJ/curl/lib/curl_sasl.c
Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | * RFC2195 CRAM-MD5 authentication |
24 | | * RFC2617 Basic and Digest Access Authentication |
25 | | * RFC2831 DIGEST-MD5 authentication |
26 | | * RFC4422 Simple Authentication and Security Layer (SASL) |
27 | | * RFC4616 PLAIN authentication |
28 | | * RFC5802 SCRAM-SHA-1 authentication |
29 | | * RFC7677 SCRAM-SHA-256 authentication |
30 | | * RFC6749 OAuth 2.0 Authorization Framework |
31 | | * RFC7628 A Set of SASL Mechanisms for OAuth |
32 | | * Draft LOGIN SASL Mechanism <draft-murchison-sasl-login-00.txt> |
33 | | * |
34 | | ***************************************************************************/ |
35 | | |
36 | | #include "curl_setup.h" |
37 | | |
38 | | #if !defined(CURL_DISABLE_IMAP) || !defined(CURL_DISABLE_SMTP) || \ |
39 | | !defined(CURL_DISABLE_POP3) || \ |
40 | | (!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP)) |
41 | | |
42 | | #include <curl/curl.h> |
43 | | #include "urldata.h" |
44 | | |
45 | | #include "curlx/base64.h" |
46 | | #include "vauth/vauth.h" |
47 | | #include "cfilters.h" |
48 | | #include "vtls/vtls.h" |
49 | | #include "curl_hmac.h" |
50 | | #include "curl_sasl.h" |
51 | | #include "curlx/warnless.h" |
52 | | #include "sendf.h" |
53 | | |
54 | | /* The last 2 #include files should be in this order */ |
55 | | #include "curl_memory.h" |
56 | | #include "memdebug.h" |
57 | | |
58 | | /* Supported mechanisms */ |
59 | | static const struct { |
60 | | const char *name; /* Name */ |
61 | | size_t len; /* Name length */ |
62 | | unsigned short bit; /* Flag bit */ |
63 | | } mechtable[] = { |
64 | | { "LOGIN", 5, SASL_MECH_LOGIN }, |
65 | | { "PLAIN", 5, SASL_MECH_PLAIN }, |
66 | | { "CRAM-MD5", 8, SASL_MECH_CRAM_MD5 }, |
67 | | { "DIGEST-MD5", 10, SASL_MECH_DIGEST_MD5 }, |
68 | | { "GSSAPI", 6, SASL_MECH_GSSAPI }, |
69 | | { "EXTERNAL", 8, SASL_MECH_EXTERNAL }, |
70 | | { "NTLM", 4, SASL_MECH_NTLM }, |
71 | | { "XOAUTH2", 7, SASL_MECH_XOAUTH2 }, |
72 | | { "OAUTHBEARER", 11, SASL_MECH_OAUTHBEARER }, |
73 | | { "SCRAM-SHA-1", 11, SASL_MECH_SCRAM_SHA_1 }, |
74 | | { "SCRAM-SHA-256",13, SASL_MECH_SCRAM_SHA_256 }, |
75 | | { ZERO_NULL, 0, 0 } |
76 | | }; |
77 | | |
78 | | /* |
79 | | * Curl_sasl_decode_mech() |
80 | | * |
81 | | * Convert a SASL mechanism name into a token. |
82 | | * |
83 | | * Parameters: |
84 | | * |
85 | | * ptr [in] - The mechanism string. |
86 | | * maxlen [in] - Maximum mechanism string length. |
87 | | * len [out] - If not NULL, effective name length. |
88 | | * |
89 | | * Returns the SASL mechanism token or 0 if no match. |
90 | | */ |
91 | | unsigned short Curl_sasl_decode_mech(const char *ptr, size_t maxlen, |
92 | | size_t *len) |
93 | 0 | { |
94 | 0 | unsigned int i; |
95 | 0 | char c; |
96 | |
|
97 | 0 | for(i = 0; mechtable[i].name; i++) { |
98 | 0 | if(maxlen >= mechtable[i].len && |
99 | 0 | !memcmp(ptr, mechtable[i].name, mechtable[i].len)) { |
100 | 0 | if(len) |
101 | 0 | *len = mechtable[i].len; |
102 | |
|
103 | 0 | if(maxlen == mechtable[i].len) |
104 | 0 | return mechtable[i].bit; |
105 | | |
106 | 0 | c = ptr[mechtable[i].len]; |
107 | 0 | if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_') |
108 | 0 | return mechtable[i].bit; |
109 | 0 | } |
110 | 0 | } |
111 | | |
112 | 0 | return 0; |
113 | 0 | } |
114 | | |
115 | | /* |
116 | | * Curl_sasl_parse_url_auth_option() |
117 | | * |
118 | | * Parse the URL login options. |
119 | | */ |
120 | | CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl, |
121 | | const char *value, size_t len) |
122 | 0 | { |
123 | 0 | CURLcode result = CURLE_OK; |
124 | 0 | size_t mechlen; |
125 | |
|
126 | 0 | if(!len) |
127 | 0 | return CURLE_URL_MALFORMAT; |
128 | | |
129 | 0 | if(sasl->resetprefs) { |
130 | 0 | sasl->resetprefs = FALSE; |
131 | 0 | sasl->prefmech = SASL_AUTH_NONE; |
132 | 0 | } |
133 | |
|
134 | 0 | if(!strncmp(value, "*", len)) |
135 | 0 | sasl->prefmech = SASL_AUTH_DEFAULT; |
136 | 0 | else { |
137 | 0 | unsigned short mechbit = Curl_sasl_decode_mech(value, len, &mechlen); |
138 | 0 | if(mechbit && mechlen == len) |
139 | 0 | sasl->prefmech |= mechbit; |
140 | 0 | else |
141 | 0 | result = CURLE_URL_MALFORMAT; |
142 | 0 | } |
143 | |
|
144 | 0 | return result; |
145 | 0 | } |
146 | | |
147 | | /* |
148 | | * Curl_sasl_init() |
149 | | * |
150 | | * Initializes the SASL structure. |
151 | | */ |
152 | | void Curl_sasl_init(struct SASL *sasl, struct Curl_easy *data, |
153 | | const struct SASLproto *params) |
154 | 0 | { |
155 | 0 | unsigned long auth = data->set.httpauth; |
156 | |
|
157 | 0 | sasl->params = params; /* Set protocol dependent parameters */ |
158 | 0 | sasl->state = SASL_STOP; /* Not yet running */ |
159 | 0 | sasl->curmech = NULL; /* No mechanism yet. */ |
160 | 0 | sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */ |
161 | 0 | sasl->prefmech = params->defmechs; /* Default preferred mechanisms */ |
162 | 0 | sasl->authused = SASL_AUTH_NONE; /* The authentication mechanism used */ |
163 | 0 | sasl->resetprefs = TRUE; /* Reset prefmech upon AUTH parsing. */ |
164 | 0 | sasl->mutual_auth = FALSE; /* No mutual authentication (GSSAPI only) */ |
165 | 0 | sasl->force_ir = FALSE; /* Respect external option */ |
166 | |
|
167 | 0 | if(auth != CURLAUTH_BASIC) { |
168 | 0 | unsigned short mechs = SASL_AUTH_NONE; |
169 | | |
170 | | /* If some usable http authentication options have been set, determine |
171 | | new defaults from them. */ |
172 | 0 | if(auth & CURLAUTH_BASIC) |
173 | 0 | mechs |= SASL_MECH_PLAIN | SASL_MECH_LOGIN; |
174 | 0 | if(auth & CURLAUTH_DIGEST) |
175 | 0 | mechs |= SASL_MECH_DIGEST_MD5; |
176 | 0 | if(auth & CURLAUTH_NTLM) |
177 | 0 | mechs |= SASL_MECH_NTLM; |
178 | 0 | if(auth & CURLAUTH_BEARER) |
179 | 0 | mechs |= SASL_MECH_OAUTHBEARER | SASL_MECH_XOAUTH2; |
180 | 0 | if(auth & CURLAUTH_GSSAPI) |
181 | 0 | mechs |= SASL_MECH_GSSAPI; |
182 | |
|
183 | 0 | if(mechs != SASL_AUTH_NONE) |
184 | 0 | sasl->prefmech = mechs; |
185 | 0 | } |
186 | 0 | } |
187 | | |
188 | | /* |
189 | | * sasl_state() |
190 | | * |
191 | | * This is the ONLY way to change SASL state! |
192 | | */ |
193 | | static void sasl_state(struct SASL *sasl, struct Curl_easy *data, |
194 | | saslstate newstate) |
195 | 0 | { |
196 | | #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) |
197 | | /* for debug purposes */ |
198 | | static const char * const names[]={ |
199 | | "STOP", |
200 | | "PLAIN", |
201 | | "LOGIN", |
202 | | "LOGIN_PASSWD", |
203 | | "EXTERNAL", |
204 | | "CRAMMD5", |
205 | | "DIGESTMD5", |
206 | | "DIGESTMD5_RESP", |
207 | | "NTLM", |
208 | | "NTLM_TYPE2MSG", |
209 | | "GSSAPI", |
210 | | "GSSAPI_TOKEN", |
211 | | "GSSAPI_NO_DATA", |
212 | | "OAUTH2", |
213 | | "OAUTH2_RESP", |
214 | | "GSASL", |
215 | | "CANCEL", |
216 | | "FINAL", |
217 | | /* LAST */ |
218 | | }; |
219 | | |
220 | | if(sasl->state != newstate) |
221 | | infof(data, "SASL %p state change from %s to %s", |
222 | | (void *)sasl, names[sasl->state], names[newstate]); |
223 | | #else |
224 | 0 | (void)data; |
225 | 0 | #endif |
226 | |
|
227 | 0 | sasl->state = newstate; |
228 | 0 | } |
229 | | |
230 | | #if defined(USE_NTLM) || defined(USE_GSASL) || defined(USE_KERBEROS5) || \ |
231 | | !defined(CURL_DISABLE_DIGEST_AUTH) |
232 | | /* Get the SASL server message and convert it to binary. */ |
233 | | static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data, |
234 | | struct bufref *out) |
235 | 0 | { |
236 | 0 | CURLcode result = CURLE_OK; |
237 | |
|
238 | 0 | result = sasl->params->getmessage(data, out); |
239 | 0 | if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) { |
240 | 0 | unsigned char *msg; |
241 | 0 | size_t msglen; |
242 | 0 | const char *serverdata = (const char *) Curl_bufref_ptr(out); |
243 | |
|
244 | 0 | if(!*serverdata || *serverdata == '=') |
245 | 0 | Curl_bufref_set(out, NULL, 0, NULL); |
246 | 0 | else { |
247 | 0 | result = curlx_base64_decode(serverdata, &msg, &msglen); |
248 | 0 | if(!result) |
249 | 0 | Curl_bufref_set(out, msg, msglen, curl_free); |
250 | 0 | } |
251 | 0 | } |
252 | 0 | return result; |
253 | 0 | } |
254 | | #endif |
255 | | |
256 | | /* Encode the outgoing SASL message. */ |
257 | | static CURLcode build_message(struct SASL *sasl, struct bufref *msg) |
258 | 0 | { |
259 | 0 | CURLcode result = CURLE_OK; |
260 | |
|
261 | 0 | if(sasl->params->flags & SASL_FLAG_BASE64) { |
262 | 0 | if(!Curl_bufref_ptr(msg)) /* Empty message. */ |
263 | 0 | Curl_bufref_set(msg, "", 0, NULL); |
264 | 0 | else if(!Curl_bufref_len(msg)) /* Explicit empty response. */ |
265 | 0 | Curl_bufref_set(msg, "=", 1, NULL); |
266 | 0 | else { |
267 | 0 | char *base64; |
268 | 0 | size_t base64len; |
269 | |
|
270 | 0 | result = curlx_base64_encode((const char *) Curl_bufref_ptr(msg), |
271 | 0 | Curl_bufref_len(msg), &base64, &base64len); |
272 | 0 | if(!result) |
273 | 0 | Curl_bufref_set(msg, base64, base64len, curl_free); |
274 | 0 | } |
275 | 0 | } |
276 | |
|
277 | 0 | return result; |
278 | 0 | } |
279 | | |
280 | | /* |
281 | | * Curl_sasl_can_authenticate() |
282 | | * |
283 | | * Check if we have enough auth data and capabilities to authenticate. |
284 | | */ |
285 | | bool Curl_sasl_can_authenticate(struct SASL *sasl, struct Curl_easy *data) |
286 | 0 | { |
287 | | /* Have credentials been provided? */ |
288 | 0 | if(data->state.aptr.user) |
289 | 0 | return TRUE; |
290 | | |
291 | | /* EXTERNAL can authenticate without a username and/or password */ |
292 | 0 | if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL) |
293 | 0 | return TRUE; |
294 | | |
295 | 0 | return FALSE; |
296 | 0 | } |
297 | | |
298 | | struct sasl_ctx { |
299 | | struct SASL *sasl; |
300 | | struct connectdata *conn; |
301 | | const char *user; |
302 | | unsigned short enabledmechs; |
303 | | const char *mech; |
304 | | saslstate state1; |
305 | | saslstate state2; |
306 | | struct bufref resp; |
307 | | CURLcode result; |
308 | | }; |
309 | | |
310 | | static bool sasl_choose_external(struct Curl_easy *data, struct sasl_ctx *sctx) |
311 | 0 | { |
312 | 0 | if((sctx->enabledmechs & SASL_MECH_EXTERNAL) && !sctx->conn->passwd[0]) { |
313 | 0 | sctx->mech = SASL_MECH_STRING_EXTERNAL; |
314 | 0 | sctx->state1 = SASL_EXTERNAL; |
315 | 0 | sctx->sasl->authused = SASL_MECH_EXTERNAL; |
316 | |
|
317 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
318 | 0 | Curl_auth_create_external_message(sctx->conn->user, &sctx->resp); |
319 | 0 | return TRUE; |
320 | 0 | } |
321 | 0 | return FALSE; |
322 | 0 | } |
323 | | |
324 | | #ifdef USE_KERBEROS5 |
325 | | static bool sasl_choose_krb5(struct Curl_easy *data, struct sasl_ctx *sctx) |
326 | | { |
327 | | if(sctx->user && |
328 | | (sctx->enabledmechs & SASL_MECH_GSSAPI) && |
329 | | Curl_auth_is_gssapi_supported() && |
330 | | Curl_auth_user_contains_domain(sctx->conn->user)) { |
331 | | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
332 | | data->set.str[STRING_SERVICE_NAME] : |
333 | | sctx->sasl->params->service; |
334 | | |
335 | | sctx->sasl->mutual_auth = FALSE; |
336 | | sctx->mech = SASL_MECH_STRING_GSSAPI; |
337 | | sctx->state1 = SASL_GSSAPI; |
338 | | sctx->state2 = SASL_GSSAPI_TOKEN; |
339 | | sctx->sasl->authused = SASL_MECH_GSSAPI; |
340 | | |
341 | | if(sctx->sasl->force_ir || data->set.sasl_ir) { |
342 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(sctx->conn); |
343 | | sctx->result = !krb5 ? CURLE_OUT_OF_MEMORY : |
344 | | Curl_auth_create_gssapi_user_message(data, sctx->conn->user, |
345 | | sctx->conn->passwd, |
346 | | service, sctx->conn->host.name, |
347 | | sctx->sasl->mutual_auth, NULL, |
348 | | krb5, &sctx->resp); |
349 | | } |
350 | | return TRUE; |
351 | | } |
352 | | return FALSE; |
353 | | } |
354 | | #endif /* USE_KERBEROS5 */ |
355 | | |
356 | | #ifdef USE_GSASL |
357 | | static bool sasl_choose_gsasl(struct Curl_easy *data, struct sasl_ctx *sctx) |
358 | | { |
359 | | struct gsasldata *gsasl; |
360 | | struct bufref nullmsg; |
361 | | |
362 | | if(sctx->user && |
363 | | (sctx->enabledmechs & (SASL_MECH_SCRAM_SHA_256|SASL_MECH_SCRAM_SHA_1))) { |
364 | | gsasl = Curl_auth_gsasl_get(sctx->conn); |
365 | | if(!gsasl) { |
366 | | sctx->result = CURLE_OUT_OF_MEMORY; |
367 | | return TRUE; /* attempted, but failed */ |
368 | | } |
369 | | |
370 | | if((sctx->enabledmechs & SASL_MECH_SCRAM_SHA_256) && |
371 | | Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_256, |
372 | | gsasl)) { |
373 | | sctx->mech = SASL_MECH_STRING_SCRAM_SHA_256; |
374 | | sctx->sasl->authused = SASL_MECH_SCRAM_SHA_256; |
375 | | } |
376 | | else if((sctx->enabledmechs & SASL_MECH_SCRAM_SHA_1) && |
377 | | Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_1, |
378 | | gsasl)) { |
379 | | sctx->mech = SASL_MECH_STRING_SCRAM_SHA_1; |
380 | | sctx->sasl->authused = SASL_MECH_SCRAM_SHA_1; |
381 | | } |
382 | | else |
383 | | return FALSE; |
384 | | |
385 | | Curl_bufref_init(&nullmsg); |
386 | | sctx->state1 = SASL_GSASL; |
387 | | sctx->state2 = SASL_GSASL; |
388 | | sctx->result = Curl_auth_gsasl_start(data, sctx->conn->user, |
389 | | sctx->conn->passwd, gsasl); |
390 | | if(!sctx->result && (sctx->sasl->force_ir || data->set.sasl_ir)) |
391 | | sctx->result = Curl_auth_gsasl_token(data, &nullmsg, gsasl, &sctx->resp); |
392 | | return TRUE; |
393 | | } |
394 | | return FALSE; |
395 | | } |
396 | | |
397 | | #endif /* USE_GSASL */ |
398 | | |
399 | | #ifndef CURL_DISABLE_DIGEST_AUTH |
400 | | static bool sasl_choose_digest(struct Curl_easy *data, struct sasl_ctx *sctx) |
401 | 0 | { |
402 | 0 | (void)data; |
403 | 0 | if(!sctx->user) |
404 | 0 | return FALSE; |
405 | 0 | else if((sctx->enabledmechs & SASL_MECH_DIGEST_MD5) && |
406 | 0 | Curl_auth_is_digest_supported()) { |
407 | 0 | sctx->mech = SASL_MECH_STRING_DIGEST_MD5; |
408 | 0 | sctx->state1 = SASL_DIGESTMD5; |
409 | 0 | sctx->sasl->authused = SASL_MECH_DIGEST_MD5; |
410 | 0 | return TRUE; |
411 | 0 | } |
412 | 0 | else if(sctx->enabledmechs & SASL_MECH_CRAM_MD5) { |
413 | 0 | sctx->mech = SASL_MECH_STRING_CRAM_MD5; |
414 | 0 | sctx->state1 = SASL_CRAMMD5; |
415 | 0 | sctx->sasl->authused = SASL_MECH_CRAM_MD5; |
416 | 0 | return TRUE; |
417 | 0 | } |
418 | 0 | return FALSE; |
419 | 0 | } |
420 | | #endif /* !CURL_DISABLE_DIGEST_AUTH */ |
421 | | |
422 | | #ifdef USE_NTLM |
423 | | static bool sasl_choose_ntlm(struct Curl_easy *data, struct sasl_ctx *sctx) |
424 | 0 | { |
425 | 0 | if(!sctx->user) |
426 | 0 | return FALSE; |
427 | 0 | else if((sctx->enabledmechs & SASL_MECH_NTLM) && |
428 | 0 | Curl_auth_is_ntlm_supported()) { |
429 | 0 | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
430 | 0 | data->set.str[STRING_SERVICE_NAME] : |
431 | 0 | sctx->sasl->params->service; |
432 | 0 | const char *hostname; |
433 | 0 | int port; |
434 | |
|
435 | 0 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
436 | |
|
437 | 0 | sctx->mech = SASL_MECH_STRING_NTLM; |
438 | 0 | sctx->state1 = SASL_NTLM; |
439 | 0 | sctx->state2 = SASL_NTLM_TYPE2MSG; |
440 | 0 | sctx->sasl->authused = SASL_MECH_NTLM; |
441 | |
|
442 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) { |
443 | 0 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(sctx->conn, FALSE); |
444 | 0 | sctx->result = !ntlm ? CURLE_OUT_OF_MEMORY : |
445 | 0 | Curl_auth_create_ntlm_type1_message(data, |
446 | 0 | sctx->conn->user, |
447 | 0 | sctx->conn->passwd, |
448 | 0 | service, hostname, |
449 | 0 | ntlm, &sctx->resp); |
450 | 0 | } |
451 | 0 | return TRUE; |
452 | 0 | } |
453 | 0 | return FALSE; |
454 | 0 | } |
455 | | #endif /* USE_NTLM */ |
456 | | |
457 | | static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx) |
458 | 0 | { |
459 | 0 | const char *oauth_bearer = data->set.str[STRING_BEARER]; |
460 | |
|
461 | 0 | if(sctx->user && oauth_bearer && |
462 | 0 | (sctx->enabledmechs & SASL_MECH_OAUTHBEARER)) { |
463 | 0 | const char *hostname; |
464 | 0 | int port; |
465 | 0 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
466 | |
|
467 | 0 | sctx->mech = SASL_MECH_STRING_OAUTHBEARER; |
468 | 0 | sctx->state1 = SASL_OAUTH2; |
469 | 0 | sctx->state2 = SASL_OAUTH2_RESP; |
470 | 0 | sctx->sasl->authused = SASL_MECH_OAUTHBEARER; |
471 | |
|
472 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
473 | 0 | sctx->result = |
474 | 0 | Curl_auth_create_oauth_bearer_message(sctx->conn->user, |
475 | 0 | hostname, port, |
476 | 0 | oauth_bearer, &sctx->resp); |
477 | 0 | return TRUE; |
478 | 0 | } |
479 | 0 | return FALSE; |
480 | 0 | } |
481 | | |
482 | | static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx) |
483 | 0 | { |
484 | 0 | const char *oauth_bearer = data->set.str[STRING_BEARER]; |
485 | |
|
486 | 0 | if(sctx->user && oauth_bearer && |
487 | 0 | (sctx->enabledmechs & SASL_MECH_XOAUTH2)) { |
488 | 0 | sctx->mech = SASL_MECH_STRING_XOAUTH2; |
489 | 0 | sctx->state1 = SASL_OAUTH2; |
490 | 0 | sctx->sasl->authused = SASL_MECH_XOAUTH2; |
491 | |
|
492 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
493 | 0 | sctx->result = Curl_auth_create_xoauth_bearer_message(sctx->conn->user, |
494 | 0 | oauth_bearer, |
495 | 0 | &sctx->resp); |
496 | 0 | return TRUE; |
497 | 0 | } |
498 | 0 | return FALSE; |
499 | 0 | } |
500 | | |
501 | | static bool sasl_choose_plain(struct Curl_easy *data, struct sasl_ctx *sctx) |
502 | 0 | { |
503 | 0 | if(sctx->user && (sctx->enabledmechs & SASL_MECH_PLAIN)) { |
504 | 0 | sctx->mech = SASL_MECH_STRING_PLAIN; |
505 | 0 | sctx->state1 = SASL_PLAIN; |
506 | 0 | sctx->sasl->authused = SASL_MECH_PLAIN; |
507 | |
|
508 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
509 | 0 | sctx->result = |
510 | 0 | Curl_auth_create_plain_message(sctx->conn->sasl_authzid, |
511 | 0 | sctx->conn->user, sctx->conn->passwd, |
512 | 0 | &sctx->resp); |
513 | 0 | return TRUE; |
514 | 0 | } |
515 | 0 | return FALSE; |
516 | 0 | } |
517 | | |
518 | | static bool sasl_choose_login(struct Curl_easy *data, struct sasl_ctx *sctx) |
519 | 0 | { |
520 | 0 | if(sctx->user && (sctx->enabledmechs & SASL_MECH_LOGIN)) { |
521 | 0 | sctx->mech = SASL_MECH_STRING_LOGIN; |
522 | 0 | sctx->state1 = SASL_LOGIN; |
523 | 0 | sctx->state2 = SASL_LOGIN_PASSWD; |
524 | 0 | sctx->sasl->authused = SASL_MECH_LOGIN; |
525 | |
|
526 | 0 | if(sctx->sasl->force_ir || data->set.sasl_ir) |
527 | 0 | Curl_auth_create_login_message(sctx->conn->user, &sctx->resp); |
528 | 0 | return TRUE; |
529 | 0 | } |
530 | 0 | return FALSE; |
531 | 0 | } |
532 | | |
533 | | /* |
534 | | * Curl_sasl_start() |
535 | | * |
536 | | * Calculate the required login details for SASL authentication. |
537 | | */ |
538 | | CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, |
539 | | bool force_ir, saslprogress *progress) |
540 | 0 | { |
541 | 0 | struct sasl_ctx sctx; |
542 | |
|
543 | 0 | sasl->force_ir = force_ir; /* Latch for future use */ |
544 | 0 | sasl->authused = 0; /* No mechanism used yet */ |
545 | 0 | *progress = SASL_IDLE; |
546 | |
|
547 | 0 | memset(&sctx, 0, sizeof(sctx)); |
548 | 0 | sctx.sasl = sasl; |
549 | 0 | sctx.conn = data->conn; |
550 | 0 | sctx.user = data->state.aptr.user; |
551 | 0 | Curl_bufref_init(&sctx.resp); |
552 | 0 | sctx.enabledmechs = sasl->authmechs & sasl->prefmech; |
553 | 0 | sctx.state1 = SASL_STOP; |
554 | 0 | sctx.state2 = SASL_FINAL; |
555 | | |
556 | | /* Calculate the supported authentication mechanism, by decreasing order of |
557 | | security, as well as the initial response where appropriate */ |
558 | 0 | if(sasl_choose_external(data, &sctx) || |
559 | | #ifdef USE_KERBEROS5 |
560 | | sasl_choose_krb5(data, &sctx) || |
561 | | #endif |
562 | | #ifdef USE_GSASL |
563 | | sasl_choose_gsasl(data, &sctx) || |
564 | | #endif |
565 | 0 | #ifndef CURL_DISABLE_DIGEST_AUTH |
566 | 0 | sasl_choose_digest(data, &sctx) || |
567 | 0 | #endif |
568 | 0 | #ifdef USE_NTLM |
569 | 0 | sasl_choose_ntlm(data, &sctx) || |
570 | 0 | #endif |
571 | 0 | sasl_choose_oauth(data, &sctx) || |
572 | 0 | sasl_choose_oauth2(data, &sctx) || |
573 | 0 | sasl_choose_plain(data, &sctx) || |
574 | 0 | sasl_choose_login(data, &sctx)) { |
575 | | /* selected, either we have a mechanism or a failure */ |
576 | 0 | DEBUGASSERT(sctx.mech || sctx.result); |
577 | 0 | } |
578 | |
|
579 | 0 | if(!sctx.result && sctx.mech) { |
580 | 0 | sasl->curmech = sctx.mech; |
581 | 0 | if(Curl_bufref_ptr(&sctx.resp)) |
582 | 0 | sctx.result = build_message(sasl, &sctx.resp); |
583 | |
|
584 | 0 | if(sasl->params->maxirlen && |
585 | 0 | strlen(sctx.mech) + Curl_bufref_len(&sctx.resp) > |
586 | 0 | sasl->params->maxirlen) |
587 | 0 | Curl_bufref_free(&sctx.resp); |
588 | |
|
589 | 0 | if(!sctx.result) |
590 | 0 | sctx.result = sasl->params->sendauth(data, sctx.mech, &sctx.resp); |
591 | |
|
592 | 0 | if(!sctx.result) { |
593 | 0 | *progress = SASL_INPROGRESS; |
594 | 0 | sasl_state(sasl, data, Curl_bufref_ptr(&sctx.resp) ? |
595 | 0 | sctx.state2 : sctx.state1); |
596 | 0 | } |
597 | 0 | } |
598 | |
|
599 | 0 | Curl_bufref_free(&sctx.resp); |
600 | 0 | return sctx.result; |
601 | 0 | } |
602 | | |
603 | | /* |
604 | | * Curl_sasl_continue() |
605 | | * |
606 | | * Continue the authentication. |
607 | | */ |
608 | | CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, |
609 | | int code, saslprogress *progress) |
610 | 0 | { |
611 | 0 | CURLcode result = CURLE_OK; |
612 | 0 | struct connectdata *conn = data->conn; |
613 | 0 | saslstate newstate = SASL_FINAL; |
614 | 0 | struct bufref resp; |
615 | 0 | const char *hostname; |
616 | 0 | int port; |
617 | 0 | #if defined(USE_KERBEROS5) || defined(USE_NTLM) || \ |
618 | 0 | !defined(CURL_DISABLE_DIGEST_AUTH) |
619 | 0 | const char *service = data->set.str[STRING_SERVICE_NAME] ? |
620 | 0 | data->set.str[STRING_SERVICE_NAME] : |
621 | 0 | sasl->params->service; |
622 | 0 | #endif |
623 | 0 | const char *oauth_bearer = data->set.str[STRING_BEARER]; |
624 | 0 | struct bufref serverdata; |
625 | |
|
626 | 0 | Curl_conn_get_current_host(data, FIRSTSOCKET, &hostname, &port); |
627 | 0 | Curl_bufref_init(&serverdata); |
628 | 0 | Curl_bufref_init(&resp); |
629 | 0 | *progress = SASL_INPROGRESS; |
630 | |
|
631 | 0 | if(sasl->state == SASL_FINAL) { |
632 | 0 | if(code != sasl->params->finalcode) |
633 | 0 | result = CURLE_LOGIN_DENIED; |
634 | 0 | *progress = SASL_DONE; |
635 | 0 | sasl_state(sasl, data, SASL_STOP); |
636 | 0 | return result; |
637 | 0 | } |
638 | | |
639 | 0 | if(sasl->state != SASL_CANCEL && sasl->state != SASL_OAUTH2_RESP && |
640 | 0 | code != sasl->params->contcode) { |
641 | 0 | *progress = SASL_DONE; |
642 | 0 | sasl_state(sasl, data, SASL_STOP); |
643 | 0 | return CURLE_LOGIN_DENIED; |
644 | 0 | } |
645 | | |
646 | 0 | switch(sasl->state) { |
647 | 0 | case SASL_STOP: |
648 | 0 | *progress = SASL_DONE; |
649 | 0 | return result; |
650 | 0 | case SASL_PLAIN: |
651 | 0 | result = Curl_auth_create_plain_message(conn->sasl_authzid, |
652 | 0 | conn->user, conn->passwd, &resp); |
653 | 0 | break; |
654 | 0 | case SASL_LOGIN: |
655 | 0 | Curl_auth_create_login_message(conn->user, &resp); |
656 | 0 | newstate = SASL_LOGIN_PASSWD; |
657 | 0 | break; |
658 | 0 | case SASL_LOGIN_PASSWD: |
659 | 0 | Curl_auth_create_login_message(conn->passwd, &resp); |
660 | 0 | break; |
661 | 0 | case SASL_EXTERNAL: |
662 | 0 | Curl_auth_create_external_message(conn->user, &resp); |
663 | 0 | break; |
664 | | #ifdef USE_GSASL |
665 | | case SASL_GSASL: |
666 | | result = get_server_message(sasl, data, &serverdata); |
667 | | if(!result) { |
668 | | struct gsasldata *gsasl = Curl_auth_gsasl_get(conn); |
669 | | result = !gsasl ? CURLE_OUT_OF_MEMORY : |
670 | | Curl_auth_gsasl_token(data, &serverdata, gsasl, &resp); |
671 | | } |
672 | | if(!result && Curl_bufref_len(&resp) > 0) |
673 | | newstate = SASL_GSASL; |
674 | | break; |
675 | | #endif |
676 | 0 | #ifndef CURL_DISABLE_DIGEST_AUTH |
677 | 0 | case SASL_CRAMMD5: |
678 | 0 | result = get_server_message(sasl, data, &serverdata); |
679 | 0 | if(!result) |
680 | 0 | result = Curl_auth_create_cram_md5_message(&serverdata, conn->user, |
681 | 0 | conn->passwd, &resp); |
682 | 0 | break; |
683 | 0 | case SASL_DIGESTMD5: |
684 | 0 | result = get_server_message(sasl, data, &serverdata); |
685 | 0 | if(!result) |
686 | 0 | result = Curl_auth_create_digest_md5_message(data, &serverdata, |
687 | 0 | conn->user, conn->passwd, |
688 | 0 | service, &resp); |
689 | 0 | if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) |
690 | 0 | newstate = SASL_DIGESTMD5_RESP; |
691 | 0 | break; |
692 | 0 | case SASL_DIGESTMD5_RESP: |
693 | | /* Keep response NULL to output an empty line. */ |
694 | 0 | break; |
695 | 0 | #endif |
696 | | |
697 | 0 | #ifdef USE_NTLM |
698 | 0 | case SASL_NTLM: { |
699 | | /* Create the type-1 message */ |
700 | 0 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(conn, FALSE); |
701 | 0 | result = !ntlm ? CURLE_OUT_OF_MEMORY : |
702 | 0 | Curl_auth_create_ntlm_type1_message(data, |
703 | 0 | conn->user, conn->passwd, |
704 | 0 | service, hostname, |
705 | 0 | ntlm, &resp); |
706 | 0 | newstate = SASL_NTLM_TYPE2MSG; |
707 | 0 | break; |
708 | 0 | } |
709 | 0 | case SASL_NTLM_TYPE2MSG: { |
710 | | /* Decode the type-2 message */ |
711 | 0 | struct ntlmdata *ntlm = Curl_auth_ntlm_get(conn, FALSE); |
712 | 0 | result = !ntlm ? CURLE_FAILED_INIT : |
713 | 0 | get_server_message(sasl, data, &serverdata); |
714 | 0 | if(!result) |
715 | 0 | result = Curl_auth_decode_ntlm_type2_message(data, &serverdata, ntlm); |
716 | 0 | if(!result) |
717 | 0 | result = Curl_auth_create_ntlm_type3_message(data, conn->user, |
718 | 0 | conn->passwd, ntlm, |
719 | 0 | &resp); |
720 | 0 | break; |
721 | 0 | } |
722 | 0 | #endif |
723 | | |
724 | | #ifdef USE_KERBEROS5 |
725 | | case SASL_GSSAPI: { |
726 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
727 | | result = !krb5 ? CURLE_OUT_OF_MEMORY : |
728 | | Curl_auth_create_gssapi_user_message(data, conn->user, conn->passwd, |
729 | | service, conn->host.name, |
730 | | sasl->mutual_auth, NULL, |
731 | | krb5, &resp); |
732 | | newstate = SASL_GSSAPI_TOKEN; |
733 | | break; |
734 | | } |
735 | | case SASL_GSSAPI_TOKEN: |
736 | | result = get_server_message(sasl, data, &serverdata); |
737 | | if(!result) { |
738 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
739 | | if(!krb5) |
740 | | result = CURLE_OUT_OF_MEMORY; |
741 | | else if(sasl->mutual_auth) { |
742 | | /* Decode the user token challenge and create the optional response |
743 | | message */ |
744 | | result = Curl_auth_create_gssapi_user_message(data, NULL, NULL, |
745 | | NULL, NULL, |
746 | | sasl->mutual_auth, |
747 | | &serverdata, |
748 | | krb5, &resp); |
749 | | newstate = SASL_GSSAPI_NO_DATA; |
750 | | } |
751 | | else |
752 | | /* Decode the security challenge and create the response message */ |
753 | | result = Curl_auth_create_gssapi_security_message(data, |
754 | | conn->sasl_authzid, |
755 | | &serverdata, |
756 | | krb5, &resp); |
757 | | } |
758 | | break; |
759 | | case SASL_GSSAPI_NO_DATA: |
760 | | /* Decode the security challenge and create the response message */ |
761 | | result = get_server_message(sasl, data, &serverdata); |
762 | | if(!result) { |
763 | | struct kerberos5data *krb5 = Curl_auth_krb5_get(conn); |
764 | | if(!krb5) |
765 | | result = CURLE_OUT_OF_MEMORY; |
766 | | else |
767 | | result = Curl_auth_create_gssapi_security_message(data, |
768 | | conn->sasl_authzid, |
769 | | &serverdata, |
770 | | krb5, &resp); |
771 | | } |
772 | | break; |
773 | | #endif |
774 | | |
775 | 0 | case SASL_OAUTH2: |
776 | | /* Create the authorization message */ |
777 | 0 | if(sasl->authused == SASL_MECH_OAUTHBEARER) { |
778 | 0 | result = Curl_auth_create_oauth_bearer_message(conn->user, |
779 | 0 | hostname, |
780 | 0 | port, |
781 | 0 | oauth_bearer, |
782 | 0 | &resp); |
783 | | |
784 | | /* Failures maybe sent by the server as continuations for OAUTHBEARER */ |
785 | 0 | newstate = SASL_OAUTH2_RESP; |
786 | 0 | } |
787 | 0 | else |
788 | 0 | result = Curl_auth_create_xoauth_bearer_message(conn->user, |
789 | 0 | oauth_bearer, |
790 | 0 | &resp); |
791 | 0 | break; |
792 | | |
793 | 0 | case SASL_OAUTH2_RESP: |
794 | | /* The continuation is optional so check the response code */ |
795 | 0 | if(code == sasl->params->finalcode) { |
796 | | /* Final response was received so we are done */ |
797 | 0 | *progress = SASL_DONE; |
798 | 0 | sasl_state(sasl, data, SASL_STOP); |
799 | 0 | return result; |
800 | 0 | } |
801 | 0 | else if(code == sasl->params->contcode) { |
802 | | /* Acknowledge the continuation by sending a 0x01 response. */ |
803 | 0 | Curl_bufref_set(&resp, "\x01", 1, NULL); |
804 | 0 | break; |
805 | 0 | } |
806 | 0 | else { |
807 | 0 | *progress = SASL_DONE; |
808 | 0 | sasl_state(sasl, data, SASL_STOP); |
809 | 0 | return CURLE_LOGIN_DENIED; |
810 | 0 | } |
811 | | |
812 | 0 | case SASL_CANCEL: |
813 | | /* Remove the offending mechanism from the supported list */ |
814 | 0 | sasl->authmechs &= (unsigned short)~sasl->authused; |
815 | 0 | sasl->authused = SASL_AUTH_NONE; |
816 | 0 | sasl->curmech = NULL; |
817 | | |
818 | | /* Start an alternative SASL authentication */ |
819 | 0 | return Curl_sasl_start(sasl, data, sasl->force_ir, progress); |
820 | 0 | default: |
821 | 0 | failf(data, "Unsupported SASL authentication mechanism"); |
822 | 0 | result = CURLE_UNSUPPORTED_PROTOCOL; /* Should not happen */ |
823 | 0 | break; |
824 | 0 | } |
825 | | |
826 | 0 | Curl_bufref_free(&serverdata); |
827 | |
|
828 | 0 | switch(result) { |
829 | 0 | case CURLE_BAD_CONTENT_ENCODING: |
830 | | /* Cancel dialog */ |
831 | 0 | result = sasl->params->cancelauth(data, sasl->curmech); |
832 | 0 | newstate = SASL_CANCEL; |
833 | 0 | break; |
834 | 0 | case CURLE_OK: |
835 | 0 | result = build_message(sasl, &resp); |
836 | 0 | if(!result) |
837 | 0 | result = sasl->params->contauth(data, sasl->curmech, &resp); |
838 | 0 | break; |
839 | 0 | default: |
840 | 0 | newstate = SASL_STOP; /* Stop on error */ |
841 | 0 | *progress = SASL_DONE; |
842 | 0 | break; |
843 | 0 | } |
844 | | |
845 | 0 | Curl_bufref_free(&resp); |
846 | |
|
847 | 0 | sasl_state(sasl, data, newstate); |
848 | |
|
849 | 0 | return result; |
850 | 0 | } |
851 | | |
852 | | #ifndef CURL_DISABLE_VERBOSE_STRINGS |
853 | | static void sasl_unchosen(struct Curl_easy *data, unsigned short mech, |
854 | | unsigned short enabledmechs, |
855 | | bool built_in, bool platform, |
856 | | const char *param_missing) |
857 | 0 | { |
858 | 0 | const char *mname = NULL; |
859 | 0 | size_t i; |
860 | |
|
861 | 0 | if(!(enabledmechs & mech)) |
862 | 0 | return; |
863 | | |
864 | 0 | for(i = 0; mechtable[i].name; ++i) { |
865 | 0 | if(mechtable[i].bit == mech) { |
866 | 0 | mname = mechtable[i].name; |
867 | 0 | break; |
868 | 0 | } |
869 | 0 | } |
870 | 0 | if(!mname) /* should not happen */ |
871 | 0 | return; |
872 | 0 | if(!built_in) |
873 | 0 | infof(data, "SASL: %s not builtin", mname); |
874 | 0 | else if(!platform) |
875 | 0 | infof(data, "SASL: %s not supported by the platform/libraries", mname); |
876 | 0 | else { |
877 | 0 | if(param_missing) |
878 | 0 | infof(data, "SASL: %s is missing %s", mname, param_missing); |
879 | 0 | if(!data->state.aptr.user) |
880 | 0 | infof(data, "SASL: %s is missing username", mname); |
881 | 0 | } |
882 | 0 | } |
883 | | #endif /* CURL_DISABLE_VERBOSE_STRINGS */ |
884 | | |
885 | | CURLcode Curl_sasl_is_blocked(struct SASL *sasl, struct Curl_easy *data) |
886 | 0 | { |
887 | 0 | #ifndef CURL_DISABLE_VERBOSE_STRINGS |
888 | | #ifdef USE_KERBEROS5 |
889 | | #define CURL_SASL_KERBEROS5 TRUE |
890 | | #else |
891 | 0 | #define CURL_SASL_KERBEROS5 FALSE |
892 | 0 | #endif |
893 | | #ifdef USE_GSASL |
894 | | #define CURL_SASL_GASL TRUE |
895 | | #else |
896 | 0 | #define CURL_SASL_GASL FALSE |
897 | 0 | #endif |
898 | | #ifdef CURL_DISABLE_DIGEST_AUTH |
899 | | #define CURL_SASL_DIGEST TRUE |
900 | | #else |
901 | 0 | #define CURL_SASL_DIGEST FALSE |
902 | 0 | #endif |
903 | | #ifndef USE_NTLM |
904 | | #define CURL_SASL_NTLM TRUE |
905 | | #else |
906 | 0 | #define CURL_SASL_NTLM FALSE |
907 | 0 | #endif |
908 | | /* Failing SASL authentication is a pain. Give a helping hand if |
909 | | * we were unable to select an AUTH mechanism. |
910 | | * `sasl->authmechs` are mechanisms offered by the peer |
911 | | * `sasl->prefmech` are mechanisms preferred by us */ |
912 | 0 | unsigned short enabledmechs = sasl->authmechs & sasl->prefmech; |
913 | |
|
914 | 0 | if(!sasl->authmechs) |
915 | 0 | infof(data, "SASL: no auth mechanism was offered or recognized"); |
916 | 0 | else if(!enabledmechs) |
917 | 0 | infof(data, "SASL: no overlap between offered and configured " |
918 | 0 | "auth mechanisms"); |
919 | 0 | else { |
920 | 0 | infof(data, "SASL: no auth mechanism offered could be selected"); |
921 | 0 | if((enabledmechs & SASL_MECH_EXTERNAL) && data->conn->passwd[0]) |
922 | 0 | infof(data, "SASL: auth EXTERNAL not chosen with password"); |
923 | 0 | sasl_unchosen(data, SASL_MECH_GSSAPI, enabledmechs, |
924 | 0 | CURL_SASL_KERBEROS5, Curl_auth_is_gssapi_supported(), NULL); |
925 | 0 | sasl_unchosen(data, SASL_MECH_SCRAM_SHA_256, enabledmechs, |
926 | 0 | CURL_SASL_GASL, FALSE, NULL); |
927 | 0 | sasl_unchosen(data, SASL_MECH_SCRAM_SHA_1, enabledmechs, |
928 | 0 | CURL_SASL_GASL, FALSE, NULL); |
929 | 0 | sasl_unchosen(data, SASL_MECH_DIGEST_MD5, enabledmechs, |
930 | 0 | CURL_SASL_DIGEST, Curl_auth_is_digest_supported(), NULL); |
931 | 0 | sasl_unchosen(data, SASL_MECH_CRAM_MD5, enabledmechs, |
932 | 0 | CURL_SASL_DIGEST, TRUE, NULL); |
933 | 0 | sasl_unchosen(data, SASL_MECH_NTLM, enabledmechs, |
934 | 0 | CURL_SASL_NTLM, Curl_auth_is_ntlm_supported(), NULL); |
935 | 0 | sasl_unchosen(data, SASL_MECH_OAUTHBEARER, enabledmechs, TRUE, TRUE, |
936 | 0 | data->set.str[STRING_BEARER] ? |
937 | 0 | NULL : "CURLOPT_XOAUTH2_BEARER"); |
938 | 0 | sasl_unchosen(data, SASL_MECH_XOAUTH2, enabledmechs, TRUE, TRUE, |
939 | 0 | data->set.str[STRING_BEARER] ? |
940 | 0 | NULL : "CURLOPT_XOAUTH2_BEARER"); |
941 | 0 | } |
942 | 0 | #endif /* CURL_DISABLE_VERBOSE_STRINGS */ |
943 | 0 | (void)sasl; |
944 | 0 | (void)data; |
945 | 0 | return CURLE_LOGIN_DENIED; |
946 | 0 | } |
947 | | |
948 | | #endif /* protocols are enabled that use SASL */ |