1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9: *
10: * This software is licensed as described in the file COPYING, which
11: * you should have received as part of this distribution. The terms
12: * are also available at https://curl.haxx.se/docs/copyright.html.
13: *
14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: * copies of the Software, and permit persons to whom the Software is
16: * furnished to do so, under the terms of the COPYING file.
17: *
18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: * KIND, either express or implied.
20: *
21: * RFC2195 CRAM-MD5 authentication
22: * RFC2617 Basic and Digest Access Authentication
23: * RFC2831 DIGEST-MD5 authentication
24: * RFC4422 Simple Authentication and Security Layer (SASL)
25: * RFC4616 PLAIN authentication
26: * RFC6749 OAuth 2.0 Authorization Framework
27: * RFC7628 A Set of SASL Mechanisms for OAuth
28: * Draft LOGIN SASL Mechanism <draft-murchison-sasl-login-00.txt>
29: *
30: ***************************************************************************/
31:
32: #include "curl_setup.h"
33:
34: #if !defined(CURL_DISABLE_IMAP) || !defined(CURL_DISABLE_SMTP) || \
35: !defined(CURL_DISABLE_POP3)
36:
37: #include <curl/curl.h>
38: #include "urldata.h"
39:
40: #include "curl_base64.h"
41: #include "curl_md5.h"
42: #include "vauth/vauth.h"
43: #include "vtls/vtls.h"
44: #include "curl_hmac.h"
45: #include "curl_sasl.h"
46: #include "warnless.h"
47: #include "strtok.h"
48: #include "sendf.h"
49: #include "non-ascii.h" /* included for Curl_convert_... prototypes */
50: /* The last 3 #include files should be in this order */
51: #include "curl_printf.h"
52: #include "curl_memory.h"
53: #include "memdebug.h"
54:
55: /* Supported mechanisms */
56: static const struct {
57: const char *name; /* Name */
58: size_t len; /* Name length */
59: unsigned int bit; /* Flag bit */
60: } mechtable[] = {
61: { "LOGIN", 5, SASL_MECH_LOGIN },
62: { "PLAIN", 5, SASL_MECH_PLAIN },
63: { "CRAM-MD5", 8, SASL_MECH_CRAM_MD5 },
64: { "DIGEST-MD5", 10, SASL_MECH_DIGEST_MD5 },
65: { "GSSAPI", 6, SASL_MECH_GSSAPI },
66: { "EXTERNAL", 8, SASL_MECH_EXTERNAL },
67: { "NTLM", 4, SASL_MECH_NTLM },
68: { "XOAUTH2", 7, SASL_MECH_XOAUTH2 },
69: { "OAUTHBEARER", 11, SASL_MECH_OAUTHBEARER },
70: { ZERO_NULL, 0, 0 }
71: };
72:
73: /*
74: * Curl_sasl_cleanup()
75: *
76: * This is used to cleanup any libraries or curl modules used by the sasl
77: * functions.
78: *
79: * Parameters:
80: *
81: * conn [in] - The connection data.
82: * authused [in] - The authentication mechanism used.
83: */
84: void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused)
85: {
86: #if defined(USE_KERBEROS5)
87: /* Cleanup the gssapi structure */
88: if(authused == SASL_MECH_GSSAPI) {
89: Curl_auth_cleanup_gssapi(&conn->krb5);
90: }
91: #endif
92:
93: #if defined(USE_NTLM)
94: /* Cleanup the NTLM structure */
95: if(authused == SASL_MECH_NTLM) {
96: Curl_auth_cleanup_ntlm(&conn->ntlm);
97: }
98: #endif
99:
100: #if !defined(USE_KERBEROS5) && !defined(USE_NTLM)
101: /* Reserved for future use */
102: (void)conn;
103: (void)authused;
104: #endif
105: }
106:
107: /*
108: * Curl_sasl_decode_mech()
109: *
110: * Convert a SASL mechanism name into a token.
111: *
112: * Parameters:
113: *
114: * ptr [in] - The mechanism string.
115: * maxlen [in] - Maximum mechanism string length.
116: * len [out] - If not NULL, effective name length.
117: *
118: * Returns the SASL mechanism token or 0 if no match.
119: */
120: unsigned int Curl_sasl_decode_mech(const char *ptr, size_t maxlen, size_t *len)
121: {
122: unsigned int i;
123: char c;
124:
125: for(i = 0; mechtable[i].name; i++) {
126: if(maxlen >= mechtable[i].len &&
127: !memcmp(ptr, mechtable[i].name, mechtable[i].len)) {
128: if(len)
129: *len = mechtable[i].len;
130:
131: if(maxlen == mechtable[i].len)
132: return mechtable[i].bit;
133:
134: c = ptr[mechtable[i].len];
135: if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_')
136: return mechtable[i].bit;
137: }
138: }
139:
140: return 0;
141: }
142:
143: /*
144: * Curl_sasl_parse_url_auth_option()
145: *
146: * Parse the URL login options.
147: */
148: CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
149: const char *value, size_t len)
150: {
151: CURLcode result = CURLE_OK;
152: size_t mechlen;
153:
154: if(!len)
155: return CURLE_URL_MALFORMAT;
156:
157: if(sasl->resetprefs) {
158: sasl->resetprefs = FALSE;
159: sasl->prefmech = SASL_AUTH_NONE;
160: }
161:
162: if(!strncmp(value, "*", len))
163: sasl->prefmech = SASL_AUTH_DEFAULT;
164: else {
165: unsigned int mechbit = Curl_sasl_decode_mech(value, len, &mechlen);
166: if(mechbit && mechlen == len)
167: sasl->prefmech |= mechbit;
168: else
169: result = CURLE_URL_MALFORMAT;
170: }
171:
172: return result;
173: }
174:
175: /*
176: * Curl_sasl_init()
177: *
178: * Initializes the SASL structure.
179: */
180: void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params)
181: {
182: sasl->params = params; /* Set protocol dependent parameters */
183: sasl->state = SASL_STOP; /* Not yet running */
184: sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */
185: sasl->prefmech = SASL_AUTH_DEFAULT; /* Prefer all mechanisms */
186: sasl->authused = SASL_AUTH_NONE; /* No the authentication mechanism used */
187: sasl->resetprefs = TRUE; /* Reset prefmech upon AUTH parsing. */
188: sasl->mutual_auth = FALSE; /* No mutual authentication (GSSAPI only) */
189: sasl->force_ir = FALSE; /* Respect external option */
190: }
191:
192: /*
193: * state()
194: *
195: * This is the ONLY way to change SASL state!
196: */
197: static void state(struct SASL *sasl, struct connectdata *conn,
198: saslstate newstate)
199: {
200: #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
201: /* for debug purposes */
202: static const char * const names[]={
203: "STOP",
204: "PLAIN",
205: "LOGIN",
206: "LOGIN_PASSWD",
207: "EXTERNAL",
208: "CRAMMD5",
209: "DIGESTMD5",
210: "DIGESTMD5_RESP",
211: "NTLM",
212: "NTLM_TYPE2MSG",
213: "GSSAPI",
214: "GSSAPI_TOKEN",
215: "GSSAPI_NO_DATA",
216: "OAUTH2",
217: "OAUTH2_RESP",
218: "CANCEL",
219: "FINAL",
220: /* LAST */
221: };
222:
223: if(sasl->state != newstate)
224: infof(conn->data, "SASL %p state change from %s to %s\n",
225: (void *)sasl, names[sasl->state], names[newstate]);
226: #else
227: (void) conn;
228: #endif
229:
230: sasl->state = newstate;
231: }
232:
233: /*
234: * Curl_sasl_can_authenticate()
235: *
236: * Check if we have enough auth data and capabilities to authenticate.
237: */
238: bool Curl_sasl_can_authenticate(struct SASL *sasl, struct connectdata *conn)
239: {
240: /* Have credentials been provided? */
241: if(conn->bits.user_passwd)
242: return TRUE;
243:
244: /* EXTERNAL can authenticate without a user name and/or password */
245: if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL)
246: return TRUE;
247:
248: return FALSE;
249: }
250:
251: /*
252: * Curl_sasl_start()
253: *
254: * Calculate the required login details for SASL authentication.
255: */
256: CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
257: bool force_ir, saslprogress *progress)
258: {
259: CURLcode result = CURLE_OK;
260: struct Curl_easy *data = conn->data;
261: unsigned int enabledmechs;
262: const char *mech = NULL;
263: char *resp = NULL;
264: size_t len = 0;
265: saslstate state1 = SASL_STOP;
266: saslstate state2 = SASL_FINAL;
267: const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
268: conn->host.name;
269: const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
270: #if defined(USE_KERBEROS5) || defined(USE_NTLM)
271: const char *service = data->set.str[STRING_SERVICE_NAME] ?
272: data->set.str[STRING_SERVICE_NAME] :
273: sasl->params->service;
274: #endif
275: const char *oauth_bearer = data->set.str[STRING_BEARER];
276:
277: sasl->force_ir = force_ir; /* Latch for future use */
278: sasl->authused = 0; /* No mechanism used yet */
279: enabledmechs = sasl->authmechs & sasl->prefmech;
280: *progress = SASL_IDLE;
281:
282: /* Calculate the supported authentication mechanism, by decreasing order of
283: security, as well as the initial response where appropriate */
284: if((enabledmechs & SASL_MECH_EXTERNAL) && !conn->passwd[0]) {
285: mech = SASL_MECH_STRING_EXTERNAL;
286: state1 = SASL_EXTERNAL;
287: sasl->authused = SASL_MECH_EXTERNAL;
288:
289: if(force_ir || data->set.sasl_ir)
290: result = Curl_auth_create_external_message(data, conn->user, &resp,
291: &len);
292: }
293: else if(conn->bits.user_passwd) {
294: #if defined(USE_KERBEROS5)
295: if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() &&
296: Curl_auth_user_contains_domain(conn->user)) {
297: sasl->mutual_auth = FALSE;
298: mech = SASL_MECH_STRING_GSSAPI;
299: state1 = SASL_GSSAPI;
300: state2 = SASL_GSSAPI_TOKEN;
301: sasl->authused = SASL_MECH_GSSAPI;
302:
303: if(force_ir || data->set.sasl_ir)
304: result = Curl_auth_create_gssapi_user_message(data, conn->user,
305: conn->passwd,
306: service,
307: data->conn->host.name,
308: sasl->mutual_auth,
309: NULL, &conn->krb5,
310: &resp, &len);
311: }
312: else
313: #endif
314: #ifndef CURL_DISABLE_CRYPTO_AUTH
315: if((enabledmechs & SASL_MECH_DIGEST_MD5) &&
316: Curl_auth_is_digest_supported()) {
317: mech = SASL_MECH_STRING_DIGEST_MD5;
318: state1 = SASL_DIGESTMD5;
319: sasl->authused = SASL_MECH_DIGEST_MD5;
320: }
321: else if(enabledmechs & SASL_MECH_CRAM_MD5) {
322: mech = SASL_MECH_STRING_CRAM_MD5;
323: state1 = SASL_CRAMMD5;
324: sasl->authused = SASL_MECH_CRAM_MD5;
325: }
326: else
327: #endif
328: #ifdef USE_NTLM
329: if((enabledmechs & SASL_MECH_NTLM) && Curl_auth_is_ntlm_supported()) {
330: mech = SASL_MECH_STRING_NTLM;
331: state1 = SASL_NTLM;
332: state2 = SASL_NTLM_TYPE2MSG;
333: sasl->authused = SASL_MECH_NTLM;
334:
335: if(force_ir || data->set.sasl_ir)
336: result = Curl_auth_create_ntlm_type1_message(data,
337: conn->user, conn->passwd,
338: service,
339: hostname,
340: &conn->ntlm, &resp,
341: &len);
342: }
343: else
344: #endif
345: if((enabledmechs & SASL_MECH_OAUTHBEARER) && oauth_bearer) {
346: mech = SASL_MECH_STRING_OAUTHBEARER;
347: state1 = SASL_OAUTH2;
348: state2 = SASL_OAUTH2_RESP;
349: sasl->authused = SASL_MECH_OAUTHBEARER;
350:
351: if(force_ir || data->set.sasl_ir)
352: result = Curl_auth_create_oauth_bearer_message(data, conn->user,
353: hostname,
354: port,
355: oauth_bearer,
356: &resp, &len);
357: }
358: else if((enabledmechs & SASL_MECH_XOAUTH2) && oauth_bearer) {
359: mech = SASL_MECH_STRING_XOAUTH2;
360: state1 = SASL_OAUTH2;
361: sasl->authused = SASL_MECH_XOAUTH2;
362:
363: if(force_ir || data->set.sasl_ir)
364: result = Curl_auth_create_xoauth_bearer_message(data, conn->user,
365: oauth_bearer,
366: &resp, &len);
367: }
368: else if(enabledmechs & SASL_MECH_PLAIN) {
369: mech = SASL_MECH_STRING_PLAIN;
370: state1 = SASL_PLAIN;
371: sasl->authused = SASL_MECH_PLAIN;
372:
373: if(force_ir || data->set.sasl_ir)
374: result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
375: conn->user, conn->passwd,
376: &resp, &len);
377: }
378: else if(enabledmechs & SASL_MECH_LOGIN) {
379: mech = SASL_MECH_STRING_LOGIN;
380: state1 = SASL_LOGIN;
381: state2 = SASL_LOGIN_PASSWD;
382: sasl->authused = SASL_MECH_LOGIN;
383:
384: if(force_ir || data->set.sasl_ir)
385: result = Curl_auth_create_login_message(data, conn->user, &resp, &len);
386: }
387: }
388:
389: if(!result && mech) {
390: if(resp && sasl->params->maxirlen &&
391: strlen(mech) + len > sasl->params->maxirlen) {
392: free(resp);
393: resp = NULL;
394: }
395:
396: result = sasl->params->sendauth(conn, mech, resp);
397: if(!result) {
398: *progress = SASL_INPROGRESS;
399: state(sasl, conn, resp ? state2 : state1);
400: }
401: }
402:
403: free(resp);
404:
405: return result;
406: }
407:
408: /*
409: * Curl_sasl_continue()
410: *
411: * Continue the authentication.
412: */
413: CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
414: int code, saslprogress *progress)
415: {
416: CURLcode result = CURLE_OK;
417: struct Curl_easy *data = conn->data;
418: saslstate newstate = SASL_FINAL;
419: char *resp = NULL;
420: const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
421: conn->host.name;
422: const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
423: #if !defined(CURL_DISABLE_CRYPTO_AUTH)
424: char *chlg = NULL;
425: size_t chlglen = 0;
426: #endif
427: #if !defined(CURL_DISABLE_CRYPTO_AUTH) || defined(USE_KERBEROS5) || \
428: defined(USE_NTLM)
429: const char *service = data->set.str[STRING_SERVICE_NAME] ?
430: data->set.str[STRING_SERVICE_NAME] :
431: sasl->params->service;
432: char *serverdata;
433: #endif
434: size_t len = 0;
435: const char *oauth_bearer = data->set.str[STRING_BEARER];
436:
437: *progress = SASL_INPROGRESS;
438:
439: if(sasl->state == SASL_FINAL) {
440: if(code != sasl->params->finalcode)
441: result = CURLE_LOGIN_DENIED;
442: *progress = SASL_DONE;
443: state(sasl, conn, SASL_STOP);
444: return result;
445: }
446:
447: if(sasl->state != SASL_CANCEL && sasl->state != SASL_OAUTH2_RESP &&
448: code != sasl->params->contcode) {
449: *progress = SASL_DONE;
450: state(sasl, conn, SASL_STOP);
451: return CURLE_LOGIN_DENIED;
452: }
453:
454: switch(sasl->state) {
455: case SASL_STOP:
456: *progress = SASL_DONE;
457: return result;
458: case SASL_PLAIN:
459: result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
460: conn->user, conn->passwd,
461: &resp, &len);
462: break;
463: case SASL_LOGIN:
464: result = Curl_auth_create_login_message(data, conn->user, &resp, &len);
465: newstate = SASL_LOGIN_PASSWD;
466: break;
467: case SASL_LOGIN_PASSWD:
468: result = Curl_auth_create_login_message(data, conn->passwd, &resp, &len);
469: break;
470: case SASL_EXTERNAL:
471: result = Curl_auth_create_external_message(data, conn->user, &resp, &len);
472: break;
473:
474: #ifndef CURL_DISABLE_CRYPTO_AUTH
475: case SASL_CRAMMD5:
476: sasl->params->getmessage(data->state.buffer, &serverdata);
477: result = Curl_auth_decode_cram_md5_message(serverdata, &chlg, &chlglen);
478: if(!result)
479: result = Curl_auth_create_cram_md5_message(data, chlg, conn->user,
480: conn->passwd, &resp, &len);
481: free(chlg);
482: break;
483: case SASL_DIGESTMD5:
484: sasl->params->getmessage(data->state.buffer, &serverdata);
485: result = Curl_auth_create_digest_md5_message(data, serverdata,
486: conn->user, conn->passwd,
487: service,
488: &resp, &len);
489: newstate = SASL_DIGESTMD5_RESP;
490: break;
491: case SASL_DIGESTMD5_RESP:
492: resp = strdup("");
493: if(!resp)
494: result = CURLE_OUT_OF_MEMORY;
495: break;
496: #endif
497:
498: #ifdef USE_NTLM
499: case SASL_NTLM:
500: /* Create the type-1 message */
501: result = Curl_auth_create_ntlm_type1_message(data,
502: conn->user, conn->passwd,
503: service, hostname,
504: &conn->ntlm, &resp, &len);
505: newstate = SASL_NTLM_TYPE2MSG;
506: break;
507: case SASL_NTLM_TYPE2MSG:
508: /* Decode the type-2 message */
509: sasl->params->getmessage(data->state.buffer, &serverdata);
510: result = Curl_auth_decode_ntlm_type2_message(data, serverdata,
511: &conn->ntlm);
512: if(!result)
513: result = Curl_auth_create_ntlm_type3_message(data, conn->user,
514: conn->passwd, &conn->ntlm,
515: &resp, &len);
516: break;
517: #endif
518:
519: #if defined(USE_KERBEROS5)
520: case SASL_GSSAPI:
521: result = Curl_auth_create_gssapi_user_message(data, conn->user,
522: conn->passwd,
523: service,
524: data->conn->host.name,
525: sasl->mutual_auth, NULL,
526: &conn->krb5,
527: &resp, &len);
528: newstate = SASL_GSSAPI_TOKEN;
529: break;
530: case SASL_GSSAPI_TOKEN:
531: sasl->params->getmessage(data->state.buffer, &serverdata);
532: if(sasl->mutual_auth) {
533: /* Decode the user token challenge and create the optional response
534: message */
535: result = Curl_auth_create_gssapi_user_message(data, NULL, NULL,
536: NULL, NULL,
537: sasl->mutual_auth,
538: serverdata, &conn->krb5,
539: &resp, &len);
540: newstate = SASL_GSSAPI_NO_DATA;
541: }
542: else
543: /* Decode the security challenge and create the response message */
544: result = Curl_auth_create_gssapi_security_message(data, serverdata,
545: &conn->krb5,
546: &resp, &len);
547: break;
548: case SASL_GSSAPI_NO_DATA:
549: sasl->params->getmessage(data->state.buffer, &serverdata);
550: /* Decode the security challenge and create the response message */
551: result = Curl_auth_create_gssapi_security_message(data, serverdata,
552: &conn->krb5,
553: &resp, &len);
554: break;
555: #endif
556:
557: case SASL_OAUTH2:
558: /* Create the authorisation message */
559: if(sasl->authused == SASL_MECH_OAUTHBEARER) {
560: result = Curl_auth_create_oauth_bearer_message(data, conn->user,
561: hostname,
562: port,
563: oauth_bearer,
564: &resp, &len);
565:
566: /* Failures maybe sent by the server as continuations for OAUTHBEARER */
567: newstate = SASL_OAUTH2_RESP;
568: }
569: else
570: result = Curl_auth_create_xoauth_bearer_message(data, conn->user,
571: oauth_bearer,
572: &resp, &len);
573: break;
574:
575: case SASL_OAUTH2_RESP:
576: /* The continuation is optional so check the response code */
577: if(code == sasl->params->finalcode) {
578: /* Final response was received so we are done */
579: *progress = SASL_DONE;
580: state(sasl, conn, SASL_STOP);
581: return result;
582: }
583: else if(code == sasl->params->contcode) {
584: /* Acknowledge the continuation by sending a 0x01 response base64
585: encoded */
586: resp = strdup("AQ==");
587: if(!resp)
588: result = CURLE_OUT_OF_MEMORY;
589: break;
590: }
591: else {
592: *progress = SASL_DONE;
593: state(sasl, conn, SASL_STOP);
594: return CURLE_LOGIN_DENIED;
595: }
596:
597: case SASL_CANCEL:
598: /* Remove the offending mechanism from the supported list */
599: sasl->authmechs ^= sasl->authused;
600:
601: /* Start an alternative SASL authentication */
602: result = Curl_sasl_start(sasl, conn, sasl->force_ir, progress);
603: newstate = sasl->state; /* Use state from Curl_sasl_start() */
604: break;
605: default:
606: failf(data, "Unsupported SASL authentication mechanism");
607: result = CURLE_UNSUPPORTED_PROTOCOL; /* Should not happen */
608: break;
609: }
610:
611: switch(result) {
612: case CURLE_BAD_CONTENT_ENCODING:
613: /* Cancel dialog */
614: result = sasl->params->sendcont(conn, "*");
615: newstate = SASL_CANCEL;
616: break;
617: case CURLE_OK:
618: if(resp)
619: result = sasl->params->sendcont(conn, resp);
620: break;
621: default:
622: newstate = SASL_STOP; /* Stop on error */
623: *progress = SASL_DONE;
624: break;
625: }
626:
627: free(resp);
628:
629: state(sasl, conn, newstate);
630:
631: return result;
632: }
633: #endif /* protocols are enabled that use SASL */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to curl_sasl.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib