1 #ifndef HEADER_CURL_SASL_H 2 #define HEADER_CURL_SASL_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at http://curl.haxx.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 ***************************************************************************/ 24 25 #include <curl/curl.h> 26 27 struct SessionHandle; 28 struct connectdata; 29 30 #if !defined(CURL_DISABLE_CRYPTO_AUTH) 31 struct digestdata; 32 #endif 33 34 #if defined(USE_NTLM) 35 struct ntlmdata; 36 #endif 37 38 #if defined(USE_KERBEROS5) 39 struct kerberos5data; 40 #endif 41 42 /* Authentication mechanism flags */ 43 #define SASL_MECH_LOGIN (1 << 0) 44 #define SASL_MECH_PLAIN (1 << 1) 45 #define SASL_MECH_CRAM_MD5 (1 << 2) 46 #define SASL_MECH_DIGEST_MD5 (1 << 3) 47 #define SASL_MECH_GSSAPI (1 << 4) 48 #define SASL_MECH_EXTERNAL (1 << 5) 49 #define SASL_MECH_NTLM (1 << 6) 50 #define SASL_MECH_XOAUTH2 (1 << 7) 51 52 /* Authentication mechanism values */ 53 #define SASL_AUTH_NONE 0 54 #define SASL_AUTH_ANY ~0U 55 #define SASL_AUTH_DEFAULT (SASL_AUTH_ANY & \ 56 ~(SASL_MECH_EXTERNAL | SASL_MECH_XOAUTH2)) 57 58 /* Authentication mechanism strings */ 59 #define SASL_MECH_STRING_LOGIN "LOGIN" 60 #define SASL_MECH_STRING_PLAIN "PLAIN" 61 #define SASL_MECH_STRING_CRAM_MD5 "CRAM-MD5" 62 #define SASL_MECH_STRING_DIGEST_MD5 "DIGEST-MD5" 63 #define SASL_MECH_STRING_GSSAPI "GSSAPI" 64 #define SASL_MECH_STRING_EXTERNAL "EXTERNAL" 65 #define SASL_MECH_STRING_NTLM "NTLM" 66 #define SASL_MECH_STRING_XOAUTH2 "XOAUTH2" 67 68 #if !defined(CURL_DISABLE_CRYPTO_AUTH) 69 #define DIGEST_MAX_VALUE_LENGTH 256 70 #define DIGEST_MAX_CONTENT_LENGTH 1024 71 #endif 72 73 enum { 74 CURLDIGESTALGO_MD5, 75 CURLDIGESTALGO_MD5SESS 76 }; 77 78 /* SASL machine states */ 79 typedef enum { 80 SASL_STOP, 81 SASL_PLAIN, 82 SASL_LOGIN, 83 SASL_LOGIN_PASSWD, 84 SASL_EXTERNAL, 85 SASL_CRAMMD5, 86 SASL_DIGESTMD5, 87 SASL_DIGESTMD5_RESP, 88 SASL_NTLM, 89 SASL_NTLM_TYPE2MSG, 90 SASL_GSSAPI, 91 SASL_GSSAPI_TOKEN, 92 SASL_GSSAPI_NO_DATA, 93 SASL_XOAUTH2, 94 SASL_CANCEL, 95 SASL_FINAL 96 } saslstate; 97 98 /* Progress indicator */ 99 typedef enum { 100 SASL_IDLE, 101 SASL_INPROGRESS, 102 SASL_DONE 103 } saslprogress; 104 105 /* Protocol dependent SASL parameters */ 106 struct SASLproto { 107 const char *service; /* The service name */ 108 int contcode; /* Code to receive when continuation is expected */ 109 int finalcode; /* Code to receive upon authentication success */ 110 size_t maxirlen; /* Maximum initial response length */ 111 CURLcode (*sendauth)(struct connectdata *conn, 112 const char *mech, const char *ir); 113 /* Send authentication command */ 114 CURLcode (*sendcont)(struct connectdata *conn, const char *contauth); 115 /* Send authentication continuation */ 116 void (*getmessage)(char *buffer, char **outptr); 117 /* Get SASL response message */ 118 }; 119 120 /* Per-connection parameters */ 121 struct SASL { 122 const struct SASLproto *params; /* Protocol dependent parameters */ 123 saslstate state; /* Current machine state */ 124 unsigned int authmechs; /* Accepted authentication mechanisms */ 125 unsigned int prefmech; /* Preferred authentication mechanism */ 126 unsigned int authused; /* Auth mechanism used for the connection */ 127 bool resetprefs; /* For URL auth option parsing. */ 128 bool mutual_auth; /* Mutual authentication enabled (GSSAPI only) */ 129 bool force_ir; /* Protocol always supports initial response */ 130 }; 131 132 /* This is used to test whether the line starts with the given mechanism */ 133 #define sasl_mech_equal(line, wordlen, mech) \ 134 (wordlen == (sizeof(mech) - 1) / sizeof(char) && \ 135 !memcmp(line, mech, wordlen)) 136 137 /* This is used to build a SPN string */ 138 #if !defined(USE_WINDOWS_SSPI) 139 char *Curl_sasl_build_spn(const char *service, const char *instance); 140 #else 141 TCHAR *Curl_sasl_build_spn(const char *service, const char *instance); 142 #endif 143 144 /* This is used to extract the realm from a challenge message */ 145 int Curl_sasl_digest_get_pair(const char *str, char *value, char *content, 146 const char **endptr); 147 148 #if defined(HAVE_GSSAPI) 149 char *Curl_sasl_build_gssapi_spn(const char *service, const char *host); 150 #endif 151 152 #ifndef CURL_DISABLE_CRYPTO_AUTH 153 154 /* This is used to generate a base64 encoded DIGEST-MD5 response message */ 155 CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, 156 const char *chlg64, 157 const char *userp, 158 const char *passwdp, 159 const char *service, 160 char **outptr, size_t *outlen); 161 162 /* This is used to decode a HTTP DIGEST challenge message */ 163 CURLcode Curl_sasl_decode_digest_http_message(const char *chlg, 164 struct digestdata *digest); 165 166 /* This is used to generate a HTTP DIGEST response message */ 167 CURLcode Curl_sasl_create_digest_http_message(struct SessionHandle *data, 168 const char *userp, 169 const char *passwdp, 170 const unsigned char *request, 171 const unsigned char *uri, 172 struct digestdata *digest, 173 char **outptr, size_t *outlen); 174 175 /* This is used to clean up the digest specific data */ 176 void Curl_sasl_digest_cleanup(struct digestdata *digest); 177 #endif 178 179 #ifdef USE_NTLM 180 /* This is used to generate a base64 encoded NTLM type-1 message */ 181 CURLcode Curl_sasl_create_ntlm_type1_message(const char *userp, 182 const char *passwdp, 183 struct ntlmdata *ntlm, 184 char **outptr, 185 size_t *outlen); 186 187 /* This is used to decode a base64 encoded NTLM type-2 message */ 188 CURLcode Curl_sasl_decode_ntlm_type2_message(struct SessionHandle *data, 189 const char *type2msg, 190 struct ntlmdata *ntlm); 191 192 /* This is used to generate a base64 encoded NTLM type-3 message */ 193 CURLcode Curl_sasl_create_ntlm_type3_message(struct SessionHandle *data, 194 const char *userp, 195 const char *passwdp, 196 struct ntlmdata *ntlm, 197 char **outptr, size_t *outlen); 198 199 /* This is used to clean up the ntlm specific data */ 200 void Curl_sasl_ntlm_cleanup(struct ntlmdata *ntlm); 201 202 #endif /* USE_NTLM */ 203 204 #if defined(USE_KERBEROS5) 205 /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) user token 206 message */ 207 CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data, 208 const char *userp, 209 const char *passwdp, 210 const char *service, 211 const bool mutual, 212 const char *chlg64, 213 struct kerberos5data *krb5, 214 char **outptr, size_t *outlen); 215 216 /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) security 217 token message */ 218 CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data, 219 const char *input, 220 struct kerberos5data *krb5, 221 char **outptr, 222 size_t *outlen); 223 224 /* This is used to clean up the gssapi specific data */ 225 void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5); 226 #endif /* USE_KERBEROS5 */ 227 228 /* This is used to cleanup any libraries or curl modules used by the sasl 229 functions */ 230 void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused); 231 232 /* Convert a mechanism name to a token */ 233 unsigned int Curl_sasl_decode_mech(const char *ptr, 234 size_t maxlen, size_t *len); 235 236 /* Parse the URL login options */ 237 CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl, 238 const char *value, size_t len); 239 240 /* Initializes an SASL structure */ 241 void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params); 242 243 /* Check if we have enough auth data and capabilities to authenticate */ 244 bool Curl_sasl_can_authenticate(struct SASL *sasl, struct connectdata *conn); 245 246 /* Calculate the required login details for SASL authentication */ 247 CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn, 248 bool force_ir, saslprogress *progress); 249 250 /* Continue an SASL authentication */ 251 CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn, 252 int code, saslprogress *progress); 253 254 #endif /* HEADER_CURL_SASL_H */ 255