#include "curl_setup.h"
#include <curl/curl.h>
#include "urldata.h"
#include "curl_base64.h"
#include "curl_md5.h"
#include "vtls/vtls.h"
#include "curl_hmac.h"
#include "curl_sasl.h"
#include "warnless.h"
#include "strtok.h"
#include "strequal.h"
#include "rawstr.h"
#include "sendf.h"
#include "non-ascii.h"
#include "curl_printf.h"
#include "curl_memory.h"
#include "memdebug.h"
const struct {
const char *name;
size_t len;
unsigned int bit;
} mechtable[] = {
{ "LOGIN", 5, SASL_MECH_LOGIN },
{ "PLAIN", 5, SASL_MECH_PLAIN },
{ "CRAM-MD5", 8, SASL_MECH_CRAM_MD5 },
{ "DIGEST-MD5", 10, SASL_MECH_DIGEST_MD5 },
{ "GSSAPI", 6, SASL_MECH_GSSAPI },
{ "EXTERNAL", 8, SASL_MECH_EXTERNAL },
{ "NTLM", 4, SASL_MECH_NTLM },
{ "XOAUTH2", 7, SASL_MECH_XOAUTH2 },
{ ZERO_NULL, 0, 0 }
};
#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(USE_WINDOWS_SSPI)
#define DIGEST_QOP_VALUE_AUTH (1 << 0)
#define DIGEST_QOP_VALUE_AUTH_INT (1 << 1)
#define DIGEST_QOP_VALUE_AUTH_CONF (1 << 2)
#define DIGEST_QOP_VALUE_STRING_AUTH "auth"
#define DIGEST_QOP_VALUE_STRING_AUTH_INT "auth-int"
#define DIGEST_QOP_VALUE_STRING_AUTH_CONF "auth-conf"
#define CURL_OUTPUT_DIGEST_CONV(a, b) \
result = Curl_convert_to_network(a, (char *)b, strlen((const char*)b)); \
if(result) { \
free(b); \
return result; \
}
#endif
#if !defined(CURL_DISABLE_CRYPTO_AUTH)
int Curl_sasl_digest_get_pair(const char *str, char *value, char *content,
const char **endptr)
{
int c;
bool starts_with_quote = FALSE;
bool escape = FALSE;
for(c = DIGEST_MAX_VALUE_LENGTH - 1; (*str && (*str != '=') && c--); )
*value++ = *str++;
*value = 0;
if('=' != *str++)
return 1;
if('\"' == *str) {
str++;
starts_with_quote = TRUE;
}
for(c = DIGEST_MAX_CONTENT_LENGTH - 1; *str && c--; str++) {
switch(*str) {
case '\\':
if(!escape) {
escape = TRUE;
*content++ = '\\';
continue;
}
break;
case ',':
if(!starts_with_quote) {
c = 0;
continue;
}
break;
case '\r':
case '\n':
c = 0;
continue;
case '\"':
if(!escape && starts_with_quote) {
c = 0;
continue;
}
break;
}
escape = FALSE;
*content++ = *str;
}
*content = 0;
*endptr = str;
return 0;
}
#endif
#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(USE_WINDOWS_SSPI)
static void sasl_digest_md5_to_ascii(unsigned char *source,
unsigned char *dest)
{
int i;
for(i = 0; i < 16; i++)
snprintf((char *)&dest[i*2], 3, "%02x", source[i]);
}
static char *sasl_digest_string_quoted(const char *source)
{
char *dest, *d;
const char *s = source;
size_t n = 1;
while(*s) {
++n;
if(*s == '"' || *s == '\\') {
++n;
}
++s;
}
dest = malloc(n);
if(dest) {
s = source;
d = dest;
while(*s) {
if(*s == '"' || *s == '\\') {
*d++ = '\\';
}
*d++ = *s++;
}
*d = 0;
}
return dest;
}
static bool sasl_digest_get_key_value(const char *chlg,
const char *key,
char *value,
size_t max_val_len,
char end_char)
{
char *find_pos;
size_t i;
find_pos = strstr(chlg, key);
if(!find_pos)
return FALSE;
find_pos += strlen(key);
for(i = 0; *find_pos && *find_pos != end_char && i < max_val_len - 1; ++i)
value[i] = *find_pos++;
value[i] = '\0';
return TRUE;
}
static CURLcode sasl_digest_get_qop_values(const char *options, int *value)
{
char *tmp;
char *token;
char *tok_buf;
*value = 0;
tmp = strdup(options);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
token = strtok_r(tmp, ",", &tok_buf);
while(token != NULL) {
if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH))
*value |= DIGEST_QOP_VALUE_AUTH;
else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_INT))
*value |= DIGEST_QOP_VALUE_AUTH_INT;
else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_CONF))
*value |= DIGEST_QOP_VALUE_AUTH_CONF;
token = strtok_r(NULL, ",", &tok_buf);
}
free(tmp);
return CURLE_OK;
}
#endif
#if !defined(USE_WINDOWS_SSPI)
char *Curl_sasl_build_spn(const char *service, const char *host)
{
return aprintf("%s/%s", service, host);
}
#endif
static CURLcode sasl_create_plain_message(struct SessionHandle *data,
const char *userp,
const char *passwdp,
char **outptr, size_t *outlen)
{
CURLcode result;
char *plainauth;
size_t ulen;
size_t plen;
ulen = strlen(userp);
plen = strlen(passwdp);
plainauth = malloc(2 * ulen + plen + 2);
if(!plainauth) {
*outlen = 0;
*outptr = NULL;
return CURLE_OUT_OF_MEMORY;
}
memcpy(plainauth, userp, ulen);
plainauth[ulen] = '\0';
memcpy(plainauth + ulen + 1, userp, ulen);
plainauth[2 * ulen + 1] = '\0';
memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
outlen);
free(plainauth);
return result;
}
static CURLcode sasl_create_login_message(struct SessionHandle *data,
const char *valuep, char **outptr,
size_t *outlen)
{
size_t vlen = strlen(valuep);
if(!vlen) {
*outptr = strdup("=");
if(*outptr) {
*outlen = (size_t) 1;
return CURLE_OK;
}
*outlen = 0;
return CURLE_OUT_OF_MEMORY;
}
return Curl_base64_encode(data, valuep, vlen, outptr, outlen);
}
static CURLcode sasl_create_external_message(struct SessionHandle *data,
const char *user, char **outptr,
size_t *outlen)
{
return sasl_create_login_message(data, user, outptr, outlen);
}
#ifndef CURL_DISABLE_CRYPTO_AUTH
static CURLcode sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
size_t *outlen)
{
CURLcode result = CURLE_OK;
size_t chlg64len = strlen(chlg64);
*outptr = NULL;
*outlen = 0;
if(chlg64len && *chlg64 != '=')
result = Curl_base64_decode(chlg64, (unsigned char **) outptr, outlen);
return result;
}
static CURLcode sasl_create_cram_md5_message(struct SessionHandle *data,
const char *chlg,
const char *userp,
const char *passwdp,
char **outptr, size_t *outlen)
{
CURLcode result = CURLE_OK;
size_t chlglen = 0;
HMAC_context *ctxt;
unsigned char digest[MD5_DIGEST_LEN];
char *response;
if(chlg)
chlglen = strlen(chlg);
ctxt = Curl_HMAC_init(Curl_HMAC_MD5,
(const unsigned char *) passwdp,
curlx_uztoui(strlen(passwdp)));
if(!ctxt)
return CURLE_OUT_OF_MEMORY;
if(chlglen > 0)
Curl_HMAC_update(ctxt, (const unsigned char *) chlg,
curlx_uztoui(chlglen));
Curl_HMAC_final(ctxt, digest);
response = aprintf(
"%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
userp, digest[0], digest[1], digest[2], digest[3], digest[4],
digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
digest[11], digest[12], digest[13], digest[14], digest[15]);
if(!response)
return CURLE_OUT_OF_MEMORY;
result = Curl_base64_encode(data, response, 0, outptr, outlen);
free(response);
return result;
}
#ifndef USE_WINDOWS_SSPI
static CURLcode sasl_decode_digest_md5_message(const char *chlg64,
char *nonce, size_t nlen,
char *realm, size_t rlen,
char *alg, size_t alen,
char *qop, size_t qlen)
{
CURLcode result = CURLE_OK;
unsigned char *chlg = NULL;
size_t chlglen = 0;
size_t chlg64len = strlen(chlg64);
if(chlg64len && *chlg64 != '=') {
result = Curl_base64_decode(chlg64, &chlg, &chlglen);
if(result)
return result;
}
if(!chlg)
return CURLE_BAD_CONTENT_ENCODING;
if(!sasl_digest_get_key_value((char *)chlg, "nonce=\"", nonce, nlen, '\"')) {
free(chlg);
return CURLE_BAD_CONTENT_ENCODING;
}
if(!sasl_digest_get_key_value((char *)chlg, "realm=\"", realm, rlen, '\"')) {
strcpy(realm, "");
}
if(!sasl_digest_get_key_value((char *)chlg, "algorithm=", alg, alen, ',')) {
free(chlg);
return CURLE_BAD_CONTENT_ENCODING;
}
if(!sasl_digest_get_key_value((char *)chlg, "qop=\"", qop, qlen, '\"')) {
free(chlg);
return CURLE_BAD_CONTENT_ENCODING;
}
free(chlg);
return CURLE_OK;
}
CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
const char *chlg64,
const char *userp,
const char *passwdp,
const char *service,
char **outptr, size_t *outlen)
{
CURLcode result = CURLE_OK;
size_t i;
MD5_context *ctxt;
char *response = NULL;
unsigned char digest[MD5_DIGEST_LEN];
char HA1_hex[2 * MD5_DIGEST_LEN + 1];
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
int qop_values;
char cnonce[33];
unsigned int entropy[4];
char nonceCount[] = "00000001";
char method[] = "AUTHENTICATE";
char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
char *spn = NULL;
result = sasl_decode_digest_md5_message(chlg64, nonce, sizeof(nonce),
realm, sizeof(realm),
algorithm, sizeof(algorithm),
qop_options, sizeof(qop_options));
if(result)
return result;
if(strcmp(algorithm, "md5-sess") != 0)
return CURLE_BAD_CONTENT_ENCODING;
result = sasl_digest_get_qop_values(qop_options, &qop_values);
if(result)
return result;
if(!(qop_values & DIGEST_QOP_VALUE_AUTH))
return CURLE_BAD_CONTENT_ENCODING;
entropy[0] = Curl_rand(data);
entropy[1] = Curl_rand(data);
entropy[2] = Curl_rand(data);
entropy[3] = Curl_rand(data);
snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x",
entropy[0], entropy[1], entropy[2], entropy[3]);
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
if(!ctxt)
return CURLE_OUT_OF_MEMORY;
Curl_MD5_update(ctxt, (const unsigned char *) userp,
curlx_uztoui(strlen(userp)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) realm,
curlx_uztoui(strlen(realm)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) passwdp,
curlx_uztoui(strlen(passwdp)));
Curl_MD5_final(ctxt, digest);
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
if(!ctxt)
return CURLE_OUT_OF_MEMORY;
Curl_MD5_update(ctxt, (const unsigned char *) digest, MD5_DIGEST_LEN);
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) nonce,
curlx_uztoui(strlen(nonce)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) cnonce,
curlx_uztoui(strlen(cnonce)));
Curl_MD5_final(ctxt, digest);
for(i = 0; i < MD5_DIGEST_LEN; i++)
snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
spn = Curl_sasl_build_spn(service, realm);
if(!spn)
return CURLE_OUT_OF_MEMORY;
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
if(!ctxt) {
free(spn);
return CURLE_OUT_OF_MEMORY;
}
Curl_MD5_update(ctxt, (const unsigned char *) method,
curlx_uztoui(strlen(method)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) spn,
curlx_uztoui(strlen(spn)));
Curl_MD5_final(ctxt, digest);
for(i = 0; i < MD5_DIGEST_LEN; i++)
snprintf(&HA2_hex[2 * i], 3, "%02x", digest[i]);
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
if(!ctxt) {
free(spn);
return CURLE_OUT_OF_MEMORY;
}
Curl_MD5_update(ctxt, (const unsigned char *) HA1_hex, 2 * MD5_DIGEST_LEN);
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) nonce,
curlx_uztoui(strlen(nonce)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) nonceCount,
curlx_uztoui(strlen(nonceCount)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) cnonce,
curlx_uztoui(strlen(cnonce)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) qop,
curlx_uztoui(strlen(qop)));
Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
Curl_MD5_update(ctxt, (const unsigned char *) HA2_hex, 2 * MD5_DIGEST_LEN);
Curl_MD5_final(ctxt, digest);
for(i = 0; i < MD5_DIGEST_LEN; i++)
snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
response = aprintf("username=\"%s\",realm=\"%s\",nonce=\"%s\","
"cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s,"
"qop=%s",
userp, realm, nonce,
cnonce, nonceCount, spn, resp_hash_hex, qop);
free(spn);
if(!response)
return CURLE_OUT_OF_MEMORY;
result = Curl_base64_encode(data, response, 0, outptr, outlen);
free(response);
return result;
}
CURLcode Curl_sasl_decode_digest_http_message(const char *chlg,
struct digestdata *digest)
{
bool before = FALSE;
bool foundAuth = FALSE;
bool foundAuthInt = FALSE;
char *token = NULL;
char *tmp = NULL;
if(digest->nonce)
before = TRUE;
Curl_sasl_digest_cleanup(digest);
for(;;) {
char value[DIGEST_MAX_VALUE_LENGTH];
char content[DIGEST_MAX_CONTENT_LENGTH];
while(*chlg && ISSPACE(*chlg))
chlg++;
if(!Curl_sasl_digest_get_pair(chlg, value, content, &chlg)) {
if(Curl_raw_equal(value, "nonce")) {
digest->nonce = strdup(content);
if(!digest->nonce)
return CURLE_OUT_OF_MEMORY;
}
else if(Curl_raw_equal(value, "stale")) {
if(Curl_raw_equal(content, "true")) {
digest->stale = TRUE;
digest->nc = 1;
}
}
else if(Curl_raw_equal(value, "realm")) {
digest->realm = strdup(content);
if(!digest->realm)
return CURLE_OUT_OF_MEMORY;
}
else if(Curl_raw_equal(value, "opaque")) {
digest->opaque = strdup(content);
if(!digest->opaque)
return CURLE_OUT_OF_MEMORY;
}
else if(Curl_raw_equal(value, "qop")) {
char *tok_buf;
tmp = strdup(content);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
token = strtok_r(tmp, ",", &tok_buf);
while(token != NULL) {
if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH)) {
foundAuth = TRUE;
}
else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_INT)) {
foundAuthInt = TRUE;
}
token = strtok_r(NULL, ",", &tok_buf);
}
free(tmp);
if(foundAuth) {
digest->qop = strdup(DIGEST_QOP_VALUE_STRING_AUTH);
if(!digest->qop)
return CURLE_OUT_OF_MEMORY;
}
else if(foundAuthInt) {
digest->qop = strdup(DIGEST_QOP_VALUE_STRING_AUTH_INT);
if(!digest->qop)
return CURLE_OUT_OF_MEMORY;
}
}
else if(Curl_raw_equal(value, "algorithm")) {
digest->algorithm = strdup(content);
if(!digest->algorithm)
return CURLE_OUT_OF_MEMORY;
if(Curl_raw_equal(content, "MD5-sess"))
digest->algo = CURLDIGESTALGO_MD5SESS;
else if(Curl_raw_equal(content, "MD5"))
digest->algo = CURLDIGESTALGO_MD5;
else
return CURLE_BAD_CONTENT_ENCODING;
}
else {
}
}
else
break;
while(*chlg && ISSPACE(*chlg))
chlg++;
if(',' == *chlg)
chlg++;
}
if(before && !digest->stale)
return CURLE_BAD_CONTENT_ENCODING;
if(!digest->nonce)
return CURLE_BAD_CONTENT_ENCODING;
return CURLE_OK;
}
CURLcode Curl_sasl_create_digest_http_message(struct SessionHandle *data,
const char *userp,
const char *passwdp,
const unsigned char *request,
const unsigned char *uripath,
struct digestdata *digest,
char **outptr, size_t *outlen)
{
CURLcode result;
unsigned char md5buf[16];
unsigned char request_digest[33];
unsigned char *md5this;
unsigned char ha1[33];
unsigned char ha2[33];
char cnoncebuf[33];
char *cnonce = NULL;
size_t cnonce_sz = 0;
char *userp_quoted;
char *response = NULL;
char *tmp = NULL;
if(!digest->nc)
digest->nc = 1;
if(!digest->cnonce) {
snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x",
Curl_rand(data), Curl_rand(data),
Curl_rand(data), Curl_rand(data));
result = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
&cnonce, &cnonce_sz);
if(result)
return result;
digest->cnonce = cnonce;
}
md5this = (unsigned char *)
aprintf("%s:%s:%s", userp, digest->realm, passwdp);
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this);
Curl_md5it(md5buf, md5this);
free(md5this);
sasl_digest_md5_to_ascii(md5buf, ha1);
if(digest->algo == CURLDIGESTALGO_MD5SESS) {
tmp = aprintf("%s:%s:%s", ha1, digest->nonce, digest->cnonce);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, tmp);
Curl_md5it(md5buf, (unsigned char *)tmp);
free(tmp);
sasl_digest_md5_to_ascii(md5buf, ha1);
}
md5this = (unsigned char *)aprintf("%s:%s", request, uripath);
if(digest->qop && Curl_raw_equal(digest->qop, "auth-int")) {
unsigned char *md5this2 = (unsigned char *)
aprintf("%s:%s", md5this, "d41d8cd98f00b204e9800998ecf8427e");
free(md5this);
md5this = md5this2;
}
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this);
Curl_md5it(md5buf, md5this);
free(md5this);
sasl_digest_md5_to_ascii(md5buf, ha2);
if(digest->qop) {
md5this = (unsigned char *)aprintf("%s:%s:%08x:%s:%s:%s",
ha1,
digest->nonce,
digest->nc,
digest->cnonce,
digest->qop,
ha2);
}
else {
md5this = (unsigned char *)aprintf("%s:%s:%s",
ha1,
digest->nonce,
ha2);
}
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this);
Curl_md5it(md5buf, md5this);
free(md5this);
sasl_digest_md5_to_ascii(md5buf, request_digest);
userp_quoted = sasl_digest_string_quoted(userp);
if(!userp_quoted)
return CURLE_OUT_OF_MEMORY;
if(digest->qop) {
response = aprintf("username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"cnonce=\"%s\", "
"nc=%08x, "
"qop=%s, "
"response=\"%s\"",
userp_quoted,
digest->realm,
digest->nonce,
uripath,
digest->cnonce,
digest->nc,
digest->qop,
request_digest);
if(Curl_raw_equal(digest->qop, "auth"))
digest->nc++;
}
else {
response = aprintf("username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"response=\"%s\"",
userp_quoted,
digest->realm,
digest->nonce,
uripath,
request_digest);
}
free(userp_quoted);
if(!response)
return CURLE_OUT_OF_MEMORY;
if(digest->opaque) {
tmp = aprintf("%s, opaque=\"%s\"", response, digest->opaque);
free(response);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
response = tmp;
}
if(digest->algorithm) {
tmp = aprintf("%s, algorithm=\"%s\"", response, digest->algorithm);
free(response);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
response = tmp;
}
*outptr = response;
*outlen = strlen(response);
return CURLE_OK;
}
void Curl_sasl_digest_cleanup(struct digestdata *digest)
{
Curl_safefree(digest->nonce);
Curl_safefree(digest->cnonce);
Curl_safefree(digest->realm);
Curl_safefree(digest->opaque);
Curl_safefree(digest->qop);
Curl_safefree(digest->algorithm);
digest->nc = 0;
digest->algo = CURLDIGESTALGO_MD5;
digest->stale = FALSE;
}
#endif
#endif
#if defined(USE_NTLM) && !defined(USE_WINDOWS_SSPI)
void Curl_sasl_ntlm_cleanup(struct ntlmdata *ntlm)
{
Curl_safefree(ntlm->target_info);
ntlm->target_info_len = 0;
}
#endif
static CURLcode sasl_create_xoauth2_message(struct SessionHandle *data,
const char *user,
const char *bearer,
char **outptr, size_t *outlen)
{
CURLcode result = CURLE_OK;
char *xoauth = NULL;
xoauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
if(!xoauth)
return CURLE_OUT_OF_MEMORY;
result = Curl_base64_encode(data, xoauth, strlen(xoauth), outptr, outlen);
free(xoauth);
return result;
}
void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused)
{
#if defined(USE_KERBEROS5)
if(authused == SASL_MECH_GSSAPI) {
Curl_sasl_gssapi_cleanup(&conn->krb5);
}
#endif
#if defined(USE_NTLM)
if(authused == SASL_MECH_NTLM) {
Curl_sasl_ntlm_cleanup(&conn->ntlm);
}
#endif
#if !defined(USE_KERBEROS5) && !defined(USE_NTLM)
(void)conn;
(void)authused;
#endif
}
unsigned int Curl_sasl_decode_mech(const char *ptr, size_t maxlen, size_t *len)
{
unsigned int i;
char c;
for(i = 0; mechtable[i].name; i++) {
if(maxlen >= mechtable[i].len &&
!memcmp(ptr, mechtable[i].name, mechtable[i].len)) {
if(len)
*len = mechtable[i].len;
if(maxlen == mechtable[i].len)
return mechtable[i].bit;
c = ptr[mechtable[i].len];
if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_')
return mechtable[i].bit;
}
}
return 0;
}
CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
const char *value, size_t len)
{
CURLcode result = CURLE_OK;
unsigned int mechbit;
size_t mechlen;
if(!len)
return CURLE_URL_MALFORMAT;
if(sasl->resetprefs) {
sasl->resetprefs = FALSE;
sasl->prefmech = SASL_AUTH_NONE;
}
if(strnequal(value, "*", len))
sasl->prefmech = SASL_AUTH_DEFAULT;
else if((mechbit = Curl_sasl_decode_mech(value, len, &mechlen)) &&
mechlen == len)
sasl->prefmech |= mechbit;
else
result = CURLE_URL_MALFORMAT;
return result;
}
void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params)
{
sasl->params = params;
sasl->state = SASL_STOP;
sasl->authmechs = SASL_AUTH_NONE;
sasl->prefmech = SASL_AUTH_DEFAULT;
sasl->authused = SASL_AUTH_NONE;
sasl->resetprefs = TRUE;
sasl->mutual_auth = FALSE;
sasl->force_ir = FALSE;
}
static void state(struct SASL *sasl, struct connectdata *conn,
saslstate newstate)
{
#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
static const char * const names[]={
"STOP",
"PLAIN",
"LOGIN",
"LOGIN_PASSWD",
"EXTERNAL",
"CRAMMD5",
"DIGESTMD5",
"DIGESTMD5_RESP",
"NTLM",
"NTLM_TYPE2MSG",
"GSSAPI",
"GSSAPI_TOKEN",
"GSSAPI_NO_DATA",
"XOAUTH2",
"CANCEL",
"FINAL",
};
if(sasl->state != newstate)
infof(conn->data, "SASL %p state change from %s to %s\n",
(void *)sasl, names[sasl->state], names[newstate]);
#else
(void) conn;
#endif
sasl->state = newstate;
}
bool Curl_sasl_can_authenticate(struct SASL *sasl, struct connectdata *conn)
{
if(conn->bits.user_passwd)
return TRUE;
if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL)
return TRUE;
return FALSE;
}
CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
bool force_ir, saslprogress *progress)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
unsigned int enabledmechs;
const char *mech = NULL;
char *resp = NULL;
size_t len = 0;
saslstate state1 = SASL_STOP;
saslstate state2 = SASL_FINAL;
sasl->force_ir = force_ir;
sasl->authused = 0;
enabledmechs = sasl->authmechs & sasl->prefmech;
*progress = SASL_IDLE;
if((enabledmechs & SASL_MECH_EXTERNAL) && !conn->passwd[0]) {
mech = SASL_MECH_STRING_EXTERNAL;
state1 = SASL_EXTERNAL;
sasl->authused = SASL_MECH_EXTERNAL;
if(force_ir || data->set.sasl_ir)
result = sasl_create_external_message(data, conn->user, &resp, &len);
}
else if(conn->bits.user_passwd) {
#if defined(USE_KERBEROS5)
if(enabledmechs & SASL_MECH_GSSAPI) {
sasl->mutual_auth = FALSE;
mech = SASL_MECH_STRING_GSSAPI;
state1 = SASL_GSSAPI;
state2 = SASL_GSSAPI_TOKEN;
sasl->authused = SASL_MECH_GSSAPI;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd,
sasl->params->service,
sasl->mutual_auth,
NULL, &conn->krb5,
&resp, &len);
}
else
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if(enabledmechs & SASL_MECH_DIGEST_MD5) {
mech = SASL_MECH_STRING_DIGEST_MD5;
state1 = SASL_DIGESTMD5;
sasl->authused = SASL_MECH_DIGEST_MD5;
}
else if(enabledmechs & SASL_MECH_CRAM_MD5) {
mech = SASL_MECH_STRING_CRAM_MD5;
state1 = SASL_CRAMMD5;
sasl->authused = SASL_MECH_CRAM_MD5;
}
else
#endif
#ifdef USE_NTLM
if(enabledmechs & SASL_MECH_NTLM) {
mech = SASL_MECH_STRING_NTLM;
state1 = SASL_NTLM;
state2 = SASL_NTLM_TYPE2MSG;
sasl->authused = SASL_MECH_NTLM;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm, &resp, &len);
}
else
#endif
if((enabledmechs & SASL_MECH_XOAUTH2) || conn->xoauth2_bearer) {
mech = SASL_MECH_STRING_XOAUTH2;
state1 = SASL_XOAUTH2;
sasl->authused = SASL_MECH_XOAUTH2;
if(force_ir || data->set.sasl_ir)
result = sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer,
&resp, &len);
}
else if(enabledmechs & SASL_MECH_LOGIN) {
mech = SASL_MECH_STRING_LOGIN;
state1 = SASL_LOGIN;
state2 = SASL_LOGIN_PASSWD;
sasl->authused = SASL_MECH_LOGIN;
if(force_ir || data->set.sasl_ir)
result = sasl_create_login_message(data, conn->user, &resp, &len);
}
else if(enabledmechs & SASL_MECH_PLAIN) {
mech = SASL_MECH_STRING_PLAIN;
state1 = SASL_PLAIN;
sasl->authused = SASL_MECH_PLAIN;
if(force_ir || data->set.sasl_ir)
result = sasl_create_plain_message(data, conn->user, conn->passwd,
&resp, &len);
}
}
if(!result) {
if(resp && sasl->params->maxirlen &&
strlen(mech) + len > sasl->params->maxirlen) {
free(resp);
resp = NULL;
}
if(mech) {
result = sasl->params->sendauth(conn, mech, resp);
if(!result) {
*progress = SASL_INPROGRESS;
state(sasl, conn, resp? state2: state1);
}
}
}
free(resp);
return result;
}
CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
int code, saslprogress *progress)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
saslstate newstate = SASL_FINAL;
char *resp = NULL;
#if !defined(CURL_DISABLE_CRYPTO_AUTH)
char *serverdata;
char *chlg = NULL;
size_t chlglen = 0;
#endif
size_t len = 0;
*progress = SASL_INPROGRESS;
if(sasl->state == SASL_FINAL) {
if(code != sasl->params->finalcode)
result = CURLE_LOGIN_DENIED;
*progress = SASL_DONE;
state(sasl, conn, SASL_STOP);
return result;
}
if(sasl->state != SASL_CANCEL && code != sasl->params->contcode) {
*progress = SASL_DONE;
state(sasl, conn, SASL_STOP);
return CURLE_LOGIN_DENIED;
}
switch(sasl->state) {
case SASL_STOP:
*progress = SASL_DONE;
return result;
case SASL_PLAIN:
result = sasl_create_plain_message(data, conn->user, conn->passwd, &resp,
&len);
break;
case SASL_LOGIN:
result = sasl_create_login_message(data, conn->user, &resp, &len);
newstate = SASL_LOGIN_PASSWD;
break;
case SASL_LOGIN_PASSWD:
result = sasl_create_login_message(data, conn->passwd, &resp, &len);
break;
case SASL_EXTERNAL:
result = sasl_create_external_message(data, conn->user, &resp, &len);
break;
#ifndef CURL_DISABLE_CRYPTO_AUTH
case SASL_CRAMMD5:
sasl->params->getmessage(data->state.buffer, &serverdata);
result = sasl_decode_cram_md5_message(serverdata, &chlg, &chlglen);
if(!result)
result = sasl_create_cram_md5_message(data, chlg, conn->user,
conn->passwd, &resp, &len);
free(chlg);
break;
case SASL_DIGESTMD5:
sasl->params->getmessage(data->state.buffer, &serverdata);
result = Curl_sasl_create_digest_md5_message(data, serverdata,
conn->user, conn->passwd,
sasl->params->service,
&resp, &len);
newstate = SASL_DIGESTMD5_RESP;
break;
case SASL_DIGESTMD5_RESP:
if(!(resp = strdup("")))
result = CURLE_OUT_OF_MEMORY;
break;
#endif
#ifdef USE_NTLM
case SASL_NTLM:
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm, &resp, &len);
newstate = SASL_NTLM_TYPE2MSG;
break;
case SASL_NTLM_TYPE2MSG:
sasl->params->getmessage(data->state.buffer, &serverdata);
result = Curl_sasl_decode_ntlm_type2_message(data, serverdata,
&conn->ntlm);
if(!result)
result = Curl_sasl_create_ntlm_type3_message(data, conn->user,
conn->passwd, &conn->ntlm,
&resp, &len);
break;
#endif
#if defined(USE_KERBEROS5)
case SASL_GSSAPI:
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd,
sasl->params->service,
sasl->mutual_auth, NULL,
&conn->krb5,
&resp, &len);
newstate = SASL_GSSAPI_TOKEN;
break;
case SASL_GSSAPI_TOKEN:
sasl->params->getmessage(data->state.buffer, &serverdata);
if(sasl->mutual_auth) {
result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
sasl->mutual_auth,
serverdata, &conn->krb5,
&resp, &len);
newstate = SASL_GSSAPI_NO_DATA;
}
else
result = Curl_sasl_create_gssapi_security_message(data, serverdata,
&conn->krb5,
&resp, &len);
break;
case SASL_GSSAPI_NO_DATA:
sasl->params->getmessage(data->state.buffer, &serverdata);
result = Curl_sasl_create_gssapi_security_message(data, serverdata,
&conn->krb5,
&resp, &len);
break;
#endif
case SASL_XOAUTH2:
result = sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer, &resp, &len);
break;
case SASL_CANCEL:
sasl->authmechs ^= sasl->authused;
result = Curl_sasl_start(sasl, conn, sasl->force_ir, progress);
newstate = sasl->state;
break;
default:
failf(data, "Unsupported SASL authentication mechanism");
result = CURLE_UNSUPPORTED_PROTOCOL;
break;
}
switch(result) {
case CURLE_BAD_CONTENT_ENCODING:
result = sasl->params->sendcont(conn, "*");
newstate = SASL_CANCEL;
break;
case CURLE_OK:
if(resp)
result = sasl->params->sendcont(conn, resp);
break;
default:
newstate = SASL_STOP;
*progress = SASL_DONE;
break;
}
free(resp);
state(sasl, conn, newstate);
return result;
}