2
0

curl_sasl.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * RFC2195 CRAM-MD5 authentication
  22. * RFC2831 DIGEST-MD5 authentication
  23. * RFC4422 Simple Authentication and Security Layer (SASL)
  24. * RFC4616 PLAIN authentication
  25. * RFC6749 OAuth 2.0 Authorization Framework
  26. * Draft LOGIN SASL Mechanism <draft-murchison-sasl-login-00.txt>
  27. *
  28. ***************************************************************************/
  29. #include "curl_setup.h"
  30. #include <curl/curl.h>
  31. #include "urldata.h"
  32. #include "curl_base64.h"
  33. #include "curl_md5.h"
  34. #include "vtls/vtls.h"
  35. #include "curl_hmac.h"
  36. #include "curl_ntlm_msgs.h"
  37. #include "curl_sasl.h"
  38. #include "warnless.h"
  39. #include "curl_memory.h"
  40. #include "strtok.h"
  41. #include "rawstr.h"
  42. #ifdef USE_NSS
  43. #include "vtls/nssg.h" /* for Curl_nss_force_init() */
  44. #endif
  45. #define _MPRINTF_REPLACE /* use our functions only */
  46. #include <curl/mprintf.h>
  47. /* The last #include file should be: */
  48. #include "memdebug.h"
  49. #if defined(USE_KRB5)
  50. extern void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5);
  51. #endif
  52. #if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(USE_WINDOWS_SSPI)
  53. #define DIGEST_QOP_VALUE_AUTH (1 << 0)
  54. #define DIGEST_QOP_VALUE_AUTH_INT (1 << 1)
  55. #define DIGEST_QOP_VALUE_AUTH_CONF (1 << 2)
  56. #define DIGEST_QOP_VALUE_STRING_AUTH "auth"
  57. #define DIGEST_QOP_VALUE_STRING_AUTH_INT "auth-int"
  58. #define DIGEST_QOP_VALUE_STRING_AUTH_CONF "auth-conf"
  59. /* Retrieves the value for a corresponding key from the challenge string
  60. * returns TRUE if the key could be found, FALSE if it does not exists
  61. */
  62. static bool sasl_digest_get_key_value(const char *chlg,
  63. const char *key,
  64. char *value,
  65. size_t max_val_len,
  66. char end_char)
  67. {
  68. char *find_pos;
  69. size_t i;
  70. find_pos = strstr(chlg, key);
  71. if(!find_pos)
  72. return FALSE;
  73. find_pos += strlen(key);
  74. for(i = 0; *find_pos && *find_pos != end_char && i < max_val_len - 1; ++i)
  75. value[i] = *find_pos++;
  76. value[i] = '\0';
  77. return TRUE;
  78. }
  79. static CURLcode sasl_digest_get_qop_values(const char *options, int *value)
  80. {
  81. char *tmp;
  82. char *token;
  83. char *tok_buf;
  84. /* Initialise the output */
  85. *value = 0;
  86. /* Tokenise the list of qop values. Use a temporary clone of the buffer since
  87. strtok_r() ruins it. */
  88. tmp = strdup(options);
  89. if(!tmp)
  90. return CURLE_OUT_OF_MEMORY;
  91. token = strtok_r(tmp, ",", &tok_buf);
  92. while(token != NULL) {
  93. if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH))
  94. *value |= DIGEST_QOP_VALUE_AUTH;
  95. else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_INT))
  96. *value |= DIGEST_QOP_VALUE_AUTH_INT;
  97. else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_CONF))
  98. *value |= DIGEST_QOP_VALUE_AUTH_CONF;
  99. token = strtok_r(NULL, ",", &tok_buf);
  100. }
  101. Curl_safefree(tmp);
  102. return CURLE_OK;
  103. }
  104. #endif
  105. #if !defined(USE_WINDOWS_SSPI)
  106. /*
  107. * Curl_sasl_build_spn()
  108. *
  109. * This is used to build a SPN string in the format service/host.
  110. *
  111. * Parameters:
  112. *
  113. * serivce [in] - The service type such as www, smtp, pop or imap.
  114. * instance [in] - The instance name such as the host nme or realm.
  115. *
  116. * Returns a pointer to the newly allocated SPN.
  117. */
  118. char *Curl_sasl_build_spn(const char *service, const char *host)
  119. {
  120. /* Generate and return our SPN */
  121. return aprintf("%s/%s", service, host);
  122. }
  123. #endif
  124. /*
  125. * Curl_sasl_create_plain_message()
  126. *
  127. * This is used to generate an already encoded PLAIN message ready
  128. * for sending to the recipient.
  129. *
  130. * Parameters:
  131. *
  132. * data [in] - The session handle.
  133. * userp [in] - The user name.
  134. * passdwp [in] - The user's password.
  135. * outptr [in/out] - The address where a pointer to newly allocated memory
  136. * holding the result will be stored upon completion.
  137. * outlen [out] - The length of the output message.
  138. *
  139. * Returns CURLE_OK on success.
  140. */
  141. CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
  142. const char *userp,
  143. const char *passwdp,
  144. char **outptr, size_t *outlen)
  145. {
  146. CURLcode result;
  147. char *plainauth;
  148. size_t ulen;
  149. size_t plen;
  150. ulen = strlen(userp);
  151. plen = strlen(passwdp);
  152. plainauth = malloc(2 * ulen + plen + 2);
  153. if(!plainauth) {
  154. *outlen = 0;
  155. *outptr = NULL;
  156. return CURLE_OUT_OF_MEMORY;
  157. }
  158. /* Calculate the reply */
  159. memcpy(plainauth, userp, ulen);
  160. plainauth[ulen] = '\0';
  161. memcpy(plainauth + ulen + 1, userp, ulen);
  162. plainauth[2 * ulen + 1] = '\0';
  163. memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
  164. /* Base64 encode the reply */
  165. result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
  166. outlen);
  167. Curl_safefree(plainauth);
  168. return result;
  169. }
  170. /*
  171. * Curl_sasl_create_login_message()
  172. *
  173. * This is used to generate an already encoded LOGIN message containing the
  174. * user name or password ready for sending to the recipient.
  175. *
  176. * Parameters:
  177. *
  178. * data [in] - The session handle.
  179. * valuep [in] - The user name or user's password.
  180. * outptr [in/out] - The address where a pointer to newly allocated memory
  181. * holding the result will be stored upon completion.
  182. * outlen [out] - The length of the output message.
  183. *
  184. * Returns CURLE_OK on success.
  185. */
  186. CURLcode Curl_sasl_create_login_message(struct SessionHandle *data,
  187. const char *valuep, char **outptr,
  188. size_t *outlen)
  189. {
  190. size_t vlen = strlen(valuep);
  191. if(!vlen) {
  192. /* Calculate an empty reply */
  193. *outptr = strdup("=");
  194. if(*outptr) {
  195. *outlen = (size_t) 1;
  196. return CURLE_OK;
  197. }
  198. *outlen = 0;
  199. return CURLE_OUT_OF_MEMORY;
  200. }
  201. /* Base64 encode the value */
  202. return Curl_base64_encode(data, valuep, vlen, outptr, outlen);
  203. }
  204. #ifndef CURL_DISABLE_CRYPTO_AUTH
  205. /*
  206. * Curl_sasl_decode_cram_md5_message()
  207. *
  208. * This is used to decode an already encoded CRAM-MD5 challenge message.
  209. *
  210. * Parameters:
  211. *
  212. * chlg64 [in] - Pointer to the base64 encoded challenge message.
  213. * outptr [in/out] - The address where a pointer to newly allocated memory
  214. * holding the result will be stored upon completion.
  215. * outlen [out] - The length of the output message.
  216. *
  217. * Returns CURLE_OK on success.
  218. */
  219. CURLcode Curl_sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
  220. size_t *outlen)
  221. {
  222. CURLcode result = CURLE_OK;
  223. size_t chlg64len = strlen(chlg64);
  224. *outptr = NULL;
  225. *outlen = 0;
  226. /* Decode the challenge if necessary */
  227. if(chlg64len && *chlg64 != '=')
  228. result = Curl_base64_decode(chlg64, (unsigned char **) outptr, outlen);
  229. return result;
  230. }
  231. /*
  232. * Curl_sasl_create_cram_md5_message()
  233. *
  234. * This is used to generate an already encoded CRAM-MD5 response message ready
  235. * for sending to the recipient.
  236. *
  237. * Parameters:
  238. *
  239. * data [in] - The session handle.
  240. * chlg [in] - The challenge.
  241. * userp [in] - The user name.
  242. * passdwp [in] - The user's password.
  243. * outptr [in/out] - The address where a pointer to newly allocated memory
  244. * holding the result will be stored upon completion.
  245. * outlen [out] - The length of the output message.
  246. *
  247. * Returns CURLE_OK on success.
  248. */
  249. CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
  250. const char *chlg,
  251. const char *userp,
  252. const char *passwdp,
  253. char **outptr, size_t *outlen)
  254. {
  255. CURLcode result = CURLE_OK;
  256. size_t chlglen = 0;
  257. HMAC_context *ctxt;
  258. unsigned char digest[MD5_DIGEST_LEN];
  259. char *response;
  260. if(chlg)
  261. chlglen = strlen(chlg);
  262. /* Compute the digest using the password as the key */
  263. ctxt = Curl_HMAC_init(Curl_HMAC_MD5,
  264. (const unsigned char *) passwdp,
  265. curlx_uztoui(strlen(passwdp)));
  266. if(!ctxt)
  267. return CURLE_OUT_OF_MEMORY;
  268. /* Update the digest with the given challenge */
  269. if(chlglen > 0)
  270. Curl_HMAC_update(ctxt, (const unsigned char *) chlg,
  271. curlx_uztoui(chlglen));
  272. /* Finalise the digest */
  273. Curl_HMAC_final(ctxt, digest);
  274. /* Generate the response */
  275. response = aprintf(
  276. "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
  277. userp, digest[0], digest[1], digest[2], digest[3], digest[4],
  278. digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
  279. digest[11], digest[12], digest[13], digest[14], digest[15]);
  280. if(!response)
  281. return CURLE_OUT_OF_MEMORY;
  282. /* Base64 encode the response */
  283. result = Curl_base64_encode(data, response, 0, outptr, outlen);
  284. Curl_safefree(response);
  285. return result;
  286. }
  287. #ifndef USE_WINDOWS_SSPI
  288. /*
  289. * sasl_decode_digest_md5_message()
  290. *
  291. * This is used internally to decode an already encoded DIGEST-MD5 challenge
  292. * message into the seperate attributes.
  293. *
  294. * Parameters:
  295. *
  296. * chlg64 [in] - Pointer to the base64 encoded challenge message.
  297. * nonce [in/out] - The buffer where the nonce will be stored.
  298. * nlen [in] - The length of the nonce buffer.
  299. * realm [in/out] - The buffer where the realm will be stored.
  300. * rlen [in] - The length of the realm buffer.
  301. * alg [in/out] - The buffer where the algorithm will be stored.
  302. * alen [in] - The length of the algorithm buffer.
  303. * qop [in/out] - The buffer where the qop-options will be stored.
  304. * qlen [in] - The length of the qop buffer.
  305. *
  306. * Returns CURLE_OK on success.
  307. */
  308. static CURLcode sasl_decode_digest_md5_message(const char *chlg64,
  309. char *nonce, size_t nlen,
  310. char *realm, size_t rlen,
  311. char *alg, size_t alen,
  312. char *qop, size_t qlen)
  313. {
  314. CURLcode result = CURLE_OK;
  315. unsigned char *chlg = NULL;
  316. size_t chlglen = 0;
  317. size_t chlg64len = strlen(chlg64);
  318. /* Decode the base-64 encoded challenge message */
  319. if(chlg64len && *chlg64 != '=') {
  320. result = Curl_base64_decode(chlg64, &chlg, &chlglen);
  321. if(result)
  322. return result;
  323. }
  324. /* Ensure we have a valid challenge message */
  325. if(!chlg)
  326. return CURLE_BAD_CONTENT_ENCODING;
  327. /* Retrieve nonce string from the challenge */
  328. if(!sasl_digest_get_key_value((char *)chlg, "nonce=\"", nonce, nlen, '\"')) {
  329. Curl_safefree(chlg);
  330. return CURLE_BAD_CONTENT_ENCODING;
  331. }
  332. /* Retrieve realm string from the challenge */
  333. if(!sasl_digest_get_key_value((char *)chlg, "realm=\"", realm, rlen, '\"')) {
  334. /* Challenge does not have a realm, set empty string [RFC2831] page 6 */
  335. strcpy(realm, "");
  336. }
  337. /* Retrieve algorithm string from the challenge */
  338. if(!sasl_digest_get_key_value((char *)chlg, "algorithm=", alg, alen, ',')) {
  339. Curl_safefree(chlg);
  340. return CURLE_BAD_CONTENT_ENCODING;
  341. }
  342. /* Retrieve qop-options string from the challenge */
  343. if(!sasl_digest_get_key_value((char *)chlg, "qop=\"", qop, qlen, '\"')) {
  344. Curl_safefree(chlg);
  345. return CURLE_BAD_CONTENT_ENCODING;
  346. }
  347. Curl_safefree(chlg);
  348. return CURLE_OK;
  349. }
  350. /*
  351. * Curl_sasl_create_digest_md5_message()
  352. *
  353. * This is used to generate an already encoded DIGEST-MD5 response message
  354. * ready for sending to the recipient.
  355. *
  356. * Parameters:
  357. *
  358. * data [in] - The session handle.
  359. * chlg64 [in] - Pointer to the base64 encoded challenge message.
  360. * userp [in] - The user name.
  361. * passdwp [in] - The user's password.
  362. * service [in] - The service type such as www, smtp, pop or imap.
  363. * outptr [in/out] - The address where a pointer to newly allocated memory
  364. * holding the result will be stored upon completion.
  365. * outlen [out] - The length of the output message.
  366. *
  367. * Returns CURLE_OK on success.
  368. */
  369. CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
  370. const char *chlg64,
  371. const char *userp,
  372. const char *passwdp,
  373. const char *service,
  374. char **outptr, size_t *outlen)
  375. {
  376. CURLcode result = CURLE_OK;
  377. size_t i;
  378. MD5_context *ctxt;
  379. char *response = NULL;
  380. unsigned char digest[MD5_DIGEST_LEN];
  381. char HA1_hex[2 * MD5_DIGEST_LEN + 1];
  382. char HA2_hex[2 * MD5_DIGEST_LEN + 1];
  383. char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
  384. char nonce[64];
  385. char realm[128];
  386. char algorithm[64];
  387. char qop_options[64];
  388. int qop_values;
  389. char cnonce[33];
  390. unsigned int entropy[4];
  391. char nonceCount[] = "00000001";
  392. char method[] = "AUTHENTICATE";
  393. char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
  394. char *spn = NULL;
  395. /* Decode the challange message */
  396. result = sasl_decode_digest_md5_message(chlg64, nonce, sizeof(nonce),
  397. realm, sizeof(realm),
  398. algorithm, sizeof(algorithm),
  399. qop_options, sizeof(qop_options));
  400. if(result)
  401. return result;
  402. /* We only support md5 sessions */
  403. if(strcmp(algorithm, "md5-sess") != 0)
  404. return CURLE_BAD_CONTENT_ENCODING;
  405. /* Get the qop-values from the qop-options */
  406. result = sasl_digest_get_qop_values(qop_options, &qop_values);
  407. if(result)
  408. return result;
  409. /* We only support auth quality-of-protection */
  410. if(!(qop_values & DIGEST_QOP_VALUE_AUTH))
  411. return CURLE_BAD_CONTENT_ENCODING;
  412. /* Generate 16 bytes of random data */
  413. entropy[0] = Curl_rand(data);
  414. entropy[1] = Curl_rand(data);
  415. entropy[2] = Curl_rand(data);
  416. entropy[3] = Curl_rand(data);
  417. /* Convert the random data into a 32 byte hex string */
  418. snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x",
  419. entropy[0], entropy[1], entropy[2], entropy[3]);
  420. /* So far so good, now calculate A1 and H(A1) according to RFC 2831 */
  421. ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
  422. if(!ctxt)
  423. return CURLE_OUT_OF_MEMORY;
  424. Curl_MD5_update(ctxt, (const unsigned char *) userp,
  425. curlx_uztoui(strlen(userp)));
  426. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  427. Curl_MD5_update(ctxt, (const unsigned char *) realm,
  428. curlx_uztoui(strlen(realm)));
  429. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  430. Curl_MD5_update(ctxt, (const unsigned char *) passwdp,
  431. curlx_uztoui(strlen(passwdp)));
  432. Curl_MD5_final(ctxt, digest);
  433. ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
  434. if(!ctxt)
  435. return CURLE_OUT_OF_MEMORY;
  436. Curl_MD5_update(ctxt, (const unsigned char *) digest, MD5_DIGEST_LEN);
  437. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  438. Curl_MD5_update(ctxt, (const unsigned char *) nonce,
  439. curlx_uztoui(strlen(nonce)));
  440. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  441. Curl_MD5_update(ctxt, (const unsigned char *) cnonce,
  442. curlx_uztoui(strlen(cnonce)));
  443. Curl_MD5_final(ctxt, digest);
  444. /* Convert calculated 16 octet hex into 32 bytes string */
  445. for(i = 0; i < MD5_DIGEST_LEN; i++)
  446. snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
  447. /* Generate our SPN */
  448. spn = Curl_sasl_build_spn(service, realm);
  449. if(!spn)
  450. return CURLE_OUT_OF_MEMORY;
  451. /* Calculate H(A2) */
  452. ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
  453. if(!ctxt) {
  454. Curl_safefree(spn);
  455. return CURLE_OUT_OF_MEMORY;
  456. }
  457. Curl_MD5_update(ctxt, (const unsigned char *) method,
  458. curlx_uztoui(strlen(method)));
  459. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  460. Curl_MD5_update(ctxt, (const unsigned char *) spn,
  461. curlx_uztoui(strlen(spn)));
  462. Curl_MD5_final(ctxt, digest);
  463. for(i = 0; i < MD5_DIGEST_LEN; i++)
  464. snprintf(&HA2_hex[2 * i], 3, "%02x", digest[i]);
  465. /* Now calculate the response hash */
  466. ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
  467. if(!ctxt) {
  468. Curl_safefree(spn);
  469. return CURLE_OUT_OF_MEMORY;
  470. }
  471. Curl_MD5_update(ctxt, (const unsigned char *) HA1_hex, 2 * MD5_DIGEST_LEN);
  472. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  473. Curl_MD5_update(ctxt, (const unsigned char *) nonce,
  474. curlx_uztoui(strlen(nonce)));
  475. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  476. Curl_MD5_update(ctxt, (const unsigned char *) nonceCount,
  477. curlx_uztoui(strlen(nonceCount)));
  478. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  479. Curl_MD5_update(ctxt, (const unsigned char *) cnonce,
  480. curlx_uztoui(strlen(cnonce)));
  481. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  482. Curl_MD5_update(ctxt, (const unsigned char *) qop,
  483. curlx_uztoui(strlen(qop)));
  484. Curl_MD5_update(ctxt, (const unsigned char *) ":", 1);
  485. Curl_MD5_update(ctxt, (const unsigned char *) HA2_hex, 2 * MD5_DIGEST_LEN);
  486. Curl_MD5_final(ctxt, digest);
  487. for(i = 0; i < MD5_DIGEST_LEN; i++)
  488. snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
  489. /* Generate the response */
  490. response = aprintf("username=\"%s\",realm=\"%s\",nonce=\"%s\","
  491. "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s,"
  492. "qop=%s",
  493. userp, realm, nonce,
  494. cnonce, nonceCount, spn, resp_hash_hex, qop);
  495. Curl_safefree(spn);
  496. if(!response)
  497. return CURLE_OUT_OF_MEMORY;
  498. /* Base64 encode the response */
  499. result = Curl_base64_encode(data, response, 0, outptr, outlen);
  500. Curl_safefree(response);
  501. return result;
  502. }
  503. #endif /* !USE_WINDOWS_SSPI */
  504. #endif /* CURL_DISABLE_CRYPTO_AUTH */
  505. #ifdef USE_NTLM
  506. /*
  507. * Curl_sasl_create_ntlm_type1_message()
  508. *
  509. * This is used to generate an already encoded NTLM type-1 message ready for
  510. * sending to the recipient.
  511. *
  512. * Note: This is a simple wrapper of the NTLM function which means that any
  513. * SASL based protocols don't have to include the NTLM functions directly.
  514. *
  515. * Parameters:
  516. *
  517. * userp [in] - The user name in the format User or Domain\User.
  518. * passdwp [in] - The user's password.
  519. * ntlm [in/out] - The ntlm data struct being used and modified.
  520. * outptr [in/out] - The address where a pointer to newly allocated memory
  521. * holding the result will be stored upon completion.
  522. * outlen [out] - The length of the output message.
  523. *
  524. * Returns CURLE_OK on success.
  525. */
  526. CURLcode Curl_sasl_create_ntlm_type1_message(const char *userp,
  527. const char *passwdp,
  528. struct ntlmdata *ntlm,
  529. char **outptr, size_t *outlen)
  530. {
  531. return Curl_ntlm_create_type1_message(userp, passwdp, ntlm, outptr, outlen);
  532. }
  533. /*
  534. * Curl_sasl_decode_ntlm_type2_message()
  535. *
  536. * This is used to decode an already encoded NTLM type-2 message.
  537. *
  538. * Parameters:
  539. *
  540. * data [in] - Pointer to session handle.
  541. * type2msg [in] - Pointer to the base64 encoded type-2 message.
  542. * ntlm [in/out] - The ntlm data struct being used and modified.
  543. *
  544. * Returns CURLE_OK on success.
  545. */
  546. CURLcode Curl_sasl_decode_ntlm_type2_message(struct SessionHandle *data,
  547. const char *type2msg,
  548. struct ntlmdata *ntlm)
  549. {
  550. #ifdef USE_NSS
  551. CURLcode result;
  552. /* make sure the crypto backend is initialized */
  553. result = Curl_nss_force_init(data);
  554. if(result)
  555. return result;
  556. #endif
  557. return Curl_ntlm_decode_type2_message(data, type2msg, ntlm);
  558. }
  559. /*
  560. * Curl_sasl_create_ntlm_type3_message()
  561. *
  562. * This is used to generate an already encoded NTLM type-3 message ready for
  563. * sending to the recipient.
  564. *
  565. * Parameters:
  566. *
  567. * data [in] - Pointer to session handle.
  568. * userp [in] - The user name in the format User or Domain\User.
  569. * passdwp [in] - The user's password.
  570. * ntlm [in/out] - The ntlm data struct being used and modified.
  571. * outptr [in/out] - The address where a pointer to newly allocated memory
  572. * holding the result will be stored upon completion.
  573. * outlen [out] - The length of the output message.
  574. *
  575. * Returns CURLE_OK on success.
  576. */
  577. CURLcode Curl_sasl_create_ntlm_type3_message(struct SessionHandle *data,
  578. const char *userp,
  579. const char *passwdp,
  580. struct ntlmdata *ntlm,
  581. char **outptr, size_t *outlen)
  582. {
  583. return Curl_ntlm_create_type3_message(data, userp, passwdp, ntlm, outptr,
  584. outlen);
  585. }
  586. #endif /* USE_NTLM */
  587. /*
  588. * Curl_sasl_create_xoauth2_message()
  589. *
  590. * This is used to generate an already encoded OAuth 2.0 message ready for
  591. * sending to the recipient.
  592. *
  593. * Parameters:
  594. *
  595. * data [in] - The session handle.
  596. * user [in] - The user name.
  597. * bearer [in] - The bearer token.
  598. * outptr [in/out] - The address where a pointer to newly allocated memory
  599. * holding the result will be stored upon completion.
  600. * outlen [out] - The length of the output message.
  601. *
  602. * Returns CURLE_OK on success.
  603. */
  604. CURLcode Curl_sasl_create_xoauth2_message(struct SessionHandle *data,
  605. const char *user,
  606. const char *bearer,
  607. char **outptr, size_t *outlen)
  608. {
  609. CURLcode result = CURLE_OK;
  610. char *xoauth = NULL;
  611. /* Generate the message */
  612. xoauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
  613. if(!xoauth)
  614. return CURLE_OUT_OF_MEMORY;
  615. /* Base64 encode the reply */
  616. result = Curl_base64_encode(data, xoauth, strlen(xoauth), outptr, outlen);
  617. Curl_safefree(xoauth);
  618. return result;
  619. }
  620. /*
  621. * Curl_sasl_cleanup()
  622. *
  623. * This is used to cleanup any libraries or curl modules used by the sasl
  624. * functions.
  625. *
  626. * Parameters:
  627. *
  628. * conn [in] - Pointer to the connection data.
  629. * authused [in] - The authentication mechanism used.
  630. */
  631. void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused)
  632. {
  633. #if defined(USE_KRB5)
  634. /* Cleanup the gssapi structure */
  635. if(authused == SASL_MECH_GSSAPI) {
  636. Curl_sasl_gssapi_cleanup(&conn->krb5);
  637. }
  638. #ifdef USE_NTLM
  639. /* Cleanup the ntlm structure */
  640. else if(authused == SASL_MECH_NTLM) {
  641. Curl_ntlm_sspi_cleanup(&conn->ntlm);
  642. }
  643. #endif
  644. #else
  645. /* Reserved for future use */
  646. (void)conn;
  647. (void)authused;
  648. #endif
  649. }