1#ifndef HEADER_CURL_SASL_H 2#define HEADER_CURL_SASL_H 3/*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at https://curl.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 * SPDX-License-Identifier: curl 24 * 25 ***************************************************************************/ 26 27#include <curl/curl.h> 28 29#include "bufref.h" 30 31struct Curl_easy; 32struct connectdata; 33 34/* Authentication mechanism flags */ 35#define SASL_MECH_LOGIN (1 << 0) 36#define SASL_MECH_PLAIN (1 << 1) 37#define SASL_MECH_CRAM_MD5 (1 << 2) 38#define SASL_MECH_DIGEST_MD5 (1 << 3) 39#define SASL_MECH_GSSAPI (1 << 4) 40#define SASL_MECH_EXTERNAL (1 << 5) 41#define SASL_MECH_NTLM (1 << 6) 42#define SASL_MECH_XOAUTH2 (1 << 7) 43#define SASL_MECH_OAUTHBEARER (1 << 8) 44#define SASL_MECH_SCRAM_SHA_1 (1 << 9) 45#define SASL_MECH_SCRAM_SHA_256 (1 << 10) 46 47/* Authentication mechanism values */ 48#define SASL_AUTH_NONE 0 49#define SASL_AUTH_ANY 0xffff 50#define SASL_AUTH_DEFAULT (SASL_AUTH_ANY & ~SASL_MECH_EXTERNAL) 51 52/* Authentication mechanism strings */ 53#define SASL_MECH_STRING_LOGIN "LOGIN" 54#define SASL_MECH_STRING_PLAIN "PLAIN" 55#define SASL_MECH_STRING_CRAM_MD5 "CRAM-MD5" 56#define SASL_MECH_STRING_DIGEST_MD5 "DIGEST-MD5" 57#define SASL_MECH_STRING_GSSAPI "GSSAPI" 58#define SASL_MECH_STRING_EXTERNAL "EXTERNAL" 59#define SASL_MECH_STRING_NTLM "NTLM" 60#define SASL_MECH_STRING_XOAUTH2 "XOAUTH2" 61#define SASL_MECH_STRING_OAUTHBEARER "OAUTHBEARER" 62#define SASL_MECH_STRING_SCRAM_SHA_1 "SCRAM-SHA-1" 63#define SASL_MECH_STRING_SCRAM_SHA_256 "SCRAM-SHA-256" 64 65/* SASL flags */ 66#define SASL_FLAG_BASE64 0x0001 /* Messages are base64-encoded */ 67 68/* SASL machine states */ 69typedef enum { 70 SASL_STOP, 71 SASL_PLAIN, 72 SASL_LOGIN, 73 SASL_LOGIN_PASSWD, 74 SASL_EXTERNAL, 75 SASL_CRAMMD5, 76 SASL_DIGESTMD5, 77 SASL_DIGESTMD5_RESP, 78 SASL_NTLM, 79 SASL_NTLM_TYPE2MSG, 80 SASL_GSSAPI, 81 SASL_GSSAPI_TOKEN, 82 SASL_GSSAPI_NO_DATA, 83 SASL_OAUTH2, 84 SASL_OAUTH2_RESP, 85 SASL_GSASL, 86 SASL_CANCEL, 87 SASL_FINAL 88} saslstate; 89 90/* Progress indicator */ 91typedef enum { 92 SASL_IDLE, 93 SASL_INPROGRESS, 94 SASL_DONE 95} saslprogress; 96 97/* Protocol dependent SASL parameters */ 98struct SASLproto { 99 const char *service; /* The service name */ 100 CURLcode (*sendauth)(struct Curl_easy *data, const char *mech, 101 const struct bufref *ir); 102 /* Send authentication command */ 103 CURLcode (*contauth)(struct Curl_easy *data, const char *mech, 104 const struct bufref *contauth); 105 /* Send authentication continuation */ 106 CURLcode (*cancelauth)(struct Curl_easy *data, const char *mech); 107 /* Cancel authentication. */ 108 CURLcode (*getmessage)(struct Curl_easy *data, struct bufref *out); 109 /* Get SASL response message */ 110 size_t maxirlen; /* Maximum initial response + mechanism length, 111 or zero if no max. This is normally the max 112 command length - other characters count. 113 This has to be zero for non-base64 protocols. */ 114 int contcode; /* Code to receive when continuation is expected */ 115 int finalcode; /* Code to receive upon authentication success */ 116 unsigned short defmechs; /* Mechanisms enabled by default */ 117 unsigned short flags; /* Configuration flags. */ 118}; 119 120/* Per-connection parameters */ 121struct SASL { 122 const struct SASLproto *params; /* Protocol dependent parameters */ 123 saslstate state; /* Current machine state */ 124 const char *curmech; /* Current mechanism id. */ 125 unsigned short authmechs; /* Accepted authentication mechanisms */ 126 unsigned short prefmech; /* Preferred authentication mechanism */ 127 unsigned short authused; /* Auth mechanism used for the connection */ 128 BIT(resetprefs); /* For URL auth option parsing. */ 129 BIT(mutual_auth); /* Mutual authentication enabled (GSSAPI only) */ 130 BIT(force_ir); /* Protocol always supports initial response */ 131}; 132 133/* This is used to test whether the line starts with the given mechanism */ 134#define sasl_mech_equal(line, wordlen, mech) \ 135 (wordlen == (sizeof(mech) - 1) / sizeof(char) && \ 136 !memcmp(line, mech, wordlen)) 137 138/* This is used to cleanup any libraries or curl modules used by the sasl 139 functions */ 140void Curl_sasl_cleanup(struct connectdata *conn, unsigned short authused); 141 142/* Convert a mechanism name to a token */ 143unsigned short Curl_sasl_decode_mech(const char *ptr, 144 size_t maxlen, size_t *len); 145 146/* Parse the URL login options */ 147CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl, 148 const char *value, size_t len); 149 150/* Initializes an SASL structure */ 151void Curl_sasl_init(struct SASL *sasl, struct Curl_easy *data, 152 const struct SASLproto *params); 153 154/* Check if we have enough auth data and capabilities to authenticate */ 155bool Curl_sasl_can_authenticate(struct SASL *sasl, struct Curl_easy *data); 156 157/* Calculate the required login details for SASL authentication */ 158CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, 159 bool force_ir, saslprogress *progress); 160 161/* Continue an SASL authentication */ 162CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, 163 int code, saslprogress *progress); 164 165#endif /* HEADER_CURL_SASL_H */ 166