xref: /curl/lib/curl_sasl.c (revision c074ba64)
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  * SPDX-License-Identifier: curl
22  *
23  * RFC2195 CRAM-MD5 authentication
24  * RFC2617 Basic and Digest Access Authentication
25  * RFC2831 DIGEST-MD5 authentication
26  * RFC4422 Simple Authentication and Security Layer (SASL)
27  * RFC4616 PLAIN authentication
28  * RFC5802 SCRAM-SHA-1 authentication
29  * RFC7677 SCRAM-SHA-256 authentication
30  * RFC6749 OAuth 2.0 Authorization Framework
31  * RFC7628 A Set of SASL Mechanisms for OAuth
32  * Draft   LOGIN SASL Mechanism <draft-murchison-sasl-login-00.txt>
33  *
34  ***************************************************************************/
35 
36 #include "curl_setup.h"
37 
38 #if !defined(CURL_DISABLE_IMAP) || !defined(CURL_DISABLE_SMTP) || \
39   !defined(CURL_DISABLE_POP3) || \
40   (!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP))
41 
42 #include <curl/curl.h>
43 #include "urldata.h"
44 
45 #include "curl_base64.h"
46 #include "curl_md5.h"
47 #include "vauth/vauth.h"
48 #include "cfilters.h"
49 #include "vtls/vtls.h"
50 #include "curl_hmac.h"
51 #include "curl_sasl.h"
52 #include "warnless.h"
53 #include "strtok.h"
54 #include "sendf.h"
55 /* The last 3 #include files should be in this order */
56 #include "curl_printf.h"
57 #include "curl_memory.h"
58 #include "memdebug.h"
59 
60 /* Supported mechanisms */
61 static const struct {
62   const char    *name;  /* Name */
63   size_t         len;   /* Name length */
64   unsigned short bit;   /* Flag bit */
65 } mechtable[] = {
66   { "LOGIN",        5,  SASL_MECH_LOGIN },
67   { "PLAIN",        5,  SASL_MECH_PLAIN },
68   { "CRAM-MD5",     8,  SASL_MECH_CRAM_MD5 },
69   { "DIGEST-MD5",   10, SASL_MECH_DIGEST_MD5 },
70   { "GSSAPI",       6,  SASL_MECH_GSSAPI },
71   { "EXTERNAL",     8,  SASL_MECH_EXTERNAL },
72   { "NTLM",         4,  SASL_MECH_NTLM },
73   { "XOAUTH2",      7,  SASL_MECH_XOAUTH2 },
74   { "OAUTHBEARER",  11, SASL_MECH_OAUTHBEARER },
75   { "SCRAM-SHA-1",  11, SASL_MECH_SCRAM_SHA_1 },
76   { "SCRAM-SHA-256",13, SASL_MECH_SCRAM_SHA_256 },
77   { ZERO_NULL,      0,  0 }
78 };
79 
80 /*
81  * Curl_sasl_cleanup()
82  *
83  * This is used to cleanup any libraries or curl modules used by the sasl
84  * functions.
85  *
86  * Parameters:
87  *
88  * conn     [in]     - The connection data.
89  * authused [in]     - The authentication mechanism used.
90  */
Curl_sasl_cleanup(struct connectdata * conn,unsigned short authused)91 void Curl_sasl_cleanup(struct connectdata *conn, unsigned short authused)
92 {
93   (void)conn;
94   (void)authused;
95 
96 #if defined(USE_KERBEROS5)
97   /* Cleanup the gssapi structure */
98   if(authused == SASL_MECH_GSSAPI) {
99     Curl_auth_cleanup_gssapi(&conn->krb5);
100   }
101 #endif
102 
103 #if defined(USE_GSASL)
104   /* Cleanup the GSASL structure */
105   if(authused & (SASL_MECH_SCRAM_SHA_1 | SASL_MECH_SCRAM_SHA_256)) {
106     Curl_auth_gsasl_cleanup(&conn->gsasl);
107   }
108 #endif
109 
110 #if defined(USE_NTLM)
111   /* Cleanup the NTLM structure */
112   if(authused == SASL_MECH_NTLM) {
113     Curl_auth_cleanup_ntlm(&conn->ntlm);
114   }
115 #endif
116 }
117 
118 /*
119  * Curl_sasl_decode_mech()
120  *
121  * Convert a SASL mechanism name into a token.
122  *
123  * Parameters:
124  *
125  * ptr    [in]     - The mechanism string.
126  * maxlen [in]     - Maximum mechanism string length.
127  * len    [out]    - If not NULL, effective name length.
128  *
129  * Returns the SASL mechanism token or 0 if no match.
130  */
Curl_sasl_decode_mech(const char * ptr,size_t maxlen,size_t * len)131 unsigned short Curl_sasl_decode_mech(const char *ptr, size_t maxlen,
132                                      size_t *len)
133 {
134   unsigned int i;
135   char c;
136 
137   for(i = 0; mechtable[i].name; i++) {
138     if(maxlen >= mechtable[i].len &&
139        !memcmp(ptr, mechtable[i].name, mechtable[i].len)) {
140       if(len)
141         *len = mechtable[i].len;
142 
143       if(maxlen == mechtable[i].len)
144         return mechtable[i].bit;
145 
146       c = ptr[mechtable[i].len];
147       if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_')
148         return mechtable[i].bit;
149     }
150   }
151 
152   return 0;
153 }
154 
155 /*
156  * Curl_sasl_parse_url_auth_option()
157  *
158  * Parse the URL login options.
159  */
Curl_sasl_parse_url_auth_option(struct SASL * sasl,const char * value,size_t len)160 CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
161                                          const char *value, size_t len)
162 {
163   CURLcode result = CURLE_OK;
164   size_t mechlen;
165 
166   if(!len)
167     return CURLE_URL_MALFORMAT;
168 
169   if(sasl->resetprefs) {
170     sasl->resetprefs = FALSE;
171     sasl->prefmech = SASL_AUTH_NONE;
172   }
173 
174   if(!strncmp(value, "*", len))
175     sasl->prefmech = SASL_AUTH_DEFAULT;
176   else {
177     unsigned short mechbit = Curl_sasl_decode_mech(value, len, &mechlen);
178     if(mechbit && mechlen == len)
179       sasl->prefmech |= mechbit;
180     else
181       result = CURLE_URL_MALFORMAT;
182   }
183 
184   return result;
185 }
186 
187 /*
188  * Curl_sasl_init()
189  *
190  * Initializes the SASL structure.
191  */
Curl_sasl_init(struct SASL * sasl,struct Curl_easy * data,const struct SASLproto * params)192 void Curl_sasl_init(struct SASL *sasl, struct Curl_easy *data,
193                     const struct SASLproto *params)
194 {
195   unsigned long auth = data->set.httpauth;
196 
197   sasl->params = params;           /* Set protocol dependent parameters */
198   sasl->state = SASL_STOP;         /* Not yet running */
199   sasl->curmech = NULL;            /* No mechanism yet. */
200   sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */
201   sasl->prefmech = params->defmechs; /* Default preferred mechanisms */
202   sasl->authused = SASL_AUTH_NONE; /* The authentication mechanism used */
203   sasl->resetprefs = TRUE;         /* Reset prefmech upon AUTH parsing. */
204   sasl->mutual_auth = FALSE;       /* No mutual authentication (GSSAPI only) */
205   sasl->force_ir = FALSE;          /* Respect external option */
206 
207   if(auth != CURLAUTH_BASIC) {
208     unsigned short mechs = SASL_AUTH_NONE;
209 
210     /* If some usable http authentication options have been set, determine
211        new defaults from them. */
212     if(auth & CURLAUTH_BASIC)
213       mechs |= SASL_MECH_PLAIN | SASL_MECH_LOGIN;
214     if(auth & CURLAUTH_DIGEST)
215       mechs |= SASL_MECH_DIGEST_MD5;
216     if(auth & CURLAUTH_NTLM)
217       mechs |= SASL_MECH_NTLM;
218     if(auth & CURLAUTH_BEARER)
219       mechs |= SASL_MECH_OAUTHBEARER | SASL_MECH_XOAUTH2;
220     if(auth & CURLAUTH_GSSAPI)
221       mechs |= SASL_MECH_GSSAPI;
222 
223     if(mechs != SASL_AUTH_NONE)
224       sasl->prefmech = mechs;
225   }
226 }
227 
228 /*
229  * sasl_state()
230  *
231  * This is the ONLY way to change SASL state!
232  */
sasl_state(struct SASL * sasl,struct Curl_easy * data,saslstate newstate)233 static void sasl_state(struct SASL *sasl, struct Curl_easy *data,
234                        saslstate newstate)
235 {
236 #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
237   /* for debug purposes */
238   static const char * const names[]={
239     "STOP",
240     "PLAIN",
241     "LOGIN",
242     "LOGIN_PASSWD",
243     "EXTERNAL",
244     "CRAMMD5",
245     "DIGESTMD5",
246     "DIGESTMD5_RESP",
247     "NTLM",
248     "NTLM_TYPE2MSG",
249     "GSSAPI",
250     "GSSAPI_TOKEN",
251     "GSSAPI_NO_DATA",
252     "OAUTH2",
253     "OAUTH2_RESP",
254     "GSASL",
255     "CANCEL",
256     "FINAL",
257     /* LAST */
258   };
259 
260   if(sasl->state != newstate)
261     infof(data, "SASL %p state change from %s to %s",
262           (void *)sasl, names[sasl->state], names[newstate]);
263 #else
264   (void) data;
265 #endif
266 
267   sasl->state = newstate;
268 }
269 
270 #if defined(USE_NTLM) || defined(USE_GSASL) || defined(USE_KERBEROS5) || \
271   !defined(CURL_DISABLE_DIGEST_AUTH)
272 /* Get the SASL server message and convert it to binary. */
get_server_message(struct SASL * sasl,struct Curl_easy * data,struct bufref * out)273 static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data,
274                                    struct bufref *out)
275 {
276   CURLcode result = CURLE_OK;
277 
278   result = sasl->params->getmessage(data, out);
279   if(!result && (sasl->params->flags & SASL_FLAG_BASE64)) {
280     unsigned char *msg;
281     size_t msglen;
282     const char *serverdata = (const char *) Curl_bufref_ptr(out);
283 
284     if(!*serverdata || *serverdata == '=')
285       Curl_bufref_set(out, NULL, 0, NULL);
286     else {
287       result = Curl_base64_decode(serverdata, &msg, &msglen);
288       if(!result)
289         Curl_bufref_set(out, msg, msglen, curl_free);
290     }
291   }
292   return result;
293 }
294 #endif
295 
296 /* Encode the outgoing SASL message. */
build_message(struct SASL * sasl,struct bufref * msg)297 static CURLcode build_message(struct SASL *sasl, struct bufref *msg)
298 {
299   CURLcode result = CURLE_OK;
300 
301   if(sasl->params->flags & SASL_FLAG_BASE64) {
302     if(!Curl_bufref_ptr(msg))                   /* Empty message. */
303       Curl_bufref_set(msg, "", 0, NULL);
304     else if(!Curl_bufref_len(msg))              /* Explicit empty response. */
305       Curl_bufref_set(msg, "=", 1, NULL);
306     else {
307       char *base64;
308       size_t base64len;
309 
310       result = Curl_base64_encode((const char *) Curl_bufref_ptr(msg),
311                                   Curl_bufref_len(msg), &base64, &base64len);
312       if(!result)
313         Curl_bufref_set(msg, base64, base64len, curl_free);
314     }
315   }
316 
317   return result;
318 }
319 
320 /*
321  * Curl_sasl_can_authenticate()
322  *
323  * Check if we have enough auth data and capabilities to authenticate.
324  */
Curl_sasl_can_authenticate(struct SASL * sasl,struct Curl_easy * data)325 bool Curl_sasl_can_authenticate(struct SASL *sasl, struct Curl_easy *data)
326 {
327   /* Have credentials been provided? */
328   if(data->state.aptr.user)
329     return TRUE;
330 
331   /* EXTERNAL can authenticate without a username and/or password */
332   if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL)
333     return TRUE;
334 
335   return FALSE;
336 }
337 
338 /*
339  * Curl_sasl_start()
340  *
341  * Calculate the required login details for SASL authentication.
342  */
Curl_sasl_start(struct SASL * sasl,struct Curl_easy * data,bool force_ir,saslprogress * progress)343 CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data,
344                          bool force_ir, saslprogress *progress)
345 {
346   CURLcode result = CURLE_OK;
347   struct connectdata *conn = data->conn;
348   unsigned short enabledmechs;
349   const char *mech = NULL;
350   struct bufref resp;
351   saslstate state1 = SASL_STOP;
352   saslstate state2 = SASL_FINAL;
353   const char *hostname, *disp_hostname;
354   int port;
355 #if defined(USE_KERBEROS5) || defined(USE_NTLM)
356   const char *service = data->set.str[STRING_SERVICE_NAME] ?
357     data->set.str[STRING_SERVICE_NAME] :
358     sasl->params->service;
359 #endif
360   const char *oauth_bearer = data->set.str[STRING_BEARER];
361   struct bufref nullmsg;
362 
363   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);
364   Curl_bufref_init(&nullmsg);
365   Curl_bufref_init(&resp);
366   sasl->force_ir = force_ir;    /* Latch for future use */
367   sasl->authused = 0;           /* No mechanism used yet */
368   enabledmechs = sasl->authmechs & sasl->prefmech;
369   *progress = SASL_IDLE;
370 
371   /* Calculate the supported authentication mechanism, by decreasing order of
372      security, as well as the initial response where appropriate */
373   if((enabledmechs & SASL_MECH_EXTERNAL) && !conn->passwd[0]) {
374     mech = SASL_MECH_STRING_EXTERNAL;
375     state1 = SASL_EXTERNAL;
376     sasl->authused = SASL_MECH_EXTERNAL;
377 
378     if(force_ir || data->set.sasl_ir)
379       Curl_auth_create_external_message(conn->user, &resp);
380   }
381   else if(data->state.aptr.user) {
382 #if defined(USE_KERBEROS5)
383     if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() &&
384        Curl_auth_user_contains_domain(conn->user)) {
385       sasl->mutual_auth = FALSE;
386       mech = SASL_MECH_STRING_GSSAPI;
387       state1 = SASL_GSSAPI;
388       state2 = SASL_GSSAPI_TOKEN;
389       sasl->authused = SASL_MECH_GSSAPI;
390 
391       if(force_ir || data->set.sasl_ir)
392         result = Curl_auth_create_gssapi_user_message(data, conn->user,
393                                                       conn->passwd,
394                                                       service,
395                                                       conn->host.name,
396                                                       sasl->mutual_auth,
397                                                       NULL, &conn->krb5,
398                                                       &resp);
399     }
400     else
401 #endif
402 #ifdef USE_GSASL
403     if((enabledmechs & SASL_MECH_SCRAM_SHA_256) &&
404        Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_256,
405                                     &conn->gsasl)) {
406       mech = SASL_MECH_STRING_SCRAM_SHA_256;
407       sasl->authused = SASL_MECH_SCRAM_SHA_256;
408       state1 = SASL_GSASL;
409       state2 = SASL_GSASL;
410 
411       result = Curl_auth_gsasl_start(data, conn->user,
412                                      conn->passwd, &conn->gsasl);
413       if(result == CURLE_OK && (force_ir || data->set.sasl_ir))
414         result = Curl_auth_gsasl_token(data, &nullmsg, &conn->gsasl, &resp);
415     }
416     else if((enabledmechs & SASL_MECH_SCRAM_SHA_1) &&
417             Curl_auth_gsasl_is_supported(data, SASL_MECH_STRING_SCRAM_SHA_1,
418                                          &conn->gsasl)) {
419       mech = SASL_MECH_STRING_SCRAM_SHA_1;
420       sasl->authused = SASL_MECH_SCRAM_SHA_1;
421       state1 = SASL_GSASL;
422       state2 = SASL_GSASL;
423 
424       result = Curl_auth_gsasl_start(data, conn->user,
425                                      conn->passwd, &conn->gsasl);
426       if(result == CURLE_OK && (force_ir || data->set.sasl_ir))
427         result = Curl_auth_gsasl_token(data, &nullmsg, &conn->gsasl, &resp);
428     }
429     else
430 #endif
431 #ifndef CURL_DISABLE_DIGEST_AUTH
432     if((enabledmechs & SASL_MECH_DIGEST_MD5) &&
433        Curl_auth_is_digest_supported()) {
434       mech = SASL_MECH_STRING_DIGEST_MD5;
435       state1 = SASL_DIGESTMD5;
436       sasl->authused = SASL_MECH_DIGEST_MD5;
437     }
438     else if(enabledmechs & SASL_MECH_CRAM_MD5) {
439       mech = SASL_MECH_STRING_CRAM_MD5;
440       state1 = SASL_CRAMMD5;
441       sasl->authused = SASL_MECH_CRAM_MD5;
442     }
443     else
444 #endif
445 #ifdef USE_NTLM
446     if((enabledmechs & SASL_MECH_NTLM) && Curl_auth_is_ntlm_supported()) {
447       mech = SASL_MECH_STRING_NTLM;
448       state1 = SASL_NTLM;
449       state2 = SASL_NTLM_TYPE2MSG;
450       sasl->authused = SASL_MECH_NTLM;
451 
452       if(force_ir || data->set.sasl_ir)
453         result = Curl_auth_create_ntlm_type1_message(data,
454                                                      conn->user, conn->passwd,
455                                                      service,
456                                                      hostname,
457                                                      &conn->ntlm, &resp);
458       }
459     else
460 #endif
461     if((enabledmechs & SASL_MECH_OAUTHBEARER) && oauth_bearer) {
462       mech = SASL_MECH_STRING_OAUTHBEARER;
463       state1 = SASL_OAUTH2;
464       state2 = SASL_OAUTH2_RESP;
465       sasl->authused = SASL_MECH_OAUTHBEARER;
466 
467       if(force_ir || data->set.sasl_ir)
468         result = Curl_auth_create_oauth_bearer_message(conn->user,
469                                                        hostname,
470                                                        port,
471                                                        oauth_bearer,
472                                                        &resp);
473     }
474     else if((enabledmechs & SASL_MECH_XOAUTH2) && oauth_bearer) {
475       mech = SASL_MECH_STRING_XOAUTH2;
476       state1 = SASL_OAUTH2;
477       sasl->authused = SASL_MECH_XOAUTH2;
478 
479       if(force_ir || data->set.sasl_ir)
480         result = Curl_auth_create_xoauth_bearer_message(conn->user,
481                                                         oauth_bearer,
482                                                         &resp);
483     }
484     else if(enabledmechs & SASL_MECH_PLAIN) {
485       mech = SASL_MECH_STRING_PLAIN;
486       state1 = SASL_PLAIN;
487       sasl->authused = SASL_MECH_PLAIN;
488 
489       if(force_ir || data->set.sasl_ir)
490         result = Curl_auth_create_plain_message(conn->sasl_authzid,
491                                                 conn->user, conn->passwd,
492                                                 &resp);
493     }
494     else if(enabledmechs & SASL_MECH_LOGIN) {
495       mech = SASL_MECH_STRING_LOGIN;
496       state1 = SASL_LOGIN;
497       state2 = SASL_LOGIN_PASSWD;
498       sasl->authused = SASL_MECH_LOGIN;
499 
500       if(force_ir || data->set.sasl_ir)
501         Curl_auth_create_login_message(conn->user, &resp);
502     }
503   }
504 
505   if(!result && mech) {
506     sasl->curmech = mech;
507     if(Curl_bufref_ptr(&resp))
508       result = build_message(sasl, &resp);
509 
510     if(sasl->params->maxirlen &&
511        strlen(mech) + Curl_bufref_len(&resp) > sasl->params->maxirlen)
512       Curl_bufref_free(&resp);
513 
514     if(!result)
515       result = sasl->params->sendauth(data, mech, &resp);
516 
517     if(!result) {
518       *progress = SASL_INPROGRESS;
519       sasl_state(sasl, data, Curl_bufref_ptr(&resp) ? state2 : state1);
520     }
521   }
522 
523   Curl_bufref_free(&resp);
524   return result;
525 }
526 
527 /*
528  * Curl_sasl_continue()
529  *
530  * Continue the authentication.
531  */
Curl_sasl_continue(struct SASL * sasl,struct Curl_easy * data,int code,saslprogress * progress)532 CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
533                             int code, saslprogress *progress)
534 {
535   CURLcode result = CURLE_OK;
536   struct connectdata *conn = data->conn;
537   saslstate newstate = SASL_FINAL;
538   struct bufref resp;
539   const char *hostname, *disp_hostname;
540   int port;
541 #if defined(USE_KERBEROS5) || defined(USE_NTLM) \
542     || !defined(CURL_DISABLE_DIGEST_AUTH)
543   const char *service = data->set.str[STRING_SERVICE_NAME] ?
544     data->set.str[STRING_SERVICE_NAME] :
545     sasl->params->service;
546 #endif
547   const char *oauth_bearer = data->set.str[STRING_BEARER];
548   struct bufref serverdata;
549 
550   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);
551   Curl_bufref_init(&serverdata);
552   Curl_bufref_init(&resp);
553   *progress = SASL_INPROGRESS;
554 
555   if(sasl->state == SASL_FINAL) {
556     if(code != sasl->params->finalcode)
557       result = CURLE_LOGIN_DENIED;
558     *progress = SASL_DONE;
559     sasl_state(sasl, data, SASL_STOP);
560     return result;
561   }
562 
563   if(sasl->state != SASL_CANCEL && sasl->state != SASL_OAUTH2_RESP &&
564      code != sasl->params->contcode) {
565     *progress = SASL_DONE;
566     sasl_state(sasl, data, SASL_STOP);
567     return CURLE_LOGIN_DENIED;
568   }
569 
570   switch(sasl->state) {
571   case SASL_STOP:
572     *progress = SASL_DONE;
573     return result;
574   case SASL_PLAIN:
575     result = Curl_auth_create_plain_message(conn->sasl_authzid,
576                                             conn->user, conn->passwd, &resp);
577     break;
578   case SASL_LOGIN:
579     Curl_auth_create_login_message(conn->user, &resp);
580     newstate = SASL_LOGIN_PASSWD;
581     break;
582   case SASL_LOGIN_PASSWD:
583     Curl_auth_create_login_message(conn->passwd, &resp);
584     break;
585   case SASL_EXTERNAL:
586     Curl_auth_create_external_message(conn->user, &resp);
587     break;
588 #ifdef USE_GSASL
589   case SASL_GSASL:
590     result = get_server_message(sasl, data, &serverdata);
591     if(!result)
592       result = Curl_auth_gsasl_token(data, &serverdata, &conn->gsasl, &resp);
593     if(!result && Curl_bufref_len(&resp) > 0)
594       newstate = SASL_GSASL;
595     break;
596 #endif
597 #ifndef CURL_DISABLE_DIGEST_AUTH
598   case SASL_CRAMMD5:
599     result = get_server_message(sasl, data, &serverdata);
600     if(!result)
601       result = Curl_auth_create_cram_md5_message(&serverdata, conn->user,
602                                                  conn->passwd, &resp);
603     break;
604   case SASL_DIGESTMD5:
605     result = get_server_message(sasl, data, &serverdata);
606     if(!result)
607       result = Curl_auth_create_digest_md5_message(data, &serverdata,
608                                                    conn->user, conn->passwd,
609                                                    service, &resp);
610     if(!result && (sasl->params->flags & SASL_FLAG_BASE64))
611       newstate = SASL_DIGESTMD5_RESP;
612     break;
613   case SASL_DIGESTMD5_RESP:
614     /* Keep response NULL to output an empty line. */
615     break;
616 #endif
617 
618 #ifdef USE_NTLM
619   case SASL_NTLM:
620     /* Create the type-1 message */
621     result = Curl_auth_create_ntlm_type1_message(data,
622                                                  conn->user, conn->passwd,
623                                                  service, hostname,
624                                                  &conn->ntlm, &resp);
625     newstate = SASL_NTLM_TYPE2MSG;
626     break;
627   case SASL_NTLM_TYPE2MSG:
628     /* Decode the type-2 message */
629     result = get_server_message(sasl, data, &serverdata);
630     if(!result)
631       result = Curl_auth_decode_ntlm_type2_message(data, &serverdata,
632                                                    &conn->ntlm);
633     if(!result)
634       result = Curl_auth_create_ntlm_type3_message(data, conn->user,
635                                                    conn->passwd, &conn->ntlm,
636                                                    &resp);
637     break;
638 #endif
639 
640 #if defined(USE_KERBEROS5)
641   case SASL_GSSAPI:
642     result = Curl_auth_create_gssapi_user_message(data, conn->user,
643                                                   conn->passwd,
644                                                   service,
645                                                   conn->host.name,
646                                                   sasl->mutual_auth, NULL,
647                                                   &conn->krb5,
648                                                   &resp);
649     newstate = SASL_GSSAPI_TOKEN;
650     break;
651   case SASL_GSSAPI_TOKEN:
652     result = get_server_message(sasl, data, &serverdata);
653     if(!result) {
654       if(sasl->mutual_auth) {
655         /* Decode the user token challenge and create the optional response
656            message */
657         result = Curl_auth_create_gssapi_user_message(data, NULL, NULL,
658                                                       NULL, NULL,
659                                                       sasl->mutual_auth,
660                                                       &serverdata,
661                                                       &conn->krb5,
662                                                       &resp);
663         newstate = SASL_GSSAPI_NO_DATA;
664       }
665       else
666         /* Decode the security challenge and create the response message */
667         result = Curl_auth_create_gssapi_security_message(data,
668                                                           conn->sasl_authzid,
669                                                           &serverdata,
670                                                           &conn->krb5,
671                                                           &resp);
672     }
673     break;
674   case SASL_GSSAPI_NO_DATA:
675     /* Decode the security challenge and create the response message */
676     result = get_server_message(sasl, data, &serverdata);
677     if(!result)
678       result = Curl_auth_create_gssapi_security_message(data,
679                                                         conn->sasl_authzid,
680                                                         &serverdata,
681                                                         &conn->krb5,
682                                                         &resp);
683     break;
684 #endif
685 
686   case SASL_OAUTH2:
687     /* Create the authorization message */
688     if(sasl->authused == SASL_MECH_OAUTHBEARER) {
689       result = Curl_auth_create_oauth_bearer_message(conn->user,
690                                                      hostname,
691                                                      port,
692                                                      oauth_bearer,
693                                                      &resp);
694 
695       /* Failures maybe sent by the server as continuations for OAUTHBEARER */
696       newstate = SASL_OAUTH2_RESP;
697     }
698     else
699       result = Curl_auth_create_xoauth_bearer_message(conn->user,
700                                                       oauth_bearer,
701                                                       &resp);
702     break;
703 
704   case SASL_OAUTH2_RESP:
705     /* The continuation is optional so check the response code */
706     if(code == sasl->params->finalcode) {
707       /* Final response was received so we are done */
708       *progress = SASL_DONE;
709       sasl_state(sasl, data, SASL_STOP);
710       return result;
711     }
712     else if(code == sasl->params->contcode) {
713       /* Acknowledge the continuation by sending a 0x01 response. */
714       Curl_bufref_set(&resp, "\x01", 1, NULL);
715       break;
716     }
717     else {
718       *progress = SASL_DONE;
719       sasl_state(sasl, data, SASL_STOP);
720       return CURLE_LOGIN_DENIED;
721     }
722 
723   case SASL_CANCEL:
724     /* Remove the offending mechanism from the supported list */
725     sasl->authmechs ^= sasl->authused;
726 
727     /* Start an alternative SASL authentication */
728     return Curl_sasl_start(sasl, data, sasl->force_ir, progress);
729   default:
730     failf(data, "Unsupported SASL authentication mechanism");
731     result = CURLE_UNSUPPORTED_PROTOCOL;  /* Should not happen */
732     break;
733   }
734 
735   Curl_bufref_free(&serverdata);
736 
737   switch(result) {
738   case CURLE_BAD_CONTENT_ENCODING:
739     /* Cancel dialog */
740     result = sasl->params->cancelauth(data, sasl->curmech);
741     newstate = SASL_CANCEL;
742     break;
743   case CURLE_OK:
744     result = build_message(sasl, &resp);
745     if(!result)
746       result = sasl->params->contauth(data, sasl->curmech, &resp);
747     break;
748   default:
749     newstate = SASL_STOP;    /* Stop on error */
750     *progress = SASL_DONE;
751     break;
752   }
753 
754   Curl_bufref_free(&resp);
755 
756   sasl_state(sasl, data, newstate);
757 
758   return result;
759 }
760 #endif /* protocols are enabled that use SASL */
761