xref: /curl/lib/curl_sasl.h (revision 1485e892)
1 #ifndef HEADER_CURL_SASL_H
2 #define HEADER_CURL_SASL_H
3 /***************************************************************************
4  *                                  _   _ ____  _
5  *  Project                     ___| | | |  _ \| |
6  *                             / __| | | | |_) | |
7  *                            | (__| |_| |  _ <| |___
8  *                             \___|\___/|_| \_\_____|
9  *
10  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
11  *
12  * This software is licensed as described in the file COPYING, which
13  * you should have received as part of this distribution. The terms
14  * are also available at https://curl.se/docs/copyright.html.
15  *
16  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17  * copies of the Software, and permit persons to whom the Software is
18  * furnished to do so, under the terms of the COPYING file.
19  *
20  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21  * KIND, either express or implied.
22  *
23  * SPDX-License-Identifier: curl
24  *
25  ***************************************************************************/
26 
27 #include <curl/curl.h>
28 
29 #include "bufref.h"
30 
31 struct Curl_easy;
32 struct connectdata;
33 
34 /* Authentication mechanism flags */
35 #define SASL_MECH_LOGIN             (1 << 0)
36 #define SASL_MECH_PLAIN             (1 << 1)
37 #define SASL_MECH_CRAM_MD5          (1 << 2)
38 #define SASL_MECH_DIGEST_MD5        (1 << 3)
39 #define SASL_MECH_GSSAPI            (1 << 4)
40 #define SASL_MECH_EXTERNAL          (1 << 5)
41 #define SASL_MECH_NTLM              (1 << 6)
42 #define SASL_MECH_XOAUTH2           (1 << 7)
43 #define SASL_MECH_OAUTHBEARER       (1 << 8)
44 #define SASL_MECH_SCRAM_SHA_1       (1 << 9)
45 #define SASL_MECH_SCRAM_SHA_256     (1 << 10)
46 
47 /* Authentication mechanism values */
48 #define SASL_AUTH_NONE          0
49 #define SASL_AUTH_ANY           0xffff
50 #define SASL_AUTH_DEFAULT       (SASL_AUTH_ANY & ~SASL_MECH_EXTERNAL)
51 
52 /* Authentication mechanism strings */
53 #define SASL_MECH_STRING_LOGIN          "LOGIN"
54 #define SASL_MECH_STRING_PLAIN          "PLAIN"
55 #define SASL_MECH_STRING_CRAM_MD5       "CRAM-MD5"
56 #define SASL_MECH_STRING_DIGEST_MD5     "DIGEST-MD5"
57 #define SASL_MECH_STRING_GSSAPI         "GSSAPI"
58 #define SASL_MECH_STRING_EXTERNAL       "EXTERNAL"
59 #define SASL_MECH_STRING_NTLM           "NTLM"
60 #define SASL_MECH_STRING_XOAUTH2        "XOAUTH2"
61 #define SASL_MECH_STRING_OAUTHBEARER    "OAUTHBEARER"
62 #define SASL_MECH_STRING_SCRAM_SHA_1    "SCRAM-SHA-1"
63 #define SASL_MECH_STRING_SCRAM_SHA_256  "SCRAM-SHA-256"
64 
65 /* SASL flags */
66 #define SASL_FLAG_BASE64        0x0001  /* Messages are base64-encoded */
67 
68 /* SASL machine states */
69 typedef enum {
70   SASL_STOP,
71   SASL_PLAIN,
72   SASL_LOGIN,
73   SASL_LOGIN_PASSWD,
74   SASL_EXTERNAL,
75   SASL_CRAMMD5,
76   SASL_DIGESTMD5,
77   SASL_DIGESTMD5_RESP,
78   SASL_NTLM,
79   SASL_NTLM_TYPE2MSG,
80   SASL_GSSAPI,
81   SASL_GSSAPI_TOKEN,
82   SASL_GSSAPI_NO_DATA,
83   SASL_OAUTH2,
84   SASL_OAUTH2_RESP,
85   SASL_GSASL,
86   SASL_CANCEL,
87   SASL_FINAL
88 } saslstate;
89 
90 /* Progress indicator */
91 typedef enum {
92   SASL_IDLE,
93   SASL_INPROGRESS,
94   SASL_DONE
95 } saslprogress;
96 
97 /* Protocol dependent SASL parameters */
98 struct SASLproto {
99   const char *service;     /* The service name */
100   CURLcode (*sendauth)(struct Curl_easy *data, const char *mech,
101                        const struct bufref *ir);
102                            /* Send authentication command */
103   CURLcode (*contauth)(struct Curl_easy *data, const char *mech,
104                        const struct bufref *contauth);
105                            /* Send authentication continuation */
106   CURLcode (*cancelauth)(struct Curl_easy *data, const char *mech);
107                            /* Cancel authentication. */
108   CURLcode (*getmessage)(struct Curl_easy *data, struct bufref *out);
109                            /* Get SASL response message */
110   size_t maxirlen;         /* Maximum initial response + mechanism length,
111                               or zero if no max. This is normally the max
112                               command length - other characters count.
113                               This has to be zero for non-base64 protocols. */
114   int contcode;            /* Code to receive when continuation is expected */
115   int finalcode;           /* Code to receive upon authentication success */
116   unsigned short defmechs; /* Mechanisms enabled by default */
117   unsigned short flags;    /* Configuration flags. */
118 };
119 
120 /* Per-connection parameters */
121 struct SASL {
122   const struct SASLproto *params; /* Protocol dependent parameters */
123   saslstate state;           /* Current machine state */
124   const char *curmech;       /* Current mechanism id. */
125   unsigned short authmechs;  /* Accepted authentication mechanisms */
126   unsigned short prefmech;   /* Preferred authentication mechanism */
127   unsigned short authused;   /* Auth mechanism used for the connection */
128   BIT(resetprefs);           /* For URL auth option parsing. */
129   BIT(mutual_auth);          /* Mutual authentication enabled (GSSAPI only) */
130   BIT(force_ir);             /* Protocol always supports initial response */
131 };
132 
133 /* This is used to test whether the line starts with the given mechanism */
134 #define sasl_mech_equal(line, wordlen, mech) \
135   (wordlen == (sizeof(mech) - 1) / sizeof(char) && \
136    !memcmp(line, mech, wordlen))
137 
138 /* This is used to cleanup any libraries or curl modules used by the sasl
139    functions */
140 void Curl_sasl_cleanup(struct connectdata *conn, unsigned short authused);
141 
142 /* Convert a mechanism name to a token */
143 unsigned short Curl_sasl_decode_mech(const char *ptr,
144                                      size_t maxlen, size_t *len);
145 
146 /* Parse the URL login options */
147 CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
148                                          const char *value, size_t len);
149 
150 /* Initializes an SASL structure */
151 void Curl_sasl_init(struct SASL *sasl, struct Curl_easy *data,
152                     const struct SASLproto *params);
153 
154 /* Check if we have enough auth data and capabilities to authenticate */
155 bool Curl_sasl_can_authenticate(struct SASL *sasl, struct Curl_easy *data);
156 
157 /* Calculate the required login details for SASL authentication  */
158 CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data,
159                          bool force_ir, saslprogress *progress);
160 
161 /* Continue an SASL authentication  */
162 CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
163                             int code, saslprogress *progress);
164 
165 #endif /* HEADER_CURL_SASL_H */
166