vauth.h (13240B)
1 #ifndef HEADER_CURL_VAUTH_H 2 #define HEADER_CURL_VAUTH_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Steve Holme, <steve_holme@hotmail.com>. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at https://curl.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 * SPDX-License-Identifier: curl 24 * 25 ***************************************************************************/ 26 27 #include <curl/curl.h> 28 29 #include "../bufref.h" 30 #include "../curlx/dynbuf.h" 31 32 struct Curl_easy; 33 struct connectdata; 34 35 #if !defined(CURL_DISABLE_DIGEST_AUTH) 36 struct digestdata; 37 #endif 38 39 #if defined(USE_NTLM) 40 struct ntlmdata; 41 #endif 42 43 #if (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) && defined(USE_SPNEGO) 44 struct negotiatedata; 45 #endif 46 47 #if defined(USE_GSASL) 48 struct gsasldata; 49 #endif 50 51 #ifdef USE_WINDOWS_SSPI 52 #include "../curl_sspi.h" 53 #define GSS_ERROR(status) ((status) & 0x80000000) 54 #endif 55 56 /* 57 * Curl_auth_allowed_to_host() tells if authentication, cookies or other 58 * "sensitive data" can (still) be sent to this host. 59 */ 60 bool Curl_auth_allowed_to_host(struct Curl_easy *data); 61 62 /* This is used to build an SPN string */ 63 #if !defined(USE_WINDOWS_SSPI) 64 char *Curl_auth_build_spn(const char *service, const char *host, 65 const char *realm); 66 #else 67 TCHAR *Curl_auth_build_spn(const char *service, const char *host, 68 const char *realm); 69 #endif 70 71 /* This is used to test if the user contains a Windows domain name */ 72 bool Curl_auth_user_contains_domain(const char *user); 73 74 /* This is used to generate a PLAIN cleartext message */ 75 CURLcode Curl_auth_create_plain_message(const char *authzid, 76 const char *authcid, 77 const char *passwd, 78 struct bufref *out); 79 80 /* This is used to generate a LOGIN cleartext message */ 81 void Curl_auth_create_login_message(const char *value, struct bufref *out); 82 83 /* This is used to generate an EXTERNAL cleartext message */ 84 void Curl_auth_create_external_message(const char *user, struct bufref *out); 85 86 #ifndef CURL_DISABLE_DIGEST_AUTH 87 /* This is used to generate a CRAM-MD5 response message */ 88 CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg, 89 const char *userp, 90 const char *passwdp, 91 struct bufref *out); 92 93 /* This is used to evaluate if DIGEST is supported */ 94 bool Curl_auth_is_digest_supported(void); 95 96 /* This is used to generate a base64 encoded DIGEST-MD5 response message */ 97 CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, 98 const struct bufref *chlg, 99 const char *userp, 100 const char *passwdp, 101 const char *service, 102 struct bufref *out); 103 104 /* This is used to decode an HTTP DIGEST challenge message */ 105 CURLcode Curl_auth_decode_digest_http_message(const char *chlg, 106 struct digestdata *digest); 107 108 /* This is used to generate an HTTP DIGEST response message */ 109 CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, 110 const char *userp, 111 const char *passwdp, 112 const unsigned char *request, 113 const unsigned char *uri, 114 struct digestdata *digest, 115 char **outptr, size_t *outlen); 116 117 /* This is used to clean up the digest specific data */ 118 void Curl_auth_digest_cleanup(struct digestdata *digest); 119 #else 120 #define Curl_auth_is_digest_supported() FALSE 121 #endif /* !CURL_DISABLE_DIGEST_AUTH */ 122 123 #ifdef USE_GSASL 124 125 /* meta key for storing GSASL meta at connection */ 126 #define CURL_META_GSASL_CONN "meta:auth:gsasl:conn" 127 128 #include <gsasl.h> 129 struct gsasldata { 130 Gsasl *ctx; 131 Gsasl_session *client; 132 }; 133 134 struct gsasldata *Curl_auth_gsasl_get(struct connectdata *conn); 135 136 /* This is used to evaluate if MECH is supported by gsasl */ 137 bool Curl_auth_gsasl_is_supported(struct Curl_easy *data, 138 const char *mech, 139 struct gsasldata *gsasl); 140 /* This is used to start a gsasl method */ 141 CURLcode Curl_auth_gsasl_start(struct Curl_easy *data, 142 const char *userp, 143 const char *passwdp, 144 struct gsasldata *gsasl); 145 146 /* This is used to process and generate a new SASL token */ 147 CURLcode Curl_auth_gsasl_token(struct Curl_easy *data, 148 const struct bufref *chlg, 149 struct gsasldata *gsasl, 150 struct bufref *out); 151 152 /* This is used to clean up the gsasl specific data */ 153 void Curl_auth_gsasl_cleanup(struct gsasldata *digest); 154 #endif 155 156 #if defined(USE_NTLM) 157 158 /* meta key for storing NTML meta at connection */ 159 #define CURL_META_NTLM_CONN "meta:auth:ntml:conn" 160 /* meta key for storing NTML-PROXY meta at connection */ 161 #define CURL_META_NTLM_PROXY_CONN "meta:auth:ntml-proxy:conn" 162 163 struct ntlmdata { 164 #ifdef USE_WINDOWS_SSPI 165 /* The sslContext is used for the Schannel bindings. The 166 * api is available on the Windows 7 SDK and later. 167 */ 168 #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS 169 CtxtHandle *sslContext; 170 #endif 171 CredHandle *credentials; 172 CtxtHandle *context; 173 SEC_WINNT_AUTH_IDENTITY identity; 174 SEC_WINNT_AUTH_IDENTITY *p_identity; 175 size_t token_max; 176 BYTE *output_token; 177 BYTE *input_token; 178 size_t input_token_len; 179 TCHAR *spn; 180 #else 181 unsigned int flags; 182 unsigned char nonce[8]; 183 unsigned int target_info_len; 184 void *target_info; /* TargetInfo received in the NTLM type-2 message */ 185 #endif 186 }; 187 188 /* This is used to evaluate if NTLM is supported */ 189 bool Curl_auth_is_ntlm_supported(void); 190 191 struct ntlmdata *Curl_auth_ntlm_get(struct connectdata *conn, bool proxy); 192 void Curl_auth_ntlm_remove(struct connectdata *conn, bool proxy); 193 194 /* This is used to clean up the NTLM specific data */ 195 void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm); 196 197 /* This is used to generate a base64 encoded NTLM type-1 message */ 198 CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data, 199 const char *userp, 200 const char *passwdp, 201 const char *service, 202 const char *host, 203 struct ntlmdata *ntlm, 204 struct bufref *out); 205 206 /* This is used to decode a base64 encoded NTLM type-2 message */ 207 CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data, 208 const struct bufref *type2, 209 struct ntlmdata *ntlm); 210 211 /* This is used to generate a base64 encoded NTLM type-3 message */ 212 CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, 213 const char *userp, 214 const char *passwdp, 215 struct ntlmdata *ntlm, 216 struct bufref *out); 217 218 #else 219 #define Curl_auth_is_ntlm_supported() FALSE 220 #endif /* USE_NTLM */ 221 222 /* This is used to generate a base64 encoded OAuth 2.0 message */ 223 CURLcode Curl_auth_create_oauth_bearer_message(const char *user, 224 const char *host, 225 const long port, 226 const char *bearer, 227 struct bufref *out); 228 229 /* This is used to generate a base64 encoded XOAuth 2.0 message */ 230 CURLcode Curl_auth_create_xoauth_bearer_message(const char *user, 231 const char *bearer, 232 struct bufref *out); 233 234 #if defined(USE_KERBEROS5) 235 236 #ifdef HAVE_GSSAPI 237 # ifdef HAVE_GSSGNU 238 # include <gss.h> 239 # elif defined HAVE_GSSAPI_GSSAPI_H 240 # include <gssapi/gssapi.h> 241 # else 242 # include <gssapi.h> 243 # endif 244 # ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H 245 # include <gssapi/gssapi_generic.h> 246 # endif 247 #endif 248 249 /* meta key for storing KRB5 meta at connection */ 250 #define CURL_META_KRB5_CONN "meta:auth:krb5:conn" 251 252 struct kerberos5data { 253 #if defined(USE_WINDOWS_SSPI) 254 CredHandle *credentials; 255 CtxtHandle *context; 256 TCHAR *spn; 257 SEC_WINNT_AUTH_IDENTITY identity; 258 SEC_WINNT_AUTH_IDENTITY *p_identity; 259 size_t token_max; 260 BYTE *output_token; 261 #else 262 gss_ctx_id_t context; 263 gss_name_t spn; 264 #endif 265 }; 266 267 struct kerberos5data *Curl_auth_krb5_get(struct connectdata *conn); 268 269 /* This is used to evaluate if GSSAPI (Kerberos V5) is supported */ 270 bool Curl_auth_is_gssapi_supported(void); 271 272 /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) user token 273 message */ 274 CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, 275 const char *userp, 276 const char *passwdp, 277 const char *service, 278 const char *host, 279 const bool mutual, 280 const struct bufref *chlg, 281 struct kerberos5data *krb5, 282 struct bufref *out); 283 284 /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) security 285 token message */ 286 CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, 287 const char *authzid, 288 const struct bufref *chlg, 289 struct kerberos5data *krb5, 290 struct bufref *out); 291 292 /* This is used to clean up the GSSAPI specific data */ 293 void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5); 294 #else 295 #define Curl_auth_is_gssapi_supported() FALSE 296 #endif /* USE_KERBEROS5 */ 297 298 #ifdef USE_SPNEGO 299 300 bool Curl_auth_is_spnego_supported(void); 301 302 /* meta key for storing NEGO meta at connection */ 303 #define CURL_META_NEGO_CONN "meta:auth:nego:conn" 304 /* meta key for storing NEGO PROXY meta at connection */ 305 #define CURL_META_NEGO_PROXY_CONN "meta:auth:nego-proxy:conn" 306 307 /* Struct used for Negotiate (SPNEGO) authentication */ 308 struct negotiatedata { 309 #ifdef HAVE_GSSAPI 310 OM_uint32 status; 311 gss_ctx_id_t context; 312 gss_name_t spn; 313 gss_buffer_desc output_token; 314 struct dynbuf channel_binding_data; 315 #else 316 #ifdef USE_WINDOWS_SSPI 317 #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS 318 CtxtHandle *sslContext; 319 #endif 320 DWORD status; 321 CredHandle *credentials; 322 CtxtHandle *context; 323 SEC_WINNT_AUTH_IDENTITY identity; 324 SEC_WINNT_AUTH_IDENTITY *p_identity; 325 TCHAR *spn; 326 size_t token_max; 327 BYTE *output_token; 328 size_t output_token_length; 329 #endif 330 #endif 331 BIT(noauthpersist); 332 BIT(havenoauthpersist); 333 BIT(havenegdata); 334 BIT(havemultiplerequests); 335 }; 336 337 struct negotiatedata * 338 Curl_auth_nego_get(struct connectdata *conn, bool proxy); 339 340 /* This is used to decode a base64 encoded SPNEGO (Negotiate) challenge 341 message */ 342 CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, 343 const char *user, 344 const char *password, 345 const char *service, 346 const char *host, 347 const char *chlg64, 348 struct negotiatedata *nego); 349 350 /* This is used to generate a base64 encoded SPNEGO (Negotiate) response 351 message */ 352 CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego, 353 char **outptr, size_t *outlen); 354 355 /* This is used to clean up the SPNEGO specific data */ 356 void Curl_auth_cleanup_spnego(struct negotiatedata *nego); 357 358 #endif /* USE_SPNEGO */ 359 360 #endif /* HEADER_CURL_VAUTH_H */