1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 09:38:54 -05:00
Commit Graph

150 Commits

Author SHA1 Message Date
Steve Holme
7c469fa537 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixes #3653
Closes #3790

NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.

Closes https://github.com/curl/curl/pull/4186
2019-08-06 11:38:20 -04:00
Jay Satiro
db8ec1fa38
Revert all SASL authzid (new feature) commits
- Revert all commits related to the SASL authzid feature since the next
  release will be a patch release, 7.65.1.

Prior to this change CURLOPT_SASL_AUTHZID  / --sasl-authzid was destined
for the next release, assuming it would be a feature release 7.66.0.
However instead the next release will be a patch release, 7.65.1 and
will not contain any new features.

After the patch release after the reverted commits can be restored by
using cherry-pick:

git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690

Details for all reverted commits:

Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."

This reverts commit 0edf6907ae.

Revert "tests: Fix the line endings for the SASL alt-auth tests"

This reverts commit c2a8d52a13.

Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"

This reverts commit 8c1cc369d0.

Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"

This reverts commit a9499ff136.

Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"

This reverts commit a14d72ca2f.
2019-05-25 23:36:11 +02:00
Steve Holme
a14d72ca2f
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixed #3653
Closes #3790
2019-05-22 22:55:05 +01:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Daniel Stenberg
e5b546b339
sasl: only enable if there's a protocol enabled using it 2019-05-13 08:17:10 +02:00
Steve Holme
52dfab65d6
auth: Rename the various authentication clean up functions
For consistency and to a avoid confusion.

Closes #3869
2019-05-12 18:37:00 +01:00
Steve Holme
eb84ca3ea8 sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
RFC 4616 specifies the authzid is optional in the client authentication
message and that the server will derive the authorisation identity
(authzid) from the authentication identity (authcid) when not specified
by the client.
2019-04-22 12:29:49 +01:00
Steve Holme
762a292f87 vauth/cleartext: Update the PLAIN login function signature to match RFC 4616
Functionally this doesn't change anything as we still use the username
for both the authorisation identity and the authentication identity.

Closes #3757
2019-04-11 22:43:30 +01:00
Mert Yazıcıoğlu
6227e2bd07 vauth/oauth2: Fix OAUTHBEARER token generation
OAUTHBEARER tokens were incorrectly generated in a format similar to
XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the
RFC7628.

Fixes: #2487
Reported-by: Paolo Mossino

Closes https://github.com/curl/curl/pull/3377
2019-04-02 15:52:12 -04:00
Daniel Stenberg
ba243235ec
urldata: rename easy_conn to just conn
We use "conn" everywhere to be a pointer to the connection.

Introduces two functions that "attaches" and "detaches" the connection
to and from the transfer.

Going forward, we should favour using "data->conn" (since a transfer
always only has a single connection or none at all) to "conn->data"
(since a connection can have none, one or many transfers associated with
it and updating conn->data to be correct is error prone and a frequent
reason for internal issues).

Closes #3442
2019-01-11 15:35:13 +01:00
Marian Klymov
c45360d463
cppcheck: fix warnings
- Get rid of variable that was generating false positive warning
(unitialized)

- Fix issues in tests

- Reduce scope of several variables all over

etc

Closes #2631
2018-06-11 11:14:48 +02:00
toughengineer
bc4b8c9717
ntlm_sspi: fix authentication using Credential Manager
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
2018-04-16 20:43:21 +02:00
Patrick Monnerat
de97b5fcef sasl: prefer PLAIN mechanism over LOGIN
SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
PLAIN should be used instead if available.
2018-02-21 17:42:25 +01:00
Patrick Monnerat
6869d65f54 Curl_base64_encode: always call with a real data handle.
Some calls in different modules were setting the data handle to NULL, causing
segmentation faults when using builds that enable character code conversions.
2017-09-02 12:49:59 +01:00
Marcel Raad
f8518059ce
curl_sasl: fix unused-variable warning
This fixes the following warning with CURL_DISABLE_CRYPTO_AUTH,
as seen in the autobuilds:

curl_sasl.c:417:9: warning: unused variable 'serverdata'
[-Wunused-variable]
2017-06-03 11:59:38 +02:00
Daniel Stenberg
32c27f9e98 curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM
Reported-by: wyattoday at github
Fixes #1487
2017-05-16 16:13:03 +02:00
Martin Kepplinger
2d4413fefd curl_sasl: declare mechtable static
struct mechtable is only used locally here. It can be declared static.
2017-04-04 22:59:34 +02:00
Daniel Stenberg
dbadaebfc4 checksrc: code style: use 'char *name' style 2016-11-24 23:58:22 +01:00
Okhin Vasilij
c6da05a5ec HTTPS-proxy: fixed mbedtls and polishing 2016-11-24 23:41:45 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Steve Holme
a78c61a4bf sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
2016-08-21 11:56:23 +01:00
Steve Holme
00417fd66c sasl: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the SASL authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

For now existing functionality is maintained.
2016-08-20 14:02:44 +01:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Daniel Stenberg
4f45240bc8 lib: include curl_printf.h as one of the last headers
curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

 curl_printf.h
 curl_memory.h
 memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743
2016-04-29 22:32:49 +02:00
Steve Holme
f044cbe6fc sasl: Fixed compilation errors from commit 9d89a0387
...when GSS-API or Windows SSPI are not used.
2016-04-09 05:57:10 +01:00
Steve Holme
9d89a03872 ftp/imap/pop3/smtp: Allow the service name to be overridden
Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
authentication in FTP, IMAP, POP3 and SMTP.
2016-04-08 18:59:33 +01:00
Steve Holme
e655ae0c80 curl_sasl: Fixed potential null pointer utilisation
Although this should never happen due to the relationship between the
'mech' and 'resp' variables, and the way they are allocated together,
it does cause problems for code analysis tools:

V595 The 'mech' pointer was utilized before it was verified against
     nullptr. Check lines: 376, 381. curl_sasl.c 376

Bug: https://github.com/curl/curl/issues/745
Reported-by: Alexis La Goutte
2016-04-03 17:55:17 +01:00
Steve Holme
ced0cbb5b7 krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
For consistency with the spnego and oauth2 code moved the setting of
the host name outside of the Curl_auth_create_gssapi_user_messag()
function.

This will allow us to more easily override it in the future.
2016-04-02 06:15:29 +01:00
Steve Holme
58a7bc96ec vauth: Refactored function names after move to new vauth directory
Renamed all the SASL functions that moved to the new vauth directory to
include the correct module name.
2016-03-25 17:40:12 +00:00
Steve Holme
70e56939aa vauth: Moved the OAuth 2.0 authentication code to the new vauth directory 2016-03-25 15:11:10 +00:00
Steve Holme
6012fa5aee vauth: Moved the NTLM authentication code to the new vauth directory 2016-03-25 15:11:09 +00:00
Steve Holme
51358a3f40 vauth: Moved the DIGEST authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
ec5b8dc647 vauth: Moved the CRAM-MD5 authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
6101e35819 vauth: Moved the ClearText authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
685fee3828 vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files 2016-03-25 09:12:01 +00:00
Steve Holme
c142e73142 ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
warning C4706: assignment within conditional expression
2016-03-19 17:15:53 +00:00
Daniel Stenberg
3c6238b3eb curl_sasl.c: minor code indent fixes 2016-03-14 09:55:38 +01:00
Steve Holme
e4a0a9ef18 digest: Use boolean based success code for Curl_sasl_digest_get_pair()
Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
based success code.
2016-03-12 17:25:15 +00:00
Steve Holme
a7a653fd58 digest: Corrected some typos in comments 2016-03-12 13:20:03 +00:00
Steve Holme
dbb90e7e9f ntlm: Corrected some typos in function descriptions 2016-03-12 11:56:10 +00:00
Emil Lerner
3fa220a6a5 curl_sasl: Fix memory leak in digest parser
If any parameter in a HTTP DIGEST challenge message is present multiple
times, memory allocated for all but the last entry should be freed.

Bug: https://github.com/curl/curl/pull/667
2016-02-19 21:52:05 -05:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
88f585c3a1 sasl; fix checksrc warnings 2015-11-15 23:15:00 +01:00
Steve Holme
ee04bee82b oauth2: Support OAUTHBEARER failures sent as continuation responses
According to RFC7628 a failure message may be sent by the server in a
base64 encoded JSON string as a continuation response.

Currently only implemented for OAUTHBEARER and not XAUTH2.
2015-11-15 20:11:53 +00:00
Steve Holme
febda2f305 oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
OAUTHBEARER is now the official "registered" SASL mechanism name for
OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
servers won't support the new mechanism yet.
2015-11-14 10:28:05 +00:00
Steve Holme
1f82df9146 sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
Following the fix in commit d6d58dd558 it is necessary to re-introduce
XOAUTH2 in the default enabled authentication mechanism, which was
removed in commit 7b2012f262, otherwise users will have to specify
AUTH=XOAUTH2 in the URL.

Note: OAuth 2.0 will only be used when the bearer is specified.
2015-11-12 19:45:24 +00:00
Steve Holme
88702ebb31 oauth2: Re-factored OAuth 2.0 state variable 2015-11-12 18:25:33 +00:00
Steve Holme
d6d58dd558 sasl: Don't choose OAuth 2.0 if mechanism not advertised
Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
specified but the SASL mechanism wasn't supported by the server then
the mechanism would be chosen.
2015-11-12 18:25:33 +00:00
Steve Holme
dcf5b614ca oauth2: Introduced support for host and port details
Added support to the OAuth 2.0 message function for host and port, in
order to accommodate the official OAUTHBEARER SASL mechanism which is
to be added shortly.
2015-11-11 22:26:21 +00:00