Commit Graph

68 Commits

Author SHA1 Message Date
Steve Holme
93859e2c9a sasl: Removed non-SSPI Digest functions and defines from SSPI based builds
Introduced in commit 7e6d51a73c these functions and definitions are only
required by the internal challenge-response functions now.
2014-11-06 12:37:59 +00:00
Steve Holme
3d6b865654 http_digest: Added SSPI based authentication functions
This temporarily breaks HTTP digest authentication in SSPI based builds,
causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will
resume normal operation.
2014-11-06 11:10:10 +00:00
Steve Holme
259f4f3d01 sasl: Fixed HTTP digest challenges with spaces between auth parameters
Broken as part of the rework, in commit 7e6d51a73c, to assist with the
addition of HTTP digest via Windows SSPI.
2014-11-05 17:58:07 +00:00
Steve Holme
6f8d8131b1 http_digest: Moved response generation into SASL module 2014-11-05 15:33:21 +00:00
Steve Holme
7e6d51a73c http_digest: Moved challenge decoding into SASL module 2014-11-05 14:39:13 +00:00
Steve Holme
25264131e2 http_digest: Moved clean-up function into SASL module 2014-11-05 13:51:11 +00:00
Steve Holme
b6821dbb91 sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
Typically the USE_WINDOWS_SSPI definition would not be used when the
CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build
configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication
data structures and functions would incorrectly be used when they
shouldn't be.

Introduced a new USE_KRB5 definition that takes into account the use of
CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
2014-11-02 00:35:16 +00:00
Dan Fandrich
1a073a20db sasl: Fixed a memory leak on OOM 2014-08-22 21:40:05 +02:00
Steve Holme
4b491c675f sasl_sspi: Added GSSAPI message functions 2014-08-14 10:37:01 +01:00
Steve Holme
d01e30431c sasl: Tidy up to rename SPN variable from URI 2014-08-09 18:55:20 +01:00
Steve Holme
ff5dcb8df2 sasl: Use a dynamic buffer for SPN generation
Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer
for the SPN generation via the recently introduced Curl_sasl_build_spn()
function rather than a fixed buffer of 128 characters.
2014-08-09 18:40:10 +01:00
Steve Holme
1b69122810 sasl: Introduced Curl_sasl_build_spn() for building a SPN
Various parts of the libcurl source code build a SPN for inclusion in
authentication data. This information is either used by our own native
generation routines or passed to authentication functions in third-party
libraries such as SSPI. However, some of these instances use fixed
buffers rather than dynamically allocated ones and not all of those that
should, convert to wide character strings in Unicode builds.

Implemented a common function that generates a SPN and performs the
wide character conversion where necessary.
2014-08-09 16:40:24 +01:00
Dan Fandrich
34d02aff71 sasl: Added back qop argument mistakenly removed in e95ca7ce
This caused segfaults on tests 823 869 907.
2014-06-15 14:11:35 +02:00
Daniel Stenberg
3aa1329e0a curl_sasl: revert the goto for error bailout
They were added because of an older code path that used allocations and
should not have been left in the code. With this change the logic goes
back to how it was.
2014-06-11 23:32:10 +02:00
Daniel Stenberg
e95ca7cec9 NTLM: set a fake entropy for debug builds with CURL_ENTROPY set
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.

Also, fake timestamp with CURL_FORCETIME set.

Only when built debug enabled of course.

Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.

create_digest_md5_message: generate base64 instead of hex string

curl_sasl: also fix memory leaks in some OOM situations
2014-06-11 23:15:48 +02:00
Daniel Stenberg
bbd3dc611e random: use Curl_rand() for proper random data
The SASL/Digest previously used the current time's seconds +
microseconds to add randomness but it is much better to instead get more
data from Curl_rand().

It will also allow us to easier "fake" that for debug builds on demand
in a future.
2014-06-03 18:25:48 +02:00
Steve Holme
62a26ec696 curl_sasl: Fixed copy/paste error of now.tv_sec in commit eefeb73af4 2014-06-02 23:15:15 +01:00
Steve Holme
1eb308275a curl_sasl: Fixed compilation warning under DEBUGBUILD 2014-06-01 12:29:16 +01:00
Steve Holme
eefeb73af4 curl_sasl: Extended native DIGEST-MD5 cnonce to be a 32-byte hex string
Rather than use a short 8-byte hex string, extended the cnonce to be
32-bytes long, like Windows SSPI does.

Used a combination of random data as well as the current date and
time for the generation.
2014-06-01 11:18:12 +01:00
Steve Holme
8342b6e1dc sasl: Fixed missing qop in the client's challenge-response message
Whilst the qop directive isn't required to be present in a client's
response, as servers should assume a qop of "auth" if it isn't
specified, some may return authentication failure if it is missing.
2014-05-11 14:48:28 +01:00
Steve Holme
b574e83079 sas: Added DIGEST-MD5 qop-option validation in native challange handling
Given that we presently support "auth" and not "auth-int" or "auth-conf"
for native challenge-response messages, added client side validation of
the quality-of-protection options from the server's challenge message.
2014-04-08 21:24:34 +01:00
Steve Holme
2af28a147b sasl: Fixed compilation warning in SSPI builds
warning: 'sasl_digest_get_key_value' defined but not used
2014-04-06 16:01:55 +01:00
Steve Holme
ee40136f6c sasl: Post DIGEST-MD5 SSPI code tidy up
* Added comments to SSPI NTLM message generation
* Added comments to native DIGEST-MD5 code
* Removed redundant identity pointer
2014-04-06 13:30:52 +01:00
Steve Holme
2c49e96092 sasl: Added initial stub functions for SSPI DIGEST-MD support 2014-04-05 23:16:51 +01:00
Steve Holme
3a92de5636 sasl: Combined DIGEST-MD5 message decoding and generation 2014-04-05 23:09:04 +01:00
Steve Holme
c50d3ed075 Updated copyright year for recent changes 2014-01-02 23:53:29 +00:00
Marc Hoersken
61288cbdef vtls/nssg.h: fixed include references to moved file 2014-01-03 00:32:05 +01:00
Daniel Stenberg
11e8066ef9 vtls: renamed sslgen.[ch] to vtls.[ch] 2013-12-20 17:12:42 +01:00
Daniel Stenberg
eccf4fb7ee vtls: created subdir, moved sslgen.[ch] there, updated all include lines 2013-12-20 17:12:42 +01:00
Steve Holme
5b315a273e base64: Fixed compilation warnings when using Curl_base64_decode()
curl_sasl.c:294: warning: dereferencing type-punned pointer will break
strict-aliasing rules

getpart.c:201: warning: dereferencing type-punned pointer will break
strict-aliasing rules
2013-11-03 12:25:07 +00:00
Steve Holme
43400b4086 email: Post graceful SASL authentication cancellation tidy up 2013-10-30 20:58:24 +00:00
Steve Holme
1d0eead969 sasl: Updated create_digest_md5_message() to use a dynamic buffer 2013-10-28 23:48:53 +00:00
Steve Holme
f68559c086 email: Added support for cancelling NTLM authentication 2013-10-27 22:25:18 +00:00
Steve Holme
08f97f3b1d sasl: Removed unused variables from commit b87ba2c942 2013-10-27 17:04:56 +00:00
Steve Holme
b87ba2c942 email: Added support for cancelling DIGEST-MD5 authentication 2013-10-27 16:27:38 +00:00
Steve Holme
1e39b95682 email: Added support for canceling CRAM-MD5 authentication 2013-10-27 12:42:30 +00:00
Steve Holme
0adad07690 email: Added references to SASL LOGIN authentication draft proposal 2013-10-26 14:35:27 +01:00
Steve Holme
650036633f sasl: Fixed memory leak in OAUTH2 message creation 2013-10-24 00:16:59 +01:00
Daniel Stenberg
9bd37a6d27 sasl: fix compiler warning
error: unused variable 'table16'
2013-10-23 22:28:13 +02:00
Steve Holme
1be69159f3 tests: Added POP3 DIGEST-MD5 authentication test 2013-10-23 18:30:00 +01:00
Kamil Dudka
86c64f3daf curl_sasl: initialize NSS before using crypto 2013-10-18 15:37:18 +02:00
Kyle L. Huff
19a05c908f sasl: added basic SASL XOAUTH2 support
Added the ability to generated a base64 encoded XOAUTH2 token
containing: "user=<username>^Aauth=Bearer <bearer token>^A^A"
as per RFC6749 "OAuth 2.0 Authorization Framework".
2013-08-25 22:02:38 +01:00
Jonathan Nieder
c56f9797e7 sasl: allow arbitrarily long username and password
Use appropriately sized buffers on the heap instead of fixed-size
buffers on the stack, to allow for longer usernames and passwords.

Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp.
MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
2013-08-20 11:16:38 +02:00
Daniel Stenberg
365c5ba395 formpost: better random boundaries
When doing multi-part formposts, libcurl used a pseudo-random value that
was seeded with time(). This turns out to be bad for users who formpost
data that is provided with users who then can guess how the boundary
string will look like and then they can forge a different formpost part
and trick the receiver.

My advice to such implementors is (still even after this change) to not
rely on the boundary strings being cryptographically strong. Fix your
code and logic to not depend on them that much!

I moved the Curl_rand() function into the sslgen.c source file now to be
able to take advantage of the SSL library's random function if it
provides one. If not, try to use the RANDOM_FILE for seeding and as a
last resort keep the old logic, just modified to also add microseconds
which makes it harder to properly guess the exact seed.

The formboundary() function in formdata.c is now using 64 bit entropy
for the boundary and therefore the string of dashes was reduced by 4
letters and there are 16 hex digits following it. The total length is
thus still the same.

Bug: http://curl.haxx.se/bug/view.cgi?id=1251
Reported-by: "Floris"
2013-06-25 09:55:49 +02:00
Steve Holme
ce2008066a sasl: Corrected a few violations of the curl coding standards
Corrected some incorrectly positioned pointer variable declarations to
be "char *" rather than "char* ".
2013-03-21 22:21:22 +00:00
Steve Holme
e6c1e773d9 sasl: Fixed null pointer reference when decoding empty digest challenge
Fixed a null pointer reference when an empty challenge is passed to the
Curl_sasl_create_digest_md5_message() function.

Bug: http://sourceforge.net/p/curl/bugs/1193/
Reported by: Saran Neti
2013-02-12 22:20:44 +00:00
Eldar Zaitov
f206d6c055 Curl_sasl_create_digest_md5_message: fix buffer overflow
When negotiating SASL DIGEST-MD5 authentication, the function
Curl_sasl_create_digest_md5_message() uses the data provided from the
server without doing the proper length checks and that data is then
appended to a local fixed-size buffer on the stack.

This vulnerability can be exploited by someone who is in control of a
server that a libcurl based program is accessing with POP3, SMTP or
IMAP. For applications that accept user provided URLs, it is also
thinkable that a malicious user would feed an application with a URL to
a server hosting code targetting this flaw.

Bug: http://curl.haxx.se/docs/adv_20130206.html
2013-02-06 11:06:33 +01:00
Steve Holme
de991037e4 curl_sasl.c: Corrected references to RFC
The most recent version of the RFC is RFC4422 and not RFC2222 as
previously documented.
2013-01-22 22:02:30 +00:00
Yang Tse
5a053ffe80 build: fix circular header inclusion with other packages
This commit renames lib/setup.h to lib/curl_setup.h and
renames lib/setup_once.h to lib/curl_setup_once.h.

Removes the need and usage of a header inclusion guard foreign
to libcurl. [1]

Removes the need and presence of an alarming notice we carried
in old setup_once.h [2]

----------------------------------------

1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard
    up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H,
    this single inclusion guard is enough to ensure that inclusion of
    lib/setup_once.h done from lib/setup.h is only done once.

    Additionally lib/setup.h has always used __SETUP_ONCE_H macro to
    protect inclusion of setup_once.h even after commit ec691ca3, this
    was to avoid a circular header inclusion triggered when building a
    c-ares enabled version with c-ares sources available which also has
    a setup_once.h header. Commit ec691ca3 exposes the real nature of
    __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard
    foreign to libcurl belonging to c-ares's setup_once.h

    The renaming this commit does, fixes the circular header inclusion,
    and as such removes the need and usage of a header inclusion guard
    foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl.

2 - Due to the circular interdependency of old lib/setup_once.h and the
    c-ares setup_once.h header, old file lib/setup_once.h has carried
    back from 2006 up to now days an alarming and prominent notice about
    the need of keeping libcurl's and c-ares's setup_once.h in sync.

    Given that this commit fixes the circular interdependency, the need
    and presence of mentioned notice is removed.

    All mentioned interdependencies come back from now old days when
    the c-ares project lived inside a curl subdirectory. This commit
    removes last traces of such fact.
2013-01-09 00:49:50 +01:00
Steve Holme
d6bebd56f7 curl_sasl.c: Small code tidy up following imap changes 2013-01-06 22:32:33 +00:00