Commit Graph

177 Commits

Author SHA1 Message Date
Daniel Stenberg
742196bd62
vauth: make two functions void that always just returned OK
Removes the need to check return values when they can never fail.

Pointed out by CodeSonar

Closes #13621
2024-05-13 22:38:25 +02:00
Patrick Monnerat
7b2d98dfad sasl: make login option string override http auth
- Use http authentication mechanisms as a default, not a preset.

Consider http authentication options which are mapped to SASL options as
a default (overriding the hardcoded default mask for the protocol) that
is ignored if a login option string is given.

Prior to this change, if some HTTP auth options were given, sasl mapped
http authentication options to sasl ones but merged them with the login
options.

That caused problems with the cli tool that sets the http login option
CURLAUTH_BEARER as a side-effect of --oauth2-bearer, because this flag
maps to more than one sasl mechanisms and the latter cannot be cleared
individually by the login options string.

New test 992 checks this.

Fixes https://github.com/curl/curl/issues/10259
Closes https://github.com/curl/curl/pull/12790
2024-01-26 02:58:21 -05:00
Viktor Szakats
c537b0aa19
sasl: fix -Wunused-function compiler warning
In builds with disabled auths.

```
lib/curl_sasl.c:266:17: warning: unused function 'get_server_message' [-Wunused-function]
static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data,
                ^
1 warning generated.
```
Ref: https://github.com/curl/trurl/actions/runs/6871732122/job/18689066151#step:3:3822

Reviewed-by: Daniel Stenberg
Closes #12326
2023-11-15 13:00:38 +00:00
Wyatt O'Day
e92edfbef6
lib: add ability to disable auths individually
Both with configure and cmake

Closes #11490
2023-09-07 17:45:06 +02:00
Viktor Szakats
3f8fc25720
cmake: add support for "unity" builds
Aka "jumbo" or "amalgamation" builds. It means to compile all sources
per target as a single C source. This is experimental.

You can enable it by passing `-DCMAKE_UNITY_BUILD=ON` to cmake.
It requires CMake 3.16 or newer.

It makes builds (much) faster, allows for better optimizations and tends
to promote less ambiguous code.

Also add a new AppVeyor CI job and convert an existing one to use
"unity" mode (one MSVC, one MinGW), and enable it for one macOS CI job.

Fix related issues:
- add missing include guard to `easy_lock.h`.
- rename static variables and functions (and a macro) with names reused
  across sources, or shadowed by local variables.
- add an `#undef` after use.
- add a missing `#undef` before use.
- move internal definitions from `ftp.h` to `ftp.c`.
- `curl_memory.h` fixes to make it work when included repeatedly.
- stop building/linking curlx bits twice for a static-mode curl tool.
  These caused doubly defined symbols in unity builds.
- silence missing extern declarations compiler warning for ` _CRT_glob`.
- fix extern declarations for `tool_freq` and `tool_isVistaOrGreater`.
- fix colliding static symbols in debug mode: `debugtime()` and
  `statename`.
- rename `ssl_backend_data` structure to unique names for each
  TLS-backend, along with the `ssl_connect_data` struct member
  referencing them. This required adding casts for each access.
- add workaround for missing `[P]UNICODE_STRING` types in certain Windows
  builds when compiling `lib/ldap.c`. To support "unity" builds, we had
  to enable `SCHANNEL_USE_BLACKLISTS` for Schannel (a Windows
  `schannel.h` option) _globally_. This caused an indirect inclusion of
  Windows `schannel.h` from `ldap.c` via `winldap.h` to have it enabled
  as well. This requires `[P]UNICODE_STRING` types, which is apperantly
  not defined automatically (as seen with both MSVS and mingw-w64).
  This patch includes `<subauth.h>` to fix it.
  Ref: https://github.com/curl/curl/runs/13987772013
  Ref: https://dev.azure.com/daniel0244/curl/_build/results?buildId=15827&view=logs&jobId=2c9f582d-e278-56b6-4354-f38a4d851906&j=2c9f582d-e278-56b6-4354-f38a4d851906&t=90509b00-34fa-5a81-35d7-5ed9569d331c
- tweak unity builds to compile `lib/memdebug.c` separately in memory
  trace builds to avoid PP confusion.
- force-disable unity for test programs.
- do not compile and link libcurl sources to libtests _twice_ when libcurl
  is built in static mode.

KNOWN ISSUES:
- running tests with unity builds may fail in cases.
- some build configurations/env may not compile in unity mode. E.g.:
  https://ci.appveyor.com/project/curlorg/curl/builds/47230972/job/51wfesgnfuauwl8q#L250

Ref: https://github.com/libssh2/libssh2/issues/1034
Ref: https://cmake.org/cmake/help/latest/prop_tgt/UNITY_BUILD.html
Ref: https://en.wikipedia.org/wiki/Unity_build

Closes #11095
2023-06-07 13:06:08 +00:00
Federico Pellegrin
cace68e299
openldap: fix missing sasl symbols at build in specific configs
If curl is built with openldap support (USE_OPENLDAP=1) but does not
have also some other protocol (IMAP/SMTP/POP3) enabled that brings
in Curl_sasl_* functions, then the build will fail with undefined
references to various symbols:

ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_decode_mech'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_parse_url_auth_option'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_cleanup'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_can_authenticate'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_continue'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_start'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_init'

This was tracked down to these functions bein used in openldap.c but
defined in curl_sasl.c and then forward in two vauth/ files to have
a guard against a set of #define configurations that was now extended
to cover also this case.

Example configuration targeted that could reproduce the problem:

curl 7.87.1-DEV () libcurl/7.87.1-DEV .... OpenLDAP/2.6.3
Protocols: file ftp ftps http https ldap ldaps

Closes #10445
2023-02-09 08:17:20 +01:00
Daniel Stenberg
2bc1d775f5
copyright: update all copyright lines and remove year ranges
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205
2023-01-03 09:19:21 +01:00
Stefan Eissing
af22c2a546
vtls: localization of state data in filters
- almost all backend calls pass the Curl_cfilter intance instead of
   connectdata+sockindex
 - ssl_connect_data is remove from struct connectdata and made internal
   to vtls
 - ssl_connect_data is allocated in the added filter, kept at cf->ctx

 - added function to let a ssl filter access its ssl_primary_config and
   ssl_config_data this selects the propert subfields in conn and data,
   for filters added as plain or proxy
 - adjusted all backends to use the changed api
 - adjusted all backends to access config data via the exposed
   functions, no longer using conn or data directly

cfilter renames for clear purpose:

 - methods `Curl_conn_*(data, conn, sockindex)` work on the complete
   filter chain at `sockindex` and connection `conn`.
 - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter
   instance.
 - methods `Curl_conn_cf()` work on/with filter instances at a
   connection.
 - rebased and resolved some naming conflicts
 - hostname validation (und session lookup) on SECONDARY use the same
   name as on FIRST (again).

new debug macros and removing connectdata from function signatures where not
needed.

adapting schannel for new Curl_read_plain paramter.

Closes #9919
2022-11-22 14:25:50 +01:00
max.mehl
ad9bc5976d
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869
2022-06-13 09:13:00 +02:00
Daniel Stenberg
4a8f6869db
English: use American spelling consistently
Authorization, Initialization, Organization etc.

Closes #8673
2022-04-05 14:55:47 +02:00
Daniel Stenberg
7d600ad1c3
urldata: remove conn->bits.user_passwd
The authentication status should be told by the transfer and not the
connection.

Reported-by: John H. Ayad
Fixes #8449
Closes #8451
2022-02-16 10:28:31 +01:00
Daniel Stenberg
2610142139
lib: remove support for CURL_DOES_CONVERSIONS
TPF was the only user and support for that was dropped.

Closes #8378
2022-02-04 08:05:35 +01:00
Patrick Monnerat
3e2c1dcda8
sasl: binary messages
Capabilities of sasl module are extended to exchange messages in binary
as an alternative to base64.

If http authentication flags have been set, those are used as sasl
default preferred mechanisms.

Closes #6930
2021-10-02 23:30:37 +02:00
a1346054
7cf5e8e70e
misc: fix typos in docs and comments
No user facing output from curl/libcurl is changed by this, just
comments.

Closes #7747
2021-09-23 12:57:55 +02:00
Patrick Monnerat
396a2d7fe3
auth: use sasl authzid option in kerberos
... instead of deriving it from active ticket.
Closes #7008
2021-08-16 08:36:06 +02:00
Daniel Stenberg
e7416cfd2b
infof: remove newline from format strings, always append it
- the data needs to be "line-based" anyway since it's also passed to the
  debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
  it was truncated in infof()

Closes #7357
2021-07-07 22:54:01 +02:00
Daniel Stenberg
a9bc819c89
sasl: use 'unsigned short' to store mechanism
... saves a few bytes of struct size in memory and it only uses
10 bits anyway.

Closes #7045
2021-05-12 00:16:52 +02:00
Michał Antoniak
e4ba999646
vtls: deduplicate some DISABLE_PROXY ifdefs
continue from #5735

- using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
  tls backend

- create SSL_HOST_PORT

Closes #6660
2021-04-22 22:50:56 +02:00
Patrick Monnerat
19ea52da4d
vauth: factor base64 conversions out of authentication procedures
Input challenges and returned messages are now in binary.
Conversions from/to base64 are performed by callers (currently curl_sasl.c
and http_ntlm.c).

Closes #6654
2021-04-22 09:06:07 +02:00
Daniel Stenberg
184ffc0bdf
curl_sasl: fix compiler error with --disable-crypto-auth
... if libgsasl was found.

Closes #6806
2021-03-28 23:03:15 +02:00
Simon Josefsson
3eebbfe8f3
sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
Closes #6372
2021-02-09 10:53:25 +01:00
Patrick Monnerat
ecb13416e3
lib: remove conn->data uses
Closes #6499
2021-01-24 18:15:03 +01:00
Daniel Stenberg
215db086e0
lib: pass in 'struct Curl_easy *' to most functions
... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and not connections.

- We need the transfer handle to log, store data and more. Everything in
  libcurl is driven by a transfer (the CURL * in the public API).

- This work clarifies and separates the transfers from the connections
  better.

- We should avoid "conn->data". Since individual connections can be used
  by many transfers when multiplexing, making sure that conn->data
  points to the current and correct transfer at all times is difficult
  and has been notoriously error-prone over the years. The goal is to
  ultimately remove the conn->data pointer for this reason.

Closes #6425
2021-01-17 23:56:09 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
f3d501dc67
build: disable more code/data when built without proxy support
Added build to travis to verify

Closes #5466
2020-05-30 23:18:16 +02:00
Daniel Stenberg
23a17e039d
copyright: fix year ranges
follow-up from dea17b519d (one of these days I'll learn to check before
I push)
2020-01-21 10:34:44 +01:00
nao
dea17b519d
http: move "oauth_bearer" from connectdata to Curl_easy
Fixes the bug where oauth_bearer gets deallocated when we re-use a
connection.

Closes #4824
2020-01-21 10:32:43 +01:00
Steve Holme
7c469fa537 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixes #3653
Closes #3790

NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.

Closes https://github.com/curl/curl/pull/4186
2019-08-06 11:38:20 -04:00
Jay Satiro
db8ec1fa38
Revert all SASL authzid (new feature) commits
- Revert all commits related to the SASL authzid feature since the next
  release will be a patch release, 7.65.1.

Prior to this change CURLOPT_SASL_AUTHZID  / --sasl-authzid was destined
for the next release, assuming it would be a feature release 7.66.0.
However instead the next release will be a patch release, 7.65.1 and
will not contain any new features.

After the patch release after the reverted commits can be restored by
using cherry-pick:

git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690

Details for all reverted commits:

Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."

This reverts commit 0edf6907ae.

Revert "tests: Fix the line endings for the SASL alt-auth tests"

This reverts commit c2a8d52a13.

Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"

This reverts commit 8c1cc369d0.

Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"

This reverts commit a9499ff136.

Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"

This reverts commit a14d72ca2f.
2019-05-25 23:36:11 +02:00
Steve Holme
a14d72ca2f
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixed #3653
Closes #3790
2019-05-22 22:55:05 +01:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Daniel Stenberg
e5b546b339
sasl: only enable if there's a protocol enabled using it 2019-05-13 08:17:10 +02:00
Steve Holme
52dfab65d6
auth: Rename the various authentication clean up functions
For consistency and to a avoid confusion.

Closes #3869
2019-05-12 18:37:00 +01:00
Steve Holme
eb84ca3ea8 sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
RFC 4616 specifies the authzid is optional in the client authentication
message and that the server will derive the authorisation identity
(authzid) from the authentication identity (authcid) when not specified
by the client.
2019-04-22 12:29:49 +01:00
Steve Holme
762a292f87 vauth/cleartext: Update the PLAIN login function signature to match RFC 4616
Functionally this doesn't change anything as we still use the username
for both the authorisation identity and the authentication identity.

Closes #3757
2019-04-11 22:43:30 +01:00
Mert Yazıcıoğlu
6227e2bd07 vauth/oauth2: Fix OAUTHBEARER token generation
OAUTHBEARER tokens were incorrectly generated in a format similar to
XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the
RFC7628.

Fixes: #2487
Reported-by: Paolo Mossino

Closes https://github.com/curl/curl/pull/3377
2019-04-02 15:52:12 -04:00
Daniel Stenberg
ba243235ec
urldata: rename easy_conn to just conn
We use "conn" everywhere to be a pointer to the connection.

Introduces two functions that "attaches" and "detaches" the connection
to and from the transfer.

Going forward, we should favour using "data->conn" (since a transfer
always only has a single connection or none at all) to "conn->data"
(since a connection can have none, one or many transfers associated with
it and updating conn->data to be correct is error prone and a frequent
reason for internal issues).

Closes #3442
2019-01-11 15:35:13 +01:00
Marian Klymov
c45360d463
cppcheck: fix warnings
- Get rid of variable that was generating false positive warning
(unitialized)

- Fix issues in tests

- Reduce scope of several variables all over

etc

Closes #2631
2018-06-11 11:14:48 +02:00
toughengineer
bc4b8c9717
ntlm_sspi: fix authentication using Credential Manager
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
2018-04-16 20:43:21 +02:00
Patrick Monnerat
de97b5fcef sasl: prefer PLAIN mechanism over LOGIN
SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
PLAIN should be used instead if available.
2018-02-21 17:42:25 +01:00
Patrick Monnerat
6869d65f54 Curl_base64_encode: always call with a real data handle.
Some calls in different modules were setting the data handle to NULL, causing
segmentation faults when using builds that enable character code conversions.
2017-09-02 12:49:59 +01:00
Marcel Raad
f8518059ce
curl_sasl: fix unused-variable warning
This fixes the following warning with CURL_DISABLE_CRYPTO_AUTH,
as seen in the autobuilds:

curl_sasl.c:417:9: warning: unused variable 'serverdata'
[-Wunused-variable]
2017-06-03 11:59:38 +02:00
Daniel Stenberg
32c27f9e98 curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM
Reported-by: wyattoday at github
Fixes #1487
2017-05-16 16:13:03 +02:00
Martin Kepplinger
2d4413fefd curl_sasl: declare mechtable static
struct mechtable is only used locally here. It can be declared static.
2017-04-04 22:59:34 +02:00
Daniel Stenberg
dbadaebfc4 checksrc: code style: use 'char *name' style 2016-11-24 23:58:22 +01:00
Okhin Vasilij
c6da05a5ec HTTPS-proxy: fixed mbedtls and polishing 2016-11-24 23:41:45 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Steve Holme
a78c61a4bf sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
2016-08-21 11:56:23 +01:00
Steve Holme
00417fd66c sasl: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the SASL authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

For now existing functionality is maintained.
2016-08-20 14:02:44 +01:00