aboutsummaryrefslogtreecommitdiff
path: root/lib/curl_sasl.c
AgeCommit message (Collapse)Author
2014-11-09ntlm: Moved SSPI clean-up code into SASL moduleSteve Holme
2014-11-07http_digest: Fixed some memory leaks introduced in commit 6f8d8131b1Steve Holme
Fixed a couple of memory leaks as a result of moving code that used to populate allocuserpwd and relied on it's clean up.
2014-11-06http_digest: Post SSPI support tidy upSteve Holme
Post tidy up to ensure commonality of code style and variable names.
2014-11-06sasl: Removed non-SSPI Digest functions and defines from SSPI based buildsSteve Holme
Introduced in commit 7e6d51a73c these functions and definitions are only required by the internal challenge-response functions now.
2014-11-06http_digest: Added SSPI based authentication functionsSteve Holme
This temporarily breaks HTTP digest authentication in SSPI based builds, causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will resume normal operation.
2014-11-05sasl: Fixed HTTP digest challenges with spaces between auth parametersSteve Holme
Broken as part of the rework, in commit 7e6d51a73c, to assist with the addition of HTTP digest via Windows SSPI.
2014-11-05http_digest: Moved response generation into SASL moduleSteve Holme
2014-11-05http_digest: Moved challenge decoding into SASL moduleSteve Holme
2014-11-05http_digest: Moved clean-up function into SASL moduleSteve Holme
2014-11-02sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is usedSteve Holme
Typically the USE_WINDOWS_SSPI definition would not be used when the CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication data structures and functions would incorrectly be used when they shouldn't be. Introduced a new USE_KRB5 definition that takes into account the use of CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
2014-08-22sasl: Fixed a memory leak on OOMDan Fandrich
2014-08-14sasl_sspi: Added GSSAPI message functionsSteve Holme
2014-08-09sasl: Tidy up to rename SPN variable from URISteve Holme
2014-08-09sasl: Use a dynamic buffer for SPN generationSteve Holme
Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer for the SPN generation via the recently introduced Curl_sasl_build_spn() function rather than a fixed buffer of 128 characters.
2014-08-09sasl: Introduced Curl_sasl_build_spn() for building a SPNSteve Holme
Various parts of the libcurl source code build a SPN for inclusion in authentication data. This information is either used by our own native generation routines or passed to authentication functions in third-party libraries such as SSPI. However, some of these instances use fixed buffers rather than dynamically allocated ones and not all of those that should, convert to wide character strings in Unicode builds. Implemented a common function that generates a SPN and performs the wide character conversion where necessary.
2014-06-15sasl: Added back qop argument mistakenly removed in e95ca7ceDan Fandrich
This caused segfaults on tests 823 869 907.
2014-06-11curl_sasl: revert the goto for error bailoutDaniel Stenberg
They were added because of an older code path that used allocations and should not have been left in the code. With this change the logic goes back to how it was.
2014-06-11NTLM: set a fake entropy for debug builds with CURL_ENTROPY setDaniel Stenberg
Curl_rand() will return a dummy and repatable random value for this case. Makes it possible to write test cases that verify output. Also, fake timestamp with CURL_FORCETIME set. Only when built debug enabled of course. Curl_ssl_random() was not used anymore so it has been removed. Curl_rand() is enough. create_digest_md5_message: generate base64 instead of hex string curl_sasl: also fix memory leaks in some OOM situations
2014-06-03random: use Curl_rand() for proper random dataDaniel Stenberg
The SASL/Digest previously used the current time's seconds + microseconds to add randomness but it is much better to instead get more data from Curl_rand(). It will also allow us to easier "fake" that for debug builds on demand in a future.
2014-06-02curl_sasl: Fixed copy/paste error of now.tv_sec in commit eefeb73af4Steve Holme
2014-06-01curl_sasl: Fixed compilation warning under DEBUGBUILDSteve Holme
2014-06-01curl_sasl: Extended native DIGEST-MD5 cnonce to be a 32-byte hex stringSteve Holme
Rather than use a short 8-byte hex string, extended the cnonce to be 32-bytes long, like Windows SSPI does. Used a combination of random data as well as the current date and time for the generation.
2014-05-11sasl: Fixed missing qop in the client's challenge-response messageSteve Holme
Whilst the qop directive isn't required to be present in a client's response, as servers should assume a qop of "auth" if it isn't specified, some may return authentication failure if it is missing.
2014-04-08sas: Added DIGEST-MD5 qop-option validation in native challange handlingSteve Holme
Given that we presently support "auth" and not "auth-int" or "auth-conf" for native challenge-response messages, added client side validation of the quality-of-protection options from the server's challenge message.
2014-04-06sasl: Fixed compilation warning in SSPI buildsSteve Holme
warning: 'sasl_digest_get_key_value' defined but not used
2014-04-06sasl: Post DIGEST-MD5 SSPI code tidy upSteve Holme
* Added comments to SSPI NTLM message generation * Added comments to native DIGEST-MD5 code * Removed redundant identity pointer
2014-04-05sasl: Added initial stub functions for SSPI DIGEST-MD supportSteve Holme
2014-04-05sasl: Combined DIGEST-MD5 message decoding and generationSteve Holme
2014-01-02Updated copyright year for recent changesSteve Holme
2014-01-03vtls/nssg.h: fixed include references to moved fileMarc Hoersken
2013-12-20vtls: renamed sslgen.[ch] to vtls.[ch]Daniel Stenberg
2013-12-20vtls: created subdir, moved sslgen.[ch] there, updated all include linesDaniel Stenberg
2013-11-03base64: Fixed compilation warnings when using Curl_base64_decode()Steve Holme
curl_sasl.c:294: warning: dereferencing type-punned pointer will break strict-aliasing rules getpart.c:201: warning: dereferencing type-punned pointer will break strict-aliasing rules
2013-10-30email: Post graceful SASL authentication cancellation tidy upSteve Holme
2013-10-28sasl: Updated create_digest_md5_message() to use a dynamic bufferSteve Holme
2013-10-27email: Added support for cancelling NTLM authenticationSteve Holme
2013-10-27sasl: Removed unused variables from commit b87ba2c94217c0Steve Holme
2013-10-27email: Added support for cancelling DIGEST-MD5 authenticationSteve Holme
2013-10-27email: Added support for canceling CRAM-MD5 authenticationSteve Holme
2013-10-26email: Added references to SASL LOGIN authentication draft proposalSteve Holme
2013-10-24sasl: Fixed memory leak in OAUTH2 message creationSteve Holme
2013-10-23sasl: fix compiler warningDaniel Stenberg
error: unused variable 'table16'
2013-10-23tests: Added POP3 DIGEST-MD5 authentication testSteve Holme
2013-10-18curl_sasl: initialize NSS before using cryptoKamil Dudka
2013-08-25sasl: added basic SASL XOAUTH2 supportKyle L. Huff
Added the ability to generated a base64 encoded XOAUTH2 token containing: "user=<username>^Aauth=Bearer <bearer token>^A^A" as per RFC6749 "OAuth 2.0 Authorization Framework".
2013-08-20sasl: allow arbitrarily long username and passwordJonathan Nieder
Use appropriately sized buffers on the heap instead of fixed-size buffers on the stack, to allow for longer usernames and passwords. Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp. MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
2013-06-25formpost: better random boundariesDaniel Stenberg
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris"
2013-03-21sasl: Corrected a few violations of the curl coding standardsSteve Holme
Corrected some incorrectly positioned pointer variable declarations to be "char *" rather than "char* ".
2013-02-12sasl: Fixed null pointer reference when decoding empty digest challengeSteve Holme
Fixed a null pointer reference when an empty challenge is passed to the Curl_sasl_create_digest_md5_message() function. Bug: http://sourceforge.net/p/curl/bugs/1193/ Reported by: Saran Neti
2013-02-06Curl_sasl_create_digest_md5_message: fix buffer overflowEldar Zaitov
When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided from the server without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack. This vulnerability can be exploited by someone who is in control of a server that a libcurl based program is accessing with POP3, SMTP or IMAP. For applications that accept user provided URLs, it is also thinkable that a malicious user would feed an application with a URL to a server hosting code targetting this flaw. Bug: http://curl.haxx.se/docs/adv_20130206.html