sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID

Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes https://github.com/curl/curl/pull/4186
author: Steve Holme <steve_holme@hotmail.com> 2019-04-17 23:47:51 +0100
committer: Jay Satiro <raysatiro@yahoo.com> 2019-08-06 11:38:20 -0400
commit: 7c469fa537397c3b8307c92aa723e3af6d941e95 (patch)
tree: b2c2629c47a6ca6d1a64b67696c1c35dec8497b3 /lib
parent: d3be2ca7ba02fac4f2a972cee41c9f818142fc6e (diff)
4 files changed, 24 insertions, 5 deletions
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 018e4228b..0aa1f5bb7 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -370,8 +370,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
       sasl->authused = SASL_MECH_PLAIN;
 
       if(force_ir || data->set.sasl_ir)
-        result = Curl_auth_create_plain_message(data, NULL, conn->user,
-                                                conn->passwd, &resp, &len);
+        result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
+                                                conn->user, conn->passwd,
+                                                &resp, &len);
     }
     else if(enabledmechs & SASL_MECH_LOGIN) {
       mech = SASL_MECH_STRING_LOGIN;
@@ -453,8 +454,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
     *progress = SASL_DONE;
     return result;
   case SASL_PLAIN:
-    result = Curl_auth_create_plain_message(data, NULL, conn->user,
-                                            conn->passwd, &resp, &len);
+    result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
+                                            conn->user, conn->passwd,
+                                            &resp, &len);
     break;
   case SASL_LOGIN:
     result = Curl_auth_create_login_message(data, conn->user, &resp, &len);
diff --git a/lib/setopt.c b/lib/setopt.c
index 64a6b010d..91251bd7b 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2402,6 +2402,12 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     break;
 #endif
 
+  case CURLOPT_SASL_AUTHZID:
+    /* Authorisation identity (identity to act as) */
+    result = Curl_setstropt(&data->set.str[STRING_SASL_AUTHZID],
+                            va_arg(param, char *));
+    break;
+
   case CURLOPT_SASL_IR:
     /* Enable/disable SASL initial response */
     data->set.sasl_ir = (0 != va_arg(param, long)) ? TRUE : FALSE;
diff --git a/lib/url.c b/lib/url.c
index 05fc0e50e..c61319b3b 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -715,6 +715,7 @@ static void conn_free(struct connectdata *conn)
   Curl_safefree(conn->user);
   Curl_safefree(conn->passwd);
   Curl_safefree(conn->oauth_bearer);
+  Curl_safefree(conn->sasl_authzid);
   Curl_safefree(conn->options);
   Curl_safefree(conn->http_proxy.user);
   Curl_safefree(conn->socks_proxy.user);
@@ -3492,6 +3493,14 @@ static CURLcode create_conn(struct Curl_easy *data,
     }
   }
 
+  if(data->set.str[STRING_SASL_AUTHZID]) {
+    conn->sasl_authzid = strdup(data->set.str[STRING_SASL_AUTHZID]);
+    if(!conn->sasl_authzid) {
+      result = CURLE_OUT_OF_MEMORY;
+      goto out;
+    }
+  }
+
 #ifdef USE_UNIX_SOCKETS
   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
diff --git a/lib/urldata.h b/lib/urldata.h
index b9daf12de..b3b1263c6 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -875,7 +875,8 @@ struct connectdata {
   char *passwd;  /* password string, allocated */
   char *options; /* options string, allocated */
 
-  char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
+  char *oauth_bearer;     /* bearer token for OAuth 2.0, allocated */
+  char *sasl_authzid;     /* authorisation identity string, allocated */
 
   int httpversion;        /* the HTTP version*10 reported by the server */
   int rtspversion;        /* the RTSP version*10 reported by the server */
@@ -1498,6 +1499,7 @@ enum dupstring {
 #ifdef USE_ALTSVC
   STRING_ALTSVC,                /* CURLOPT_ALTSVC */
 #endif
+  STRING_SASL_AUTHZID,          /* CURLOPT_SASL_AUTHZID */
   /* -- end of zero-terminated strings -- */
 
   STRING_LASTZEROTERMINATED,
author	Steve Holme <steve_holme@hotmail.com>	2019-04-17 23:47:51 +0100
committer	Jay Satiro <raysatiro@yahoo.com>	2019-08-06 11:38:20 -0400
commit	7c469fa537397c3b8307c92aa723e3af6d941e95 (patch)
tree	b2c2629c47a6ca6d1a64b67696c1c35dec8497b3 /lib
parent	d3be2ca7ba02fac4f2a972cee41c9f818142fc6e (diff)