From 7c469fa537397c3b8307c92aa723e3af6d941e95 Mon Sep 17 00:00:00 2001 From: Steve Holme Date: Wed, 17 Apr 2019 23:47:51 +0100 Subject: sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes https://github.com/curl/curl/pull/4186 --- lib/curl_sasl.c | 10 ++++++---- lib/setopt.c | 6 ++++++ lib/url.c | 9 +++++++++ lib/urldata.h | 4 +++- 4 files changed, 24 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 018e4228b..0aa1f5bb7 100644 --- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -370,8 +370,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn, sasl->authused = SASL_MECH_PLAIN; if(force_ir || data->set.sasl_ir) - result = Curl_auth_create_plain_message(data, NULL, conn->user, - conn->passwd, &resp, &len); + result = Curl_auth_create_plain_message(data, conn->sasl_authzid, + conn->user, conn->passwd, + &resp, &len); } else if(enabledmechs & SASL_MECH_LOGIN) { mech = SASL_MECH_STRING_LOGIN; @@ -453,8 +454,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn, *progress = SASL_DONE; return result; case SASL_PLAIN: - result = Curl_auth_create_plain_message(data, NULL, conn->user, - conn->passwd, &resp, &len); + result = Curl_auth_create_plain_message(data, conn->sasl_authzid, + conn->user, conn->passwd, + &resp, &len); break; case SASL_LOGIN: result = Curl_auth_create_login_message(data, conn->user, &resp, &len); diff --git a/lib/setopt.c b/lib/setopt.c index 64a6b010d..91251bd7b 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -2402,6 +2402,12 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; #endif + case CURLOPT_SASL_AUTHZID: + /* Authorisation identity (identity to act as) */ + result = Curl_setstropt(&data->set.str[STRING_SASL_AUTHZID], + va_arg(param, char *)); + break; + case CURLOPT_SASL_IR: /* Enable/disable SASL initial response */ data->set.sasl_ir = (0 != va_arg(param, long)) ? TRUE : FALSE; diff --git a/lib/url.c b/lib/url.c index 05fc0e50e..c61319b3b 100644 --- a/lib/url.c +++ b/lib/url.c @@ -715,6 +715,7 @@ static void conn_free(struct connectdata *conn) Curl_safefree(conn->user); Curl_safefree(conn->passwd); Curl_safefree(conn->oauth_bearer); + Curl_safefree(conn->sasl_authzid); Curl_safefree(conn->options); Curl_safefree(conn->http_proxy.user); Curl_safefree(conn->socks_proxy.user); @@ -3492,6 +3493,14 @@ static CURLcode create_conn(struct Curl_easy *data, } } + if(data->set.str[STRING_SASL_AUTHZID]) { + conn->sasl_authzid = strdup(data->set.str[STRING_SASL_AUTHZID]); + if(!conn->sasl_authzid) { + result = CURLE_OUT_OF_MEMORY; + goto out; + } + } + #ifdef USE_UNIX_SOCKETS if(data->set.str[STRING_UNIX_SOCKET_PATH]) { conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); diff --git a/lib/urldata.h b/lib/urldata.h index b9daf12de..b3b1263c6 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -875,7 +875,8 @@ struct connectdata { char *passwd; /* password string, allocated */ char *options; /* options string, allocated */ - char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */ + char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */ + char *sasl_authzid; /* authorisation identity string, allocated */ int httpversion; /* the HTTP version*10 reported by the server */ int rtspversion; /* the RTSP version*10 reported by the server */ @@ -1498,6 +1499,7 @@ enum dupstring { #ifdef USE_ALTSVC STRING_ALTSVC, /* CURLOPT_ALTSVC */ #endif + STRING_SASL_AUTHZID, /* CURLOPT_SASL_AUTHZID */ /* -- end of zero-terminated strings -- */ STRING_LASTZEROTERMINATED, -- cgit v1.2.3