summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Holme <steve_holme@hotmail.com>2019-04-17 23:47:51 +0100
committerSteve Holme <steve_holme@hotmail.com>2019-05-22 22:55:05 +0100
commita14d72ca2fec5d4eb5a043936e4f7ce08015c177 (patch)
treead856028203028c20e1ba9c30bb3b74d64a7f41c
parent081d374f4949b7fabfa76a0fb14daa02d47b5050 (diff)
downloadcurl-a14d72ca2fec5d4eb5a043936e4f7ce08015c177.tar.gz
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixed #3653 Closes #3790
-rw-r--r--docs/libcurl/curl_easy_setopt.32
-rw-r--r--docs/libcurl/opts/CURLOPT_SASL_AUTHZID.364
-rw-r--r--docs/libcurl/opts/Makefile.inc1
-rw-r--r--docs/libcurl/symbols-in-versions1
-rw-r--r--include/curl/curl.h3
-rw-r--r--include/curl/typecheck-gcc.h1
-rw-r--r--lib/curl_sasl.c10
-rw-r--r--lib/setopt.c6
-rw-r--r--lib/url.c9
-rw-r--r--lib/urldata.h4
-rw-r--r--packages/OS400/curl.inc.in2
11 files changed, 98 insertions, 5 deletions
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 1f18a3494..a523364cd 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -256,6 +256,8 @@ TLS authentication methods. See \fICURLOPT_TLSAUTH_TYPE(3)\fP
Proxy TLS authentication methods. See \fICURLOPT_PROXY_TLSAUTH_TYPE(3)\fP
.IP CURLOPT_PROXYAUTH
HTTP proxy authentication methods. See \fICURLOPT_PROXYAUTH(3)\fP
+.IP CURLOPT_SASL_AUTHZID
+SASL authorisation identity (identity to act as). See \fICURLOPT_SASL_AUTHZID(3)\fP
.IP CURLOPT_SASL_IR
Enable SASL initial response. See \fICURLOPT_SASL_IR(3)\fP
.IP CURLOPT_XOAUTH2_BEARER
diff --git a/docs/libcurl/opts/CURLOPT_SASL_AUTHZID.3 b/docs/libcurl/opts/CURLOPT_SASL_AUTHZID.3
new file mode 100644
index 000000000..79b360b5e
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SASL_AUTHZID.3
@@ -0,0 +1,64 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_SASL_AUTHZID 3 "17 July 2019" "libcurl 7.66.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_SASL_AUTHZID \- authorisation identity (identity to act as)
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SASL_AUTHZID, char *authzid);
+.SH DESCRIPTION
+Pass a char * as parameter, which should be pointing to the zero terminated
+authorisation identity (authzid) for the transfer. Only applicable to the PLAIN
+SASL authentication mechanism where it is optional.
+
+When not specified only the authentication identity (authcid) as specified by
+the username will be sent to the server, along with the password. The server
+will derive a authzid from the authcid when not provided, which it will then
+uses internally.
+
+When the authzid is specified, the use of which is server dependent, it can be
+used to access another user's inbox, that the user has been granted access to,
+or a shared mailbox for example.
+.SH DEFAULT
+blank
+.SH PROTOCOLS
+IMAP, POP3 and SMTP
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "imap://example.com/");
+ curl_easy_setopt(curl, CURLOPT_USERNAME, "Kurt");
+ curl_easy_setopt(curl, CURLOPT_PASSWORD, "xipj3plmq");
+ curl_easy_setopt(curl, CURLOPT_SASL_AUTHZID, "Ursel");
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.66.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
+.SH "SEE ALSO"
+.BR CURLOPT_USERNAME "(3), " CURLOPT_PASSWORD "(3), ".BR CURLOPT_USERPWD "(3)"
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index c8e15a5ed..9a1016c3f 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -272,6 +272,7 @@ man_MANS = \
CURLOPT_RTSP_SESSION_ID.3 \
CURLOPT_RTSP_STREAM_URI.3 \
CURLOPT_RTSP_TRANSPORT.3 \
+ CURLOPT_SASL_AUTHZID.3 \
CURLOPT_SASL_IR.3 \
CURLOPT_SEEKDATA.3 \
CURLOPT_SEEKFUNCTION.3 \
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 715badf97..addbaf905 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -553,6 +553,7 @@ CURLOPT_RTSP_SERVER_CSEQ 7.20.0
CURLOPT_RTSP_SESSION_ID 7.20.0
CURLOPT_RTSP_STREAM_URI 7.20.0
CURLOPT_RTSP_TRANSPORT 7.20.0
+CURLOPT_SASL_AUTHZID 7.66.0
CURLOPT_SASL_IR 7.31.0
CURLOPT_SEEKDATA 7.18.0
CURLOPT_SEEKFUNCTION 7.18.0
diff --git a/include/curl/curl.h b/include/curl/curl.h
index d83b21798..0c86e945a 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1921,6 +1921,9 @@ typedef enum {
/* maximum age of a connection to consider it for reuse (in seconds) */
CINIT(MAXAGE_CONN, LONG, 288),
+ /* SASL authorisation identity */
+ CINIT(SASL_AUTHZID, STRINGPOINT, 289),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
index 2d1de4d43..8827058e9 100644
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -309,6 +309,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_off_t,
(option) == CURLOPT_RTSP_SESSION_ID || \
(option) == CURLOPT_RTSP_STREAM_URI || \
(option) == CURLOPT_RTSP_TRANSPORT || \
+ (option) == CURLOPT_SASL_AUTHZID || \
(option) == CURLOPT_SERVICE_NAME || \
(option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \
(option) == CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 || \
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 018e4228b..0aa1f5bb7 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -370,8 +370,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
sasl->authused = SASL_MECH_PLAIN;
if(force_ir || data->set.sasl_ir)
- result = Curl_auth_create_plain_message(data, NULL, conn->user,
- conn->passwd, &resp, &len);
+ result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
+ conn->user, conn->passwd,
+ &resp, &len);
}
else if(enabledmechs & SASL_MECH_LOGIN) {
mech = SASL_MECH_STRING_LOGIN;
@@ -453,8 +454,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
*progress = SASL_DONE;
return result;
case SASL_PLAIN:
- result = Curl_auth_create_plain_message(data, NULL, conn->user,
- conn->passwd, &resp, &len);
+ result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
+ conn->user, conn->passwd,
+ &resp, &len);
break;
case SASL_LOGIN:
result = Curl_auth_create_login_message(data, conn->user, &resp, &len);
diff --git a/lib/setopt.c b/lib/setopt.c
index 92cd5b271..ff68788e5 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2400,6 +2400,12 @@ static CURLcode vsetopt(struct Curl_easy *data, CURLoption option,
break;
#endif
+ case CURLOPT_SASL_AUTHZID:
+ /* Authorisation identity (identity to act as) */
+ result = Curl_setstropt(&data->set.str[STRING_SASL_AUTHZID],
+ va_arg(param, char *));
+ break;
+
case CURLOPT_SASL_IR:
/* Enable/disable SASL initial response */
data->set.sasl_ir = (0 != va_arg(param, long)) ? TRUE : FALSE;
diff --git a/lib/url.c b/lib/url.c
index 16d910b71..5b4b00eac 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -713,6 +713,7 @@ static void conn_free(struct connectdata *conn)
Curl_safefree(conn->user);
Curl_safefree(conn->passwd);
Curl_safefree(conn->oauth_bearer);
+ Curl_safefree(conn->sasl_authzid);
Curl_safefree(conn->options);
Curl_safefree(conn->http_proxy.user);
Curl_safefree(conn->socks_proxy.user);
@@ -3461,6 +3462,14 @@ static CURLcode create_conn(struct Curl_easy *data,
}
}
+ if(data->set.str[STRING_SASL_AUTHZID]) {
+ conn->sasl_authzid = strdup(data->set.str[STRING_SASL_AUTHZID]);
+ if(!conn->sasl_authzid) {
+ result = CURLE_OUT_OF_MEMORY;
+ goto out;
+ }
+ }
+
#ifdef USE_UNIX_SOCKETS
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
diff --git a/lib/urldata.h b/lib/urldata.h
index d759592d9..48b664063 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -870,7 +870,8 @@ struct connectdata {
char *passwd; /* password string, allocated */
char *options; /* options string, allocated */
- char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
+ char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
+ char *sasl_authzid; /* authorisation identity string, allocated */
int httpversion; /* the HTTP version*10 reported by the server */
int rtspversion; /* the RTSP version*10 reported by the server */
@@ -1492,6 +1493,7 @@ enum dupstring {
#ifdef USE_ALTSVC
STRING_ALTSVC, /* CURLOPT_ALTSVC */
#endif
+ STRING_SASL_AUTHZID, /* CURLOPT_SASL_AUTHZID */
/* -- end of zero-terminated strings -- */
STRING_LASTZEROTERMINATED,
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
index 8e36bac3b..61405bd13 100644
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -1418,6 +1418,8 @@
d c 10287
d CURLOPT_MAXAGE_CONN...
d c 00288
+ d CURLOPT_SASL_AUTHZID...
+ d c 10289
*
/if not defined(CURL_NO_OLDIES)
d CURLOPT_FILE c 10001