mirror of https://github.com/moparisthebest/curl
pop3: Added basic SASL XOAUTH2 support
Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for authentication using RFC6749 "OAuth 2.0 Authorization Framework". The bearer token is expected to be valid for the user specified in conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has an advertised auth mechanism of "XOAUTH2", the user and access token are formatted as a base64 encoded string and sent to the server as "AUTH XOAUTH2 <bearer token>".
This commit is contained in:
parent
0e188e2dc3
commit
18db743851
|
@ -13,7 +13,7 @@ This release includes the following changes:
|
||||||
o CURLM_ADDED_ALREADY: new error code
|
o CURLM_ADDED_ALREADY: new error code
|
||||||
o test TFTP server: support "writedelay" within <servercmd>
|
o test TFTP server: support "writedelay" within <servercmd>
|
||||||
o krb4 support has been removed
|
o krb4 support has been removed
|
||||||
o imap and smtp: added basic SASL XOAUTH2 support [9]
|
o imap/pop3/smtp: added basic SASL XOAUTH2 support [9]
|
||||||
o darwinssl: add support for PKCS#12 files for client authentication
|
o darwinssl: add support for PKCS#12 files for client authentication
|
||||||
o Pass password to OpenSSL engine by user interface [15]
|
o Pass password to OpenSSL engine by user interface [15]
|
||||||
|
|
||||||
|
|
|
@ -174,9 +174,9 @@ since it may require data to be sent twice and then the client must be able to
|
||||||
rewind. If the need should arise when uploading from stdin, the upload
|
rewind. If the need should arise when uploading from stdin, the upload
|
||||||
operation will fail.
|
operation will fail.
|
||||||
.IP "--bearer"
|
.IP "--bearer"
|
||||||
(IMAP/SMTP) Specify the Bearer Token for OAUTH 2.0 server authentication. The
|
(IMAP/POP3/SMTP) Specify the Bearer Token for OAUTH 2.0 server authentication.
|
||||||
Bearer Token is used in conjuction with the user name which can be specified
|
The Bearer Token is used in conjuction with the user name which can be
|
||||||
as part of the \fI--url\fP option or the \fI-u, --user\fP option.
|
specified as part of the \fI--url\fP or \fI-u, --user\fP options.
|
||||||
|
|
||||||
The Bearer Token and user name are formatted according to RFC 6750.
|
The Bearer Token and user name are formatted according to RFC 6750.
|
||||||
|
|
||||||
|
|
|
@ -1304,8 +1304,8 @@ as libcurl can determine the feature itself when the server supports the
|
||||||
SASL-IR CAPABILITY.
|
SASL-IR CAPABILITY.
|
||||||
.IP CURLOPT_BEARER
|
.IP CURLOPT_BEARER
|
||||||
Pass a char * as parameter, which should point to the zero terminated OAUTH
|
Pass a char * as parameter, which should point to the zero terminated OAUTH
|
||||||
2.0 Bearer Access Token for use with IMAP and SMTP servers that support the
|
2.0 Bearer Access Token for use with IMAP. POP3 and SMTP servers that support
|
||||||
OAUTH 2.0 Authorization Framework. (Added in 7.33.0)
|
the OAUTH 2.0 Authorization Framework. (Added in 7.33.0)
|
||||||
|
|
||||||
Note: The user name used to generate the Bearer Token should be supplied via
|
Note: The user name used to generate the Bearer Token should be supplied via
|
||||||
the \fICURLOPT_USERNAME\fP option.
|
the \fICURLOPT_USERNAME\fP option.
|
||||||
|
|
64
lib/pop3.c
64
lib/pop3.c
|
@ -28,6 +28,7 @@
|
||||||
* RFC4422 Simple Authentication and Security Layer (SASL)
|
* RFC4422 Simple Authentication and Security Layer (SASL)
|
||||||
* RFC4616 PLAIN authentication
|
* RFC4616 PLAIN authentication
|
||||||
* RFC5034 POP3 SASL Authentication Mechanism
|
* RFC5034 POP3 SASL Authentication Mechanism
|
||||||
|
* RFC6749 OAuth 2.0 Authorization Framework
|
||||||
*
|
*
|
||||||
***************************************************************************/
|
***************************************************************************/
|
||||||
|
|
||||||
|
@ -326,6 +327,8 @@ static bool pop3_endofresp(struct connectdata *conn, char *line, size_t len,
|
||||||
pop3c->authmechs |= SASL_MECH_EXTERNAL;
|
pop3c->authmechs |= SASL_MECH_EXTERNAL;
|
||||||
else if(wordlen == 4 && !memcmp(line, "NTLM", 4))
|
else if(wordlen == 4 && !memcmp(line, "NTLM", 4))
|
||||||
pop3c->authmechs |= SASL_MECH_NTLM;
|
pop3c->authmechs |= SASL_MECH_NTLM;
|
||||||
|
else if(wordlen == 7 && !memcmp(line, "XOAUTH2", 7))
|
||||||
|
pop3c->authmechs |= SASL_MECH_XOAUTH2;
|
||||||
|
|
||||||
line += wordlen;
|
line += wordlen;
|
||||||
len -= wordlen;
|
len -= wordlen;
|
||||||
|
@ -371,6 +374,7 @@ static void state(struct connectdata *conn, pop3state newstate)
|
||||||
"AUTH_DIGESTMD5_RESP",
|
"AUTH_DIGESTMD5_RESP",
|
||||||
"AUTH_NTLM",
|
"AUTH_NTLM",
|
||||||
"AUTH_NTLM_TYPE2MSG",
|
"AUTH_NTLM_TYPE2MSG",
|
||||||
|
"AUTH_XOAUTH2",
|
||||||
"AUTH_FINAL",
|
"AUTH_FINAL",
|
||||||
"APOP",
|
"APOP",
|
||||||
"USER",
|
"USER",
|
||||||
|
@ -599,7 +603,20 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
if((pop3c->authmechs & SASL_MECH_LOGIN) &&
|
if(((pop3c->authmechs & SASL_MECH_XOAUTH2) &&
|
||||||
|
(pop3c->prefmech & SASL_MECH_XOAUTH2) &&
|
||||||
|
(pop3c->prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
|
||||||
|
mech = "XOAUTH2";
|
||||||
|
state1 = POP3_AUTH_XOAUTH2;
|
||||||
|
state2 = POP3_AUTH_FINAL;
|
||||||
|
pop3c->authused = SASL_MECH_XOAUTH2;
|
||||||
|
|
||||||
|
if(data->set.sasl_ir)
|
||||||
|
result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
|
||||||
|
conn->xoauth2_bearer,
|
||||||
|
&initresp, &len);
|
||||||
|
}
|
||||||
|
else if((pop3c->authmechs & SASL_MECH_LOGIN) &&
|
||||||
(pop3c->prefmech & SASL_MECH_LOGIN)) {
|
(pop3c->prefmech & SASL_MECH_LOGIN)) {
|
||||||
mech = "LOGIN";
|
mech = "LOGIN";
|
||||||
state1 = POP3_AUTH_LOGIN;
|
state1 = POP3_AUTH_LOGIN;
|
||||||
|
@ -1110,6 +1127,43 @@ static CURLcode pop3_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* For AUTH XOAUTH2 (without initial response) responses */
|
||||||
|
static CURLcode pop3_state_auth_xoauth2_resp(struct connectdata *conn,
|
||||||
|
int pop3code, pop3state instate)
|
||||||
|
{
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
struct SessionHandle *data = conn->data;
|
||||||
|
size_t len = 0;
|
||||||
|
char *xoauth = NULL;
|
||||||
|
|
||||||
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
|
if(pop3code != '+') {
|
||||||
|
failf(data, "Access denied: %d", pop3code);
|
||||||
|
result = CURLE_LOGIN_DENIED;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
/* Create the authorisation message */
|
||||||
|
result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
|
||||||
|
conn->xoauth2_bearer,
|
||||||
|
&xoauth, &len);
|
||||||
|
|
||||||
|
/* Send the message */
|
||||||
|
if(!result) {
|
||||||
|
if(xoauth) {
|
||||||
|
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", xoauth);
|
||||||
|
|
||||||
|
if(!result)
|
||||||
|
state(conn, POP3_AUTH_FINAL);
|
||||||
|
}
|
||||||
|
|
||||||
|
Curl_safefree(xoauth);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
/* For final responses to the AUTH sequence */
|
/* For final responses to the AUTH sequence */
|
||||||
static CURLcode pop3_state_auth_final_resp(struct connectdata *conn,
|
static CURLcode pop3_state_auth_final_resp(struct connectdata *conn,
|
||||||
int pop3code,
|
int pop3code,
|
||||||
|
@ -1328,6 +1382,10 @@ static CURLcode pop3_statemach_act(struct connectdata *conn)
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
case POP3_AUTH_XOAUTH2:
|
||||||
|
result = pop3_state_auth_xoauth2_resp(conn, pop3code, pop3c->state);
|
||||||
|
break;
|
||||||
|
|
||||||
case POP3_AUTH_FINAL:
|
case POP3_AUTH_FINAL:
|
||||||
result = pop3_state_auth_final_resp(conn, pop3code, pop3c->state);
|
result = pop3_state_auth_final_resp(conn, pop3code, pop3c->state);
|
||||||
break;
|
break;
|
||||||
|
@ -1754,6 +1812,10 @@ static CURLcode pop3_parse_url_options(struct connectdata *conn)
|
||||||
pop3c->preftype = POP3_TYPE_SASL;
|
pop3c->preftype = POP3_TYPE_SASL;
|
||||||
pop3c->prefmech = SASL_MECH_NTLM;
|
pop3c->prefmech = SASL_MECH_NTLM;
|
||||||
}
|
}
|
||||||
|
else if(strequal(value, "XOAUTH2")) {
|
||||||
|
pop3c->preftype = POP3_TYPE_SASL;
|
||||||
|
pop3c->prefmech = SASL_MECH_XOAUTH2;
|
||||||
|
}
|
||||||
else {
|
else {
|
||||||
pop3c->preftype = POP3_TYPE_NONE;
|
pop3c->preftype = POP3_TYPE_NONE;
|
||||||
pop3c->prefmech = SASL_AUTH_NONE;
|
pop3c->prefmech = SASL_AUTH_NONE;
|
||||||
|
|
|
@ -43,6 +43,7 @@ typedef enum {
|
||||||
POP3_AUTH_DIGESTMD5_RESP,
|
POP3_AUTH_DIGESTMD5_RESP,
|
||||||
POP3_AUTH_NTLM,
|
POP3_AUTH_NTLM,
|
||||||
POP3_AUTH_NTLM_TYPE2MSG,
|
POP3_AUTH_NTLM_TYPE2MSG,
|
||||||
|
POP3_AUTH_XOAUTH2,
|
||||||
POP3_AUTH_FINAL,
|
POP3_AUTH_FINAL,
|
||||||
POP3_APOP,
|
POP3_APOP,
|
||||||
POP3_USER,
|
POP3_USER,
|
||||||
|
|
|
@ -47,7 +47,7 @@ static const char *const helptext[] = {
|
||||||
" --anyauth Pick \"any\" authentication method (H)",
|
" --anyauth Pick \"any\" authentication method (H)",
|
||||||
" -a, --append Append to target file when uploading (F/SFTP)",
|
" -a, --append Append to target file when uploading (F/SFTP)",
|
||||||
" --basic Use HTTP Basic Authentication (H)",
|
" --basic Use HTTP Basic Authentication (H)",
|
||||||
" --bearer BEARER XOAUTH2 Bearer Token (IMAP and SMTP)",
|
" --bearer BEARER XOAUTH2 Bearer Token (IMAP, POP3, SMTP)",
|
||||||
" --cacert FILE CA certificate to verify peer against (SSL)",
|
" --cacert FILE CA certificate to verify peer against (SSL)",
|
||||||
" --capath DIR CA directory to verify peer against (SSL)",
|
" --capath DIR CA directory to verify peer against (SSL)",
|
||||||
" -E, --cert CERT[:PASSWD] Client certificate file and password (SSL)",
|
" -E, --cert CERT[:PASSWD] Client certificate file and password (SSL)",
|
||||||
|
|
Loading…
Reference in New Issue