pop3: Added basic SASL XOAUTH2 support (18db7438) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

RELEASE-NOTES

+1 −1

Original line number	Diff line number	Diff line
		@@ -13,7 +13,7 @@ This release includes the following changes:
		o CURLM_ADDED_ALREADY: new error code
		o test TFTP server: support "writedelay" within <servercmd>
		o krb4 support has been removed
		o imap and smtp: added basic SASL XOAUTH2 support [9]
		o imap/pop3/smtp: added basic SASL XOAUTH2 support [9]
		o darwinssl: add support for PKCS#12 files for client authentication
		o Pass password to OpenSSL engine by user interface [15]

docs/curl.1

+3 −3

Original line number	Diff line number	Diff line
		@@ -174,9 +174,9 @@ since it may require data to be sent twice and then the client must be able to
		rewind. If the need should arise when uploading from stdin, the upload
		operation will fail.
		.IP "--bearer"
		(IMAP/SMTP) Specify the Bearer Token for OAUTH 2.0 server authentication. The
		Bearer Token is used in conjuction with the user name which can be specified
		as part of the \fI--url\fP option or the \fI-u, --user\fP option.
		(IMAP/POP3/SMTP) Specify the Bearer Token for OAUTH 2.0 server authentication.
		The Bearer Token is used in conjuction with the user name which can be
		specified as part of the \fI--url\fP or \fI-u, --user\fP options.

		The Bearer Token and user name are formatted according to RFC 6750.

docs/libcurl/curl_easy_setopt.3

+2 −2

Original line number	Diff line number	Diff line
		@@ -1304,8 +1304,8 @@ as libcurl can determine the feature itself when the server supports the
		SASL-IR CAPABILITY.
		.IP CURLOPT_BEARER
		Pass a char * as parameter, which should point to the zero terminated OAUTH
		2.0 Bearer Access Token for use with IMAP and SMTP servers that support the
		OAUTH 2.0 Authorization Framework. (Added in 7.33.0)
		2.0 Bearer Access Token for use with IMAP. POP3 and SMTP servers that support
		the OAUTH 2.0 Authorization Framework. (Added in 7.33.0)

		Note: The user name used to generate the Bearer Token should be supplied via
		the \fICURLOPT_USERNAME\fP option.

lib/pop3.c

+63 −1

Original line number	Diff line number	Diff line
		@@ -28,6 +28,7 @@
		* RFC4422 Simple Authentication and Security Layer (SASL)
		* RFC4616 PLAIN authentication
		* RFC5034 POP3 SASL Authentication Mechanism
		* RFC6749 OAuth 2.0 Authorization Framework
		*
		***************************************************************************/

		@@ -326,6 +327,8 @@ static bool pop3_endofresp(struct connectdata conn, char line, size_t len,
		pop3c->authmechs \|= SASL_MECH_EXTERNAL;
		else if(wordlen == 4 && !memcmp(line, "NTLM", 4))
		pop3c->authmechs \|= SASL_MECH_NTLM;
		else if(wordlen == 7 && !memcmp(line, "XOAUTH2", 7))
		pop3c->authmechs \|= SASL_MECH_XOAUTH2;

		line += wordlen;
		len -= wordlen;
		@@ -371,6 +374,7 @@ static void state(struct connectdata *conn, pop3state newstate)
		"AUTH_DIGESTMD5_RESP",
		"AUTH_NTLM",
		"AUTH_NTLM_TYPE2MSG",
		"AUTH_XOAUTH2",
		"AUTH_FINAL",
		"APOP",
		"USER",
		@@ -599,7 +603,20 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
		}
		else
		#endif
		if((pop3c->authmechs & SASL_MECH_LOGIN) &&
		if(((pop3c->authmechs & SASL_MECH_XOAUTH2) &&
		(pop3c->prefmech & SASL_MECH_XOAUTH2) &&
		(pop3c->prefmech != SASL_AUTH_ANY)) \|\| conn->xoauth2_bearer) {
		mech = "XOAUTH2";
		state1 = POP3_AUTH_XOAUTH2;
		state2 = POP3_AUTH_FINAL;
		pop3c->authused = SASL_MECH_XOAUTH2;

		if(data->set.sasl_ir)
		result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
		conn->xoauth2_bearer,
		&initresp, &len);
		}
		else if((pop3c->authmechs & SASL_MECH_LOGIN) &&
		(pop3c->prefmech & SASL_MECH_LOGIN)) {
		mech = "LOGIN";
		state1 = POP3_AUTH_LOGIN;
		@@ -1110,6 +1127,43 @@ static CURLcode pop3_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
		}
		#endif

		/* For AUTH XOAUTH2 (without initial response) responses */
		static CURLcode pop3_state_auth_xoauth2_resp(struct connectdata *conn,
		int pop3code, pop3state instate)
		{
		CURLcode result = CURLE_OK;
		struct SessionHandle *data = conn->data;
		size_t len = 0;
		char *xoauth = NULL;

		(void)instate; /* no use for this yet */

		if(pop3code != '+') {
		failf(data, "Access denied: %d", pop3code);
		result = CURLE_LOGIN_DENIED;
		}
		else {
		/* Create the authorisation message */
		result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
		conn->xoauth2_bearer,
		&xoauth, &len);

		/* Send the message */
		if(!result) {
		if(xoauth) {
		result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", xoauth);

		if(!result)
		state(conn, POP3_AUTH_FINAL);
		}

		Curl_safefree(xoauth);
		}
		}

		return result;
		}

		/* For final responses to the AUTH sequence */
		static CURLcode pop3_state_auth_final_resp(struct connectdata *conn,
		int pop3code,
		@@ -1328,6 +1382,10 @@ static CURLcode pop3_statemach_act(struct connectdata *conn)
		break;
		#endif

		case POP3_AUTH_XOAUTH2:
		result = pop3_state_auth_xoauth2_resp(conn, pop3code, pop3c->state);
		break;

		case POP3_AUTH_FINAL:
		result = pop3_state_auth_final_resp(conn, pop3code, pop3c->state);
		break;
		@@ -1754,6 +1812,10 @@ static CURLcode pop3_parse_url_options(struct connectdata *conn)
		pop3c->preftype = POP3_TYPE_SASL;
		pop3c->prefmech = SASL_MECH_NTLM;
		}
		else if(strequal(value, "XOAUTH2")) {
		pop3c->preftype = POP3_TYPE_SASL;
		pop3c->prefmech = SASL_MECH_XOAUTH2;
		}
		else {
		pop3c->preftype = POP3_TYPE_NONE;
		pop3c->prefmech = SASL_AUTH_NONE;

lib/pop3.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -43,6 +43,7 @@ typedef enum {
		POP3_AUTH_DIGESTMD5_RESP,
		POP3_AUTH_NTLM,
		POP3_AUTH_NTLM_TYPE2MSG,
		POP3_AUTH_XOAUTH2,
		POP3_AUTH_FINAL,
		POP3_APOP,
		POP3_USER,