vauth/oauth2: Fix OAUTHBEARER token generation
OAUTHBEARER tokens were incorrectly generated in a format similar to XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the RFC7628. Fixes: #2487 Reported-by: Paolo Mossino Closes https://github.com/curl/curl/pull/3377
This commit is contained in:
Родитель
d110d96b98
Коммит
6227e2bd07
|
@ -357,10 +357,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
|||
sasl->authused = SASL_MECH_XOAUTH2;
|
||||
|
||||
if(force_ir || data->set.sasl_ir)
|
||||
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
||||
NULL, 0,
|
||||
conn->oauth_bearer,
|
||||
&resp, &len);
|
||||
result = Curl_auth_create_xoauth_bearer_message(data, conn->user,
|
||||
conn->oauth_bearer,
|
||||
&resp, &len);
|
||||
}
|
||||
else if(enabledmechs & SASL_MECH_PLAIN) {
|
||||
mech = SASL_MECH_STRING_PLAIN;
|
||||
|
@ -562,10 +561,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
|||
newstate = SASL_OAUTH2_RESP;
|
||||
}
|
||||
else
|
||||
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
||||
NULL, 0,
|
||||
conn->oauth_bearer,
|
||||
&resp, &len);
|
||||
result = Curl_auth_create_xoauth_bearer_message(data, conn->user,
|
||||
conn->oauth_bearer,
|
||||
&resp, &len);
|
||||
break;
|
||||
|
||||
case SASL_OAUTH2_RESP:
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
|
@ -46,8 +46,8 @@
|
|||
*
|
||||
* data[in] - The session handle.
|
||||
* user[in] - The user name.
|
||||
* host[in] - The host name(for OAUTHBEARER).
|
||||
* port[in] - The port(for OAUTHBEARER when not Port 80).
|
||||
* host[in] - The host name.
|
||||
* port[in] - The port(when not Port 80).
|
||||
* bearer[in] - The bearer token.
|
||||
* outptr[in / out] - The address where a pointer to newly allocated memory
|
||||
* holding the result will be stored upon completion.
|
||||
|
@ -66,13 +66,11 @@ CURLcode Curl_auth_create_oauth_bearer_message(struct Curl_easy *data,
|
|||
char *oauth = NULL;
|
||||
|
||||
/* Generate the message */
|
||||
if(host == NULL && (port == 0 || port == 80))
|
||||
oauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
|
||||
else if(port == 0 || port == 80)
|
||||
oauth = aprintf("user=%s\1host=%s\1auth=Bearer %s\1\1", user, host,
|
||||
if(port == 0 || port == 80)
|
||||
oauth = aprintf("n,a=%s,\1host=%s\1auth=Bearer %s\1\1", user, host,
|
||||
bearer);
|
||||
else
|
||||
oauth = aprintf("user=%s\1host=%s\1port=%ld\1auth=Bearer %s\1\1", user,
|
||||
oauth = aprintf("n,a=%s,\1host=%s\1port=%ld\1auth=Bearer %s\1\1", user,
|
||||
host, port, bearer);
|
||||
if(!oauth)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
@ -84,3 +82,40 @@ CURLcode Curl_auth_create_oauth_bearer_message(struct Curl_easy *data,
|
|||
|
||||
return result;
|
||||
}
|
||||
|
||||
/*
|
||||
* Curl_auth_create_xoauth_bearer_message()
|
||||
*
|
||||
* This is used to generate an already encoded XOAuth 2.0 message ready for
|
||||
* sending to the recipient.
|
||||
*
|
||||
* Parameters:
|
||||
*
|
||||
* data[in] - The session handle.
|
||||
* user[in] - The user name.
|
||||
* bearer[in] - The bearer token.
|
||||
* outptr[in / out] - The address where a pointer to newly allocated memory
|
||||
* holding the result will be stored upon completion.
|
||||
* outlen[out] - The length of the output message.
|
||||
*
|
||||
* Returns CURLE_OK on success.
|
||||
*/
|
||||
CURLcode Curl_auth_create_xoauth_bearer_message(struct Curl_easy *data,
|
||||
const char *user,
|
||||
const char *bearer,
|
||||
char **outptr, size_t *outlen)
|
||||
{
|
||||
CURLcode result = CURLE_OK;
|
||||
|
||||
/* Generate the message */
|
||||
char *xoauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
|
||||
if(!xoauth)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
/* Base64 encode the reply */
|
||||
result = Curl_base64_encode(data, xoauth, strlen(xoauth), outptr, outlen);
|
||||
|
||||
free(xoauth);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
|
|
@ -151,6 +151,13 @@ CURLcode Curl_auth_create_oauth_bearer_message(struct Curl_easy *data,
|
|||
const long port,
|
||||
const char *bearer,
|
||||
char **outptr, size_t *outlen);
|
||||
|
||||
/* This is used to generate a base64 encoded XOAuth 2.0 message */
|
||||
CURLcode Curl_auth_create_xoauth_bearer_message(struct Curl_easy *data,
|
||||
const char *user,
|
||||
const char *bearer,
|
||||
char **outptr, size_t *outlen);
|
||||
|
||||
#if defined(USE_KERBEROS5)
|
||||
/* This is used to evaluate if GSSAPI (Kerberos V5) is supported */
|
||||
bool Curl_auth_is_gssapi_supported(void);
|
||||
|
|
|
@ -15,7 +15,7 @@ RFC7628
|
|||
<servercmd>
|
||||
AUTH OAUTHBEARER
|
||||
REPLY AUTHENTICATE +
|
||||
REPLY dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== A002 OK AUTHENTICATE completed
|
||||
REPLY bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== A002 OK AUTHENTICATE completed
|
||||
</servercmd>
|
||||
<data>
|
||||
From: me@somewhere
|
||||
|
@ -53,7 +53,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<protocol>
|
||||
A001 CAPABILITY
|
||||
A002 AUTHENTICATE OAUTHBEARER
|
||||
dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
A003 SELECT 842
|
||||
A004 FETCH 1 BODY[]
|
||||
A005 LOGOUT
|
||||
|
|
|
@ -53,7 +53,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<verify>
|
||||
<protocol>
|
||||
A001 CAPABILITY
|
||||
A002 AUTHENTICATE OAUTHBEARER dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
A002 AUTHENTICATE OAUTHBEARER bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
A003 SELECT 843
|
||||
A004 FETCH 1 BODY[]
|
||||
A005 LOGOUT
|
||||
|
|
|
@ -15,7 +15,8 @@ RFC7628
|
|||
<servercmd>
|
||||
AUTH OAUTHBEARER
|
||||
REPLY AUTHENTICATE +
|
||||
REPLY dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== + eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJleGFtcGxlX3Njb3BlIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2V4YW1wbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0=
|
||||
REPLY bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== +
|
||||
eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJleGFtcGxlX3Njb3BlIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2V4YW1wbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0=
|
||||
REPLY AQ== A002 NO Authentication failed
|
||||
</servercmd>
|
||||
</reply>
|
||||
|
@ -52,7 +53,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<protocol>
|
||||
A001 CAPABILITY
|
||||
A002 AUTHENTICATE OAUTHBEARER
|
||||
dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AQ==
|
||||
</protocol>
|
||||
</verify>
|
||||
|
|
|
@ -52,7 +52,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
# transfer and such a connection will not get a "LOGOUT"
|
||||
<protocol>
|
||||
A001 CAPABILITY
|
||||
A002 AUTHENTICATE OAUTHBEARER dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
A002 AUTHENTICATE OAUTHBEARER bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMwFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AQ==
|
||||
</protocol>
|
||||
</verify>
|
||||
|
|
|
@ -17,7 +17,7 @@ RFC7628
|
|||
<servercmd>
|
||||
AUTH OAUTHBEARER
|
||||
REPLY AUTH +
|
||||
REPLY dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== +OK Login successful
|
||||
REPLY bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== +OK Login successful
|
||||
</servercmd>
|
||||
<data>
|
||||
From: me@somewhere
|
||||
|
@ -55,7 +55,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<protocol>
|
||||
CAPA
|
||||
AUTH OAUTHBEARER
|
||||
dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
RETR 887
|
||||
QUIT
|
||||
</protocol>
|
||||
|
|
|
@ -54,7 +54,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<verify>
|
||||
<protocol>
|
||||
CAPA
|
||||
AUTH OAUTHBEARER dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AUTH OAUTHBEARER bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
RETR 888
|
||||
QUIT
|
||||
</protocol>
|
||||
|
|
|
@ -17,7 +17,7 @@ RFC7628
|
|||
<servercmd>
|
||||
AUTH OAUTHBEARER
|
||||
REPLY AUTH +
|
||||
REPLY dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== + eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJleGFtcGxlX3Njb3BlIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2V4YW1wbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0
|
||||
REPLY bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== + eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJleGFtcGxlX3Njb3BlIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2V4YW1wbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0
|
||||
REPLY AQ== -ERR Authentication failed
|
||||
</servercmd>
|
||||
</reply>
|
||||
|
@ -54,7 +54,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<protocol>
|
||||
CAPA
|
||||
AUTH OAUTHBEARER
|
||||
dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AQ==
|
||||
</protocol>
|
||||
</verify>
|
||||
|
|
|
@ -53,7 +53,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
# transfer and such a connection will not get a "QUIT"
|
||||
<protocol>
|
||||
CAPA
|
||||
AUTH OAUTHBEARER dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AUTH OAUTHBEARER bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwMQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AQ==
|
||||
</protocol>
|
||||
</verify>
|
||||
|
|
|
@ -16,7 +16,7 @@ RFC7628
|
|||
<servercmd>
|
||||
AUTH OAUTHBEARER
|
||||
REPLY AUTH 334 OAUTHBEARER supported
|
||||
REPLY dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== 235 Authenticated
|
||||
REPLY bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== 235 Authenticated
|
||||
</servercmd>
|
||||
</reply>
|
||||
|
||||
|
@ -48,7 +48,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<protocol>
|
||||
EHLO 946
|
||||
AUTH OAUTHBEARER
|
||||
dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
MAIL FROM:<sender@example.com>
|
||||
RCPT TO:<recipient@example.com>
|
||||
DATA
|
||||
|
|
|
@ -47,7 +47,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<verify>
|
||||
<protocol>
|
||||
EHLO 947
|
||||
AUTH OAUTHBEARER dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AUTH OAUTHBEARER bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
MAIL FROM:<sender@example.com>
|
||||
RCPT TO:<recipient@example.com>
|
||||
DATA
|
||||
|
|
|
@ -16,7 +16,7 @@ RFC7628
|
|||
<servercmd>
|
||||
AUTH OAUTHBEARER
|
||||
REPLY AUTH 334 OAUTHBEARER supported
|
||||
REPLY dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== 334 eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJleGFtcGxlX3Njb3BlIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2V4YW1wbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0
|
||||
REPLY bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ== 334 eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJleGFtcGxlX3Njb3BlIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2V4YW1wbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0
|
||||
REPLY AQ== 535 Username and Password not accepted. Learn more at\r\n535 http://support.example.com/mail/oauth
|
||||
</servercmd>
|
||||
</reply>
|
||||
|
@ -56,7 +56,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
<protocol>
|
||||
EHLO 948
|
||||
AUTH OAUTHBEARER
|
||||
dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AQ==
|
||||
</protocol>
|
||||
</verify>
|
||||
|
|
|
@ -55,7 +55,7 @@ perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP'
|
|||
# transfer and such a connection will not get a "QUIT"
|
||||
<protocol>
|
||||
EHLO 949
|
||||
AUTH OAUTHBEARER dXNlcj11c2VyAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AUTH OAUTHBEARER bixhPXVzZXIsAWhvc3Q9MTI3LjAuMC4xAXBvcnQ9OTAwNQFhdXRoPUJlYXJlciBtRl85LkI1Zi00LjFKcU0BAQ==
|
||||
AQ==
|
||||
</protocol>
|
||||
</verify>
|
||||
|
|
Загрузка…
Ссылка в новой задаче