From 4b0a67b55cec24f99d4842fe8ac980327beed0cb Mon Sep 17 00:00:00 2001
From: Andrew Clemons <andrew.clemons@gmail.com>
Date: Wed, 2 Aug 2017 21:22:53 +1200
Subject: [PATCH] Add support for XOAUTH2 auth
I have thus far only tested this with gmail and using node-xoauth2 for
generating the tokens.
Emailrelay still requires a client auth configuration file with four
values. The id value here can be anything since it is ignored.
I am using:
client XOAUTH2 ignored <generated token>
---
src/gauth/gsaslclient.h | 5 +++++
src/gauth/gsaslclient_native.cpp | 32 +++++++++++++++++++++++++++++++-
src/gsmtp/gclientprotocol.cpp | 18 ++++++++++++++++--
3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/src/gauth/gsaslclient.h b/src/gauth/gsaslclient.h
index ea12e05..d74b56d 100644
--- a/src/gauth/gsaslclient.h
+++ b/src/gauth/gsaslclient.h
@@ -67,6 +67,11 @@ class GAuth::SaslClient
///< Returns true if the constructor's secrets object
///< is valid.
+ std::string initial_response( const std::string & mechanism ,
+ bool & done , bool & error , bool & sensitive ) const ;
+ ///< Returns an initial_response for authentication.
+ ///< Returns various boolean flags by reference.
+
std::string response( const std::string & mechanism , const std::string & challenge ,
bool & done , bool & error , bool & sensitive ) const ;
///< Returns a response to the given challenge.
diff --git a/src/gauth/gsaslclient_native.cpp b/src/gauth/gsaslclient_native.cpp
index d0bded2..924772a 100644
--- a/src/gauth/gsaslclient_native.cpp
+++ b/src/gauth/gsaslclient_native.cpp
@@ -101,6 +101,33 @@ bool GAuth::SaslClient::active() const
return m_imp->m_secrets.valid() ;
}
+std::string GAuth::SaslClient::initial_response( const std::string & mechanism , bool & done ,
+ bool & error , bool & sensitive ) const
+{
+ done = false ;
+ error = false ;
+ sensitive = false ;
+
+ std::string auth("AUTH") ;
+ std::string sep(" ") ;
+
+ std::string rsp ;
+ if( mechanism == "XOAUTH2" )
+ {
+ std::string secret = m_imp->m_secrets.secret(mechanism) ;
+ rsp = auth + sep + mechanism + sep + secret ;
+ error = secret.empty() ;
+ done = true ;
+ sensitive = true ;
+ }
+ else
+ {
+ rsp = auth + sep + mechanism ;
+ }
+
+ return rsp ;
+}
+
std::string GAuth::SaslClient::response( const std::string & mechanism , const std::string & challenge ,
bool & done , bool & error , bool & sensitive ) const
{
@@ -175,6 +202,7 @@ std::string GAuth::SaslClient::preferred( const G::Strings & mechanism_list ) co
const std::string login( "LOGIN" ) ;
const std::string plain( "PLAIN" ) ;
+ const std::string xoauth2( "XOAUTH2" ) ;
const std::string cram( "CRAM-MD5" ) ;
// create a them set
@@ -186,15 +214,17 @@ std::string GAuth::SaslClient::preferred( const G::Strings & mechanism_list ) co
std::set<std::string> us ;
if( !m_imp->m_secrets.id(login).empty() ) us.insert(login) ;
if( !m_imp->m_secrets.id(plain).empty() ) us.insert(plain) ;
+ if( !m_imp->m_secrets.id(xoauth2).empty() ) us.insert(xoauth2) ;
if( !m_imp->m_secrets.id(cram).empty() ) us.insert(cram) ;
// get the intersection
std::set<std::string> both ;
std::set_intersection( them.begin() , them.end() , us.begin() , us.end() , std::inserter(both,both.end()) ) ;
- // preferred order: cram, plain, login
+ // preferred order: cram, xoauth2, plain, login
std::string m ;
if( m.empty() && both.find(cram) != both.end() ) m = cram ;
+ if( m.empty() && both.find(xoauth2) != both.end() ) m = xoauth2 ;
if( m.empty() && both.find(plain) != both.end() ) m = plain ;
if( m.empty() && both.find(login) != both.end() ) m = login ;
G_DEBUG( "GAuth::SaslClient::preferred: we prefer \"" << m << "\"" ) ;
diff --git a/src/gsmtp/gclientprotocol.cpp b/src/gsmtp/gclientprotocol.cpp
index 3ebc0c7..bbd8aca 100644
--- a/src/gsmtp/gclientprotocol.cpp
+++ b/src/gsmtp/gclientprotocol.cpp
@@ -303,8 +303,22 @@ bool GSmtp::ClientProtocol::applyEvent( const Reply & reply , bool is_start_even
}
else if( m_server_has_auth && m_sasl->active() )
{
- m_state = sAuth1 ;
- send( "AUTH " , m_auth_mechanism ) ;
+ bool done = true ;
+ bool error = false ;
+ bool sensitive = false ;
+ std::string rsp = m_sasl->initial_response( m_auth_mechanism ,
+ done , error , sensitive ) ;
+
+ if( error )
+ {
+ m_state = sAuth2 ;
+ send( "*" ) ; // ie. cancel authentication
+ }
+ else
+ {
+ m_state = done ? sAuth2 : sAuth1 ;
+ send( rsp , false , sensitive ) ;
+ }
}
else if( !m_server_has_auth && m_sasl->active() && m_must_authenticate )
{
|
