Add GS2 authorization to sasl-scram-rfc

* lisp/net/sasl-scram-rfc.el (sasl-scram-gs2-header-function,
sasl-scram-construct-gs2-header): Add new variable and default
function for determining a SCRAM GSS-API message header.  This is
mainly intended for other libraries rather than end users.
(sasl-scram-client-first-message): Use gs2-header function.
(sasl-scram--client-final-message): Use dedicated gs2-header function.
Also remove whitespace when base64-encoding, as per RFC 5802.
(Bug#57956.)

diff --git a/lisp/net/sasl-scram-rfc.el b/lisp/net/sasl-scram-rfc.el
index ee52ed6e071c41d46268d96c6797314638b984d2..f7a2e425412c8f2ab1aa8829818b2536a984714d 100644 (file)
--- a/lisp/net/sasl-scram-rfc.el
+++ b/lisp/net/sasl-scram-rfc.el
@@ -45,14 +45,21 @@
 
 ;;; Generic for SCRAM-*
 
+(defvar sasl-scram-gs2-header-function 'sasl-scram-construct-gs2-header
+  "Function to create GS2 header.
+See https://www.rfc-editor.org/rfc/rfc5801#section-4.")
+
+(defun sasl-scram-construct-gs2-header (client)
+  ;; The "n," means the client doesn't support channel binding, and
+  ;; the trailing comma is included as per RFC 5801.
+  (let ((authzid (sasl-client-property client 'authenticator-name)))
+    (concat "n," (and authzid "a=") authzid ",")))
+
 (defun sasl-scram-client-first-message (client _step)
   (let ((c-nonce (sasl-unique-id)))
     (sasl-client-set-property client 'c-nonce c-nonce))
   (concat
-   ;; n = client doesn't support channel binding
-   "n,"
-   ;; TODO: where would we get authorization id from?
-   ","
+   (funcall sasl-scram-gs2-header-function client)
    (sasl-scram--client-first-message-bare client)))
 
 (defun sasl-scram--client-first-message-bare (client)
@@ -77,11 +84,11 @@
 
         (c-nonce (sasl-client-property client 'c-nonce))
         ;; no channel binding, no authorization id
-        (cbind-input "n,,"))
+         (cbind-input (funcall sasl-scram-gs2-header-function client)))
     (unless (string-prefix-p c-nonce nonce)
       (sasl-error "Invalid nonce from server"))
     (let* ((client-final-message-without-proof
-           (concat "c=" (base64-encode-string cbind-input) ","
+            (concat "c=" (base64-encode-string cbind-input t) ","
                    "r=" nonce))
           (password
            ;; TODO: either apply saslprep or disallow non-ASCII characters
@@ -113,7 +120,7 @@
           (client-proof (funcall string-xor client-key client-signature))
           (client-final-message
            (concat client-final-message-without-proof ","
-                   "p=" (base64-encode-string client-proof))))
+                    "p=" (base64-encode-string client-proof t))))
       (sasl-client-set-property client 'auth-message auth-message)
       (sasl-client-set-property client 'salted-password salted-password)
       client-final-message)))