[exim-cvs] First pass heimdal_gssapi authenticator.

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] First pass heimdal_gssapi authenticator.
Gitweb: http://git.exim.org/exim.git/commitdiff/dde3daac46f9cc3b35993e1c9a931b53645f1c1d
Commit:     dde3daac46f9cc3b35993e1c9a931b53645f1c1d
Parent:     c1e794ba50d0d5a73529412929228ae5c5d09073
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Feb 15 08:09:57 2012 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Feb 15 08:09:57 2012 -0500


    First pass heimdal_gssapi authenticator.


    Not yet working, failing to set keytab.


    Also: support (AUTH|LOOKUP)_*_PC=foo to use `pkg-config foo` for cflags/libs.
---
 src/scripts/Configure-Makefile |   47 ++++
 src/scripts/Configure-config.h |    3 +-
 src/scripts/MakeLinks          |    2 +
 src/scripts/lookups-Makefile   |   15 +-
 src/src/auths/Makefile         |    3 +-
 src/src/auths/heimdal_gssapi.c |  575 ++++++++++++++++++++++++++++++++++++++++
 src/src/auths/heimdal_gssapi.h |   38 +++
 src/src/config.h.defaults      |    1 +
 src/src/drtables.c             |   18 ++
 src/src/exim.c                 |    3 +
 10 files changed, 699 insertions(+), 6 deletions(-)


diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 8a4362a..24ba108 100755
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -111,6 +111,52 @@ do   if test -r ../$f
      fi
 done >> $mft || exit 1


+# handle pkg-config
+# beware portability of extended regexps with sed.
+
+egrep "^[$st]*(AUTH|LOOKUP)_[A-Z0-9_]*[$st]*=[$st]*" $mft | \
+  sed "s/[$st]*=/='/" | \
+  sed "s/\$/'/" > $mftt
+if test -s $mftt
+then
+  (
+  echo "# pkg-config fixups"
+  . ./$mftt
+  for var in `cut -d = -f 1 < $mftt`; do
+    case $var in
+      *_PC)
+        eval "pc_value=\"\$$var\""
+        base=`echo $var | sed 's/_PC$//'`
+        eval "basevalue=\"\$$base\""
+        if [ ".$basevalue" = "." ]; then
+          # not pulling in this module, _PC defined as default? Ignore
+          true
+        elif [ $basevalue = 2 ]; then
+          # module; handled in scripts/lookups-Makefile
+          true
+        else
+          # main binary
+          cflags=`pkg-config --cflags $pc_value`
+          libs=`pkg-config --libs $pc_value`
+          if [ "$var" != "${var#LOOKUP_}" ]; then
+            echo "LOOKUP_INCLUDE += $cflags"
+            echo "LOOKUP_LIBS += $libs"
+          elif [ "$var" != "${var#AUTH_}" ]; then
+            echo "CFLAGS += $cflags"
+            echo "AUTH_LIBS += $libs"
+          else
+            echo >&2 "Don't know how to handle pkg-config for $var"
+          fi
+        fi
+        ;;
+    esac
+  done
+  echo "# End of pkg-config fixups"
+  echo
+  ) >> $mft
+fi
+rm -f $mftt
+
 # make the lookups Makefile with the definitions


 ## prepend stuff here; eg: grep LOOKUP_ $mft > $look_mft
@@ -184,4 +230,5 @@ else    echo " "
         exit 1;
 fi


+# vim: set ft=sh :
 # End of Configure-Makefile
diff --git a/src/scripts/Configure-config.h b/src/scripts/Configure-config.h
index c235239..75d366f 100755
--- a/src/scripts/Configure-config.h
+++ b/src/scripts/Configure-config.h
@@ -34,7 +34,7 @@ $MAKE buildconfig || exit 1
 st='     '


(sed -n \
- "/\\\$/d;s/#.*\$//;s/^[$st]*\\([A-Z][^:$st]*\\)[$st]*=[$st]*\\([^$st]*\\)[$st]*\$/\\1=\\2 export \\1/p" \
+ "/\\\$/d;s/#.*\$//;s/^[$st]*\\([A-Z][^:!+$st]*\\)[$st]*=[$st]*\\([^$st]*\\)[$st]*\$/\\1=\\2 export \\1/p" \
< Makefile ; echo "./buildconfig") | /bin/sh

# If buildconfig ends with an error code, it will have output an error
@@ -56,4 +56,5 @@ fi
echo ">>> config.h built"
echo ""

+# vim: set ft=sh :
 # End of Configure-config.h
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index f7d0003..166a25f 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -127,6 +127,8 @@ ln -s ../../src/auths/gsasl_exim.c       gsasl_exim.c
 ln -s ../../src/auths/gsasl_exim.h       gsasl_exim.h
 ln -s ../../src/auths/get_data.c         get_data.c
 ln -s ../../src/auths/get_no64_data.c    get_no64_data.c
+ln -s ../../src/auths/heimdal_gssapi.c   heimdal_gssapi.c
+ln -s ../../src/auths/heimdal_gssapi.h   heimdal_gssapi.h
 ln -s ../../src/auths/md5.c              md5.c
 ln -s ../../src/auths/xtextencode.c      xtextencode.c
 ln -s ../../src/auths/xtextdecode.c      xtextdecode.c
diff --git a/src/scripts/lookups-Makefile b/src/scripts/lookups-Makefile
index cd0a51b..14c1525 100755
--- a/src/scripts/lookups-Makefile
+++ b/src/scripts/lookups-Makefile
@@ -84,7 +84,7 @@ OBJ=""


 emit_module_rule() {
   local lookup_name="$1"
-  local mod_name
+  local mod_name pkgconf
   if [ "${lookup_name%:*}" = "$lookup_name" ]
   then
     mod_name=$(echo $lookup_name | tr A-Z a-z)
@@ -100,9 +100,16 @@ emit_module_rule() {
       exit 1
     fi
     MODS="${MODS} ${mod_name}.so"
-    grep "^LOOKUP_${lookup_name}_" "$defs_source"
-    echo "LOOKUP_${mod_name}_INCLUDE = \$(LOOKUP_${lookup_name}_INCLUDE)"
-    echo "LOOKUP_${mod_name}_LIBS = \$(LOOKUP_${lookup_name}_LIBS)"
+    pkgconf=$(grep "^LOOKUP_${lookup_name}_PC" "$defs_source")
+    if [ $? -eq 0 ]; then
+      pkgconf=$(echo $pkgconf | sed 's/^.*= *//')
+      echo "LOOKUP_${mod_name}_INCLUDE = $(pkg-config --cflags $pkgconf)"
+      echo "LOOKUP_${mod_name}_LIBS = $(pkg-config --libs $pkgconf)"
+    else
+      grep "^LOOKUP_${lookup_name}_" "$defs_source"
+      echo "LOOKUP_${mod_name}_INCLUDE = \$(LOOKUP_${lookup_name}_INCLUDE)"
+      echo "LOOKUP_${mod_name}_LIBS = \$(LOOKUP_${lookup_name}_LIBS)"
+    fi
   elif want_at_all "$lookup_name"
   then
     OBJ="${OBJ} ${mod_name}.o"
diff --git a/src/src/auths/Makefile b/src/src/auths/Makefile
index 1354c8c..c6ef218 100644
--- a/src/src/auths/Makefile
+++ b/src/src/auths/Makefile
@@ -7,7 +7,7 @@


 OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \
       call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
-      get_data.o get_no64_data.o gsasl_exim.o \
+      get_data.o get_no64_data.o gsasl_exim.o heimdal_gssapi.o \
       md5.o plaintext.o pwcheck.o sha1.o \
       spa.o xtextdecode.o xtextencode.o


@@ -40,6 +40,7 @@ cram_md5.o:         $(HDRS) cram_md5.c cram_md5.h
 cyrus_sasl.o:       $(HDRS) cyrus_sasl.c cyrus_sasl.h
 dovecot.o:          $(HDRS) dovecot.c dovecot.h
 gsasl_exim.o:       $(HDRS) gsasl_exim.c gsasl_exim.h
+heimdal_gssapi.o:   $(HDRS) heimdal_gssapi.c heimdal_gssapi.h
 plaintext.o:        $(HDRS) plaintext.c plaintext.h
 spa.o:              $(HDRS) spa.c spa.h


diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c
new file mode 100644
index 0000000..ef00274
--- /dev/null
+++ b/src/src/auths/heimdal_gssapi.c
@@ -0,0 +1,575 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) Twitter Inc 2012
+   Author: Phil Pennock <pdp@???> */
+
+/* Interface to Heimdal SASL library for GSSAPI authentication. */
+
+/* Naming and rationale
+
+Sensibly, this integration would be deferred to a SASL library, but none
+of them appear to offer keytab file selection interfaces in their APIs.  It
+might be that this driver only requires minor modification to work with MIT
+Kerberos.
+
+Heimdal provides a number of interfaces for various forms of authentication.
+As GS2 does not appear to provide keytab control interfaces either, we may
+end up supporting that too.  It's possible that we could trivially expand to
+support NTLM support via Heimdal, etc.  Rather than try to be too generic
+immediately, this driver is directly only supporting GSSAPI.
+
+Without rename, we could add an option for GS2 support in the future.
+*/
+
+/* Sources
+
+* mailcheck-imap (Perl, client-side, written by me years ago)
+* gsasl driver (GPL, server-side)
+* heimdal sources and man-pages, plus http://www.h5l.org/manual/
+* FreeBSD man-pages (very informative!)
+* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
+  semantics, that found by browsing Heimdal source to find how to set the keytab
+
+*/
+
+#include "../exim.h"
+
+#ifndef AUTH_HEIMDAL_GSSAPI
+/* dummy function to satisfy compilers when we link in an "empty" file. */
+static void dummy(int x) { dummy(x-1); }
+#else
+
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+
+/* for the _init debugging */
+#include <krb5.h>
+
+/* Because __gss_krb5_register_acceptor_identity_x_oid_desc is internal */
+#include <roken.h>
+
+#include "heimdal_gssapi.h"
+
+/* Authenticator-specific options. */
+optionlist auth_heimdal_gssapi_options[] = {
+  { "server_hostname",      opt_stringptr,
+      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
+  { "server_keytab",        opt_stringptr,
+      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
+  { "server_realm",         opt_stringptr,
+      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) },
+  { "server_service",       opt_stringptr,
+      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
+};
+
+int auth_heimdal_gssapi_options_count =
+  sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
+
+/* Defaults for the authenticator-specific options. */
+auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
+  US"$primary_hostname",    /* server_hostname */
+  NULL,                     /* server_keytab */
+  NULL,                     /* server_realm */
+  US"smtp",                 /* server_service */
+};
+
+/* "Globals" for managing the heimdal_gssapi interface. */
+
+/* hack around unavailable __gss_krb5_register_acceptor_identity_x_oid_desc
+OID: 1.2.752.43.13.5
+from heimdal lib/gssapi/krb5/external.c */
+gss_OID_desc exim_register_keytab_OID = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
+
+/* Utility functions */
+static void
+  exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
+static int
+  exim_gssapi_error_defer(uschar *, OM_uint32, OM_uint32, const char *, ...)
+    PRINTF_FUNCTION(4, 5);
+
+#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+/* Heimdal provides a GSSAPI extension method (via an OID) for setting the
+keytab; in the init, we mostly just use raw krb5 methods so that we can report
+the keytab contents, for -D+auth debugging. */
+
+void
+auth_heimdal_gssapi_init(auth_instance *ablock)
+{
+  krb5_context context;
+  krb5_keytab keytab;
+  krb5_kt_cursor cursor;
+  krb5_keytab_entry entry;
+  krb5_error_code krc;
+  char *principal, *enctype_s;
+  const char *k_keytab_typed_name = NULL;
+  auth_heimdal_gssapi_options_block *ob =
+    (auth_heimdal_gssapi_options_block *)(ablock->options_block);
+
+  ablock->server = FALSE;
+  ablock->client = FALSE;
+
+  if (!ob->server_service || !*ob->server_service) {
+    HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
+    return;
+  }
+
+  krc = krb5_init_context(&context);
+  if (krc != 0) {
+    int kerr = errno;
+    HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
+        strerror(kerr));
+    return;
+  }
+
+  if (ob->server_keytab) {
+    k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
+    HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
+    krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
+    if (krc) {
+      HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
+      return;
+    }
+  } else {
+    HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
+    krc = krb5_kt_default(context, &keytab);
+    if (krc) {
+      HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
+      return;
+    }
+  }
+
+  HDEBUG(D_auth) {
+    /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
+    krc = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if (krc)
+      exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
+    else {
+      while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+        principal = enctype_s = NULL;
+        krb5_unparse_name(context, entry.principal, &principal);
+        krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
+        debug_printf("heimdal: keytab principal: %s  vno=%d  type=%s\n",
+            principal ? principal : "??",
+            entry.vno,
+            enctype_s ? enctype_s : "??");
+        free(principal);
+        free(enctype_s);
+        krb5_kt_free_entry(context, &entry);
+      }
+      krc = krb5_kt_end_seq_get(context, keytab, &cursor);
+      if (krc)
+        exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
+    }
+  }
+
+  krc = krb5_kt_close(context, keytab);
+  if (krc)
+    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
+
+  krb5_free_context(context);
+
+  /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
+  if (big_buffer_size < (64 * 1024)) {
+    uschar *newbuf;
+    big_buffer_size = 64 * 1024;
+    newbuf = store_malloc(big_buffer_size);
+    store_free(big_buffer);
+    big_buffer = newbuf;
+  }
+
+  ablock->server = TRUE;
+}
+
+
+static void
+exim_heimdal_error_debug(const char *label,
+    krb5_context context, krb5_error_code err)
+{
+  const char *kerrsc;
+  kerrsc = krb5_get_error_message(context, err);
+  debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
+  krb5_free_error_message(context, kerrsc);
+}
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+/* GSSAPI notes:
+OM_uint32: portable type for unsigned int32
+gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
+  -- all strings/etc passed in should go through one of these
+  -- when allocated by gssapi, release with gss_release_buffer()
+*/
+
+int
+auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
+{
+  gss_name_t gclient = GSS_C_NO_NAME;
+  gss_name_t gserver = GSS_C_NO_NAME;
+  gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
+  gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
+  uschar *ex_server_str;
+  gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
+  gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
+  gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
+  gss_OID mech_type;
+  OM_uint32 maj_stat, min_stat;
+  int step, error_out, i;
+  uschar *tmp1, *tmp2, *from_client;
+  auth_heimdal_gssapi_options_block *ob =
+    (auth_heimdal_gssapi_options_block *)(ablock->options_block);
+  BOOL handled_empty_ir;
+  uschar *store_reset_point;
+  uschar sasl_config[4];
+  uschar requested_qop;
+
+  store_reset_point = store_get(0);
+
+  HDEBUG(D_auth)
+    debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
+
+  /* Construct our gss_name_t gserver describing ourselves */
+  tmp1 = expand_string(ob->server_service);
+  tmp2 = expand_string(ob->server_hostname);
+  ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
+  gbufdesc.value = (void *) ex_server_str;
+  gbufdesc.length = Ustrlen(ex_server_str);
+  maj_stat = gss_import_name(&min_stat,
+      &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
+  if (GSS_ERROR(maj_stat))
+    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
+        "gss_import_name(%s)", CS gbufdesc.value);
+
+  /* Use a specific keytab, if specified */
+  if (ob->server_keytab) {
+    gbufdesc.value = (void *) string_sprintf("file:%s", expand_string(ob->server_keytab));
+    gbufdesc.length = strlen(CS gbufdesc.value);
+    maj_stat = gss_set_sec_context_option(&min_stat,
+        &gcontext,                  /* create new security context */
+        &exim_register_keytab_OID,  /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X */
+        &gbufdesc);
+    if (GSS_ERROR(maj_stat))
+      return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
+          "registering keytab \"%s\"", CS gbufdesc.value);
+  }
+
+  /* Acquire our credentials */
+  maj_stat = gss_acquire_cred(&min_stat,
+      gserver,             /* desired name */
+      0,                   /* time */
+      GSS_C_NULL_OID_SET,  /* desired mechs */
+      GSS_C_ACCEPT,        /* cred usage */
+      &gcred,              /* handle */
+      NULL                 /* actual mechs */,
+      NULL                 /* time rec */);
+  if (GSS_ERROR(maj_stat))
+    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
+        "gss_acquire_cred(%s)", ex_server_str);
+
+  maj_stat = gss_release_name(&min_stat, &gserver);
+
+  /* Loop talking to client */
+  step = 0;
+  from_client = initial_data;
+  handled_empty_ir = FALSE;
+  error_out = OK;
+
+  /* buffer sizes: auth_get_data() uses big_buffer, which we grow per
+  GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
+  (big_buffer starts life at the MUST size of 16KB). */
+
+  /* step values
+  0: getting initial data from client to feed into GSSAPI
+  1: iterating for as long as GSS_S_CONTINUE_NEEDED
+  2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
+  3: unpick final auth message from client
+  4: break/finish (non-step)
+  */
+  while (step < 4) {
+    switch (step) {
+      case 0:
+        if (!from_client || *from_client == '\0') {
+          if (handled_empty_ir) {
+            HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
+            error_out = BAD64;
+            goto ERROR_OUT;
+          } else {
+            HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
+            error_out = auth_get_data(&from_client, US"", 0);
+            if (error_out != OK)
+              goto ERROR_OUT;
+            continue;
+          }
+        }
+        /* We should now have the opening data from the client, base64-encoded. */
+        step += 1;
+        break;
+
+      case 1:
+        gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
+        if (gclient) {
+          maj_stat = gss_release_name(&min_stat, &gclient);
+          gclient = GSS_C_NO_NAME;
+        }
+        maj_stat = gss_accept_sec_context(&min_stat,
+            &gcontext,          /* context handle */
+            gcred,              /* acceptor cred handle */
+            &gbufdesc_in,       /* input from client */
+            GSS_C_NO_CHANNEL_BINDINGS,  /* XXX fixme: use the channel bindings from GnuTLS */
+            &gclient,           /* client identifier */
+            &mech_type,         /* mechanism in use */
+            &gbufdesc_out,      /* output to send to client */
+            NULL,               /* return flags */
+            NULL,               /* time rec */
+            NULL                /* delegated cred_handle */
+            );
+        if (GSS_ERROR(maj_stat)) {
+          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+              "gss_accept_sec_context()");
+          error_out = FAIL;
+          goto ERROR_OUT;
+        }
+        if (&gbufdesc_out.length != 0) {
+          error_out = auth_get_data(&from_client,
+              gbufdesc_out.value, gbufdesc_out.length);
+          if (error_out != OK)
+            goto ERROR_OUT;
+
+          gss_release_buffer(&min_stat, &gbufdesc_out);
+          EmptyBuf(gbufdesc_out);
+        }
+        if (maj_stat == GSS_S_COMPLETE)
+          step += 1;
+        break;
+
+      case 2:
+        memset(sasl_config, 0xFF, 4);
+        /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
+        0x01 No security layer
+        0x02 Integrity protection
+        0x04 Confidentiality protection
+
+        The remaining three octets are the maximum buffer size for wrappe
+        content. */
+        sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
+        gbufdesc.value = (void *) sasl_config;
+        gbufdesc.length = 4;
+        maj_stat = gss_wrap(&min_stat,
+            gcontext,
+            0,                    /* conf_req_flag: integrity only */
+            GSS_C_QOP_DEFAULT,    /* qop requested */
+            &gbufdesc,            /* message to protect */
+            NULL,                 /* conf_state: no confidentiality applied */
+            &gbufdesc_out         /* output buffer */
+            );
+        if (GSS_ERROR(maj_stat)) {
+          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+              "gss_wrap(SASL state after auth)");
+          error_out = FAIL;
+          goto ERROR_OUT;
+        }
+        error_out = auth_get_data(&from_client,
+            gbufdesc_out.value, gbufdesc_out.length);
+        if (error_out != OK)
+          goto ERROR_OUT;
+
+        gss_release_buffer(&min_stat, &gbufdesc_out);
+        EmptyBuf(gbufdesc_out);
+        step += 1;
+        break;
+
+      case 3:
+        gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
+        maj_stat = gss_unwrap(&min_stat,
+            gcontext,
+            &gbufdesc_in,       /* data from client */
+            &gbufdesc_out,      /* results */
+            NULL,               /* conf state */
+            NULL                /* qop state */
+            );
+        if (GSS_ERROR(maj_stat)) {
+          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+              "gss_unwrap(final SASL message from client)");
+          error_out = FAIL;
+          goto ERROR_OUT;
+        }
+        if (gbufdesc_out.length < 5) {
+          HDEBUG(D_auth)
+            debug_printf("gssapi: final message too short; "
+                "need flags, buf sizes and authzid\n");
+          error_out = FAIL;
+          goto ERROR_OUT;
+        }
+
+        requested_qop = (CS gbufdesc_out.value)[0];
+        if ((requested_qop & 0x01) == 0) {
+          HDEBUG(D_auth)
+            debug_printf("gssapi: client requested security layers (%x)\n",
+                (unsigned int) requested_qop);
+          error_out = FAIL;
+          goto ERROR_OUT;
+        }
+
+        for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
+        expand_nmax = 0;
+
+        /* Identifiers:
+        The SASL provided identifier is an unverified authzid.
+        GSSAPI provides us with a verified identifier.
+        */
+
+        /* $auth2 is authzid requested at SASL layer */
+        expand_nlength[2] = gbufdesc_out.length - 4;
+        auth_vars[1] = expand_nstring[2] =
+          string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+        expand_nmax = 2;
+
+        gss_release_buffer(&min_stat, &gbufdesc_out);
+        EmptyBuf(gbufdesc_out);
+
+        /* $auth1 is GSSAPI display name */
+        maj_stat = gss_display_name(&min_stat,
+            gclient,
+            &gbufdesc_out,
+            &mech_type);
+        if (GSS_ERROR(maj_stat)) {
+          auth_vars[1] = expand_nstring[2] = NULL;
+          expand_nmax = 0;
+          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+              "gss_display_name(client identifier)");
+          error_out = FAIL;
+          goto ERROR_OUT;
+        }
+
+        expand_nlength[1] = gbufdesc_out.length;
+        auth_vars[0] = expand_nstring[1] =
+          string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+
+        step += 1;
+        break;
+
+    } /* switch */
+  } /* while step */
+
+
+ERROR_OUT:
+  maj_stat = gss_release_cred(&min_stat, &gcred);
+  if (gclient) {
+    gss_release_name(&min_stat, &gclient);
+    gclient = GSS_C_NO_NAME;
+  }
+  if (gbufdesc_out.length) {
+    gss_release_buffer(&min_stat, &gbufdesc_out);
+    EmptyBuf(gbufdesc_out);
+  }
+  if (gcontext != GSS_C_NO_CONTEXT) {
+    gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
+  }
+
+  store_reset(store_reset_point);
+
+  if (error_out != OK)
+    return error_out;
+
+  /* Auth succeeded, check server_condition */
+  return auth_check_serv_cond(ablock);
+}
+
+
+static int
+exim_gssapi_error_defer(uschar *store_reset_point,
+    OM_uint32 major, OM_uint32 minor,
+    const char *format, ...)
+{
+  va_list ap;
+  uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
+  OM_uint32 maj_stat, min_stat;
+  OM_uint32 msgcontext = 0;
+  gss_buffer_desc status_string;
+
+  va_start(ap, format);
+  if (!string_vformat(buffer, sizeof(buffer), format, ap))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+        "exim_gssapi_error_defer expansion larger than %d",
+        sizeof(buffer));
+  va_end(ap);
+
+  auth_defer_msg = NULL;
+
+  do {
+    maj_stat = gss_display_status(&min_stat,
+        major, GSS_C_GSS_CODE, GSS_C_NO_OID,
+        &msgcontext, &status_string);
+
+    if (auth_defer_msg == NULL) {
+      auth_defer_msg = string_copy(US status_string.value);
+    }
+
+    HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
+        buffer, (int)status_string.length, CS status_string.value);
+    gss_release_buffer(&min_stat, &status_string);
+
+  } while (msgcontext != 0);
+
+  if (store_reset_point)
+    store_reset(store_reset_point);
+  return DEFER;
+}
+
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_heimdal_gssapi_client(
+  auth_instance *ablock,                 /* authenticator block */
+  smtp_inblock *inblock,                 /* connection inblock */
+  smtp_outblock *outblock,               /* connection outblock */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* buffer for reading response */
+  int buffsize)                          /* size of buffer */
+{
+  HDEBUG(D_auth)
+    debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
+  /* NOT IMPLEMENTED */
+  return FAIL;
+}
+
+/*************************************************
+*                Diagnostic API                  *
+*************************************************/
+
+void
+auth_heimdal_gssapi_version_report(FILE *f)
+{
+  /* No build-time constants available unless we link against libraries at
+  build-time and export the result as a string into a header ourselves. */
+  fprintf(f, "Library version: Heimdal: Runtime: %s\n"
+             " Build Info: %s\n",
+          heimdal_version, heimdal_long_version);
+}
+
+#endif  /* AUTH_HEIMDAL_GSSAPI */
+
+/* End of heimdal_gssapi.c */
diff --git a/src/src/auths/heimdal_gssapi.h b/src/src/auths/heimdal_gssapi.h
new file mode 100644
index 0000000..b9e8a4e
--- /dev/null
+++ b/src/src/auths/heimdal_gssapi.h
@@ -0,0 +1,38 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) Twitter Inc 2012 */
+
+/* Interface to Heimdal library for GSSAPI authentication. */
+
+/* Authenticator-specific options. */
+
+typedef struct {
+  uschar *server_hostname;
+  uschar *server_keytab;
+  uschar *server_realm;
+  uschar *server_service;
+} auth_heimdal_gssapi_options_block;
+
+/* Data for reading the authenticator-specific options. */
+
+extern optionlist auth_heimdal_gssapi_options[];
+extern int auth_heimdal_gssapi_options_count;
+
+/* Defaults for the authenticator-specific options. */
+
+extern auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_heimdal_gssapi_init(auth_instance *);
+extern int auth_heimdal_gssapi_server(auth_instance *, uschar *);
+extern int auth_heimdal_gssapi_client(auth_instance *, smtp_inblock *,
+                                smtp_outblock *, int, uschar *, int);
+extern void auth_heimdal_gssapi_version_report(FILE *f);
+
+/* End of heimdal_gssapi.h */
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index c562ee9..f3e3d88 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -21,6 +21,7 @@ it's a default value. */
 #define AUTH_CYRUS_SASL
 #define AUTH_DOVECOT
 #define AUTH_GSASL
+#define AUTH_HEIMDAL_GSSAPI
 #define AUTH_PLAINTEXT
 #define AUTH_SPA


diff --git a/src/src/drtables.c b/src/src/drtables.c
index 6e42ef9..c87e9c2 100644
--- a/src/src/drtables.c
+++ b/src/src/drtables.c
@@ -41,6 +41,10 @@ set to NULL for those that are not compiled into the binary. */
#include "auths/gsasl_exim.h"
#endif

+#ifdef AUTH_HEIMDAL_GSSAPI
+#include "auths/heimdal_gssapi.h"
+#endif
+
#ifdef AUTH_PLAINTEXT
#include "auths/plaintext.h"
#endif
@@ -109,6 +113,20 @@ auth_info auths_available[] = {
},
#endif

+#ifdef AUTH_HEIMDAL_GSSAPI
+  {
+  US"heimdal_gssapi",                         /* lookup name */
+  auth_heimdal_gssapi_options,
+  &auth_heimdal_gssapi_options_count,
+  &auth_heimdal_gssapi_option_defaults,
+  sizeof(auth_heimdal_gssapi_options_block),
+  auth_heimdal_gssapi_init,                   /* init function */
+  auth_heimdal_gssapi_server,                 /* server function */
+  NULL,                                       /* client function */
+  auth_heimdal_gssapi_version_report          /* diagnostic function */
+  },
+#endif
+
 #ifdef AUTH_PLAINTEXT
   {
   US"plaintext",                             /* lookup name */
diff --git a/src/src/exim.c b/src/src/exim.c
index b4ea01d..4a690a7 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -872,6 +872,9 @@ fprintf(f, "Authenticators:");
 #ifdef AUTH_GSASL
   fprintf(f, " gsasl");
 #endif
+#ifdef AUTH_HEIMDAL_GSSAPI
+  fprintf(f, " heimdal_gssapi");
+#endif
 #ifdef AUTH_PLAINTEXT
   fprintf(f, " plaintext");
 #endif