[exim-cvs] Swap gsasl GSSAPI $auth1/$auth2

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Swap gsasl GSSAPI $auth1/$auth2
Gitweb: http://git.exim.org/exim.git/commitdiff/df6303fac223cae633ac6054ea8d795f2e8bf7ee
Commit:     df6303fac223cae633ac6054ea8d795f2e8bf7ee
Parent:     304e34d8d41f861dca7952b6c27b9974047d749f
Author:     Phil Pennock <pdp@???>
AuthorDate: Sat Feb 18 08:14:29 2012 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Sat Feb 18 08:14:29 2012 -0500


    Swap gsasl GSSAPI $auth1/$auth2
---
 doc/doc-docbook/spec.xfpt  |    4 ++--
 doc/doc-txt/ChangeLog      |    3 +++
 src/src/auths/gsasl_exim.c |   18 ++++++++++++++----
 3 files changed, 19 insertions(+), 6 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index e8ac8f3..b1984b5 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24449,8 +24449,8 @@ ANONYMOUS: only &$auth1$& is set, to the possibly empty &'anonymous token'&;
the &%server_condition%& option must be present.
.next
.cindex "authentication" "GSSAPI"
-GSSAPI: &$auth1$& will be set to the &'authorization id'&,
-&$auth2$& will be set to the &'GSSAPI Display Name'&;
+GSSAPI: &$auth1$& will be set to the &'GSSAPI Display Name'&;
+&$auth2$& will be set to the &'authorization id'&,
the &%server_condition%& option must be present.
.endlist

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 75d5ccd..aa11372 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -22,6 +22,9 @@ PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option.
 PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
       `pkg-config foo` for cflags/libs.


+PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
+      with rest of GSASL and with heimdal_gssapi.
+


Exim version 4.77
-----------------
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index 3c8a250..d9a27ea 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -5,7 +5,9 @@
/* Copyright (c) University of Cambridge 1995 - 2012 */
/* See the file NOTICE for conditions of use and distribution. */

-/* Copyright (c) Twitter Inc 2012 */
+/* Copyright (c) Twitter Inc 2012
+ Author: Phil Pennock <pdp@???> */
+/* Copyright (c) Phil Pennock 2012 */

/* Interface to GNU SASL library for generic authentication. */

@@ -480,10 +482,18 @@ server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_insta
       break;


     case GSASL_VALIDATE_GSSAPI:
-      /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME */
-      propval = (uschar *) gsasl_property_get(sctx, GSASL_AUTHZID);
-      auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+      /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME
+      The display-name is authenticated as part of GSS, the authzid is claimed
+      by the SASL integration after authentication; protected against tampering
+      (if the SASL mechanism supports that, which Kerberos does) but is
+      unverified, same as normal for other mechanisms.
+
+      First coding, we had these values swapped, but for consistency and prior
+      to the first release of Exim with this authenticator, they've been
+      switched to match the ordering of GSASL_VALIDATE_SIMPLE. */
       propval = (uschar *) gsasl_property_get(sctx, GSASL_GSSAPI_DISPLAY_NAME);
+      auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+      propval = (uschar *) gsasl_property_get(sctx, GSASL_AUTHZID);
       auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
       expand_nmax = 2;
       for (i = 1; i <= 2; ++i)