[exim-cvs] heimdal_gssapi: accept SASL with empty authzid

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] heimdal_gssapi: accept SASL with empty authzid
Gitweb: http://git.exim.org/exim.git/commitdiff/c7955b11ec2f588b346b0bcdbd1e2fa1b55b1630
Commit:     c7955b11ec2f588b346b0bcdbd1e2fa1b55b1630
Parent:     b98bb9ac90bfc9c812c4c660fe017284ee222686
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Mar 21 01:38:57 2012 -0700
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Mar 21 01:38:57 2012 -0700


    heimdal_gssapi: accept SASL with empty authzid


    Saw this happening with Apple Mail; accept it, dup the GSS Display Name
---
 doc/doc-docbook/spec.xfpt      |    3 ++-
 doc/doc-txt/ChangeLog          |    2 ++
 src/src/auths/heimdal_gssapi.c |   25 ++++++++++++++++++-------
 3 files changed, 22 insertions(+), 8 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b45f0c5..c13b835 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24558,7 +24558,8 @@ role suffix. For instance, &"joe/admin@???"&.
.next
.vindex "&$auth2$&"
&$auth2$&: the &'authorization id'&, sent within SASL encapsulation after
-authentication.
+authentication. If that was empty, this will also be set to the
+GSS Display Name.
.endlist

 .wen
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 39b6107..1cd08bf 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,8 @@ PP/08 cyrus_sasl server now expands the server_realm option.
 PP/09 Bugzilla 1214 - Log authentication information in reject log.
       Patch by Jeremy Harris.


+PP/10 Let heimdal_gssapi authenticator take a SASL message without an authzid.
+

 Exim version 4.77
 -----------------
diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c
index 9021509..e01789e 100644
--- a/src/src/auths/heimdal_gssapi.c
+++ b/src/src/auths/heimdal_gssapi.c
@@ -412,10 +412,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
           error_out = FAIL;
           goto ERROR_OUT;
         }
-        if (gbufdesc_out.length < 5) {
+        if (gbufdesc_out.length < 4) {
           HDEBUG(D_auth)
             debug_printf("gssapi: final message too short; "
-                "need flags, buf sizes and authzid\n");
+                "need flags, buf sizes and optional authzid\n");
           error_out = FAIL;
           goto ERROR_OUT;
         }
@@ -434,14 +434,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)


         /* Identifiers:
         The SASL provided identifier is an unverified authzid.
-        GSSAPI provides us with a verified identifier.
+        GSSAPI provides us with a verified identifier, but it might be empty
+        for some clients.
         */


         /* $auth2 is authzid requested at SASL layer */
-        expand_nlength[2] = gbufdesc_out.length - 4;
-        auth_vars[1] = expand_nstring[2] =
-          string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
-        expand_nmax = 2;
+        if (gbufdesc_out.length > 4) {
+          expand_nlength[2] = gbufdesc_out.length - 4;
+          auth_vars[1] = expand_nstring[2] =
+            string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+          expand_nmax = 2;
+        }


         gss_release_buffer(&min_stat, &gbufdesc_out);
         EmptyBuf(gbufdesc_out);
@@ -464,6 +467,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
         auth_vars[0] = expand_nstring[1] =
           string_copyn(gbufdesc_out.value, gbufdesc_out.length);


+        if (expand_nmax == 0) { /* should be: authzid was empty */
+          expand_nmax = 2;
+          expand_nlength[2] = expand_nlength[1];
+          auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+          HDEBUG(D_auth)
+            debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+        }
+
         HDEBUG(D_auth)
           debug_printf("heimdal SASL: happy with client request\n"
              "  auth1 (verified GSSAPI display-name): \"%s\"\n"