authorPhil Pennock <pdp@exim.org>2012-03-21 01:38:57 -0700
committerPhil Pennock <pdp@exim.org>2012-03-21 01:38:57 -0700
commitc7955b11ec2f588b346b0bcdbd1e2fa1b55b1630 (patch)
tree0e8d52de0161e0fd7885dc061582ed220a8dfd7c
parentb98bb9ac90bfc9c812c4c660fe017284ee222686 (diff)
heimdal_gssapi: accept SASL with empty authzid
Seen with Apple Mail; accept it and set the authzid to a copy of the GSS display name.
-rw-r--r--doc/doc-docbook/spec.xfpt3
-rw-r--r--doc/doc-txt/ChangeLog2
-rw-r--r--src/src/auths/heimdal_gssapi.c25
3 files changed, 22 insertions, 8 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b45f0c51a..c13b8358d 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24558,7 +24558,8 @@ role suffix. For instance, &"joe/admin@EXAMPLE.ORG"&.
.next
.vindex "&$auth2$&"
&$auth2$&: the &'authorization id'&, sent within SASL encapsulation after
-authentication.
+authentication. If that was empty, this will also be set to the
+GSS Display Name.
.endlist
.wen
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 39b6107b7..1cd08bf70 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,8 @@ PP/08 cyrus_sasl server now expands the server_realm option.
PP/09 Bugzilla 1214 - Log authentication information in reject log.
Patch by Jeremy Harris.
+PP/10 Let heimdal_gssapi authenticator take a SASL message without an authzid.
+
Exim version 4.77
-----------------
diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c
index 9021509dd..e01789e31 100644
--- a/src/src/auths/heimdal_gssapi.c
+++ b/src/src/auths/heimdal_gssapi.c
@@ -412,10 +412,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
error_out = FAIL;
goto ERROR_OUT;
}
- if (gbufdesc_out.length < 5) {
+ if (gbufdesc_out.length < 4) {
HDEBUG(D_auth)
debug_printf("gssapi: final message too short; "
- "need flags, buf sizes and authzid\n");
+ "need flags, buf sizes and optional authzid\n");
error_out = FAIL;
goto ERROR_OUT;
}
@@ -434,14 +434,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
/* Identifiers:
The SASL provided identifier is an unverified authzid.
- GSSAPI provides us with a verified identifier.
+ GSSAPI provides us with a verified identifier, but it might be empty
+ for some clients.
*/
/* $auth2 is authzid requested at SASL layer */
- expand_nlength[2] = gbufdesc_out.length - 4;
- auth_vars[1] = expand_nstring[2] =
- string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
- expand_nmax = 2;
+ if (gbufdesc_out.length > 4) {
+ expand_nlength[2] = gbufdesc_out.length - 4;
+ auth_vars[1] = expand_nstring[2] =
+ string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+ expand_nmax = 2;
+ }
gss_release_buffer(&min_stat, &gbufdesc_out);
EmptyBuf(gbufdesc_out);
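Review bot: The rewritten comment on the new side attaches "might be empty for some clients" to the GSSAPI-verified identifier, but the identifier this commit allows to be empty is the SASL authzid (the commit title and the relaxed length check both say so); as written the comment inverts which of the two identities is the trusted one, which matters because $auth2 is the value a server_condition may authorize on. Suggested wording: `The SASL provided identifier is an unverified authzid, which some clients (e.g. Apple Mail) send empty. GSSAPI provides us with a verified identifier.` Note also that when the authzid is absent this branch writes nothing to expand_nstring[2], expand_nlength[2] or expand_nmax, so any later fallback has to infer "no authzid" from whatever those globals held before; an explicit `else { expand_nstring[2] = NULL; expand_nlength[2] = 0; }` would make that state unambiguous. auth_heimdal_gssapi_server continues on both sides of the hunk.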
@@ -464,6 +467,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
auth_vars[0] = expand_nstring[1] =
string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+ if (expand_nmax == 0) { /* should be: authzid was empty */
+ expand_nmax = 2;
+ expand_nlength[2] = expand_nlength[1];
+ auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+ HDEBUG(D_auth)
+ debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+ }
+
HDEBUG(D_auth)
debug_printf("heimdal SASL: happy with client request\n"
" auth1 (verified GSSAPI display-name): \"%s\"\n"