diff options
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 4 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
| -rw-r--r-- | src/src/auths/gsasl_exim.c | 18 |
3 files changed, 19 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index e8ac8f360..b1984b5cb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -24449,8 +24449,8 @@ ANONYMOUS: only &$auth1$& is set, to the possibly empty &'anonymous token'&; the &%server_condition%& option must be present. .next .cindex "authentication" "GSSAPI" -GSSAPI: &$auth1$& will be set to the &'authorization id'&, -&$auth2$& will be set to the &'GSSAPI Display Name'&; +GSSAPI: &$auth1$& will be set to the &'GSSAPI Display Name'&; +&$auth2$& will be set to the &'authorization id'&, the &%server_condition%& option must be present. .endlist diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 75d5ccd74..aa11372cb 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -22,6 +22,9 @@ PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option. PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use `pkg-config foo` for cflags/libs. +PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent + with rest of GSASL and with heimdal_gssapi. + Exim version 4.77 ----------------- diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c index 3c8a25017..d9a27ea5f 100644 --- a/src/src/auths/gsasl_exim.c +++ b/src/src/auths/gsasl_exim.c @@ -5,7 +5,9 @@ /* Copyright (c) University of Cambridge 1995 - 2012 */ /* See the file NOTICE for conditions of use and distribution. */ -/* Copyright (c) Twitter Inc 2012 */ +/* Copyright (c) Twitter Inc 2012 + Author: Phil Pennock <pdp@exim.org> */ +/* Copyright (c) Phil Pennock 2012 */ /* Interface to GNU SASL library for generic authentication. */ @@ -480,10 +482,18 @@ server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_insta break; case GSASL_VALIDATE_GSSAPI: - /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME */ - propval = (uschar *) gsasl_property_get(sctx, GSASL_AUTHZID); - auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME + The display-name is authenticated as part of GSS, the authzid is claimed + by the SASL integration after authentication; protected against tampering + (if the SASL mechanism supports that, which Kerberos does) but is + unverified, same as normal for other mechanisms. + + First coding, we had these values swapped, but for consistency and prior + to the first release of Exim with this authenticator, they've been + switched to match the ordering of GSASL_VALIDATE_SIMPLE. */ propval = (uschar *) gsasl_property_get(sctx, GSASL_GSSAPI_DISPLAY_NAME); + auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + propval = (uschar *) gsasl_property_get(sctx, GSASL_AUTHZID); auth_vars[1] = expand_nstring[2] = propval ? propval : US""; expand_nmax = 2; for (i = 1; i <= 2; ++i) |