Merge branch 'dbmjz'
authorPhil Pennock <pdp@exim.org>
Wed, 21 Mar 2012 08:45:59 +0000 (01:45 -0700)
committerPhil Pennock <pdp@exim.org>
Wed, 21 Mar 2012 08:45:59 +0000 (01:45 -0700)
doc/doc-docbook/spec.xfpt
doc/doc-txt/ChangeLog
src/src/auths/heimdal_gssapi.c

index 04eafc0dc5fc4c3abcde3dc915e56d1c1c557df8..ed9b0d71014bf579dfe7fe9897046096b37dd95c 100644 (file)
@@ -24599,7 +24599,8 @@ role suffix.  For instance, &"joe/admin@EXAMPLE.ORG"&.
 .next
 .vindex "&$auth2$&"
 &$auth2$&: the &'authorization id'&, sent within SASL encapsulation after
-authentication.
+authentication.  If that was empty, this will also be set to the
+GSS Display Name.
 .endlist
 
 .wen
index 9aca72920d63abd36f69f84b3feff514ed0fabd5..f24e1a8f9a2d613abf3195baf76f239ba9d86c13 100644 (file)
@@ -39,6 +39,8 @@ PP/09 Bugzilla 1214 - Log authentication information in reject log.
 
 PP/10 Added dbmjz lookup type.
 
+PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid.
+
 
 Exim version 4.77
 -----------------
index 9021509dd9f6650249b2b358c000f1c02e693ab8..e01789e31e49b67179006e53270178c60dc3a298 100644 (file)
@@ -412,10 +412,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
           error_out = FAIL;
           goto ERROR_OUT;
         }
-        if (gbufdesc_out.length < 5) {
+        if (gbufdesc_out.length < 4) {
           HDEBUG(D_auth)
             debug_printf("gssapi: final message too short; "
-                "need flags, buf sizes and authzid\n");
+                "need flags, buf sizes and optional authzid\n");
           error_out = FAIL;
           goto ERROR_OUT;
         }
@@ -434,14 +434,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 
         /* Identifiers:
         The SASL provided identifier is an unverified authzid.
-        GSSAPI provides us with a verified identifier.
+        GSSAPI provides us with a verified identifier, but it might be empty
+        for some clients.
         */
 
         /* $auth2 is authzid requested at SASL layer */
-        expand_nlength[2] = gbufdesc_out.length - 4;
-        auth_vars[1] = expand_nstring[2] =
-          string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
-        expand_nmax = 2;
+        if (gbufdesc_out.length > 4) {
+          expand_nlength[2] = gbufdesc_out.length - 4;
+          auth_vars[1] = expand_nstring[2] =
+            string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+          expand_nmax = 2;
+        }
 
         gss_release_buffer(&min_stat, &gbufdesc_out);
         EmptyBuf(gbufdesc_out);
@@ -464,6 +467,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
         auth_vars[0] = expand_nstring[1] =
           string_copyn(gbufdesc_out.value, gbufdesc_out.length);
 
+        if (expand_nmax == 0) { /* should be: authzid was empty */
+          expand_nmax = 2;
+          expand_nlength[2] = expand_nlength[1];
+          auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+          HDEBUG(D_auth)
+            debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+        }
+
         HDEBUG(D_auth)
           debug_printf("heimdal SASL: happy with client request\n"
              "  auth1 (verified GSSAPI display-name): \"%s\"\n"