heimdal_gssapi: accept SASL with empty authzid

Saw this happening with Apple Mail; accept it, dup the GSS Display Name

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b45f0c51a093792783eddd600c014d2bca41dbe8..c13b8358dca04891a84a73591b13434da0eb8c71 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24558,7 +24558,8 @@ role suffix.  For instance, &"joe/admin@EXAMPLE.ORG"&.
 .next
 .vindex "&$auth2$&"
 &$auth2$&: the &'authorization id'&, sent within SASL encapsulation after
-authentication.
+authentication.  If that was empty, this will also be set to the
+GSS Display Name.
 .endlist
 
 .wen

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 39b6107b7fa861435f57b7ec0e065a09d9b61ff4..1cd08bf707cbcc4a4f052a425d5770780c50a814 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,8 @@ PP/08 cyrus_sasl server now expands the server_realm option.
 PP/09 Bugzilla 1214 - Log authentication information in reject log.
       Patch by Jeremy Harris.
 
+PP/10 Let heimdal_gssapi authenticator take a SASL message without an authzid.
+
 
 Exim version 4.77
 -----------------

diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c
index 9021509dd9f6650249b2b358c000f1c02e693ab8..e01789e31e49b67179006e53270178c60dc3a298 100644 (file)
--- a/src/src/auths/heimdal_gssapi.c
+++ b/src/src/auths/heimdal_gssapi.c
@@ -412,10 +412,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
           error_out = FAIL;
           goto ERROR_OUT;
         }
-        if (gbufdesc_out.length < 5) {
+        if (gbufdesc_out.length < 4) {
           HDEBUG(D_auth)
             debug_printf("gssapi: final message too short; "
-                "need flags, buf sizes and authzid\n");
+                "need flags, buf sizes and optional authzid\n");
           error_out = FAIL;
           goto ERROR_OUT;
         }
@@ -434,14 +434,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 
         /* Identifiers:
         The SASL provided identifier is an unverified authzid.
-        GSSAPI provides us with a verified identifier.
+        GSSAPI provides us with a verified identifier, but it might be empty
+        for some clients.
         */
 
         /* $auth2 is authzid requested at SASL layer */
-        expand_nlength[2] = gbufdesc_out.length - 4;
-        auth_vars[1] = expand_nstring[2] =
-          string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
-        expand_nmax = 2;
+        if (gbufdesc_out.length > 4) {
+          expand_nlength[2] = gbufdesc_out.length - 4;
+          auth_vars[1] = expand_nstring[2] =
+            string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+          expand_nmax = 2;
+        }
 
         gss_release_buffer(&min_stat, &gbufdesc_out);
         EmptyBuf(gbufdesc_out);
@@ -464,6 +467,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
         auth_vars[0] = expand_nstring[1] =
           string_copyn(gbufdesc_out.value, gbufdesc_out.length);
 
+        if (expand_nmax == 0) { /* should be: authzid was empty */
+          expand_nmax = 2;
+          expand_nlength[2] = expand_nlength[1];
+          auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+          HDEBUG(D_auth)
+            debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+        }
+
         HDEBUG(D_auth)
           debug_printf("heimdal SASL: happy with client request\n"
              "  auth1 (verified GSSAPI display-name): \"%s\"\n"