From c7955b11ec2f588b346b0bcdbd1e2fa1b55b1630 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Wed, 21 Mar 2012 01:38:57 -0700 Subject: [PATCH] heimdal_gssapi: accept SASL with empty authzid Saw this happening with Apple Mail; accept it, dup the GSS Display Name --- doc/doc-docbook/spec.xfpt | 3 ++- doc/doc-txt/ChangeLog | 2 ++ src/src/auths/heimdal_gssapi.c | 25 ++++++++++++++++++------- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b45f0c51a..c13b8358d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -24558,7 +24558,8 @@ role suffix. For instance, &"joe/admin@EXAMPLE.ORG"&. .next .vindex "&$auth2$&" &$auth2$&: the &'authorization id'&, sent within SASL encapsulation after -authentication. +authentication. If that was empty, this will also be set to the +GSS Display Name. .endlist .wen diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 39b6107b7..1cd08bf70 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -37,6 +37,8 @@ PP/08 cyrus_sasl server now expands the server_realm option. PP/09 Bugzilla 1214 - Log authentication information in reject log. Patch by Jeremy Harris. +PP/10 Let heimdal_gssapi authenticator take a SASL message without an authzid. + Exim version 4.77 ----------------- diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c index 9021509dd..e01789e31 100644 --- a/src/src/auths/heimdal_gssapi.c +++ b/src/src/auths/heimdal_gssapi.c @@ -412,10 +412,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) error_out = FAIL; goto ERROR_OUT; } - if (gbufdesc_out.length < 5) { + if (gbufdesc_out.length < 4) { HDEBUG(D_auth) debug_printf("gssapi: final message too short; " - "need flags, buf sizes and authzid\n"); + "need flags, buf sizes and optional authzid\n"); error_out = FAIL; goto ERROR_OUT; } @@ -434,14 +434,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) /* Identifiers: The SASL provided identifier is an unverified authzid. - GSSAPI provides us with a verified identifier. + GSSAPI provides us with a verified identifier, but it might be empty + for some clients. */ /* $auth2 is authzid requested at SASL layer */ - expand_nlength[2] = gbufdesc_out.length - 4; - auth_vars[1] = expand_nstring[2] = - string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]); - expand_nmax = 2; + if (gbufdesc_out.length > 4) { + expand_nlength[2] = gbufdesc_out.length - 4; + auth_vars[1] = expand_nstring[2] = + string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]); + expand_nmax = 2; + } gss_release_buffer(&min_stat, &gbufdesc_out); EmptyBuf(gbufdesc_out); @@ -464,6 +467,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) auth_vars[0] = expand_nstring[1] = string_copyn(gbufdesc_out.value, gbufdesc_out.length); + if (expand_nmax == 0) { /* should be: authzid was empty */ + expand_nmax = 2; + expand_nlength[2] = expand_nlength[1]; + auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]); + HDEBUG(D_auth) + debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n"); + } + HDEBUG(D_auth) debug_printf("heimdal SASL: happy with client request\n" " auth1 (verified GSSAPI display-name): \"%s\"\n" -- 2.30.2