* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */
/* Copyright (c) Twitter Inc 2012
Author: Phil Pennock <pdp@exim.org> */
+/* Copyright (c) Phil Pennock 2012 */
-/* Interface to Heimdal SASL library for GSSAPI authentication. */
+/* Interface to Heimdal library for GSSAPI authentication. */
/* Naming and rationale
* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
- semantics, that found by browsing Heimdal source to find how to set the keytab
-
+ semantics, that found by browsing Heimdal source to find how to set the keytab; however,
+ after multiple attempts I failed to get that to work and instead switched to
+ gsskrb5_register_acceptor_identity().
*/
#include "../exim.h"
#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
-static void dummy(int x) { dummy(x-1); }
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
#else
#include <gssapi/gssapi.h>
/* for the _init debugging */
#include <krb5.h>
-/* Because __gss_krb5_register_acceptor_identity_x_oid_desc is internal */
-#include <roken.h>
-
#include "heimdal_gssapi.h"
/* Authenticator-specific options. */
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
{ "server_keytab", opt_stringptr,
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
- { "server_realm", opt_stringptr,
- (void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) },
{ "server_service", opt_stringptr,
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
};
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
US"$primary_hostname", /* server_hostname */
NULL, /* server_keytab */
- NULL, /* server_realm */
US"smtp", /* server_service */
};
/* "Globals" for managing the heimdal_gssapi interface. */
-/* hack around unavailable __gss_krb5_register_acceptor_identity_x_oid_desc
-OID: 1.2.752.43.13.5
-from heimdal lib/gssapi/krb5/external.c */
-gss_OID_desc exim_register_keytab_OID = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
-
/* Utility functions */
static void
exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
enable consistency checks to be done, or anything else that needs
to be set up. */
-/* Heimdal provides a GSSAPI extension method (via an OID) for setting the
-keytab; in the init, we mostly just use raw krb5 methods so that we can report
+/* Heimdal provides a GSSAPI extension method for setting the keytab;
+in the init, we mostly just use raw krb5 methods so that we can report
the keytab contents, for -D+auth debugging. */
void
(auth_heimdal_gssapi_options_block *)(ablock->options_block);
BOOL handled_empty_ir;
uschar *store_reset_point;
+ uschar *keytab;
uschar sasl_config[4];
uschar requested_qop;
/* Use a specific keytab, if specified */
if (ob->server_keytab) {
- gbufdesc.value = (void *) string_sprintf("file:%s", expand_string(ob->server_keytab));
- gbufdesc.length = strlen(CS gbufdesc.value);
- maj_stat = gss_set_sec_context_option(&min_stat,
- &gcontext, /* create new security context */
- &exim_register_keytab_OID, /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X */
- &gbufdesc);
+ keytab = expand_string(ob->server_keytab);
+ maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
if (GSS_ERROR(maj_stat))
return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
- "registering keytab \"%s\"", CS gbufdesc.value);
+ "registering keytab \"%s\"", keytab);
+ HDEBUG(D_auth)
+ debug_printf("heimdal: using keytab \"%s\"\n", keytab);
}
/* Acquire our credentials */
maj_stat = gss_release_name(&min_stat, &gserver);
+ HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
+
/* Loop talking to client */
step = 0;
from_client = initial_data;
error_out = auth_get_data(&from_client, US"", 0);
if (error_out != OK)
goto ERROR_OUT;
+ handled_empty_ir = TRUE;
continue;
}
}
/* We should now have the opening data from the client, base64-encoded. */
step += 1;
+ HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
break;
case 1:
- gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
+ gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
if (gclient) {
maj_stat = gss_release_name(&min_stat, &gclient);
gclient = GSS_C_NO_NAME;
gss_release_buffer(&min_stat, &gbufdesc_out);
EmptyBuf(gbufdesc_out);
}
- if (maj_stat == GSS_S_COMPLETE)
+ if (maj_stat == GSS_S_COMPLETE) {
step += 1;
+ HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
+ } else {
+ HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
+ }
break;
case 2:
0x02 Integrity protection
0x04 Confidentiality protection
- The remaining three octets are the maximum buffer size for wrappe
+ The remaining three octets are the maximum buffer size for wrapped
content. */
sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
gbufdesc.value = (void *) sasl_config;
error_out = FAIL;
goto ERROR_OUT;
}
+
+ HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
+
error_out = auth_get_data(&from_client,
gbufdesc_out.value, gbufdesc_out.length);
if (error_out != OK)
break;
case 3:
- gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
+ gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
maj_stat = gss_unwrap(&min_stat,
gcontext,
&gbufdesc_in, /* data from client */
error_out = FAIL;
goto ERROR_OUT;
}
- if (gbufdesc_out.length < 5) {
+ if (gbufdesc_out.length < 4) {
HDEBUG(D_auth)
debug_printf("gssapi: final message too short; "
- "need flags, buf sizes and authzid\n");
+ "need flags, buf sizes and optional authzid\n");
error_out = FAIL;
goto ERROR_OUT;
}
/* Identifiers:
The SASL provided identifier is an unverified authzid.
- GSSAPI provides us with a verified identifier.
+ GSSAPI provides us with a verified identifier, but it might be empty
+ for some clients.
*/
/* $auth2 is authzid requested at SASL layer */
- expand_nlength[2] = gbufdesc_out.length - 4;
- auth_vars[1] = expand_nstring[2] =
- string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
- expand_nmax = 2;
+ if (gbufdesc_out.length > 4) {
+ expand_nlength[2] = gbufdesc_out.length - 4;
+ auth_vars[1] = expand_nstring[2] =
+ string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+ expand_nmax = 2;
+ }
gss_release_buffer(&min_stat, &gbufdesc_out);
EmptyBuf(gbufdesc_out);
auth_vars[0] = expand_nstring[1] =
string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+ if (expand_nmax == 0) { /* should be: authzid was empty */
+ expand_nmax = 2;
+ expand_nlength[2] = expand_nlength[1];
+ auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+ HDEBUG(D_auth)
+ debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+ }
+
+ HDEBUG(D_auth)
+ debug_printf("heimdal SASL: happy with client request\n"
+ " auth1 (verified GSSAPI display-name): \"%s\"\n"
+ " auth2 (unverified SASL requested authzid): \"%s\"\n",
+ auth_vars[0], auth_vars[1]);
+
step += 1;
break;
va_start(ap, format);
if (!string_vformat(buffer, sizeof(buffer), format, ap))
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
- "exim_gssapi_error_defer expansion larger than %d",
+ "exim_gssapi_error_defer expansion larger than %lu",
sizeof(buffer));
va_end(ap);