X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/f1e05cc79778c693a1a2bad478ced44791922cce..d12746bc15d83ab821be36975da0179672708bc1:/src/src/auths/heimdal_gssapi.c
diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c
index 9021509dd..11a7d399d 100644
--- a/src/src/auths/heimdal_gssapi.c
+++ b/src/src/auths/heimdal_gssapi.c
@@ -2,7 +2,7 @@
 * Exim - an Internet mail transport agent *
 *************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
 /* Copyright (c) Twitter Inc 2012
@@ -43,7 +43,9 @@ Without rename, we could add an option for GS2 support in the future.
 #ifndef AUTH_HEIMDAL_GSSAPI
 /* dummy function to satisfy compilers when we link in an "empty" file. */
-static void dummy(int x) { dummy(x-1); }
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
 #else
 #include
@@ -74,6 +76,20 @@ auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
 US"smtp", /* server_service */
 };
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_heimdal_gssapi_init(auth_instance *ablock) {}
+int auth_heimdal_gssapi_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_heimdal_gssapi_client(auth_instance *ablock, void * sx,
+ int timeout, uschar *buffer, int buffsize) {return 0;}
+void auth_heimdal_gssapi_version_report(FILE *f) {}
+
+#else /*!MACRO_PREDEF*/
+
+
+
 /* "Globals" for managing the heimdal_gssapi interface. */
 /* Utility functions */
@@ -318,7 +334,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 break;
 case 1:
- gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
+ gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
 if (gclient) {
 maj_stat = gss_release_name(&min_stat, &gclient);
 gclient = GSS_C_NO_NAME;
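Review bot: The result of `b64decode()` in `case 1:` is stored straight into `gbufdesc_in.length` with no check for a decode failure, and this data comes from the not-yet-authenticated client. The declaration of `b64decode` is not visible here; if it signals malformed base64 with a negative return, that value converts to a very large unsigned length before the buffer is handed to the GSSAPI library. Decode into a signed local first, e.g. `int len = b64decode(from_client, USS &gbufdesc_in.value); if (len < 0) { error_out = BAD64; goto ERROR_OUT; }`, and only then assign `gbufdesc_in.length = len;`. The same applies to the `case 3:` call in the `-398,7 +414,7` hunk ahead of `gss_unwrap`. The function body continues outside these hunks, so a check that is not shown may already exist.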
@@ -341,7 +357,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 error_out = FAIL;
 goto ERROR_OUT;
 }
- if (&gbufdesc_out.length != 0) {
+ if (gbufdesc_out.length != 0) {
 error_out = auth_get_data(&from_client,
 gbufdesc_out.value, gbufdesc_out.length);
 if (error_out != OK)
@@ -398,7 +414,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 break;
 case 3:
- gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
+ gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
 maj_stat = gss_unwrap(&min_stat,
 gcontext,
 &gbufdesc_in, /* data from client */
@@ -412,10 +428,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 error_out = FAIL;
 goto ERROR_OUT;
 }
- if (gbufdesc_out.length < 5) {
+ if (gbufdesc_out.length < 4) {
 HDEBUG(D_auth)
 debug_printf("gssapi: final message too short; "
- "need flags, buf sizes and authzid\n");
+ "need flags, buf sizes and optional authzid\n");
 error_out = FAIL;
 goto ERROR_OUT;
 }
@@ -434,14 +450,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 /* Identifiers:
 The SASL provided identifier is an unverified authzid.
- GSSAPI provides us with a verified identifier.
+ GSSAPI provides us with a verified identifier, but it might be empty
+ for some clients.
 */
 /* $auth2 is authzid requested at SASL layer */
- expand_nlength[2] = gbufdesc_out.length - 4;
- auth_vars[1] = expand_nstring[2] =
- string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
- expand_nmax = 2;
+ if (gbufdesc_out.length > 4) {
+ expand_nlength[2] = gbufdesc_out.length - 4;
+ auth_vars[1] = expand_nstring[2] =
+ string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+ expand_nmax = 2;
+ }
 gss_release_buffer(&min_stat, &gbufdesc_out);
 EmptyBuf(gbufdesc_out);
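Review bot: The reworded comment in the `-434,14 +450,17` hunk reads as if the verified GSSAPI identifier may be empty, whereas the code beneath it makes the SASL authzid the optional part (`if (gbufdesc_out.length > 4)`). This comment is what tells a reader which of `$auth1` and `$auth2` is trustworthy, so it should be unambiguous, e.g. `The SASL provided identifier is an unverified authzid, and may be empty for some clients. GSSAPI provides us with a verified identifier.` The new `if` has no `else`, so it would also help to say in the comment that `$auth2` is not set in this block when the authzid is absent.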
@@ -464,6 +483,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 auth_vars[0] = expand_nstring[1] =
 string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+ if (expand_nmax == 0) { /* should be: authzid was empty */
+ expand_nmax = 2;
+ expand_nlength[2] = expand_nlength[1];
+ auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+ HDEBUG(D_auth)
+ debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+ }
+
 HDEBUG(D_auth)
 debug_printf("heimdal SASL: happy with client request\n"
 " auth1 (verified GSSAPI display-name): \"%s\"\n"
@@ -507,31 +534,30 @@ exim_gssapi_error_defer(uschar *store_reset_point,
 const char *format, ...)
 {
 va_list ap;
- uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
 OM_uint32 maj_stat, min_stat;
 OM_uint32 msgcontext = 0;
 gss_buffer_desc status_string;
+ gstring * g;
- va_start(ap, format);
- if (!string_vformat(buffer, sizeof(buffer), format, ap))
- log_write(0, LOG_MAIN|LOG_PANIC_DIE,
- "exim_gssapi_error_defer expansion larger than %d",
- sizeof(buffer));
- va_end(ap);
+ HDEBUG(D_auth)
+ {
+ va_start(ap, format);
+ g = string_vformat(NULL, TRUE, format, ap);
+ va_end(ap);
+ }
 auth_defer_msg = NULL;
 do {
 maj_stat = gss_display_status(&min_stat,
- major, GSS_C_GSS_CODE, GSS_C_NO_OID,
- &msgcontext, &status_string);
+ major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);
- if (auth_defer_msg == NULL) {
+ if (!auth_defer_msg)
 auth_defer_msg = string_copy(US status_string.value);
- }
 HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
- buffer, (int)status_string.length, CS status_string.value);
+ string_from_gstring(g), (int)status_string.length,
+ CS status_string.value);
 gss_release_buffer(&min_stat, &status_string);
 } while (msgcontext != 0);
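Review bot: The empty-authzid fallback is keyed on `expand_nmax == 0`, which holds only if nothing earlier in the function or its callers left `expand_nmax` at another value; the inline comment `/* should be: authzid was empty */` suggests this was not certain when written. If the test is false while the authzid was empty, `auth_vars[1]` stays unset or stale and `$auth2` in a `server_condition` would not reflect this exchange. Test the condition directly instead: record `BOOL authzid_empty = gbufdesc_out.length <= 4;` in the `-434,14 +450,17` hunk before the buffer is released, and use `if (authzid_empty)` here. The assignment of `expand_nlength[1]`, which this block copies, is not visible in the hunk and should be confirmed to precede it.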
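Review bot: In `exim_gssapi_error_defer`, `auth_defer_msg = string_copy(US status_string.value);` treats the `gss_buffer_desc` as a NUL-terminated string, while the `debug_printf` just below bounds the same buffer with `%.*s` and `status_string.length`. GSSAPI buffers are length-delimited, so the copy should be `string_copyn(US status_string.value, status_string.length)`. The result of `gss_display_status` is stored in `maj_stat` but not tested before `status_string` is read, so a failed call would leave the copy working on an unset buffer. Separately, `g` is assigned only inside the first `HDEBUG(D_auth)` block; declaring it `gstring * g = NULL;` avoids reading an indeterminate pointer should the two debug guards ever diverge.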
@@ -551,8 +577,7 @@ exim_gssapi_error_defer(uschar *store_reset_point,
 int
 auth_heimdal_gssapi_client(
 auth_instance *ablock, /* authenticator block */
- smtp_inblock *inblock, /* connection inblock */
- smtp_outblock *outblock, /* connection outblock */
+ void * sx, /* connection */
 int timeout, /* command timeout */
 uschar *buffer, /* buffer for reading response */
 int buffsize) /* size of buffer */
@@ -577,6 +602,7 @@ auth_heimdal_gssapi_version_report(FILE *f)
 heimdal_version, heimdal_long_version);
 }
+#endif /*!MACRO_PREDEF*/
 #endif /* AUTH_HEIMDAL_GSSAPI */
 /* End of heimdal_gssapi.c */