Drop the OID and pseudo-standard GSSAPI extension mechanism.
Found the Heimdal-specific API call I needed; it works great.
gsskrb5_register_acceptor_identity(filename)
Separately: add various debug statements.
/* Copyright (c) Twitter Inc 2012
Author: Phil Pennock <pdp@exim.org> */
/* Copyright (c) Twitter Inc 2012
Author: Phil Pennock <pdp@exim.org> */
+/* Copyright (c) Phil Pennock 2012 */
/* Interface to Heimdal SASL library for GSSAPI authentication. */
/* Interface to Heimdal SASL library for GSSAPI authentication. */
/* "Globals" for managing the heimdal_gssapi interface. */
/* "Globals" for managing the heimdal_gssapi interface. */
-/* hack around unavailable __gss_krb5_register_acceptor_identity_x_oid_desc
-OID: 1.2.752.43.13.5
-from heimdal lib/gssapi/krb5/external.c */
-gss_OID_desc exim_register_keytab_OID = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
-
/* Utility functions */
static void
exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
/* Utility functions */
static void
exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
(auth_heimdal_gssapi_options_block *)(ablock->options_block);
BOOL handled_empty_ir;
uschar *store_reset_point;
(auth_heimdal_gssapi_options_block *)(ablock->options_block);
BOOL handled_empty_ir;
uschar *store_reset_point;
uschar sasl_config[4];
uschar requested_qop;
uschar sasl_config[4];
uschar requested_qop;
/* Use a specific keytab, if specified */
if (ob->server_keytab) {
/* Use a specific keytab, if specified */
if (ob->server_keytab) {
- gbufdesc.value = (void *) string_sprintf("file:%s", expand_string(ob->server_keytab));
- gbufdesc.length = strlen(CS gbufdesc.value);
- maj_stat = gss_set_sec_context_option(&min_stat,
- &gcontext, /* create new security context */
- &exim_register_keytab_OID, /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X */
- &gbufdesc);
+ keytab = expand_string(ob->server_keytab);
+ maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
if (GSS_ERROR(maj_stat))
return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
if (GSS_ERROR(maj_stat))
return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
- "registering keytab \"%s\"", CS gbufdesc.value);
+ "registering keytab \"%s\"", keytab);
+ HDEBUG(D_auth)
+ debug_printf("heimdal: using keytab \"%s\"\n", keytab);
}
/* Acquire our credentials */
}
/* Acquire our credentials */
maj_stat = gss_release_name(&min_stat, &gserver);
maj_stat = gss_release_name(&min_stat, &gserver);
+ HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
+
/* Loop talking to client */
step = 0;
from_client = initial_data;
/* Loop talking to client */
step = 0;
from_client = initial_data;
}
/* We should now have the opening data from the client, base64-encoded. */
step += 1;
}
/* We should now have the opening data from the client, base64-encoded. */
step += 1;
+ HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
gss_release_buffer(&min_stat, &gbufdesc_out);
EmptyBuf(gbufdesc_out);
}
gss_release_buffer(&min_stat, &gbufdesc_out);
EmptyBuf(gbufdesc_out);
}
- if (maj_stat == GSS_S_COMPLETE)
+ if (maj_stat == GSS_S_COMPLETE) {
+ HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
+ } else {
+ HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
+ }
error_out = FAIL;
goto ERROR_OUT;
}
error_out = FAIL;
goto ERROR_OUT;
}
+
+ HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
+
error_out = auth_get_data(&from_client,
gbufdesc_out.value, gbufdesc_out.length);
if (error_out != OK)
error_out = auth_get_data(&from_client,
gbufdesc_out.value, gbufdesc_out.length);
if (error_out != OK)
auth_vars[0] = expand_nstring[1] =
string_copyn(gbufdesc_out.value, gbufdesc_out.length);
auth_vars[0] = expand_nstring[1] =
string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+ HDEBUG(D_auth)
+ debug_printf("heimdal SASL: happy with client request\n"
+ " auth1 (verified GSSAPI display-name): \"%s\"\n"
+ " auth2 (unverified SASL requested authzid): \"%s\"\n",
+ auth_vars[0], auth_vars[1]);
+