* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
- semantics, that found by browsing Heimdal source to find how to set the keytab
-
+ semantics, that found by browsing Heimdal source to find how to set the keytab; however,
+ after multiple attempts I failed to get that to work and instead switched to
+ gsskrb5_register_acceptor_identity().
*/
#include "../exim.h"
#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
*/
#include "../exim.h"
#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
{ "server_keytab", opt_stringptr,
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
{ "server_keytab", opt_stringptr,
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
{ "server_service", opt_stringptr,
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
};
{ "server_service", opt_stringptr,
(void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
};
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
US"$primary_hostname", /* server_hostname */
NULL, /* server_keytab */
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
US"$primary_hostname", /* server_hostname */
NULL, /* server_keytab */
-/* Heimdal provides a GSSAPI extension method (via an OID) for setting the
-keytab; in the init, we mostly just use raw krb5 methods so that we can report
+/* Heimdal provides a GSSAPI extension method for setting the keytab;
+in the init, we mostly just use raw krb5 methods so that we can report
content. */
sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
gbufdesc.value = (void *) sasl_config;
content. */
sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
gbufdesc.value = (void *) sasl_config;
- expand_nlength[2] = gbufdesc_out.length - 4;
- auth_vars[1] = expand_nstring[2] =
- string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
- expand_nmax = 2;
+ if (gbufdesc_out.length > 4) {
+ expand_nlength[2] = gbufdesc_out.length - 4;
+ auth_vars[1] = expand_nstring[2] =
+ string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+ expand_nmax = 2;
+ }
auth_vars[0] = expand_nstring[1] =
string_copyn(gbufdesc_out.value, gbufdesc_out.length);
auth_vars[0] = expand_nstring[1] =
string_copyn(gbufdesc_out.value, gbufdesc_out.length);
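Review bot: The new `if (gbufdesc_out.length > 4)` test stops the `length - 4` underflow, but a client token shorter than the 4-byte SASL header is still accepted silently rather than rejected as malformed. Unless a check outside this hunk already does so, add an explicit `gbufdesc_out.length < 4` branch that fails the exchange before any of the buffer is interpreted. The bytes after the header are a client-supplied, unverified authzid that ends up in `auth_vars[1]`, so a comment here should say so, e.g. `/* authzid is unverified client data; server_condition must authorise it against $auth1 */`. `expand_nlength[2]` also receives a buffer length by implicit conversion; if that array is `int` (its declaration is not visible here), bound the length before the assignment. Lines between the guard and the `auth_vars[0]` assignment may be elided on this page, so the surrounding flow is inferred.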
+ if (expand_nmax == 0) { /* should be: authzid was empty */
+ expand_nmax = 2;
+ expand_nlength[2] = expand_nlength[1];
+ auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+ HDEBUG(D_auth)
+ debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+ }
+
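Review bot: The fallback keyed on `if (expand_nmax == 0)` infers "authzid was empty" from a global counter that the visible code only ever sets to 2, so it is correct only if `expand_nmax` is reset to 0 before the `gbufdesc_out.length > 4` test, and that reset is not shown. If the counter holds a stale non-zero value, the fallback is skipped and `auth_vars[1]` is left unset, or possibly stale, while authentication carries on, which matters if the server condition compares the two identities. Make the dependency explicit by adding `expand_nmax = 0;` immediately before the length test, or record the empty-authzid case in a local flag and test that here. The copy also relies on `expand_nlength[1]` already holding the display-name length, an assignment not visible in this hunk, so confirm it is set before `string_copyn(expand_nstring[1], expand_nlength[1])`.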
HDEBUG(D_auth)
debug_printf("heimdal SASL: happy with client request\n"
" auth1 (verified GSSAPI display-name): \"%s\"\n"
HDEBUG(D_auth)
debug_printf("heimdal SASL: happy with client request\n"
" auth1 (verified GSSAPI display-name): \"%s\"\n"
va_start(ap, format);
if (!string_vformat(buffer, sizeof(buffer), format, ap))
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
va_start(ap, format);
if (!string_vformat(buffer, sizeof(buffer), format, ap))
log_write(0, LOG_MAIN|LOG_PANIC_DIE,