X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fauths%2Fheimdal_gssapi.c;h=21ed75bf4813e4f9ce5ec75884ad71ca01f92ea1;hb=55414b25bee9f0195ccd1e47f3d3b5cba766e099;hp=ef0027484cfece4f682e3135b69e5c1378bb851e;hpb=dde3daac46f9cc3b35993e1c9a931b53645f1c1d;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c
index ef0027484..21ed75bf4 100644
--- a/src/src/auths/heimdal_gssapi.c
+++ b/src/src/auths/heimdal_gssapi.c
@@ -7,8 +7,9 @@
 
 /* Copyright (c) Twitter Inc 2012
    Author: Phil Pennock <pdp@exim.org> */
+/* Copyright (c) Phil Pennock 2012 */
 
-/* Interface to Heimdal SASL library for GSSAPI authentication. */
+/* Interface to Heimdal library for GSSAPI authentication. */
 
 /* Naming and rationale
 
@@ -33,15 +34,18 @@ Without rename, we could add an option for GS2 support in the future.
 * heimdal sources and man-pages, plus http://www.h5l.org/manual/
 * FreeBSD man-pages (very informative!)
 * http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
-  semantics, that found by browsing Heimdal source to find how to set the keytab
-
+  semantics, that found by browsing Heimdal source to find how to set the keytab; however,
+  after multiple attempts I failed to get that to work and instead switched to
+  gsskrb5_register_acceptor_identity().
 */
 
 #include "../exim.h"
 
 #ifndef AUTH_HEIMDAL_GSSAPI
 /* dummy function to satisfy compilers when we link in an "empty" file. */
-static void dummy(int x) { dummy(x-1); }
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
 #else
 
 #include <gssapi/gssapi.h>
@@ -50,9 +54,6 @@ static void dummy(int x) { dummy(x-1); }
 /* for the _init debugging */
 #include <krb5.h>
 
-/* Because __gss_krb5_register_acceptor_identity_x_oid_desc is internal */
-#include <roken.h>
-
 #include "heimdal_gssapi.h"
 
 /* Authenticator-specific options. */
@@ -61,8 +62,6 @@ optionlist auth_heimdal_gssapi_options[] = {
       (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
   { "server_keytab",        opt_stringptr,
       (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
-  { "server_realm",         opt_stringptr,
-      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) },
   { "server_service",       opt_stringptr,
       (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
 };
@@ -74,17 +73,11 @@ int auth_heimdal_gssapi_options_count =
 auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
   US"$primary_hostname",    /* server_hostname */
   NULL,                     /* server_keytab */
-  NULL,                     /* server_realm */
   US"smtp",                 /* server_service */
 };
 
 /* "Globals" for managing the heimdal_gssapi interface. */
 
-/* hack around unavailable __gss_krb5_register_acceptor_identity_x_oid_desc
-OID: 1.2.752.43.13.5
-from heimdal lib/gssapi/krb5/external.c */
-gss_OID_desc exim_register_keytab_OID = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
-
 /* Utility functions */
 static void
   exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
@@ -103,8 +96,8 @@ static int
 enable consistency checks to be done, or anything else that needs
 to be set up. */
 
-/* Heimdal provides a GSSAPI extension method (via an OID) for setting the
-keytab; in the init, we mostly just use raw krb5 methods so that we can report
+/* Heimdal provides a GSSAPI extension method for setting the keytab;
+in the init, we mostly just use raw krb5 methods so that we can report
 the keytab contents, for -D+auth debugging. */
 
 void
@@ -238,6 +231,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
     (auth_heimdal_gssapi_options_block *)(ablock->options_block);
   BOOL handled_empty_ir;
   uschar *store_reset_point;
+  uschar *keytab;
   uschar sasl_config[4];
   uschar requested_qop;
 
@@ -260,15 +254,13 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 
   /* Use a specific keytab, if specified */
   if (ob->server_keytab) {
-    gbufdesc.value = (void *) string_sprintf("file:%s", expand_string(ob->server_keytab));
-    gbufdesc.length = strlen(CS gbufdesc.value);
-    maj_stat = gss_set_sec_context_option(&min_stat,
-        &gcontext,                  /* create new security context */
-        &exim_register_keytab_OID,  /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X */
-        &gbufdesc);
+    keytab = expand_string(ob->server_keytab);
+    maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
     if (GSS_ERROR(maj_stat))
       return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
-          "registering keytab \"%s\"", CS gbufdesc.value);
+          "registering keytab \"%s\"", keytab);
+    HDEBUG(D_auth)
+      debug_printf("heimdal: using keytab \"%s\"\n", keytab);
   }
 
   /* Acquire our credentials */
@@ -286,6 +278,8 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 
   maj_stat = gss_release_name(&min_stat, &gserver);
 
+  HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
+
   /* Loop talking to client */
   step = 0;
   from_client = initial_data;
@@ -316,11 +310,13 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
             error_out = auth_get_data(&from_client, US"", 0);
             if (error_out != OK)
               goto ERROR_OUT;
+            handled_empty_ir = TRUE;
             continue;
           }
         }
         /* We should now have the opening data from the client, base64-encoded. */
         step += 1;
+        HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
         break;
 
       case 1:
@@ -356,8 +352,12 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
           gss_release_buffer(&min_stat, &gbufdesc_out);
           EmptyBuf(gbufdesc_out);
         }
-        if (maj_stat == GSS_S_COMPLETE)
+        if (maj_stat == GSS_S_COMPLETE) {
           step += 1;
+          HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
+        } else {
+          HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
+        }
         break;
 
       case 2:
@@ -367,7 +367,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
         0x02 Integrity protection
         0x04 Confidentiality protection
 
-        The remaining three octets are the maximum buffer size for wrappe
+        The remaining three octets are the maximum buffer size for wrapped
         content. */
         sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
         gbufdesc.value = (void *) sasl_config;
@@ -386,6 +386,9 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
           error_out = FAIL;
           goto ERROR_OUT;
         }
+
+        HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
+
         error_out = auth_get_data(&from_client,
             gbufdesc_out.value, gbufdesc_out.length);
         if (error_out != OK)
@@ -411,10 +414,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
           error_out = FAIL;
           goto ERROR_OUT;
         }
-        if (gbufdesc_out.length < 5) {
+        if (gbufdesc_out.length < 4) {
           HDEBUG(D_auth)
             debug_printf("gssapi: final message too short; "
-                "need flags, buf sizes and authzid\n");
+                "need flags, buf sizes and optional authzid\n");
           error_out = FAIL;
           goto ERROR_OUT;
         }
@@ -433,14 +436,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 
         /* Identifiers:
         The SASL provided identifier is an unverified authzid.
-        GSSAPI provides us with a verified identifier.
+        GSSAPI provides us with a verified identifier, but it might be empty
+        for some clients.
         */
 
         /* $auth2 is authzid requested at SASL layer */
-        expand_nlength[2] = gbufdesc_out.length - 4;
-        auth_vars[1] = expand_nstring[2] =
-          string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
-        expand_nmax = 2;
+        if (gbufdesc_out.length > 4) {
+          expand_nlength[2] = gbufdesc_out.length - 4;
+          auth_vars[1] = expand_nstring[2] =
+            string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+          expand_nmax = 2;
+        }
 
         gss_release_buffer(&min_stat, &gbufdesc_out);
         EmptyBuf(gbufdesc_out);
@@ -463,6 +469,20 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
         auth_vars[0] = expand_nstring[1] =
           string_copyn(gbufdesc_out.value, gbufdesc_out.length);
 
+        if (expand_nmax == 0) { /* should be: authzid was empty */
+          expand_nmax = 2;
+          expand_nlength[2] = expand_nlength[1];
+          auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+          HDEBUG(D_auth)
+            debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+        }
+
+        HDEBUG(D_auth)
+          debug_printf("heimdal SASL: happy with client request\n"
+             "  auth1 (verified GSSAPI display-name): \"%s\"\n"
+             "  auth2 (unverified SASL requested authzid): \"%s\"\n",
+             auth_vars[0], auth_vars[1]);
+
         step += 1;
         break;
 
@@ -508,7 +528,7 @@ exim_gssapi_error_defer(uschar *store_reset_point,
   va_start(ap, format);
   if (!string_vformat(buffer, sizeof(buffer), format, ap))
     log_write(0, LOG_MAIN|LOG_PANIC_DIE,
-        "exim_gssapi_error_defer expansion larger than %d",
+        "exim_gssapi_error_defer expansion larger than %lu",
         sizeof(buffer));
   va_end(ap);