X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fauths%2Fheimdal_gssapi.c;h=381898050fa4e173f929117d3a7a74382e477493;hb=ffbc20ed9c9ed09a68ff0a608f623c3c83d521a8;hp=ef0027484cfece4f682e3135b69e5c1378bb851e;hpb=dde3daac46f9cc3b35993e1c9a931b53645f1c1d;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c index ef0027484..381898050 100644 --- a/src/src/auths/heimdal_gssapi.c +++ b/src/src/auths/heimdal_gssapi.c @@ -2,13 +2,14 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2018 */ /* See the file NOTICE for conditions of use and distribution. */ /* Copyright (c) Twitter Inc 2012 Author: Phil Pennock */ +/* Copyright (c) Phil Pennock 2012 */ -/* Interface to Heimdal SASL library for GSSAPI authentication. */ +/* Interface to Heimdal library for GSSAPI authentication. */ /* Naming and rationale @@ -33,15 +34,18 @@ Without rename, we could add an option for GS2 support in the future. * heimdal sources and man-pages, plus http://www.h5l.org/manual/ * FreeBSD man-pages (very informative!) * http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - semantics, that found by browsing Heimdal source to find how to set the keytab - + semantics, that found by browsing Heimdal source to find how to set the keytab; however, + after multiple attempts I failed to get that to work and instead switched to + gsskrb5_register_acceptor_identity(). */ #include "../exim.h" #ifndef AUTH_HEIMDAL_GSSAPI /* dummy function to satisfy compilers when we link in an "empty" file. */ -static void dummy(int x) { dummy(x-1); } +static void dummy(int x); +static void dummy2(int x) { dummy(x-1); } +static void dummy(int x) { dummy2(x-1); } #else #include @@ -50,9 +54,6 @@ static void dummy(int x) { dummy(x-1); } /* for the _init debugging */ #include -/* Because __gss_krb5_register_acceptor_identity_x_oid_desc is internal */ -#include - #include "heimdal_gssapi.h" /* Authenticator-specific options. */ @@ -61,8 +62,6 @@ optionlist auth_heimdal_gssapi_options[] = { (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) }, { "server_keytab", opt_stringptr, (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) }, - { "server_realm", opt_stringptr, - (void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) }, { "server_service", opt_stringptr, (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) } }; @@ -74,16 +73,24 @@ int auth_heimdal_gssapi_options_count = auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = { US"$primary_hostname", /* server_hostname */ NULL, /* server_keytab */ - NULL, /* server_realm */ US"smtp", /* server_service */ }; -/* "Globals" for managing the heimdal_gssapi interface. */ -/* hack around unavailable __gss_krb5_register_acceptor_identity_x_oid_desc -OID: 1.2.752.43.13.5 -from heimdal lib/gssapi/krb5/external.c */ -gss_OID_desc exim_register_keytab_OID = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; +#ifdef MACRO_PREDEF + +/* Dummy values */ +void auth_heimdal_gssapi_init(auth_instance *ablock) {} +int auth_heimdal_gssapi_server(auth_instance *ablock, uschar *data) {return 0;} +int auth_heimdal_gssapi_client(auth_instance *ablock, void * sx, + int timeout, uschar *buffer, int buffsize) {return 0;} +void auth_heimdal_gssapi_version_report(FILE *f) {} + +#else /*!MACRO_PREDEF*/ + + + +/* "Globals" for managing the heimdal_gssapi interface. */ /* Utility functions */ static void @@ -103,8 +110,8 @@ static int enable consistency checks to be done, or anything else that needs to be set up. */ -/* Heimdal provides a GSSAPI extension method (via an OID) for setting the -keytab; in the init, we mostly just use raw krb5 methods so that we can report +/* Heimdal provides a GSSAPI extension method for setting the keytab; +in the init, we mostly just use raw krb5 methods so that we can report the keytab contents, for -D+auth debugging. */ void @@ -238,6 +245,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) (auth_heimdal_gssapi_options_block *)(ablock->options_block); BOOL handled_empty_ir; uschar *store_reset_point; + uschar *keytab; uschar sasl_config[4]; uschar requested_qop; @@ -260,15 +268,13 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) /* Use a specific keytab, if specified */ if (ob->server_keytab) { - gbufdesc.value = (void *) string_sprintf("file:%s", expand_string(ob->server_keytab)); - gbufdesc.length = strlen(CS gbufdesc.value); - maj_stat = gss_set_sec_context_option(&min_stat, - &gcontext, /* create new security context */ - &exim_register_keytab_OID, /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X */ - &gbufdesc); + keytab = expand_string(ob->server_keytab); + maj_stat = gsskrb5_register_acceptor_identity(CCS keytab); if (GSS_ERROR(maj_stat)) return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat, - "registering keytab \"%s\"", CS gbufdesc.value); + "registering keytab \"%s\"", keytab); + HDEBUG(D_auth) + debug_printf("heimdal: using keytab \"%s\"\n", keytab); } /* Acquire our credentials */ @@ -286,6 +292,8 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) maj_stat = gss_release_name(&min_stat, &gserver); + HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n"); + /* Loop talking to client */ step = 0; from_client = initial_data; @@ -316,15 +324,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) error_out = auth_get_data(&from_client, US"", 0); if (error_out != OK) goto ERROR_OUT; + handled_empty_ir = TRUE; continue; } } /* We should now have the opening data from the client, base64-encoded. */ step += 1; + HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n"); break; case 1: - gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value); + gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value); if (gclient) { maj_stat = gss_release_name(&min_stat, &gclient); gclient = GSS_C_NO_NAME; @@ -347,7 +357,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) error_out = FAIL; goto ERROR_OUT; } - if (&gbufdesc_out.length != 0) { + if (gbufdesc_out.length != 0) { error_out = auth_get_data(&from_client, gbufdesc_out.value, gbufdesc_out.length); if (error_out != OK) @@ -356,8 +366,12 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) gss_release_buffer(&min_stat, &gbufdesc_out); EmptyBuf(gbufdesc_out); } - if (maj_stat == GSS_S_COMPLETE) + if (maj_stat == GSS_S_COMPLETE) { step += 1; + HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n"); + } else { + HDEBUG(D_auth) debug_printf("heimdal: need more data\n"); + } break; case 2: @@ -367,7 +381,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) 0x02 Integrity protection 0x04 Confidentiality protection - The remaining three octets are the maximum buffer size for wrappe + The remaining three octets are the maximum buffer size for wrapped content. */ sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */ gbufdesc.value = (void *) sasl_config; @@ -386,6 +400,9 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) error_out = FAIL; goto ERROR_OUT; } + + HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n"); + error_out = auth_get_data(&from_client, gbufdesc_out.value, gbufdesc_out.length); if (error_out != OK) @@ -397,7 +414,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) break; case 3: - gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value); + gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value); maj_stat = gss_unwrap(&min_stat, gcontext, &gbufdesc_in, /* data from client */ @@ -411,10 +428,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) error_out = FAIL; goto ERROR_OUT; } - if (gbufdesc_out.length < 5) { + if (gbufdesc_out.length < 4) { HDEBUG(D_auth) debug_printf("gssapi: final message too short; " - "need flags, buf sizes and authzid\n"); + "need flags, buf sizes and optional authzid\n"); error_out = FAIL; goto ERROR_OUT; } @@ -433,14 +450,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) /* Identifiers: The SASL provided identifier is an unverified authzid. - GSSAPI provides us with a verified identifier. + GSSAPI provides us with a verified identifier, but it might be empty + for some clients. */ /* $auth2 is authzid requested at SASL layer */ - expand_nlength[2] = gbufdesc_out.length - 4; - auth_vars[1] = expand_nstring[2] = - string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]); - expand_nmax = 2; + if (gbufdesc_out.length > 4) { + expand_nlength[2] = gbufdesc_out.length - 4; + auth_vars[1] = expand_nstring[2] = + string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]); + expand_nmax = 2; + } gss_release_buffer(&min_stat, &gbufdesc_out); EmptyBuf(gbufdesc_out); @@ -463,6 +483,20 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) auth_vars[0] = expand_nstring[1] = string_copyn(gbufdesc_out.value, gbufdesc_out.length); + if (expand_nmax == 0) { /* should be: authzid was empty */ + expand_nmax = 2; + expand_nlength[2] = expand_nlength[1]; + auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]); + HDEBUG(D_auth) + debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n"); + } + + HDEBUG(D_auth) + debug_printf("heimdal SASL: happy with client request\n" + " auth1 (verified GSSAPI display-name): \"%s\"\n" + " auth2 (unverified SASL requested authzid): \"%s\"\n", + auth_vars[0], auth_vars[1]); + step += 1; break; @@ -508,7 +542,7 @@ exim_gssapi_error_defer(uschar *store_reset_point, va_start(ap, format); if (!string_vformat(buffer, sizeof(buffer), format, ap)) log_write(0, LOG_MAIN|LOG_PANIC_DIE, - "exim_gssapi_error_defer expansion larger than %d", + "exim_gssapi_error_defer expansion larger than %lu", sizeof(buffer)); va_end(ap); @@ -544,8 +578,7 @@ exim_gssapi_error_defer(uschar *store_reset_point, int auth_heimdal_gssapi_client( auth_instance *ablock, /* authenticator block */ - smtp_inblock *inblock, /* connection inblock */ - smtp_outblock *outblock, /* connection outblock */ + void * sx, /* connection */ int timeout, /* command timeout */ uschar *buffer, /* buffer for reading response */ int buffsize) /* size of buffer */ @@ -570,6 +603,7 @@ auth_heimdal_gssapi_version_report(FILE *f) heimdal_version, heimdal_long_version); } +#endif /*!MACRO_PREDEF*/ #endif /* AUTH_HEIMDAL_GSSAPI */ /* End of heimdal_gssapi.c */