X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fauths%2Fheimdal_gssapi.c;h=b583a73fdf8b8ea27d3be0c2f7079552bc95943d;hb=d4fd1b83a197d73cbac114fe53f3448d8b5c7cc2;hp=5f3b7ecb42f91ec0863f8934afd1da20a0af34e2;hpb=b245b4a5b28e1011655ce3b6ac5051ba6c517299;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/auths/heimdal_gssapi.c b/src/src/auths/heimdal_gssapi.c index 5f3b7ecb4..b583a73fd 100644 --- a/src/src/auths/heimdal_gssapi.c +++ b/src/src/auths/heimdal_gssapi.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2017 */ /* See the file NOTICE for conditions of use and distribution. */ /* Copyright (c) Twitter Inc 2012 @@ -43,7 +43,9 @@ Without rename, we could add an option for GS2 support in the future. #ifndef AUTH_HEIMDAL_GSSAPI /* dummy function to satisfy compilers when we link in an "empty" file. */ -static void dummy(int x) { dummy(x-1); } +static void dummy(int x); +static void dummy2(int x) { dummy(x-1); } +static void dummy(int x) { dummy2(x-1); } #else #include @@ -60,8 +62,6 @@ optionlist auth_heimdal_gssapi_options[] = { (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) }, { "server_keytab", opt_stringptr, (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) }, - { "server_realm", opt_stringptr, - (void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) }, { "server_service", opt_stringptr, (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) } }; @@ -73,10 +73,23 @@ int auth_heimdal_gssapi_options_count = auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = { US"$primary_hostname", /* server_hostname */ NULL, /* server_keytab */ - NULL, /* server_realm */ US"smtp", /* server_service */ }; + +#ifdef MACRO_PREDEF + +/* Dummy values */ +void auth_heimdal_init(auth_instance *ablock) {} +int auth_heimdal_server(auth_instance *ablock, uschar *data) {return 0;} +int auth_heimdal_client(auth_instance *ablock, smtp_inblock *inblock, + smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;} +void auth_heimdal_gssapi_version_report(FILE *f) {} + +#else /*!MACRO_PREDEF*/ + + + /* "Globals" for managing the heimdal_gssapi interface. */ /* Utility functions */ @@ -321,7 +334,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) break; case 1: - gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value); + gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value); if (gclient) { maj_stat = gss_release_name(&min_stat, &gclient); gclient = GSS_C_NO_NAME; @@ -401,7 +414,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) break; case 3: - gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value); + gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value); maj_stat = gss_unwrap(&min_stat, gcontext, &gbufdesc_in, /* data from client */ @@ -415,10 +428,10 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) error_out = FAIL; goto ERROR_OUT; } - if (gbufdesc_out.length < 5) { + if (gbufdesc_out.length < 4) { HDEBUG(D_auth) debug_printf("gssapi: final message too short; " - "need flags, buf sizes and authzid\n"); + "need flags, buf sizes and optional authzid\n"); error_out = FAIL; goto ERROR_OUT; } @@ -437,14 +450,17 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) /* Identifiers: The SASL provided identifier is an unverified authzid. - GSSAPI provides us with a verified identifier. + GSSAPI provides us with a verified identifier, but it might be empty + for some clients. */ /* $auth2 is authzid requested at SASL layer */ - expand_nlength[2] = gbufdesc_out.length - 4; - auth_vars[1] = expand_nstring[2] = - string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]); - expand_nmax = 2; + if (gbufdesc_out.length > 4) { + expand_nlength[2] = gbufdesc_out.length - 4; + auth_vars[1] = expand_nstring[2] = + string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]); + expand_nmax = 2; + } gss_release_buffer(&min_stat, &gbufdesc_out); EmptyBuf(gbufdesc_out); @@ -467,6 +483,14 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data) auth_vars[0] = expand_nstring[1] = string_copyn(gbufdesc_out.value, gbufdesc_out.length); + if (expand_nmax == 0) { /* should be: authzid was empty */ + expand_nmax = 2; + expand_nlength[2] = expand_nlength[1]; + auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]); + HDEBUG(D_auth) + debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n"); + } + HDEBUG(D_auth) debug_printf("heimdal SASL: happy with client request\n" " auth1 (verified GSSAPI display-name): \"%s\"\n" @@ -518,7 +542,7 @@ exim_gssapi_error_defer(uschar *store_reset_point, va_start(ap, format); if (!string_vformat(buffer, sizeof(buffer), format, ap)) log_write(0, LOG_MAIN|LOG_PANIC_DIE, - "exim_gssapi_error_defer expansion larger than %d", + "exim_gssapi_error_defer expansion larger than %lu", sizeof(buffer)); va_end(ap); @@ -580,6 +604,7 @@ auth_heimdal_gssapi_version_report(FILE *f) heimdal_version, heimdal_long_version); } +#endif /*!MACRO_PREDEF*/ #endif /* AUTH_HEIMDAL_GSSAPI */ /* End of heimdal_gssapi.c */