dovecot - Sep 2006 - Incorrect GSSAPI Service Name for POP3

In pop3-login/client-authenticate.c, when sasl_server_auth_begin() is
called, it does so with the service name of "POP3".  GSSAPI uses this
service name when obtaining its service credentials.  The problem is
that according to http://www.iana.org/assignments/gssapi-service-names ,
the service name should instead be simply "pop".  This causes GSSAPI
authentication to fail when used with a POP3 account.

I have created a small patch that corrects this problem for GSSAPI only,
as I do not know if other mechanisms are affected by this.

--Tim Steiner

----------------------------START PATCH----------------------------
diff -ruN dovecot-1.0.beta8/src/auth/mech-gssapi.c
dovecot-1.0.beta8.new/src/auth/mech-gssapi.c
--- dovecot-1.0.beta8/src/auth/mech-gssapi.c    2006-09-18 17:35:02.000000000
-0500
+++ dovecot-1.0.beta8.new/src/auth/mech-gssapi.c        2006-09-18
17:37:46.000000000 -0500
@@ -101,7 +101,11 @@
        gss_name_t gss_principal;
 
        principal_name = t_str_new(128);
-       str_append(principal_name, t_str_lcase(request->service));
+       if(strcmp(request->service, "POP3") == 0) {
+               str_append(principal_name, "pop");
+       } else {
+               str_append(principal_name, t_str_lcase(request->service));
+       }
        str_append_c(principal_name, '@');
        str_append(principal_name, my_hostname); 
 
-----------------------------END PATCH-----------------------------

On Mon, 2006-09-18 at 18:13 -0500, Tim Steiner wrote:
> In pop3-login/client-authenticate.c, when sasl_server_auth_begin() is
> called, it does so with the service name of "POP3".  GSSAPI uses
this
> service name when obtaining its service credentials.  The problem is
> that according to http://www.iana.org/assignments/gssapi-service-names ,
> the service name should instead be simply "pop".  This causes
GSSAPI
> authentication to fail when used with a POP3 account.
> 
> I have created a small patch that corrects this problem for GSSAPI only,
> as I do not know if other mechanisms are affected by this.
Might have been better if I had used "pop" from the beginning, but I
think changing it now would just break things..

I fixed it for GSSAPI anyway, with a slightly different patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060922/9c79d41f/attachment.bin>