Ben Morrow
2012-Jul-14 18:17 UTC
[Dovecot] [PATCH] Interop problem with Cyrus SASL and GSSAPI
[I sent this a while ago, but it seems not to have made it to the list. I'm resending it having subscribed first; I apologise if anyone gets it twice.]

I have been trying to get a Postfix mail server using Dovecot SASL to accept GSSAPI AUTH from another Postfix server using Cyrus SASL, and I believe I have found a couple of bugs in Dovecot's GSSAPI implementation.

The first problem is that, because of the way the client invokes libsasl, it sends a GSSAPI request which does not ask for mutual authentication. This means that on the server gss_accept_sec_context returns GSS_S_COMPLETE with a zero-length output token. Dovecot currently sends this to the client as a zero-length continuation response, but this is incorrect according to RFC 4752: what it ought to do instead is proceed straight to the security layer negotiations, and send a gss_wrap packet.

The second is that Cyrus sends an empty authz identity; that is, the security layer negotiation packet, when gss_unwrapped, is exactly 4 bytes long. Dovecot objects to this, but in RFC 4422 this is explicitly allowed, and means the authz identity is identical to the authn identity.

I believe the attached patches (for the 1.2 and 2.1 branches) fix the problem, though I'm not entirely sure if the difference between the p_strndup in mech_gssapi_unwrap and the t_strndup in get_display_name is important.

Ben

Attachments:
- dovecot12-sasl-gssapi.patch (text/x-diff, 2859 bytes): <http://dovecot.org/pipermail/dovecot/attachments/20120714/a5c28b1c/attachment-0008.bin>
- dovecot21-sasl-gssapi.patch (text/x-diff, 2910 bytes): <http://dovecot.org/pipermail/dovecot/attachments/20120714/a5c28b1c/attachment-0009.bin>
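To make the second point concrete, here is an added example (not Ben's patch and not Dovecot's code) of a server-side parser for the client's RFC 4752 security-layer token after gss_unwrap: one octet of layer bitmask, three octets of maximum buffer size, then an optional authzid. A token that is exactly 4 bytes long is accepted, and the authz identity is taken to be the already-authenticated authn identity. The function name and the struct are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Parsed form of the unwrapped RFC 4752 client token (hypothetical type). */
struct sasl_gssapi_neg {
    uint8_t  layers;        /* bitmask: 1 = none, 2 = integrity, 4 = confidentiality */
    uint32_t max_size;      /* maximum message size the client accepts (24-bit, network order) */
    char     authzid[256];  /* requested authorization identity; equals authn when omitted */
};

/* Parse the token produced by gss_unwrap(). 'authn' is the identity GSSAPI
 * already authenticated and is used when the token carries no authzid
 * (len == 4), which RFC 4422 explicitly allows.
 * Returns 0 on success, -1 on a malformed token. */
int parse_gssapi_neg(const unsigned char *tok, size_t len, const char *authn,
                     struct sasl_gssapi_neg *out)
{
    if (len < 4)
        return -1;                               /* 4-byte header is mandatory */
    out->layers = tok[0];
    if (out->layers == 0 || (out->layers & ~0x07u) != 0)
        return -1;                               /* no layer, or unknown bits set */
    out->max_size = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];

    size_t idlen = len - 4;
    const char *src;
    if (idlen == 0) {                            /* empty authzid: authz == authn */
        src = authn;
        idlen = strlen(authn);
    } else {
        src = (const char *)tok + 4;
        if (memchr(src, '\0', idlen) != NULL)
            return -1;                           /* embedded NUL is not a valid identity */
    }
    if (idlen >= sizeof out->authzid)
        return -1;                               /* refuse oversized identities */
    memcpy(out->authzid, src, idlen);
    out->authzid[idlen] = '\0';
    return 0;
}
```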
Timo Sirainen
2012-Jul-17 13:21 UTC
[Dovecot] [PATCH] Interop problem with Cyrus SASL and GSSAPI
On Sat, 2012-07-14 at 19:17 +0100, Ben Morrow wrote:
> I have been trying to get a Postfix mail server using Dovecot SASL to
> accept GSSAPI AUTH from another Postfix server using Cyrus SASL, and I
> believe I have found a couple of bugs in Dovecot's GSSAPI
> implementation.

Committed: http://hg.dovecot.org/dovecot-2.1/rev/ced6a796f56d

I also noticed another bug while checking that: http://hg.dovecot.org/dovecot-2.1/rev/35ae9569de5a