[I sent this a while ago, but it seems not to have made it to the list. I'm resending it having subscribed first; I apologise if anyone get it twice.]

I have been trying to get a Postfix mail server using Dovecot SASL to accept GSSAPI AUTH from another Postfix server using Cyrus SASL, and I believe I have found a couple of bugs in Dovecot's GSSAPI implementation.

The first problem is that, because of the way the client invokes libsasl, it sends a GSSAPI request which does not ask for mutual authentication. This means that on the server gss_accept_sec_context returns GSS_S_COMPLETE with a zero-length output token. Dovecot currently sends this to the client as a zero-length continuation response, but this is incorrect according to RFC 4752: what it ought to do instead is proceed straight to the security layer negotiations, and send a gss_wrap packet.

The second is that Cyrus sends an empty authz identity; that is, the security layer negotiation packet, when gss_unwrapped, is exactly 4 bytes long. Dovecot objects to this, but in RFC 4422 this is explicitly allowed, and means the authz identity is identical to the authn identity.

I believe the attached patches (for the 1.2 and 2.1 branches) fix the problem, though I'm not entirely sure if the difference between the p_strndup in mech_gssapi_unwrap and the t_strndup in get_display_name is important.

Ben