[Dovecot] [PATCH] Interop problem with Cyrus SASL and GSSAPI

Ben Morrow ben at morrow.me.uk
Sat Jul 14 21:17:05 EEST 2012

[I sent this a while ago, but it seems not to have made it to the list.
I'm resending it having subscribed first; I apologise if anyone gets it

I have been trying to get a Postfix mail server using Dovecot SASL to
accept GSSAPI AUTH from another Postfix server using Cyrus SASL, and I
believe I have found a couple of bugs in Dovecot's GSSAPI

The first problem is that, because of the way the client invokes
libsasl, it sends a GSSAPI request which does not ask for mutual
authentication. This means that on the server gss_accept_sec_context
returns GSS_S_COMPLETE with a zero-length output token. Dovecot
currently sends this to the client as a zero-length continuation
response, but this is incorrect according to RFC 4752: what it ought to
do instead is proceed straight to the security layer negotiations, and
send a gss_wrap packet.

The second is that Cyrus sends an empty authz identity; that is, the
security layer negotiation packet, when gss_unwrapped, is exactly 4
bytes long. Dovecot objects to this, but in RFC 4422 this is explicitly
allowed, and means the authz identity is identical to the authn

I believe the attached patches (for the 1.2 and 2.1 branches) fix the
problem, though I'm not entirely sure if the difference between the
p_strndup in mech_gssapi_unwrap and the t_strndup in get_display_name
is important.
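For readers following the second problem above, here is an added example (not from the patch or from Dovecot) of how a server can decode the client's gss_unwrapped security-layer negotiation token as RFC 4752 lays it out, accepting the exactly-4-byte form Cyrus sends and applying the RFC 4422 rule that an empty authz identity means "same as the authenticated identity". The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Security-layer bits from RFC 4752 section 3.1. */
#define SASL_GSSAPI_SEC_NONE      0x01
#define SASL_GSSAPI_SEC_INTEGRITY 0x02
#define SASL_GSSAPI_SEC_CONF      0x04

/* Decoded contents of the client's (already gss_unwrapped) negotiation token. */
struct sasl_gssapi_neg {
	uint8_t layer;          /* the one security layer the client selected */
	uint32_t max_size;      /* client's maximum message size, 24-bit big-endian */
	size_t authzid_len;     /* 0 means "authz identity == authn identity" */
	char authzid[256];      /* NUL-terminated copy of the authz identity */
};

/* Parse the unwrapped token. Returns 0 on success, -1 if malformed.
 * A token of exactly 4 octets (what Cyrus SASL sends) is valid: the
 * authzid after the 4 fixed octets is optional, and RFC 4422 says an
 * empty authzid means "act as the identity you authenticated as". */
int sasl_gssapi_parse_client_neg(const uint8_t *tok, size_t len,
				 struct sasl_gssapi_neg *out)
{
	if (len < 4)
		return -1;	/* bitmask + 3 size octets are mandatory */
	if (len - 4 >= sizeof out->authzid)
		return -1;	/* refuse an authzid we cannot hold */
	if (tok[0] != SASL_GSSAPI_SEC_NONE && tok[0] != SASL_GSSAPI_SEC_INTEGRITY &&
	    tok[0] != SASL_GSSAPI_SEC_CONF)
		return -1;	/* exactly one known layer bit must be set */
	if (memchr(tok + 4, '\0', len - 4) != NULL)
		return -1;	/* authzid is a UTF-8 string; embedded NUL not allowed */
	out->layer = tok[0];
	out->max_size = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
	out->authzid_len = len - 4;
	memcpy(out->authzid, tok + 4, out->authzid_len);
	out->authzid[out->authzid_len] = '\0';
	return 0;
}

/* RFC 4422: an empty authorization identity means the client wants to act
 * as the identity the server associates with its credentials (authn). */
const char *sasl_gssapi_effective_authzid(const struct sasl_gssapi_neg *neg,
					  const char *authn)
{
	return neg->authzid_len == 0 ? authn : neg->authzid;
}
```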


