Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

2009-08-28 Thread John Marshall
On Fri, 28 Aug 2009, 16:51 -0400, Timo Sirainen wrote:
> On Sat, 2009-08-29 at 06:08 +1000, John Marshall wrote:
> > > > It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> > > > with checking for NULs in usernames: everything worked fine when I
> > > > disabled that test.
> > > 
> > > What exactly is the username? What does it say with the attached patch?
> > > 
> > 
> > Thank you.
> > 
> > It looks like the test is picking up the string terminator.
> 
> OK, I guess this fixes it then?
> http://hg.dovecot.org/dovecot-1.2/rev/a37fa30b0072

Yes.  Thank you!

-- 
John Marshall



Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

2009-08-28 Thread Timo Sirainen
On Sat, 2009-08-29 at 06:08 +1000, John Marshall wrote:
> > > It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> > > with checking for NULs in usernames: everything worked fine when I
> > > disabled that test.
> > 
> > What exactly is the username? What does it say with the attached patch?
> > 
> 
> Thank you.
> 
> It looks like the test is picking up the string terminator.

OK, I guess this fixes it then?
http://hg.dovecot.org/dovecot-1.2/rev/a37fa30b0072




Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

2009-08-28 Thread John Marshall
On Fri, 28 Aug 2009, 13:38 -0400, Timo Sirainen wrote:
> On Fri, 2009-08-28 at 15:20 +1000, John Marshall wrote:
> > This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
> > FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
> > GSSAPI authentication had broken.
> > 
> > It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> > with checking for NULs in usernames: everything worked fine when I
> > disabled that test.
> 
> What exactly is the username? What does it say with the attached patch?
> 

Thank you.

It looks like the test is picking up the string terminator.

auth(default): gssapi(j...@mby.riverwillow.net.au,192.0.2.168): authz_name has NULs: 6a6f686e404d42592e524956455257494c4c4f572e4e45542e415500

-- 
John Marshall



Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

2009-08-28 Thread Timo Sirainen
On Fri, 2009-08-28 at 15:20 +1000, John Marshall wrote:
> This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
> FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
> GSSAPI authentication had broken.
> 
> It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> with checking for NULs in usernames: everything worked fine when I
> disabled that test.

What exactly is the username? What does it say with the attached patch?

diff -r aaa1b2c25c14 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c	Fri Aug 28 12:57:03 2009 -0400
+++ b/src/auth/mech-gssapi.c	Fri Aug 28 13:37:33 2009 -0400
@@ -516,7 +516,8 @@
 
 	if (data_has_nuls(name, name_len)) {
 		auth_request_log_info(auth_request, "gssapi",
-  "authz_name has NULs");
+  "authz_name has NULs: %s",
+  binary_to_hex(name, name_len));
 		return -1;
 	}
 
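Review bot: the hex dump added to the auth_request_log_info() call is the right diagnostic for this hunk, because it shows where in the buffer the NUL sits; when reading the result, a single 00 as the very last byte means name_len counts the C string terminator rather than an embedded NUL, so the fix would be to run data_has_nuls() over name_len - 1 instead of returning -1 for such names. Note that the patched message also writes the full authorization identity (hex-encoded) to the log at info level, which is fine for a one-off diagnostic but worth dropping again before the change is kept.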



[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

2009-08-27 Thread John Marshall
This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
GSSAPI authentication had broken.

It turned out to be a recent change in Dovecot's mech-gssapi.c to do
with checking for NULs in usernames: everything worked fine when I
disabled that test.


This is what I was seeing in the log file with auth_debug enabled:

  auth(default): client in: AUTH 1 GSSAPI service=imap secured lip=192.0.2.36 rip=192.0.2.168 lport=143 rport=51168
  auth(default): gssapi(?,192.0.2.168): Obtaining credentials for i...@mail1.example.com
  auth(default): client out: CONT 1
  auth(default): client in: CONT
  auth(default): gssapi(j...@example.com,192.0.2.168): security context state completed.
  auth(default): client out: CONT 1 YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREIuGJR3fqiMdvWjEg6utI7bt3fZuI8Ulk4LoFu59aMgnX+Kivdohxin2A71UCEC7oG0sVYe7vrTjg2N9s27D1BLRuJbQ=
  auth(default): client in: CONT
  auth(default): gssapi(j...@example.com,192.0.2.168): Negotiated security layer
  auth(default): client out: CONT 1 YD8GCSqGSIb3EgECAgIBBAD/MINNkeu5LVS8fiZNSnb8j8iKBuHArr/sHec++VYV+9SSc+RkAf///wQEBAQ=
  auth(default): client in: CONT
  auth(default): gssapi(j...@example.com,192.0.2.168): authz_name has NULs
  auth(default): client out: FAIL 1 user=j...@example.com
  imap-login: Disconnected (auth failed, 1 attempts): user=, method=GSSAPI, rip=192.0.2.168, lip=192.0.2.36, TLS: Disconnected

I commented out the 'return -1;' at the end of the if(data_has_nuls)
block (to preserve the log message but fall through), rebuilt, and
everything works again.

  auth(default): gssapi(j...@example.com,192.0.2.168): authz_name has NULs
  auth(default): client out: OK 1 user=j...@example.com

I tried building dovecot 1.2.4 with Heimdal 0.6.3, 1.0.1 and 1.2.1 and
all gave the same result.  Is it possible that the data_has_nuls test
doesn't work as intended or that it only works with MIT Kerberos?

Thank you.

-- 
John Marshall
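To show what the hex dump later in this thread reveals, here is an added C example (not Dovecot's code) that reproduces the data_has_nuls() check on a constructed authorization name whose reported length counts the C string terminator, and the trailing-NUL trimming one would apply before the check. The trimming is my assumption about the shape of the fix, and to_hex(), check_authz_name() and the sample name are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors Dovecot's data_has_nuls(): true if any byte in data[0..len) is NUL. */
static bool data_has_nuls(const void *data, size_t len)
{
	const unsigned char *p = data;
	for (size_t i = 0; i < len; i++)
		if (p[i] == '\0')
			return true;
	return false;
}

/* Hex dump in the style of the diagnostic patch's binary_to_hex(); out needs 2*len+1 bytes. */
static const char *to_hex(const void *data, size_t len, char *out, size_t out_size)
{
	static const char digits[] = "0123456789abcdef";
	const unsigned char *p = data;
	size_t j = 0;
	for (size_t i = 0; i < len && j + 2 < out_size; i++) {
		out[j++] = digits[p[i] >> 4];
		out[j++] = digits[p[i] & 0x0f];
	}
	out[j] = '\0';
	return out;
}

/* Validate an authorization identity the way mech-gssapi.c does: any NUL inside the name is
 * rejected. With trim_terminator, one trailing NUL counted in the length is dropped first
 * (assumed handling for the bug in this thread, not necessarily the exact upstream fix). */
static int check_authz_name(const unsigned char *name, size_t name_len, bool trim_terminator)
{
	if (trim_terminator && name_len > 0 && name[name_len - 1] == '\0')
		name_len--;
	return data_has_nuls(name, name_len) ? -1 : 0;
}

/* Constructed sample: sizeof() counts the terminator, as the thread's hex dump ending in 00 shows. */
static const unsigned char sample_name[] = "user@EXAMPLE.COM";   /* 16 chars + NUL = 17 bytes */

int main(void)
{
	char hex[2 * sizeof(sample_name) + 1];
	printf("authz_name: %s\n", to_hex(sample_name, sizeof(sample_name), hex, sizeof(hex)));
	printf("1.2.4 check (no trim): %d\n", check_authz_name(sample_name, sizeof(sample_name), false));
	printf("after trimming:        %d\n", check_authz_name(sample_name, sizeof(sample_name), true));
	/* An embedded NUL is still rejected: trimming only touches the final byte. */
	printf("embedded NUL:          %d\n", check_authz_name((const unsigned char *)"user\0@EXAMPLE.COM", 18, true));
	return 0;
}
```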

