From 7da2990b199225140bf1adea4caf7fa7b55e4f4b Mon Sep 17 00:00:00 2001 From: Patrick Monnerat Date: Mon, 16 Aug 2021 08:35:22 +0200 Subject: auth: do not append zero-terminator to authorisation id in kerberos RFC4752 Section 3.1 states "The authorization identity is not terminated with a zero-valued (%x00) octet". Although a comment in code said it may be needed anyway, nothing confirms it. In addition, servers may consider it as part of the identity, causing a failure. Closes #7008 --- lib/vauth/krb5_gssapi.c | 11 ++++------- lib/vauth/krb5_sspi.c | 11 ++++------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c index 5c126eb59..67d43bd56 100644 --- a/lib/vauth/krb5_gssapi.c +++ b/lib/vauth/krb5_gssapi.c @@ -247,8 +247,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, /* Allocate our message */ messagelen = 4; - if(authzid && *authzid) - messagelen += strlen(authzid) + 1; + if(authzid) + messagelen += strlen(authzid); message = malloc(messagelen); if(!message) return CURLE_OUT_OF_MEMORY; @@ -260,13 +260,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, message[2] = (max_size >> 8) & 0xFF; message[3] = max_size & 0xFF; - /* If given, append the authorization identity including the 0x00 based - terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization - identity is not terminated with the zero-valued (%x00) octet." it seems - necessary to include it. */ + /* If given, append the authorization identity. */ if(authzid && *authzid) - strcpy((char *) message + 4, authzid); + memcpy(message + 4, authzid, messagelen - 4); /* Setup the "authentication data" security buffer */ input_token.value = message; diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c index 2e6368871..c652fd736 100644 --- a/lib/vauth/krb5_sspi.c +++ b/lib/vauth/krb5_sspi.c @@ -344,8 +344,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, /* Allocate our message */ messagelen = 4; - if(authzid && *authzid) - messagelen += strlen(authzid) + 1; + if(authzid) + messagelen += strlen(authzid); message = malloc(messagelen); if(!message) { free(trailer); @@ -360,13 +360,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data, message[2] = (max_size >> 8) & 0xFF; message[3] = max_size & 0xFF; - /* If given, append the authorization identity including the 0x00 based - terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization - identity is not terminated with the zero-valued (%x00) octet." it seems - necessary to include it. */ + /* If given, append the authorization identity. */ if(authzid && *authzid) - strcpy((char *) message + 4, authzid); + memcpy(message + 4, authzid, messagelen - 4); /* Allocate the padding */ padding = malloc(sizes.cbBlockSize); -- cgit v1.2.1