From 7da2990b199225140bf1adea4caf7fa7b55e4f4b Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Mon, 16 Aug 2021 08:35:22 +0200
Subject: auth: do not append zero-terminator to authorisation id in kerberos

RFC4752 Section 3.1 states "The authorization identity is not terminated
with a zero-valued (%x00) octet". Although a comment in code said it may
be needed anyway, nothing confirms it. In addition, servers may consider
it as part of the identity, causing a failure.

Closes #7008
---
 lib/vauth/krb5_gssapi.c | 11 ++++-------
 lib/vauth/krb5_sspi.c   | 11 ++++-------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
index 5c126eb59..67d43bd56 100644
--- a/lib/vauth/krb5_gssapi.c
+++ b/lib/vauth/krb5_gssapi.c
@@ -247,8 +247,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
 
   /* Allocate our message */
   messagelen = 4;
-  if(authzid && *authzid)
-    messagelen += strlen(authzid) + 1;
+  if(authzid)
+    messagelen += strlen(authzid);
   message = malloc(messagelen);
   if(!message)
     return CURLE_OUT_OF_MEMORY;
@@ -260,13 +260,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   message[2] = (max_size >> 8) & 0xFF;
   message[3] = max_size & 0xFF;
 
-  /* If given, append the authorization identity including the 0x00 based
-     terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
-     identity is not terminated with the zero-valued (%x00) octet." it seems
-     necessary to include it. */
+  /* If given, append the authorization identity. */
 
   if(authzid && *authzid)
-    strcpy((char *) message + 4, authzid);
+    memcpy(message + 4, authzid, messagelen - 4);
 
   /* Setup the "authentication data" security buffer */
   input_token.value = message;
diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c
index 2e6368871..c652fd736 100644
--- a/lib/vauth/krb5_sspi.c
+++ b/lib/vauth/krb5_sspi.c
@@ -344,8 +344,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
 
   /* Allocate our message */
   messagelen = 4;
-  if(authzid && *authzid)
-    messagelen += strlen(authzid) + 1;
+  if(authzid)
+    messagelen += strlen(authzid);
   message = malloc(messagelen);
   if(!message) {
     free(trailer);
@@ -360,13 +360,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   message[2] = (max_size >> 8) & 0xFF;
   message[3] = max_size & 0xFF;
 
-  /* If given, append the authorization identity including the 0x00 based
-     terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
-     identity is not terminated with the zero-valued (%x00) octet." it seems
-     necessary to include it. */
+  /* If given, append the authorization identity. */
 
   if(authzid && *authzid)
-    strcpy((char *) message + 4, authzid);
+    memcpy(message + 4, authzid, messagelen - 4);
 
   /* Allocate the padding */
   padding = malloc(sizes.cbBlockSize);
-- 
cgit v1.2.1