auth: do not append zero-terminator to authorisation id in kerberos

RFC4752 Section 3.1 states "The authorization identity is not terminated
with a zero-valued (%x00) octet". Although a comment in code said it may
be needed anyway, nothing confirms it. In addition, servers may consider
it as part of the identity, causing a failure.

Closes #7008

diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
index 5c126eb596c0b092dfc6bf782a12d80c13d942d4..67d43bd567b0579d0b408c8d07e1306bcf767e4d 100644 (file)
--- a/lib/vauth/krb5_gssapi.c
+++ b/lib/vauth/krb5_gssapi.c
@@ -247,8 +247,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
 
   /* Allocate our message */
   messagelen = 4;
-  if(authzid && *authzid)
-    messagelen += strlen(authzid) + 1;
+  if(authzid)
+    messagelen += strlen(authzid);
   message = malloc(messagelen);
   if(!message)
     return CURLE_OUT_OF_MEMORY;
@@ -260,13 +260,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   message[2] = (max_size >> 8) & 0xFF;
   message[3] = max_size & 0xFF;
 
-  /* If given, append the authorization identity including the 0x00 based
-     terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
-     identity is not terminated with the zero-valued (%x00) octet." it seems
-     necessary to include it. */
+  /* If given, append the authorization identity. */
 
   if(authzid && *authzid)
-    strcpy((char *) message + 4, authzid);
+    memcpy(message + 4, authzid, messagelen - 4);
 
   /* Setup the "authentication data" security buffer */
   input_token.value = message;

diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c
index 2e636887178743f074a44858429dc76c505eefb5..c652fd736573bd63410e5875772cfa91161a1c47 100644 (file)
--- a/lib/vauth/krb5_sspi.c
+++ b/lib/vauth/krb5_sspi.c
@@ -344,8 +344,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
 
   /* Allocate our message */
   messagelen = 4;
-  if(authzid && *authzid)
-    messagelen += strlen(authzid) + 1;
+  if(authzid)
+    messagelen += strlen(authzid);
   message = malloc(messagelen);
   if(!message) {
     free(trailer);
@@ -360,13 +360,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
   message[2] = (max_size >> 8) & 0xFF;
   message[3] = max_size & 0xFF;
 
-  /* If given, append the authorization identity including the 0x00 based
-     terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
-     identity is not terminated with the zero-valued (%x00) octet." it seems
-     necessary to include it. */
+  /* If given, append the authorization identity. */
 
   if(authzid && *authzid)
-    strcpy((char *) message + 4, authzid);
+    memcpy(message + 4, authzid, messagelen - 4);
 
   /* Allocate the padding */
   padding = malloc(sizes.cbBlockSize);