Mercurial > dovecot > original-hg > dovecot-1.2
annotate src/auth/mech-gssapi.c @ 7610:280e570a5ced HEAD
gssapi: Check for gssapi_krb5.h existence before trying to use it.
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Wed, 04 Jun 2008 20:32:33 +0300 |
| parents | ad0f32abda6d |
| children | 9569038e0816 |
| rev | line source |
|---|---|
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1 /* |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
2 * GSSAPI Module |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
3 * |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
4 * Copyright (c) 2005 Jelmer Vernooij <jelmer@samba.org> |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 * |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
6 * Related standards: |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
7 * - draft-ietf-sasl-gssapi-03 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
8 * - RFC2222 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
9 * |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
10 * Some parts inspired by an older patch from Colin Walters |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
11 * |
|
4382
f8d37e26a2b3
Relicensed dovecot-auth to MIT.
Timo Sirainen <tss@iki.fi>
parents:
4004
diff
changeset
|
12 * This software is released under the MIT license. |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
13 */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
14 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
15 #include "common.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
16 #include "mech.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
17 #include "passdb.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
18 #include "str.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
19 #include "str-sanitize.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
20 #include "buffer.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
21 #include "hex-binary.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
22 #include "safe-memset.h" |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
23 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
24 #ifdef HAVE_GSSAPI |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
25 |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
26 #ifndef HAVE___GSS_USEROK |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
27 # define USE_KRB5_USEROK |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
28 # include <krb5.h> |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
29 #endif |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
30 |
|
4862
bddfbc560857
Some systems have gssapi elsewhere than gssapi/gssapi.h. So check also plain
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
31 #ifdef HAVE_GSSAPI_GSSAPI_H |
|
bddfbc560857
Some systems have gssapi elsewhere than gssapi/gssapi.h. So check also plain
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
32 # include <gssapi/gssapi.h> |
|
bddfbc560857
Some systems have gssapi elsewhere than gssapi/gssapi.h. So check also plain
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
33 #elif defined (HAVE_GSSAPI_H) |
|
bddfbc560857
Some systems have gssapi elsewhere than gssapi/gssapi.h. So check also plain
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
34 # include <gssapi.h> |
|
7610
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
35 #endif |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
36 |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
37 #ifdef HAVE_GSSAPI_GSSAPI_KRB5_H |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
38 # include <gssapi/gssapi_krb5.h> |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
39 #elif defined (HAVE_GSSAPI_KRB5_H) |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
40 # include <gssapi_krb5.h> |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
41 #else |
|
280e570a5ced
gssapi: Check for gssapi_krb5.h existence before trying to use it.
Timo Sirainen <tss@iki.fi>
parents:
7480
diff
changeset
|
42 # undef USE_KRB5_USEROK |
|
4862
bddfbc560857
Some systems have gssapi elsewhere than gssapi/gssapi.h. So check also plain
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
43 #endif |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
44 |
|
5859
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
45 #ifdef HAVE_GSSAPI_GSSAPI_EXT_H |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
46 # include <gssapi/gssapi_ext.h> |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
47 #endif |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
48 |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
49 /* Non-zero flags defined in RFC 2222 */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
50 enum sasl_gssapi_qop { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
51 SASL_GSSAPI_QOP_UNSPECIFIED = 0x00, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
52 SASL_GSSAPI_QOP_AUTH_ONLY = 0x01, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
53 SASL_GSSAPI_QOP_AUTH_INT = 0x02, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
54 SASL_GSSAPI_QOP_AUTH_CONF = 0x04 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
55 }; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
56 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
57 struct gssapi_auth_request { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
58 struct auth_request auth_request; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
59 gss_ctx_id_t gss_ctx; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
60 gss_cred_id_t service_cred; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
61 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
62 enum { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
63 GSS_STATE_SEC_CONTEXT, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
64 GSS_STATE_WRAP, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
65 GSS_STATE_UNWRAP |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
66 } sasl_gssapi_state; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
67 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
68 gss_name_t authn_name; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
69 gss_name_t authz_name; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
70 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
71 pool_t pool; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
72 }; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
73 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
74 static void auth_request_log_gss_error(struct auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
75 OM_uint32 status_value, int status_type, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
76 const char *description) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
77 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
78 OM_uint32 message_context = 0; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
79 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
80 gss_buffer_desc status_string; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
81 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
82 do { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
83 major_status = gss_display_status(&minor_status, status_value, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
84 status_type, GSS_C_NO_OID, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
85 &message_context, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
86 &status_string); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
87 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
88 auth_request_log_error(request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
89 "While %s: %s", description, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
90 str_sanitize(status_string.value, (size_t)-1)); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
91 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
92 major_status = gss_release_buffer(&minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
93 &status_string); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
94 } while (message_context != 0); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
95 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
96 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
97 static struct auth_request *mech_gssapi_auth_new(void) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
98 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
99 struct gssapi_auth_request *request; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
100 pool_t pool; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
101 |
|
3695
4f8598b0ca62
Use a bit larger initial pool sizes
Timo Sirainen <tss@iki.fi>
parents:
3683
diff
changeset
|
102 pool = pool_alloconly_create("gssapi_auth_request", 1024); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
103 request = p_new(pool, struct gssapi_auth_request, 1); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
104 request->pool = pool; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
105 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
106 request->gss_ctx = GSS_C_NO_CONTEXT; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
107 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
108 request->auth_request.pool = pool; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
109 return &request->auth_request; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
110 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
111 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
112 static OM_uint32 obtain_service_credentials(struct auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
113 gss_cred_id_t *ret) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
114 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
115 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
116 string_t *principal_name; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
117 gss_buffer_desc inbuf; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
118 gss_name_t gss_principal; |
|
4628
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
119 const char *service_name; |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
120 |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
121 if (strcasecmp(request->service, "POP3") == 0) { |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
122 /* The standard POP3 service name with GSSAPI is called |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
123 just "pop". */ |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
124 service_name = "pop"; |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
125 } else { |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
126 service_name = t_str_lcase(request->service); |
|
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
127 } |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
128 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
129 principal_name = t_str_new(128); |
|
4628
fc5ae043fdcc
POP3 service name is "pop" with GSSAPI.
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
130 str_append(principal_name, service_name); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
131 str_append_c(principal_name, '@'); |
|
5439
c5401a8f4679
Added auth_gssapi_hostname setting.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
132 str_append(principal_name, request->auth->gssapi_hostname); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
133 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
134 auth_request_log_info(request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
135 "Obtaining credentials for %s", str_c(principal_name)); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
136 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
137 inbuf.length = str_len(principal_name); |
|
4451
1a35d53c18fc
Array API redesigned to work using unions. It now provides type safety
Timo Sirainen <tss@iki.fi>
parents:
4382
diff
changeset
|
138 inbuf.value = str_c_modifiable(principal_name); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
139 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
140 major_status = gss_import_name(&minor_status, &inbuf, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
141 GSS_C_NT_HOSTBASED_SERVICE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
142 &gss_principal); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
143 |
|
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3766
diff
changeset
|
144 str_free(&principal_name); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
145 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
146 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
147 auth_request_log_gss_error(request, major_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
148 GSS_C_GSS_CODE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
149 "importing principal name"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
150 return major_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
151 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
152 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
153 major_status = gss_acquire_cred(&minor_status, gss_principal, 0, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
154 GSS_C_NULL_OID_SET, GSS_C_ACCEPT, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
155 ret, NULL, NULL); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
156 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
157 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
158 auth_request_log_gss_error(request, major_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
159 GSS_C_GSS_CODE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
160 "acquiring service credentials"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
161 auth_request_log_gss_error(request, minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
162 GSS_C_MECH_CODE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
163 "acquiring service credentials"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
164 return major_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
165 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
166 |
| 4004 | 167 gss_release_name(&minor_status, &gss_principal); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
168 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
169 return major_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
170 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
171 |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
172 #ifndef HAVE___GSS_USEROK |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
173 static gss_name_t |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
174 import_name(struct auth_request *request, void *str, size_t len) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
175 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
176 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
177 gss_buffer_desc name_buf; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
178 gss_name_t name; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
179 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
180 name_buf.value = str; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
181 name_buf.length = len; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
182 major_status = gss_import_name(&minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
183 &name_buf, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
184 GSS_C_NO_OID, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
185 &name); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
186 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
187 auth_request_log_gss_error(request, major_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
188 GSS_C_GSS_CODE, "gss_import_name"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
189 return GSS_C_NO_NAME; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
190 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
191 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
192 return name; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
193 } |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
194 #endif |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
195 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
196 static void gssapi_sec_context(struct gssapi_auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
197 gss_buffer_desc inbuf) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
198 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
199 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
200 gss_buffer_desc outbuf; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
201 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
202 major_status = gss_accept_sec_context ( |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
203 &minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
204 &request->gss_ctx, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
205 request->service_cred, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
206 &inbuf, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
207 GSS_C_NO_CHANNEL_BINDINGS, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
208 &request->authn_name, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
209 NULL, /* mech_type */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
210 &outbuf, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
211 NULL, /* ret_flags */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
212 NULL, /* time_rec */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
213 NULL /* delegated_cred_handle */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
214 ); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
215 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
216 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
217 auth_request_log_gss_error(&request->auth_request, major_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
218 GSS_C_GSS_CODE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
219 "processing incoming data"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
220 auth_request_log_gss_error(&request->auth_request, minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
221 GSS_C_MECH_CODE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
222 "processing incoming data"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
223 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
224 auth_request_fail(&request->auth_request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
225 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
226 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
227 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
228 if (major_status == GSS_S_COMPLETE) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
229 request->sasl_gssapi_state = GSS_STATE_WRAP; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
230 auth_request_log_info(&request->auth_request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
231 "security context state completed."); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
232 } else { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
233 auth_request_log_info(&request->auth_request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
234 "Processed incoming packet correctly, " |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
235 "waiting for another."); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
236 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
237 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
238 request->auth_request.callback(&request->auth_request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
239 AUTH_CLIENT_RESULT_CONTINUE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
240 outbuf.value, outbuf.length); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
241 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
242 major_status = gss_release_buffer(&minor_status, &outbuf); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
243 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
244 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
245 static void gssapi_wrap(struct gssapi_auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
246 gss_buffer_desc inbuf) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
247 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
248 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
249 gss_buffer_desc outbuf; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
250 unsigned char ret[4]; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
251 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
252 /* The clients return data should be empty here */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
253 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
254 /* Only authentication, no integrity or confidentiality |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
255 protection (yet?) */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
256 ret[0] = (SASL_GSSAPI_QOP_UNSPECIFIED | |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
257 SASL_GSSAPI_QOP_AUTH_ONLY); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
258 ret[1] = 0xFF; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
259 ret[2] = 0xFF; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
260 ret[3] = 0xFF; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
261 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
262 inbuf.length = 4; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
263 inbuf.value = ret; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
264 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
265 major_status = gss_wrap(&minor_status, request->gss_ctx, 0, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
266 GSS_C_QOP_DEFAULT, &inbuf, NULL, &outbuf); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
267 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
268 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
269 auth_request_log_gss_error(&request->auth_request, major_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
270 GSS_C_GSS_CODE, "sending security layer negotiation"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
271 auth_request_log_gss_error(&request->auth_request, minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
272 GSS_C_MECH_CODE, "sending security layer negotiation"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
273 auth_request_fail(&request->auth_request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
274 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
275 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
276 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
277 auth_request_log_info(&request->auth_request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
278 "Negotiated security layer"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
279 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
280 request->auth_request.callback(&request->auth_request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
281 AUTH_CLIENT_RESULT_CONTINUE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
282 outbuf.value, outbuf.length); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
283 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
284 major_status = gss_release_buffer(&minor_status, &outbuf); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
285 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
286 request->sasl_gssapi_state = GSS_STATE_UNWRAP; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
287 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
288 |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
289 #ifdef USE_KRB5_USEROK |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
290 static bool gssapi_krb5_userok(struct gssapi_auth_request *request) |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
291 { |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
292 krb5_context ctx; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
293 krb5_principal princ; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
294 krb5_error_code krb5_err; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
295 OM_uint32 major_status, minor_status; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
296 gss_buffer_desc princ_name; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
297 gss_OID name_type; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
298 const char *princ_display_name; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
299 bool ret = FALSE; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
300 |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
301 /* Parse out the principal's username */ |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
302 major_status = gss_display_name(&minor_status, request->authn_name, |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
303 &princ_name, &name_type); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
304 if (major_status != GSS_S_COMPLETE) { |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
305 auth_request_log_gss_error(&request->auth_request, major_status, |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
306 GSS_C_GSS_CODE, |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
307 "gssapi_krb5_userok"); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
308 return FALSE; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
309 } |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
310 if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME) { |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
311 auth_request_log_error(&request->auth_request, "gssapi", |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
312 "OID not kerberos principal name"); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
313 return FALSE; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
314 } |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
315 princ_display_name = t_strndup(princ_name.value, princ_name.length); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
316 gss_release_buffer(&minor_status, &princ_name); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
317 |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
318 /* Init a krb5 context and parse the principal username */ |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
319 krb5_err = krb5_init_context(&ctx); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
320 if (krb5_err != 0) { |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
321 auth_request_log_error(&request->auth_request, "gssapi", |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
322 "krb5_init_context() failed: %d", (int)krb5_err); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
323 return FALSE; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
324 } |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
325 krb5_err = krb5_parse_name(ctx, princ_display_name, &princ); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
326 if (krb5_err != 0) { |
|
7480
ad0f32abda6d
Don't use krb5_get_error_message(), it doesn't work with Heimdal Kerberos.
Timo Sirainen <tss@iki.fi>
parents:
7477
diff
changeset
|
327 /* writing the error string would be better, but we probably |
|
ad0f32abda6d
Don't use krb5_get_error_message(), it doesn't work with Heimdal Kerberos.
Timo Sirainen <tss@iki.fi>
parents:
7477
diff
changeset
|
328 rarely get here and there doesn't seem to be a standard |
|
ad0f32abda6d
Don't use krb5_get_error_message(), it doesn't work with Heimdal Kerberos.
Timo Sirainen <tss@iki.fi>
parents:
7477
diff
changeset
|
329 way of getting it */ |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
330 auth_request_log_error(&request->auth_request, "gssapi", |
|
7480
ad0f32abda6d
Don't use krb5_get_error_message(), it doesn't work with Heimdal Kerberos.
Timo Sirainen <tss@iki.fi>
parents:
7477
diff
changeset
|
331 "krb5_parse_name() failed: %d", |
|
ad0f32abda6d
Don't use krb5_get_error_message(), it doesn't work with Heimdal Kerberos.
Timo Sirainen <tss@iki.fi>
parents:
7477
diff
changeset
|
332 (int)krb5_err); |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
333 } else { |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
334 /* See if the principal is authorized to act as the |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
335 specified user */ |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
336 ret = krb5_kuserok(ctx, princ, request->auth_request.user); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
337 krb5_free_principal(ctx, princ); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
338 } |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
339 krb5_free_context(ctx); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
340 return ret; |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
341 } |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
342 #endif |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
343 |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
344 static void gssapi_unwrap(struct gssapi_auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
345 gss_buffer_desc inbuf) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
346 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
347 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
348 gss_buffer_desc outbuf; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
349 int equal_authn_authz = 0; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
350 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
351 major_status = gss_unwrap(&minor_status, request->gss_ctx, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
352 &inbuf, &outbuf, NULL, NULL); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
353 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
354 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
355 auth_request_log_gss_error(&request->auth_request, major_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
356 GSS_C_GSS_CODE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
357 "final negotiation: gss_unwrap"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
358 auth_request_fail(&request->auth_request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
359 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
360 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
361 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
362 if (outbuf.length <= 4) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
363 auth_request_log_error(&request->auth_request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
364 "Invalid response length"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
365 auth_request_fail(&request->auth_request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
366 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
367 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
368 |
|
5859
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
369 #ifdef HAVE___GSS_USEROK |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
370 /* Solaris __gss_userok() correctly handles cross-realm |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
371 authentication. */ |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
372 request->auth_request.user = |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
373 p_strndup(request->auth_request.pool, |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
374 (unsigned char *)outbuf.value + 4, |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
375 outbuf.length - 4); |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
376 |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
377 major_status = __gss_userok(&minor_status, request->authn_name, |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
378 request->auth_request.user, |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
379 &equal_authn_authz); |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
380 if (GSS_ERROR(major_status)) { |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
381 auth_request_log_gss_error(&request->auth_request, major_status, |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
382 GSS_C_GSS_CODE, |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
383 "__gss_userok failed"); |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
384 auth_request_fail(&request->auth_request); |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
385 return; |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
386 } |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
387 |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
388 if (equal_authn_authz == 0) { |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
389 auth_request_log_error(&request->auth_request, "gssapi", |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
390 "credentials not valid"); |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
391 |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
392 auth_request_fail(&request->auth_request); |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
393 return; |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
394 } |
|
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
395 #else |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
396 request->authz_name = import_name(&request->auth_request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
397 (unsigned char *)outbuf.value + 4, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
398 outbuf.length - 4); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
399 if ((request->authn_name == GSS_C_NO_NAME) || |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
400 (request->authz_name == GSS_C_NO_NAME)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
401 /* XXX (pod): is this check necessary? */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
402 auth_request_log_error(&request->auth_request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
403 "one of authn_name or authz_name not determined"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
404 auth_request_fail(&request->auth_request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
405 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
406 } |
|
7451
4a64c2f8e194
GSSAPI: Show username in "autn_name and authz_name differ" error.
Timo Sirainen <tss@iki.fi>
parents:
6428
diff
changeset
|
407 |
|
4a64c2f8e194
GSSAPI: Show username in "autn_name and authz_name differ" error.
Timo Sirainen <tss@iki.fi>
parents:
6428
diff
changeset
|
408 request->auth_request.user = |
|
4a64c2f8e194
GSSAPI: Show username in "autn_name and authz_name differ" error.
Timo Sirainen <tss@iki.fi>
parents:
6428
diff
changeset
|
409 p_strndup(request->auth_request.pool, |
|
4a64c2f8e194
GSSAPI: Show username in "autn_name and authz_name differ" error.
Timo Sirainen <tss@iki.fi>
parents:
6428
diff
changeset
|
410 (unsigned char *)outbuf.value + 4, |
|
4a64c2f8e194
GSSAPI: Show username in "autn_name and authz_name differ" error.
Timo Sirainen <tss@iki.fi>
parents:
6428
diff
changeset
|
411 outbuf.length - 4); |
|
4a64c2f8e194
GSSAPI: Show username in "autn_name and authz_name differ" error.
Timo Sirainen <tss@iki.fi>
parents:
6428
diff
changeset
|
412 |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
413 major_status = gss_compare_name(&minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
414 request->authn_name, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
415 request->authz_name, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
416 &equal_authn_authz); |
|
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
417 #ifdef USE_KRB5_USEROK |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
418 if (equal_authn_authz == 0) |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
419 equal_authn_authz = gssapi_krb5_userok(request); |
|
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
420 #endif |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
421 if (equal_authn_authz == 0) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
422 auth_request_log_error(&request->auth_request, "gssapi", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
423 "authn_name and authz_name differ: not supported"); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
424 auth_request_fail(&request->auth_request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
425 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
426 } |
|
5859
dfdedb187b26
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
Timo Sirainen <tss@iki.fi>
parents:
5439
diff
changeset
|
427 #endif |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
428 auth_request_success(&request->auth_request, NULL, 0); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
429 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
430 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
431 static void |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
432 mech_gssapi_auth_continue(struct auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
433 const unsigned char *data, size_t data_size) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
434 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
435 struct gssapi_auth_request *gssapi_request = |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
436 (struct gssapi_auth_request *)request; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
437 gss_buffer_desc inbuf; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
438 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
439 inbuf.value = (void *)data; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
440 inbuf.length = data_size; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
441 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
442 switch (gssapi_request->sasl_gssapi_state) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
443 case GSS_STATE_SEC_CONTEXT: |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
444 gssapi_sec_context(gssapi_request, inbuf); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
445 break; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
446 case GSS_STATE_WRAP: |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
447 gssapi_wrap(gssapi_request, inbuf); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
448 break; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
449 case GSS_STATE_UNWRAP: |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
450 gssapi_unwrap(gssapi_request, inbuf); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
451 break; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
452 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
453 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
454 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
455 static void |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
456 mech_gssapi_auth_initial(struct auth_request *request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
457 const unsigned char *data, size_t data_size) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
458 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
459 OM_uint32 major_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
460 struct gssapi_auth_request *gssapi_request = |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
461 (struct gssapi_auth_request *)request; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
462 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
463 major_status = |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
464 obtain_service_credentials(request, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
465 &gssapi_request->service_cred); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
466 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
467 if (GSS_ERROR(major_status)) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
468 auth_request_internal_failure(request); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
469 return; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
470 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
471 gssapi_request->authn_name = GSS_C_NO_NAME; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
472 gssapi_request->authz_name = GSS_C_NO_NAME; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
473 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
474 gssapi_request->sasl_gssapi_state = GSS_STATE_SEC_CONTEXT; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
475 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
476 if (data_size == 0) { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
477 /* The client should go first */ |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
478 request->callback(request, AUTH_CLIENT_RESULT_CONTINUE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
479 NULL, 0); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
480 } else { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
481 mech_gssapi_auth_continue(request, data, data_size); |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
482 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
483 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
484 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
485 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
486 static void |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
487 mech_gssapi_auth_free(struct auth_request *request) |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
488 { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
489 OM_uint32 major_status, minor_status; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
490 struct gssapi_auth_request *gssapi_request = |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
491 (struct gssapi_auth_request *)request; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
492 |
|
6242
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
493 if (gssapi_request->gss_ctx != GSS_C_NO_CONTEXT) { |
|
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
494 major_status = gss_delete_sec_context(&minor_status, |
|
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
495 &gssapi_request->gss_ctx, |
|
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
496 GSS_C_NO_BUFFER); |
|
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
497 } |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
498 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
499 major_status = gss_release_cred(&minor_status, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
500 &gssapi_request->service_cred); |
| 5259 | 501 if (gssapi_request->authn_name != GSS_C_NO_NAME) { |
| 502 major_status = gss_release_name(&minor_status, | |
| 503 &gssapi_request->authn_name); | |
| 504 } | |
| 505 if (gssapi_request->authz_name != GSS_C_NO_NAME) { | |
| 506 major_status = gss_release_name(&minor_status, | |
| 507 &gssapi_request->authz_name); | |
| 508 } | |
|
6428
7cad076906eb
pool_unref() now takes ** pointer.
Timo Sirainen <tss@iki.fi>
parents:
6242
diff
changeset
|
509 pool_unref(&request->pool); |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
510 } |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
511 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
512 const struct mech_module mech_gssapi = { |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
513 "GSSAPI", |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
514 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
515 MEMBER(flags) 0, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
516 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
517 MEMBER(passdb_need_plain) FALSE, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
518 MEMBER(passdb_need_credentials) FALSE, |
|
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4628
diff
changeset
|
519 MEMBER(passdb_need_set_credentials) FALSE, |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
520 |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
521 mech_gssapi_auth_new, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
522 mech_gssapi_auth_initial, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
523 mech_gssapi_auth_continue, |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
524 mech_gssapi_auth_free |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
525 }; |
|
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
526 |
| 6199 | 527 #ifndef BUILTIN_GSSAPI |
| 528 void mech_gssapi_init(void); | |
| 529 void mech_gssapi_deinit(void); | |
| 530 | |
| 531 void mech_gssapi_init(void) | |
| 532 { | |
| 533 mech_register_module(&mech_gssapi); | |
| 534 } | |
| 535 | |
| 536 void mech_gssapi_deinit(void) | |
| 537 { | |
| 538 mech_unregister_module(&mech_gssapi); | |
| 539 } | |
|
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
540 #endif |
| 6199 | 541 |
| 542 #endif |