annotate src/auth/mech-gssapi.c @ 9658:8ba4253adc9b HEAD tip
/*
 * GSSAPI Module
 *
 * Copyright (c) 2005 Jelmer Vernooij <jelmer@samba.org>
 *
 * Related standards:
 * - draft-ietf-sasl-gssapi-03
 * - RFC2222
 *
 * Some parts inspired by an older patch from Colin Walters
 *
 * This software is released under the MIT license.
 */

#include "common.h"
#include "mech.h"
#include "passdb.h"
#include "str.h"
#include "str-sanitize.h"
#include "buffer.h"
#include "hex-binary.h"
#include "safe-memset.h"

/* getenv(); not pulled in by every platform's GSSAPI headers */
#include <stdlib.h>

/* Everything below needs a GSSAPI implementation: compiled only when the
   mechanism is built into dovecot-auth or built as a plugin. */
#if defined(BUILTIN_GSSAPI) || defined(PLUGIN_BUILD)

/* Without __gss_userok() the authorization check falls back to the
   Kerberos library (USE_KRB5_USEROK), which needs krb5.h. This is
   switched off again further down if no gssapi_krb5 header is found. */
#ifndef HAVE___GSS_USEROK
# define USE_KRB5_USEROK
# include <krb5.h>
#endif

/* The GSSAPI header lives in different places on different systems. */
#ifdef HAVE_GSSAPI_GSSAPI_H
# include <gssapi/gssapi.h>
#elif defined (HAVE_GSSAPI_H)
# include <gssapi.h>
#endif

/* Kerberos-specific GSSAPI extensions; without them the krb5 userok
   fallback cannot be used. */
#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
# include <gssapi/gssapi_krb5.h>
#elif defined (HAVE_GSSAPI_KRB5_H)
# include <gssapi_krb5.h>
#else
# undef USE_KRB5_USEROK
#endif

/* Header providing __gss_userok() where it exists. */
#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
# include <gssapi/gssapi_ext.h>
#endif

/* Security layer bits negotiated in the final SASL GSSAPI round trip.
   The non-zero values are the flags defined in RFC 2222; a peer sets the
   layers it supports / selects. */
enum sasl_gssapi_qop {
	SASL_GSSAPI_QOP_UNSPECIFIED = 0x00,
	SASL_GSSAPI_QOP_AUTH_ONLY = 0x01,	/* no security layer */
	SASL_GSSAPI_QOP_AUTH_INT = 0x02,	/* integrity protection */
	SASL_GSSAPI_QOP_AUTH_CONF = 0x04	/* confidentiality protection */
};
/* Per-request state of the GSSAPI mechanism. The generic auth_request is
   embedded as the first member; mech_gssapi_auth_new() hands out a pointer
   to it, so the two addresses coincide. */
struct gssapi_auth_request {
	struct auth_request auth_request;

	/* GSS_C_NO_CONTEXT until a security context has been accepted */
	gss_ctx_id_t gss_ctx;
	/* acceptor credentials for this server's service principal
	   (see obtain_service_credentials()) */
	gss_cred_id_t service_cred;

	/* which step of the SASL exchange is expected next */
	enum {
		GSS_STATE_SEC_CONTEXT,
		GSS_STATE_WRAP,
		GSS_STATE_UNWRAP
	} sasl_gssapi_state;

	/* authenticated (initiator) principal */
	gss_name_t authn_name;
	/* authorization identity requested by the client */
	gss_name_t authz_name;

	/* pool the request itself is allocated from */
	pool_t pool;
};
/* Set by the first mech_gssapi_auth_new() so that the one-time library
   setup in mech_gssapi_initialize() runs only once. */
static bool gssapi_initialized = FALSE;

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
   (RFC 1964). Defined locally because not every GSSAPI implementation
   exports a constant for it. */
static gss_OID_desc mech_gssapi_krb5_oid =
	{ 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
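/* Log, at info level, every message the GSSAPI library has for
   status_value: a major status when status_type is GSS_C_GSS_CODE, a
   mechanism-specific minor status when it is GSS_C_MECH_CODE. Each message
   is logged on its own line prefixed with "While <description>:".

   gss_display_status() is checked on every iteration: on failure the
   returned buffer is not valid and message_context is meaningless, so the
   loop stops instead of reading an indeterminate buffer or spinning. */
static void mech_gssapi_log_error(struct auth_request *request,
				  OM_uint32 status_value, int status_type,
				  const char *description)
{
	OM_uint32 message_context = 0;
	OM_uint32 major_status, minor_status;
	gss_buffer_desc status_string = GSS_C_EMPTY_BUFFER;

	do {
		major_status = gss_display_status(&minor_status, status_value,
						  status_type, GSS_C_NO_OID,
						  &message_context,
						  &status_string);
		if (GSS_ERROR(major_status)) {
			auth_request_log_info(request, "gssapi",
				"While %s: status %u "
				"(gss_display_status() failed)",
				description, (unsigned int)status_value);
			break;
		}

		/* A GSS buffer is not guaranteed to be NUL-terminated, so
		   bound the copy by its length before sanitizing it. */
		auth_request_log_info(request, "gssapi",
			"While %s: %s", description,
			str_sanitize(t_strndup(status_string.value,
					       status_string.length),
				     (size_t)-1));

		(void)gss_release_buffer(&minor_status, &status_string);
	} while (message_context != 0);
}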
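/* One-time library setup, run from the first auth request.

   If KRB5_KTNAME is set (the variable the Kerberos libraries themselves
   honor for the keytab path), register that keytab explicitly as the
   acceptor identity rather than relying on the library picking the
   variable up. Which registration call exists depends on the GSSAPI
   implementation; with neither available nothing is registered.

   A failed registration is no longer silent: the library would otherwise
   quietly fall back to its default keytab, and the resulting credential
   errors later on would not point at the keytab path as the cause. */
static void mech_gssapi_initialize(void)
{
	const char *path;

	path = getenv("KRB5_KTNAME");
	if (path == NULL)
		return;

#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
	if (gsskrb5_register_acceptor_identity(path) != GSS_S_COMPLETE) {
		i_warning("gssapi: Registering keytab %s as acceptor "
			  "identity failed", path);
	}
#elif defined (HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY)
	if (krb5_gss_register_acceptor_identity(path) != GSS_S_COMPLETE) {
		i_warning("gssapi: Registering keytab %s as acceptor "
			  "identity failed", path);
	}
#endif
}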
/* Allocate a fresh GSSAPI auth request in its own memory pool and return
   the embedded generic auth_request. The very first call also performs
   the one-time library setup (see mech_gssapi_initialize()). */
static struct auth_request *mech_gssapi_auth_new(void)
{
	pool_t pool;
	struct gssapi_auth_request *gss_request;

	/* one-time initialization, guarded by the file-scope flag */
	if (!gssapi_initialized) {
		gssapi_initialized = TRUE;
		mech_gssapi_initialize();
	}

	pool = pool_alloconly_create("gssapi_auth_request", 1024);
	gss_request = p_new(pool, struct gssapi_auth_request, 1);
	gss_request->pool = pool;
	gss_request->auth_request.pool = pool;

	/* no security context has been accepted yet */
	gss_request->gss_ctx = GSS_C_NO_CONTEXT;

	return &gss_request->auth_request;
}
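/* Acquire acceptor credentials for this server's service principal,
   built as "<service>@<auth_gssapi_hostname>" (the service name is
   lowercased; POP3 uses the standard GSSAPI service name "pop").

   Returns a GSS-API major status. On GSS_S_COMPLETE *ret_r holds the
   acquired credential and the caller is responsible for releasing it.
   With auth_gssapi_hostname set to "$ALL" no specific credential is
   acquired: *ret_r is GSS_C_NO_CREDENTIAL so the library may use any
   entry of the keytab.

   Both the major and the mechanism-specific minor status are logged on
   every failure, and the imported principal name is released on the
   failure path as well (it used to leak when gss_acquire_cred() failed). */
static OM_uint32
obtain_service_credentials(struct auth_request *request, gss_cred_id_t *ret_r)
{
	OM_uint32 major_status, minor_status;
	string_t *principal_name;
	gss_buffer_desc inbuf;
	gss_name_t gss_principal;
	const char *service_name;

	if (strcmp(request->auth->gssapi_hostname, "$ALL") == 0) {
		auth_request_log_debug(request, "gssapi",
				       "Using all keytab entries");
		*ret_r = GSS_C_NO_CREDENTIAL;
		return GSS_S_COMPLETE;
	}

	if (strcasecmp(request->service, "POP3") == 0) {
		/* The standard POP3 service name with GSSAPI is called
		   just "pop". */
		service_name = "pop";
	} else {
		service_name = t_str_lcase(request->service);
	}

	principal_name = t_str_new(128);
	str_append(principal_name, service_name);
	str_append_c(principal_name, '@');
	str_append(principal_name, request->auth->gssapi_hostname);

	auth_request_log_debug(request, "gssapi",
		"Obtaining credentials for %s", str_c(principal_name));

	inbuf.length = str_len(principal_name);
	inbuf.value = str_c_modifiable(principal_name);

	major_status = gss_import_name(&minor_status, &inbuf,
				       GSS_C_NT_HOSTBASED_SERVICE,
				       &gss_principal);
	str_free(&principal_name);

	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(request, major_status, GSS_C_GSS_CODE,
				      "importing principal name");
		mech_gssapi_log_error(request, minor_status, GSS_C_MECH_CODE,
				      "importing principal name");
		return major_status;
	}

	/* time_req 0: credential lifetime left to the library (presumably
	   its default); GSS_C_NULL_OID_SET: any mechanism. */
	major_status = gss_acquire_cred(&minor_status, gss_principal, 0,
					GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
					ret_r, NULL, NULL);
	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(request, major_status, GSS_C_GSS_CODE,
				      "acquiring service credentials");
		mech_gssapi_log_error(request, minor_status, GSS_C_MECH_CODE,
				      "acquiring service credentials");
	}

	/* The imported name was only needed to acquire the credential;
	   release it on success and failure alike. */
	(void)gss_release_name(&minor_status, &gss_principal);
	return major_status;
}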
/* Import len bytes at str (not necessarily NUL-terminated) as a GSS name,
   leaving the name type to the mechanism (GSS_C_NO_OID). Returns the
   imported name, which the caller owns, or GSS_C_NO_NAME after logging
   the error when the import fails. */
static gss_name_t
import_name(struct auth_request *request, void *str, size_t len)
{
	gss_name_t imported = GSS_C_NO_NAME;
	gss_buffer_desc name_buf;
	OM_uint32 major_status, minor_status;

	name_buf.length = len;
	name_buf.value = str;
	major_status = gss_import_name(&minor_status, &name_buf,
				       GSS_C_NO_OID, &imported);
	if (!GSS_ERROR(major_status))
		return imported;

	mech_gssapi_log_error(request, major_status, GSS_C_GSS_CODE,
			      "gss_import_name");
	return GSS_C_NO_NAME;
}
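/* Return TRUE if the name bytes data[0..len) contain an embedded NUL.

   GSS-API display names are counted buffers, not C strings, but the
   name is afterwards handled as a C string (t_strndup() and the
   auth_request_set_username() checks). An embedded NUL would silently
   truncate it there and let a different name through, so such names
   are rejected. A single trailing NUL is tolerated: the returned names
   were observed to end with a NUL that is counted in the length.

   The length is taken as size_t so the caller's gss_buffer_desc.length
   is passed without narrowing. */
static bool data_has_nuls(const void *data, size_t len)
{
	const unsigned char *bytes = data;

	/* apparently all names end with NUL? */
	if (len > 0 && bytes[len-1] == '\0')
		len--;
	/* memchr() does the byte scan; the len > 0 check keeps a NULL
	   data pointer from ever being dereferenced */
	return len > 0 && memchr(bytes, '\0', len) != NULL;
}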
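/* Fetch the printable form of a GSS name.

   On success 0 is returned, *display_name_r points to a t_strndup()'d
   copy of the display name (data-stack lifetime, as the t_ prefix
   suggests) and *name_type_r is the name-type OID the mechanism reports
   for it. -1 is returned, after logging, when gss_display_name() fails
   or when the name contains embedded NULs (see data_has_nuls()), since
   such a name cannot be handled safely as a C string by the username
   checks that follow.

   Fix: the GSS buffer returned by gss_display_name() is now released on
   the NUL-rejection path as well; previously it was leaked there. */
static int get_display_name(struct auth_request *auth_request, gss_name_t name,
			    gss_OID *name_type_r, const char **display_name_r)
{
	OM_uint32 major_status, minor_status;
	gss_buffer_desc buf;
	int ret = -1;

	major_status = gss_display_name(&minor_status, name,
					&buf, name_type_r);
	if (major_status != GSS_S_COMPLETE) {
		mech_gssapi_log_error(auth_request, major_status,
				      GSS_C_GSS_CODE, "gss_display_name");
		/* buf is only meaningful on GSS_S_COMPLETE; leave it */
		return -1;
	}

	if (data_has_nuls(buf.value, buf.length)) {
		auth_request_log_info(auth_request, "gssapi",
				      "authn_name has NULs");
	} else {
		*display_name_r = t_strndup(buf.value, buf.length);
		ret = 0;
	}
	/* gss_display_name() allocated buf on every path reaching here */
	(void)gss_release_buffer(&minor_status, &buf);
	return ret;
}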
/* Compare two GSS-API OIDs for equality: same length and identical
   encoded element bytes. OIDs carry no secrets, so a plain memcmp()
   is appropriate. Both pointers must be non-NULL. */
static bool mech_gssapi_oid_cmp(const gss_OID_desc *oid1,
				const gss_OID_desc *oid2)
{
	bool same_length = oid1->length == oid2->length;

	/* lengths are compared first so memcmp() never reads past the
	   shorter element array */
	return same_length &&
		memcmp(oid1->elements, oid2->elements, oid1->length) == 0;
}
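/* Feed one client token to gss_accept_sec_context() and advance the
   SASL GSSAPI state machine.

   Returns -1 on failure (already logged), otherwise 0 after handing the
   mechanism's output token (possibly empty) back to the client with
   AUTH_CLIENT_RESULT_CONTINUE. When the context completes, the
   mechanism must be Kerberos 5 (the only one the krb5 userok checks
   understand), the initiator's display name is taken as the
   authentication name — NUL-checked by get_display_name() and validated
   by auth_request_set_username() — and the request moves to
   GSS_STATE_WRAP for the security-layer negotiation.

   Security notes:
   - GSS_C_NO_CHANNEL_BINDINGS: the GSS exchange is not bound to the TLS
     session it runs over, so relay protection comes from TLS alone.
   - ret_flags are not inspected, so the integrity/mutual-auth
     properties of the established context are whatever the mechanism
     negotiated; the later gss_wrap()/gss_unwrap() steps rely on
     integrity being available (Kerberos 5 provides it).

   Fixes: output_token is initialised so it can be released on the
   error path too (gss_accept_sec_context() may hand back an error
   token there), and an unexpected non-error status now fails the
   request instead of continuing the exchange with an undefined
   context state. */
static int
mech_gssapi_sec_context(struct gssapi_auth_request *request,
			gss_buffer_desc inbuf)
{
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major_status, minor_status;
	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
	gss_OID name_type;
	gss_OID mech_type;
	const char *username, *error;
	int ret = 0;

	major_status = gss_accept_sec_context (
		&minor_status,
		&request->gss_ctx,
		request->service_cred,
		&inbuf,
		GSS_C_NO_CHANNEL_BINDINGS,
		&request->authn_name,
		&mech_type,
		&output_token,
		NULL, /* ret_flags */
		NULL, /* time_rec */
		NULL /* delegated_cred_handle */
	);

	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(auth_request, major_status,
				      GSS_C_GSS_CODE,
				      "processing incoming data");
		mech_gssapi_log_error(auth_request, minor_status,
				      GSS_C_MECH_CODE,
				      "processing incoming data");
		/* an error token, if any, is not sent; just free it */
		(void)gss_release_buffer(&minor_status, &output_token);
		return -1;
	}

	switch (major_status) {
	case GSS_S_COMPLETE:
		if (!mech_gssapi_oid_cmp(mech_type, &mech_gssapi_krb5_oid)) {
			auth_request_log_info(auth_request, "gssapi",
					      "GSSAPI mechanism not Kerberos5");
			ret = -1;
		} else if (get_display_name(auth_request, request->authn_name,
					    &name_type, &username) < 0) {
			ret = -1;
		} else if (!auth_request_set_username(auth_request, username,
						      &error)) {
			auth_request_log_info(auth_request, "gssapi",
					      "authn_name: %s", error);
			ret = -1;
		} else {
			request->sasl_gssapi_state = GSS_STATE_WRAP;
			auth_request_log_debug(auth_request, "gssapi",
				"security context state completed.");
		}
		break;
	case GSS_S_CONTINUE_NEEDED:
		auth_request_log_debug(auth_request, "gssapi",
			"Processed incoming packet correctly, "
			"waiting for another.");
		break;
	default:
		/* non-error status that is neither complete nor continue
		   (e.g. only supplementary bits set): fail closed */
		auth_request_log_error(auth_request, "gssapi",
			"Received unexpected major status %d", major_status);
		ret = -1;
		break;
	}

	if (ret == 0) {
		auth_request->callback(auth_request,
				       AUTH_CLIENT_RESULT_CONTINUE,
				       output_token.value, output_token.length);
	}
	(void)gss_release_buffer(&minor_status, &output_token);
	return ret;
}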
/* Send the SASL GSSAPI security-layer negotiation token to the client.

   The 4-byte payload is a bitmask of the layers this server offers —
   only "no security layer", i.e. authentication only — followed by a
   24-bit big-endian maximum receive size. It is integrity-protected
   with gss_wrap() (conf_req_flag 0: signed, not encrypted, as RFC 4752
   specifies for this token), handed to the client as a CONTINUE, and
   the request then moves to GSS_STATE_UNWRAP to read the client's
   wrapped choice. Returns -1 (errors logged) if gss_wrap() fails,
   otherwise 0.

   NOTE(review): RFC 4752 §3.1 says the maximum size MUST be 0 when no
   security layer is offered; 0xFFFFFF is what this server has always
   sent and is kept unchanged here — verify against deployed clients
   before changing. The incoming inbuf should be empty at this point
   but is not checked; it is reused as the gss_wrap() input buffer. */
static int
mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
{
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major_status, minor_status;
	gss_buffer_desc wrapped;
	unsigned char layer_neg[4];

	/* The client's return data should be empty here */

	/* byte 0: offered layers, authentication only (no integrity or
	   confidentiality protection yet); bytes 1-3: max buffer size */
	layer_neg[0] = SASL_GSSAPI_QOP_UNSPECIFIED | SASL_GSSAPI_QOP_AUTH_ONLY;
	layer_neg[1] = layer_neg[2] = layer_neg[3] = 0xFF;

	inbuf.value = layer_neg;
	inbuf.length = sizeof(layer_neg);

	major_status = gss_wrap(&minor_status, request->gss_ctx, 0,
				GSS_C_QOP_DEFAULT, &inbuf, NULL, &wrapped);
	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(auth_request, major_status,
			GSS_C_GSS_CODE, "sending security layer negotiation");
		mech_gssapi_log_error(auth_request, minor_status,
			GSS_C_MECH_CODE, "sending security layer negotiation");
		return -1;
	}

	auth_request_log_debug(auth_request, "gssapi",
			       "Negotiated security layer");

	auth_request->callback(auth_request, AUTH_CLIENT_RESULT_CONTINUE,
			       wrapped.value, wrapped.length);

	(void)gss_release_buffer(&minor_status, &wrapped);
	request->sasl_gssapi_state = GSS_STATE_UNWRAP;
	return 0;
}
381 #ifdef USE_KRB5_USEROK |
382 static bool |
9199
f4ff64dd79a9
gssapi: Use *userok() functions only when authz_name != authn_name.
Timo Sirainen <tss@iki.fi>
parents:
9197
diff
changeset
|
383 mech_gssapi_krb5_userok(struct gssapi_auth_request *request, |
f4ff64dd79a9
gssapi: Use *userok() functions only when authz_name != authn_name.
Timo Sirainen <tss@iki.fi>
parents:
9197
diff
changeset
|
384 gss_name_t name, const char *login_user, |
f4ff64dd79a9
gssapi: Use *userok() functions only when authz_name != authn_name.
Timo Sirainen <tss@iki.fi>
parents:
9197
diff
changeset
|
385 bool check_name_type) |
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
386 { |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
387 krb5_context ctx; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
388 krb5_principal princ; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
389 krb5_error_code krb5_err; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
390 gss_OID name_type; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
391 const char *princ_display_name; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
392 bool ret = FALSE; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
393 |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
394 /* Parse out the principal's username */ |
9656
6862d534e5b1
auth: Fixed error handling in GSSAPI when __gss_userok() was used.
Timo Sirainen <tss@iki.fi>
parents:
9347
diff
changeset
|
395 if (get_display_name(&request->auth_request, name, &name_type, |
6862d534e5b1
auth: Fixed error handling in GSSAPI when __gss_userok() was used.
Timo Sirainen <tss@iki.fi>
parents:
9347
diff
changeset
|
396 &princ_display_name) < 0) |
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
397 return FALSE; |
9197
a5c5a912769e
gssapi: Set username via auth_request_set_username().
Timo Sirainen <tss@iki.fi>
parents:
9196
diff
changeset
|
398 |
9258
b36b0291e1c1
gssapi: Fail authentication if mechanism type isn't Kerberos 5.
Timo Sirainen <tss@iki.fi>
parents:
9257
diff
changeset
|
399 if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) && |
b36b0291e1c1
gssapi: Fail authentication if mechanism type isn't Kerberos 5.
Timo Sirainen <tss@iki.fi>
parents:
9257
diff
changeset
|
400 check_name_type) { |
9196
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
401 auth_request_log_info(&request->auth_request, "gssapi", |
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
402 "OID not kerberos principal name"); |
7477
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
403 return FALSE; |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
404 } |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
405 |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
406 /* Init a krb5 context and parse the principal username */ |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
407 krb5_err = krb5_init_context(&ctx); |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
408 if (krb5_err != 0) { |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
409 auth_request_log_error(&request->auth_request, "gssapi", |
841209428d2d
Support cross-realm krb5 authentication. Based on patch by Zachary Kotlarek.
Timo Sirainen <tss@iki.fi>
parents:
7451
diff
changeset
|
410 "krb5_init_context() failed: %d", (int)krb5_err); |
411 return FALSE; |
412 } |
413 krb5_err = krb5_parse_name(ctx, princ_display_name, &princ); |
414 if (krb5_err != 0) { |
415 /* writing the error string would be better, but we probably |
416 rarely get here and there doesn't seem to be a standard |
417 way of getting it */ |
418 auth_request_log_info(&request->auth_request, "gssapi", |
419 "krb5_parse_name() failed: %d", |
420 (int)krb5_err); |
421 } else { |
422 /* See if the principal is authorized to act as the |
423 specified user */ |
424 ret = krb5_kuserok(ctx, princ, login_user); |
425 krb5_free_principal(ctx, princ); |
426 } |
427 krb5_free_context(ctx); |
428 return ret; |
429 } |
430 #endif |
431 |
/* Decide whether the authenticated principal (request->authn_name) may act
   as login_user, the authorization identity the client asked for.
   request->authz_name must already be set by the caller.
   Returns 0 when the login is allowed, -1 when it is denied or when a
   GSSAPI call failed; the reason is logged before returning. */
static int
mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
{
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major, minor;
	int names_equal = 0;
#ifdef HAVE___GSS_USEROK
	int user_ok = 0;
#endif

	/* Common case: the client wants to log in as the very principal it
	   authenticated as. No authorization policy lookup is needed then. */
	major = gss_compare_name(&minor, request->authn_name,
				 request->authz_name, &names_equal);
	if (GSS_ERROR(major)) {
		mech_gssapi_log_error(auth_request, major, GSS_C_GSS_CODE,
				      "gss_compare_name failed");
		return -1;
	}
	if (names_equal)
		return 0;

	/* authn_name differs from authz_name, i.e. the principal wants to act
	   as somebody else (typically cross-realm). Only a platform userok()
	   policy may allow that; without one the request is denied. */
#ifdef HAVE___GSS_USEROK
	/* Solaris */
	major = __gss_userok(&minor, request->authn_name, login_user,
			     &user_ok);
	if (GSS_ERROR(major)) {
		mech_gssapi_log_error(auth_request, major, GSS_C_GSS_CODE,
				      "__gss_userok failed");
		return -1;
	}
	if (!user_ok) {
		auth_request_log_info(auth_request, "gssapi",
			"User not authorized to log in as %s", login_user);
		return -1;
	}
	return 0;
#elif defined(USE_KRB5_USEROK)
	/* TRUE = require the principal's name type to be a krb5 principal */
	if (mech_gssapi_krb5_userok(request, request->authn_name,
				    login_user, TRUE))
		return 0;
	auth_request_log_info(auth_request, "gssapi",
		"User not authorized to log in as %s", login_user);
	return -1;
#else
	auth_request_log_info(auth_request, "gssapi",
		"Cross-realm authentication not supported "
		"(authz_name=%s)", login_user);
	return -1;
#endif
}
490 |
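/* Final round trip of the SASL GSSAPI exchange: unwrap the client's
   security-layer selection and authorization identity, check that the
   authenticated principal may act as that identity and finish the request.
   inbuf is the wrapped client token.
   Returns 0 on success (auth_request_success() has been called) and -1 on
   any failure; the reason is logged and the caller fails the request. */
static int
mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
{
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major_status, minor_status;
	gss_buffer_desc outbuf;
	const char *login_user, *error;
	unsigned char *name;
	unsigned int name_len;
	int ret = -1;

	major_status = gss_unwrap(&minor_status, request->gss_ctx,
				  &inbuf, &outbuf, NULL, NULL);
	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(auth_request, major_status,
				      GSS_C_GSS_CODE,
				      "final negotiation: gss_unwrap");
		return -1;
	}
	/* gss_unwrap() allocated outbuf. From here on every exit goes through
	   cleanup so that the buffer is released on all paths. */

	/* outbuf[0] contains bitmask for selected security layer,
	   outbuf[1..3] contains maximum output_message size, the rest is the
	   authorization identity. The layer byte itself is not validated
	   here; only the identity after it is used. A token without an
	   identity (length exactly 4) is rejected as well, so the client
	   must always state who it wants to log in as. */
	if (outbuf.length <= 4) {
		auth_request_log_error(auth_request, "gssapi",
				       "Invalid response length");
		goto cleanup;
	}
	name = (unsigned char *)outbuf.value + 4;
	name_len = outbuf.length - 4;

	/* the identity becomes a C string below; an embedded NUL would
	   silently truncate it and could authorize a different user than the
	   one that was checked */
	if (data_has_nuls(name, name_len)) {
		auth_request_log_info(auth_request, "gssapi",
				      "authz_name has NULs");
		goto cleanup;
	}

	login_user = p_strndup(auth_request->pool, name, name_len);
	request->authz_name = import_name(auth_request, name, name_len);
	if (request->authz_name == GSS_C_NO_NAME) {
		auth_request_log_info(auth_request, "gssapi", "no authz_name");
		goto cleanup;
	}

	/* authn_name vs. authz_name authorization; logs its own reason */
	if (mech_gssapi_userok(request, login_user) < 0)
		goto cleanup;

	if (!auth_request_set_username(auth_request, login_user, &error)) {
		auth_request_log_info(auth_request, "gssapi",
				      "authz_name: %s", error);
		goto cleanup;
	}

	auth_request_success(auth_request, NULL, 0);
	ret = 0;
cleanup:
	/* login_user and authz_name are copies, nothing points into outbuf
	   any more */
	(void)gss_release_buffer(&minor_status, &outbuf);
	return ret;
}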
546 |
/* Run the step the SASL GSSAPI state machine is currently in on one client
   token. Returns that step's result; a negative value means the step
   failed. An unknown state is a programming error and panics. */
static int
mech_gssapi_auth_step(struct gssapi_auth_request *gssapi_request,
		      gss_buffer_desc token)
{
	int ret = -1;

	if (gssapi_request->sasl_gssapi_state == GSS_STATE_SEC_CONTEXT)
		ret = mech_gssapi_sec_context(gssapi_request, token);
	else if (gssapi_request->sasl_gssapi_state == GSS_STATE_WRAP)
		ret = mech_gssapi_wrap(gssapi_request, token);
	else if (gssapi_request->sasl_gssapi_state == GSS_STATE_UNWRAP)
		ret = mech_gssapi_unwrap(gssapi_request, token);
	else
		i_unreached();
	return ret;
}

/* Handle a client token for a request that is already in progress.
   data/data_size is the raw (already base64-decoded) token. The request is
   failed when the current step reports an error. */
static void
mech_gssapi_auth_continue(struct auth_request *request,
			  const unsigned char *data, size_t data_size)
{
	struct gssapi_auth_request *gssapi_request =
		(struct gssapi_auth_request *)request;
	gss_buffer_desc token;

	/* gss_buffer_desc has no const value pointer; GSSAPI only reads it */
	token.length = data_size;
	token.value = (void *)data;

	if (mech_gssapi_auth_step(gssapi_request, token) < 0)
		auth_request_fail(request);
}
576 |
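/* Entry point of the SASL GSSAPI exchange: acquire the service credential,
   reset the per-request GSSAPI state and either ask the client for its
   first token or process the one it sent with the initial response.
   data/data_size is the initial client response, possibly empty. */
static void
mech_gssapi_auth_initial(struct auth_request *request,
			 const unsigned char *data, size_t data_size)
{
	struct gssapi_auth_request *gssapi_request =
		(struct gssapi_auth_request *)request;
	OM_uint32 major_status;

	/* Initialize the name handles before anything that can fail:
	   mech_gssapi_auth_free() releases every name that is not
	   GSS_C_NO_NAME, so they must hold a valid value on the failure
	   path below regardless of how the request struct was allocated. */
	gssapi_request->authn_name = GSS_C_NO_NAME;
	gssapi_request->authz_name = GSS_C_NO_NAME;
	gssapi_request->sasl_gssapi_state = GSS_STATE_SEC_CONTEXT;

	major_status = obtain_service_credentials(request,
						  &gssapi_request->service_cred);
	if (GSS_ERROR(major_status)) {
		/* not being able to get our own credential is a server-side
		   problem, not an authentication failure of the client */
		auth_request_internal_failure(request);
		return;
	}

	if (data_size == 0) {
		/* The client should go first */
		request->callback(request, AUTH_CLIENT_RESULT_CONTINUE,
				  NULL, 0);
	} else {
		mech_gssapi_auth_continue(request, data, data_size);
	}
}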
606 |
607 static void |
608 mech_gssapi_auth_free(struct auth_request *request) |
609 { |
610 struct gssapi_auth_request *gssapi_request = |
611 (struct gssapi_auth_request *)request; |
9196
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
612 OM_uint32 minor_status; |
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
613 |
6242
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
614 if (gssapi_request->gss_ctx != GSS_C_NO_CONTEXT) { |
9196
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
615 (void)gss_delete_sec_context(&minor_status, |
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
616 &gssapi_request->gss_ctx, |
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
617 GSS_C_NO_BUFFER); |
6242
40e324d83d2b
Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents:
6199
diff
changeset
|
618 } |
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
619 |
9196
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
620 (void)gss_release_cred(&minor_status, &gssapi_request->service_cred); |
5259 | 621 if (gssapi_request->authn_name != GSS_C_NO_NAME) { |
9196
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
622 (void)gss_release_name(&minor_status, |
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
623 &gssapi_request->authn_name); |
5259 | 624 } |
625 if (gssapi_request->authz_name != GSS_C_NO_NAME) { | |
9196
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
626 (void)gss_release_name(&minor_status, |
4172004c1958
gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents:
8872
diff
changeset
|
627 &gssapi_request->authz_name); |
5259 | 628 } |
6428
7cad076906eb
pool_unref() now takes ** pointer.
Timo Sirainen <tss@iki.fi>
parents:
6242
diff
changeset
|
629 pool_unref(&request->pool); |
3683
28cca6317829
Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
630 } |
631 |
/* Mechanism descriptor for the plain "GSSAPI" SASL mechanism (the
   draft-ietf-sasl-gssapi / RFC 2222 profile cited in the file header). */
const struct mech_module mech_gssapi = {
	"GSSAPI",

	/* No mechanism security flags are set.  The meaning of each flag is
	   defined in mech.h, not here - NOTE(review): confirm that 0 is the
	   intended value (e.g. that the mechanism need not be advertised as
	   requiring a secure channel). */
	MEMBER(flags) 0,
	/* The client's identity is proven by its GSS (Kerberos) token, so the
	   mechanism never needs a password or other credential material from
	   the passdb for the authentication step itself. */
	MEMBER(passdb_need) MECH_PASSDB_NEED_NOTHING,

	mech_gssapi_auth_new,
	mech_gssapi_auth_initial,
	mech_gssapi_auth_continue,
	mech_gssapi_auth_free
};
643 |
/* MIT Kerberos v1.5+ and Heimdal v0.7+ support SPNEGO for Kerberos tickets
   internally, so the SPNEGO negotiation is handled inside the GSS library and
   this mechanism can reuse the plain GSSAPI callbacks unchanged.  Note however
   that this does not support SPNEGO when the only available credential the
   client can offer is NTLM - there is no NTLM fallback here.  When winbind is
   in use, mech_gssapi_init() below does not register this module at all. */
const struct mech_module mech_gssapi_spnego = {
	"GSS-SPNEGO",

	/* Same flags and passdb requirements as mech_gssapi: identity comes
	   from the GSS token, nothing is fetched from the passdb. */
	MEMBER(flags) 0,
	MEMBER(passdb_need) MECH_PASSDB_NEED_NOTHING,

	mech_gssapi_auth_new,
	mech_gssapi_auth_initial,
	mech_gssapi_auth_continue,
	mech_gssapi_auth_free
};
658 |
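#ifndef BUILTIN_GSSAPI
/* Plugin entry points, used when this mechanism is built as a loadable
   module rather than compiled into the auth binary. */
void mech_gssapi_init(void);
void mech_gssapi_deinit(void);

#ifdef HAVE_GSSAPI_SPNEGO
/* Whether mech_gssapi_init() registered GSS-SPNEGO.  Recorded so that
   deinit unregisters exactly what init registered, instead of re-reading
   the environment and possibly reaching a different decision. */
static bool mech_gssapi_spnego_registered = FALSE;
#endif

/* Register the GSSAPI mechanism, and GSS-SPNEGO when the GSS library
   provides SPNEGO and winbind is not in use. */
void mech_gssapi_init(void)
{
	mech_register_module(&mech_gssapi);
#ifdef HAVE_GSSAPI_SPNEGO
	/* NTLM_USE_WINBIND is presumably exported to the auth process from
	   the auth_use_winbind setting - TODO confirm.  When winbind is in
	   use the GSS library's own SPNEGO is not registered, presumably
	   because the winbind-backed mechanism supplies GSS-SPNEGO itself;
	   two modules must not compete for the same mechanism name. */
	if (getenv("NTLM_USE_WINBIND") == NULL) {
		mech_register_module(&mech_gssapi_spnego);
		mech_gssapi_spnego_registered = TRUE;
	}
#endif
}

/* Undo mech_gssapi_init(): unregister only the modules it registered. */
void mech_gssapi_deinit(void)
{
	mech_unregister_module(&mech_gssapi);
#ifdef HAVE_GSSAPI_SPNEGO
	if (mech_gssapi_spnego_registered) {
		mech_unregister_module(&mech_gssapi_spnego);
		mech_gssapi_spnego_registered = FALSE;
	}
#endif
}
#endif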
6199 | 681 |
682 #endif |