annotate src/auth/mech-gssapi.c @ 9658:8ba4253adc9b HEAD tip

*-login: SSL connections didn't get closed when the client got destroyed.
author Timo Sirainen <tss@iki.fi>
date Thu, 08 May 2014 16:41:29 +0300
parents 6862d534e5b1
children
1 /*
2 * GSSAPI Module
3 *
4 * Copyright (c) 2005 Jelmer Vernooij <jelmer@samba.org>
5 *
6 * Related standards:
7 * - draft-ietf-sasl-gssapi-03
8 * - RFC2222
9 *
10 * Some parts inspired by an older patch from Colin Walters
11 *
12 * This software is released under the MIT license.
13 */
15 #include "common.h"
16 #include "mech.h"
17 #include "passdb.h"
18 #include "str.h"
19 #include "str-sanitize.h"
20 #include "buffer.h"
21 #include "hex-binary.h"
22 #include "safe-memset.h"
24 #include <stdlib.h>
26 #if defined(BUILTIN_GSSAPI) || defined(PLUGIN_BUILD)
28 #ifndef HAVE___GSS_USEROK
29 # define USE_KRB5_USEROK
30 # include <krb5.h>
31 #endif
33 #ifdef HAVE_GSSAPI_GSSAPI_H
34 # include <gssapi/gssapi.h>
35 #elif defined (HAVE_GSSAPI_H)
36 # include <gssapi.h>
37 #endif
39 #ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
40 # include <gssapi/gssapi_krb5.h>
41 #elif defined (HAVE_GSSAPI_KRB5_H)
42 # include <gssapi_krb5.h>
43 #else
44 # undef USE_KRB5_USEROK
45 #endif
47 #ifdef HAVE_GSSAPI_GSSAPI_EXT_H
48 # include <gssapi/gssapi_ext.h>
49 #endif
/* Non-zero flags defined in RFC 2222 */
/* Security-layer selection bits of the SASL GSSAPI mechanism. The three
   non-zero values are distinct single bits (0x01, 0x02, 0x04), so they can be
   OR'd into / tested against a one-byte mask; UNSPECIFIED is the empty mask,
   not a flag of its own. How the mask is negotiated is handled further down
   this file (not visible here). */
enum sasl_gssapi_qop {
	SASL_GSSAPI_QOP_UNSPECIFIED = 0x00,
	/* authentication only, no integrity or confidentiality layer */
	SASL_GSSAPI_QOP_AUTH_ONLY = 0x01,
	/* integrity protection */
	SASL_GSSAPI_QOP_AUTH_INT = 0x02,
	/* confidentiality (implies integrity in GSSAPI wrap semantics) */
	SASL_GSSAPI_QOP_AUTH_CONF = 0x04
};
/* Per-request state of the GSSAPI mechanism. mech_gssapi_auth_new() hands
   out a pointer to the embedded auth_request; keeping that member first lets
   the generic pointer alias this struct (presumably the callbacks cast it
   back -- they are not visible here). */
struct gssapi_auth_request {
	struct auth_request auth_request;
	/* GSS_C_NO_CONTEXT until a security context is established
	   (set by mech_gssapi_auth_new()). */
	gss_ctx_id_t gss_ctx;
	/* Acceptor credentials; presumably filled from
	   obtain_service_credentials() -- may be GSS_C_NO_CREDENTIAL when
	   gssapi_hostname is "$ALL". */
	gss_cred_id_t service_cred;

	/* Which step of the SASL GSSAPI exchange the next client token
	   belongs to. */
	enum {
		GSS_STATE_SEC_CONTEXT,
		GSS_STATE_WRAP,
		GSS_STATE_UNWRAP
	} sasl_gssapi_state;

	/* authn_name: the identity the client proved (initiator name).
	   authz_name: the identity the client asks to act as. These must be
	   checked against each other before authorization succeeds; that
	   check lives later in this file (not visible here). */
	gss_name_t authn_name;
	gss_name_t authz_name;

	/* Memory pool everything in this request is allocated from. */
	pool_t pool;
};
/* Set by mech_gssapi_auth_new() before it calls mech_gssapi_initialize(), so
   acceptor-identity registration runs only once per process. */
static bool gssapi_initialized = FALSE;
/* DER-encoded OID 1.2.840.113554.1.2.2, the Kerberos V5 GSS-API mechanism
   (9 bytes: 2a 86 48 86 f7 12 01 02 02). Spelled out here rather than taken
   from the library headers, presumably because not every GSSAPI
   implementation exports a symbol for it. Used further down this file. */
static gss_OID_desc mech_gssapi_krb5_oid =
	{ 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
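/* Log every text fragment the GSSAPI library can produce for status_value.
   status_type is GSS_C_GSS_CODE for a major status or GSS_C_MECH_CODE for a
   mechanism-specific minor status. description names the operation that
   failed and is prefixed to each fragment as "While <description>: ...".
   Everything is logged at info level through auth_request_log_info(). */
static void mech_gssapi_log_error(struct auth_request *request,
				  OM_uint32 status_value, int status_type,
				  const char *description)
{
	OM_uint32 message_context = 0;
	OM_uint32 major_status, minor_status;
	gss_buffer_desc status_string;

	do {
		/* gss_display_status() can itself fail (unknown status code
		   or type). Its result used to be ignored, which meant reading
		   a status_string the library never filled in. Start from an
		   empty buffer, check the result, and on failure log the raw
		   code and stop instead of trusting message_context. */
		status_string.length = 0;
		status_string.value = NULL;
		major_status = gss_display_status(&minor_status, status_value,
						  status_type, GSS_C_NO_OID,
						  &message_context,
						  &status_string);
		if (GSS_ERROR(major_status) || status_string.value == NULL) {
			auth_request_log_info(request, "gssapi",
				"While %s: status 0x%x (no message available)",
				description, (unsigned int)status_value);
			(void)gss_release_buffer(&minor_status, &status_string);
			break;
		}

		/* The text is library-generated, but sanitize it anyway before
		   it reaches the log. */
		auth_request_log_info(request, "gssapi",
			"While %s: %s", description,
			str_sanitize(status_string.value, (size_t)-1));

		(void)gss_release_buffer(&minor_status, &status_string);
	} while (message_context != 0);
}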
/* One-time setup: if the environment names a keytab through KRB5_KTNAME,
   hand that path to the Kerberos GSSAPI implementation as the acceptor
   identity. Which registration call exists depends on the library build;
   with neither available this function does nothing beyond the getenv().
   The registration call's return value is not checked, same as before. */
static void mech_gssapi_initialize(void)
{
	const char *keytab_path = getenv("KRB5_KTNAME");

	if (keytab_path == NULL)
		return;
#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
	gsskrb5_register_acceptor_identity(keytab_path);
#elif defined (HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY)
	krb5_gss_register_acceptor_identity(keytab_path);
#endif
}
/* Allocate a fresh GSSAPI authentication request on its own memory pool and
   return the embedded generic struct auth_request. The very first call also
   runs the one-time library initialization. */
static struct auth_request *mech_gssapi_auth_new(void)
{
	pool_t pool;
	struct gssapi_auth_request *gssreq;

	/* Acceptor-identity registration is a per-process thing; the flag is
	   raised before the call so it can never run a second time. */
	if (!gssapi_initialized) {
		gssapi_initialized = TRUE;
		mech_gssapi_initialize();
	}

	pool = pool_alloconly_create("gssapi_auth_request", 1024);
	gssreq = p_new(pool, struct gssapi_auth_request, 1);
	gssreq->pool = pool;
	gssreq->auth_request.pool = pool;
	/* No security context established yet. */
	gssreq->gss_ctx = GSS_C_NO_CONTEXT;

	return &gssreq->auth_request;
}
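/* Acquire the acceptor credentials this server presents to GSSAPI clients.
   The principal is the host-based service name "<service>@<gssapi_hostname>",
   where <service> is request->service lowercased, except that POP3 maps to
   the conventional "pop". When gssapi_hostname is "$ALL" no single principal
   is pinned: *ret_r becomes GSS_C_NO_CREDENTIAL and, per the debug message,
   any entry in the keytab may be used as the acceptor identity.

   Returns the GSSAPI major status. On GSS_S_COMPLETE *ret_r is valid and the
   caller owns it; on failure the reason has already been logged and *ret_r
   is not set. */
static OM_uint32
obtain_service_credentials(struct auth_request *request, gss_cred_id_t *ret_r)
{
	OM_uint32 major_status, minor_status;
	string_t *principal_name;
	gss_buffer_desc inbuf;
	gss_name_t gss_principal;
	const char *service_name;

	if (strcmp(request->auth->gssapi_hostname, "$ALL") == 0) {
		auth_request_log_debug(request, "gssapi",
				       "Using all keytab entries");
		*ret_r = GSS_C_NO_CREDENTIAL;
		return GSS_S_COMPLETE;
	}

	if (strcasecmp(request->service, "POP3") == 0) {
		/* The standard POP3 service name with GSSAPI is called
		   just "pop". */
		service_name = "pop";
	} else {
		service_name = t_str_lcase(request->service);
	}

	principal_name = t_str_new(128);
	str_append(principal_name, service_name);
	str_append_c(principal_name, '@');
	str_append(principal_name, request->auth->gssapi_hostname);

	auth_request_log_debug(request, "gssapi",
		"Obtaining credentials for %s", str_c(principal_name));

	inbuf.length = str_len(principal_name);
	inbuf.value = str_c_modifiable(principal_name);

	major_status = gss_import_name(&minor_status, &inbuf,
				       GSS_C_NT_HOSTBASED_SERVICE,
				       &gss_principal);
	/* The library copies the name; the string is no longer needed. */
	str_free(&principal_name);

	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(request, major_status, GSS_C_GSS_CODE,
				      "importing principal name");
		return major_status;
	}

	major_status = gss_acquire_cred(&minor_status, gss_principal, 0,
					GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
					ret_r, NULL, NULL);
	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(request, major_status, GSS_C_GSS_CODE,
				      "acquiring service credentials");
		mech_gssapi_log_error(request, minor_status, GSS_C_MECH_CODE,
				      "acquiring service credentials");
	}

	/* The imported name is only needed for the acquire call. Release it
	   on both the success and the failure path -- the failure path used
	   to return early and leak it on every failed attempt. */
	(void)gss_release_name(&minor_status, &gss_principal);
	return major_status;
}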
/* Turn a name given as str/len (the length is passed explicitly, so the
   bytes need not be NUL-terminated) into a gss_name_t using the library's
   default name type (GSS_C_NO_OID). The import only parses the name; it
   neither authenticates nor authorizes it -- that remains the caller's job.
   Returns GSS_C_NO_NAME after logging when the library rejects the input;
   otherwise the caller owns the returned name. */
static gss_name_t
import_name(struct auth_request *request, void *str, size_t len)
{
	OM_uint32 major_status, minor_status;
	gss_buffer_desc name_buf;
	gss_name_t name;

	name_buf.length = len;
	name_buf.value = str;
	major_status = gss_import_name(&minor_status, &name_buf,
				       GSS_C_NO_OID, &name);
	if (!GSS_ERROR(major_status))
		return name;

	mech_gssapi_log_error(request, major_status, GSS_C_GSS_CODE,
			      "gss_import_name");
	return GSS_C_NO_NAME;
}
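static bool data_has_nuls(const void *data, size_t len)
{
	/* Returns TRUE if data[0..len) contains a NUL byte anywhere except as
	   the very last byte: apparently GSS display names end with a NUL, so
	   a single trailing one is tolerated.  Any other NUL makes the caller
	   reject the name, because the name is handled as a C string from
	   then on and an embedded NUL would silently shorten it.
	   `len' is size_t so that a gss_buffer_desc length is passed through
	   without narrowing. */
	const unsigned char *c = data;

	if (len > 0 && c[len-1] == '\0')
		len--;
	/* len > 0 first: never touch memory when nothing is left to scan */
	return len > 0 && memchr(c, '\0', len) != NULL;
}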
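static int get_display_name(struct auth_request *auth_request, gss_name_t name,
			    gss_OID *name_type_r, const char **display_name_r)
{
	/* Render a GSS name as a printable string.  On success returns 0,
	   stores the name type in *name_type_r and a temporary (t_strndup)
	   copy of the display string in *display_name_r.  Returns -1, after
	   logging, if gss_display_name() fails or if the display string
	   contains an embedded NUL: the name is used as a C string from here
	   on, and an embedded NUL would make that string differ from what
	   the mechanism actually authenticated. */
	OM_uint32 major_status, minor_status;
	gss_buffer_desc buf;
	int ret = 0;

	major_status = gss_display_name(&minor_status, name,
					&buf, name_type_r);
	if (major_status != GSS_S_COMPLETE) {
		mech_gssapi_log_error(auth_request, major_status,
				      GSS_C_GSS_CODE, "gss_display_name");
		return -1;
	}
	if (data_has_nuls(buf.value, buf.length)) {
		auth_request_log_info(auth_request, "gssapi",
				      "authn_name has NULs");
		ret = -1;
	} else {
		*display_name_r = t_strndup(buf.value, buf.length);
	}
	/* the GSS-owned buffer is released on the rejection path as well,
	   not only on success */
	(void)gss_release_buffer(&minor_status, &buf);
	return ret;
}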
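static bool mech_gssapi_oid_cmp(const gss_OID_desc *oid1,
				const gss_OID_desc *oid2)
{
	/* Byte-wise equality of two OIDs: same length and identical element
	   bytes.  Callers hand in OIDs returned by the GSS library (mech_type
	   from gss_accept_sec_context(), name_type from gss_display_name()),
	   which may be GSS_C_NO_OID, i.e. a NULL pointer; a NULL operand
	   therefore compares equal only to another NULL instead of being
	   dereferenced. */
	if (oid1 == NULL || oid2 == NULL)
		return oid1 == oid2;
	return oid1->length == oid2->length &&
		memcmp(oid1->elements, oid2->elements, oid1->length) == 0;
}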
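/* GSS_S_COMPLETE handling: verify that the negotiated mechanism is
   Kerberos 5, turn the authenticated name into a username and hand it to
   the auth request.  Returns 0 and moves the SASL state to GSS_STATE_WRAP
   on success, -1 (after logging) otherwise. */
static int
mech_gssapi_sec_context_complete(struct gssapi_auth_request *request,
				 gss_OID mech_type)
{
	struct auth_request *auth_request = &request->auth_request;
	gss_OID name_type;
	const char *username, *error;

	/* only Kerberos 5 is accepted: the krb5 principal checks later in
	   this file assume it */
	if (!mech_gssapi_oid_cmp(mech_type, &mech_gssapi_krb5_oid)) {
		auth_request_log_info(auth_request, "gssapi",
				      "GSSAPI mechanism not Kerberos5");
		return -1;
	}
	if (get_display_name(auth_request, request->authn_name,
			     &name_type, &username) < 0)
		return -1;
	if (!auth_request_set_username(auth_request, username, &error)) {
		auth_request_log_info(auth_request, "gssapi",
				      "authn_name: %s", error);
		return -1;
	}
	request->sasl_gssapi_state = GSS_STATE_WRAP;
	auth_request_log_debug(auth_request, "gssapi",
			       "security context state completed.");
	return 0;
}

/* Feed one client token to gss_accept_sec_context().  Returns -1 (after
   logging) on a GSS error, on a major status this code cannot continue
   from, or when the completed context is rejected; 0 otherwise, in which
   case the output token (possibly zero-length) has already been sent to
   the client with AUTH_CLIENT_RESULT_CONTINUE. */
static int
mech_gssapi_sec_context(struct gssapi_auth_request *request,
			gss_buffer_desc inbuf)
{
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major_status, minor_status;
	/* initialized so it can be released on every exit path, including
	   an error return from gss_accept_sec_context() */
	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
	gss_OID mech_type;
	int ret = 0;

	major_status = gss_accept_sec_context(
		&minor_status,
		&request->gss_ctx,
		request->service_cred,
		&inbuf,
		GSS_C_NO_CHANNEL_BINDINGS, /* not bound to the transport */
		&request->authn_name,
		&mech_type,
		&output_token,
		NULL, /* ret_flags */
		NULL, /* time_rec */
		NULL /* delegated_cred_handle */
	);

	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(auth_request, major_status,
				      GSS_C_GSS_CODE,
				      "processing incoming data");
		mech_gssapi_log_error(auth_request, minor_status,
				      GSS_C_MECH_CODE,
				      "processing incoming data");
		/* the library may have allocated an error token */
		(void)gss_release_buffer(&minor_status, &output_token);
		return -1;
	}

	switch (major_status) {
	case GSS_S_COMPLETE:
		ret = mech_gssapi_sec_context_complete(request, mech_type);
		break;
	case GSS_S_CONTINUE_NEEDED:
		auth_request_log_debug(auth_request, "gssapi",
			"Processed incoming packet correctly, "
			"waiting for another.");
		break;
	default:
		/* not an error bit, but not a state this code knows how to
		   continue from either (e.g. supplementary status bits set):
		   fail closed rather than send the token onwards.  OM_uint32
		   is unsigned, hence %u with a cast. */
		auth_request_log_error(auth_request, "gssapi",
			"Received unexpected major status %u",
			(unsigned int)major_status);
		ret = -1;
		break;
	}

	if (ret == 0) {
		auth_request->callback(auth_request,
				       AUTH_CLIENT_RESULT_CONTINUE,
				       output_token.value, output_token.length);
	}
	(void)gss_release_buffer(&minor_status, &output_token);
	return ret;
}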
static int
mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
{
	/* Send the SASL GSSAPI security-layer negotiation token to the
	   client: four bytes (per RFC 4752, a bitmask of the security layers
	   offered followed by a 3-byte maximum message size), wrapped with
	   gss_wrap() without confidentiality (conf_req_flag 0).  The client's
	   token for this step should be empty and is not inspected; `inbuf'
	   is merely reused as the descriptor for the outgoing bytes.
	   On success the SASL state moves to GSS_STATE_UNWRAP and 0 is
	   returned; if gss_wrap() fails the errors are logged and -1 is
	   returned. */
	OM_uint32 major_status, minor_status;
	gss_buffer_desc outbuf;
	unsigned char sec_layer[4] = {
		/* only authentication is offered, no integrity or
		   confidentiality layer (yet?) */
		SASL_GSSAPI_QOP_UNSPECIFIED | SASL_GSSAPI_QOP_AUTH_ONLY,
		/* NOTE(review): RFC 4752 3.1 appears to require this
		   max-size field to be 0 when no security layer is
		   supported; 0xFFFFFF may predate that wording - confirm */
		0xFF, 0xFF, 0xFF
	};

	inbuf.length = sizeof(sec_layer);
	inbuf.value = sec_layer;
	major_status = gss_wrap(&minor_status, request->gss_ctx, 0,
				GSS_C_QOP_DEFAULT, &inbuf, NULL, &outbuf);
	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(&request->auth_request, major_status,
			GSS_C_GSS_CODE, "sending security layer negotiation");
		mech_gssapi_log_error(&request->auth_request, minor_status,
			GSS_C_MECH_CODE, "sending security layer negotiation");
		return -1;
	}

	auth_request_log_debug(&request->auth_request, "gssapi",
			       "Negotiated security layer");
	request->auth_request.callback(&request->auth_request,
				       AUTH_CLIENT_RESULT_CONTINUE,
				       outbuf.value, outbuf.length);
	(void)gss_release_buffer(&minor_status, &outbuf);
	request->sasl_gssapi_state = GSS_STATE_UNWRAP;
	return 0;
}
381 #ifdef USE_KRB5_USEROK
382 static bool
383 mech_gssapi_krb5_userok(struct gssapi_auth_request *request,
384 gss_name_t name, const char *login_user,
385 bool check_name_type)
386 {
387 krb5_context ctx;
388 krb5_principal princ;
389 krb5_error_code krb5_err;
390 gss_OID name_type;
391 const char *princ_display_name;
392 bool ret = FALSE;
394 /* Parse out the principal's username */
395 if (get_display_name(&request->auth_request, name, &name_type,
396 &princ_display_name) < 0)
397 return FALSE;
399 if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) &&
400 check_name_type) {
401 auth_request_log_info(&request->auth_request, "gssapi",
402 "OID not kerberos principal name");
403 return FALSE;
404 }
406 /* Init a krb5 context and parse the principal username */
407 krb5_err = krb5_init_context(&ctx);
408 if (krb5_err != 0) {
409 auth_request_log_error(&request->auth_request, "gssapi",
410 "krb5_init_context() failed: %d", (int)krb5_err);
411 return FALSE;
412 }
413 krb5_err = krb5_parse_name(ctx, princ_display_name, &princ);
414 if (krb5_err != 0) {
415 /* writing the error string would be better, but we probably
416 rarely get here and there doesn't seem to be a standard
417 way of getting it */
418 auth_request_log_info(&request->auth_request, "gssapi",
419 "krb5_parse_name() failed: %d",
420 (int)krb5_err);
421 } else {
422 /* See if the principal is authorized to act as the
423 specified user */
424 ret = krb5_kuserok(ctx, princ, login_user);
425 krb5_free_principal(ctx, princ);
426 }
427 krb5_free_context(ctx);
428 return ret;
429 }
430 #endif
431
static int
mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
{
	/* Authorization step of the GSSAPI exchange: decide whether the
	   principal that actually authenticated (request->authn_name) may
	   act as the authorization identity the client asked for
	   (request->authz_name; login_user is its string form).
	   Returns 0 when the mapping is allowed, -1 when it is refused or a
	   GSS call fails; the reason is logged before returning. */
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major, minor;
	int names_equal;

	/* Same principal on both sides: nothing further to authorize. */
	major = gss_compare_name(&minor, request->authn_name,
				 request->authz_name, &names_equal);
	if (GSS_ERROR(major)) {
		mech_gssapi_log_error(auth_request, major, GSS_C_GSS_CODE,
				      "gss_compare_name failed");
		return -1;
	}
	if (names_equal != 0)
		return 0;

	/* authn_name and authz_name differ (cross-realm authentication):
	   a platform-specific "userok" check has to approve the mapping. */
#ifdef HAVE___GSS_USEROK
	{
		/* Solaris */
		int authorized;

		major = __gss_userok(&minor, request->authn_name,
				     login_user, &authorized);
		if (GSS_ERROR(major)) {
			mech_gssapi_log_error(auth_request, major,
					      GSS_C_GSS_CODE,
					      "__gss_userok failed");
			return -1;
		}
		if (authorized == 0) {
			auth_request_log_info(auth_request, "gssapi",
				"User not authorized to log in as %s",
				login_user);
			return -1;
		}
		return 0;
	}
#elif defined(USE_KRB5_USEROK)
	if (mech_gssapi_krb5_userok(request, request->authn_name,
				    login_user, TRUE))
		return 0;
	auth_request_log_info(auth_request, "gssapi",
		"User not authorized to log in as %s", login_user);
	return -1;
#else
	/* Neither helper is available, so there is no way to verify the
	   mapping: a differing authz_name is always refused (fail closed). */
	auth_request_log_info(auth_request, "gssapi",
		"Cross-realm authentication not supported "
		"(authz_name=%s)", login_user);
	return -1;
#endif
}
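static int
mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
{
	/* Final round trip of the SASL GSSAPI exchange: unwrap the client's
	   reply to our security-layer offer, take the authorization identity
	   that follows its 4-byte header, check that the authenticated
	   principal may act as that identity, and finish the request.
	   Returns 0 on success (auth_request_success() has been called),
	   -1 on any failure (the reason has been logged). */
	struct auth_request *auth_request = &request->auth_request;
	OM_uint32 major_status, minor_status;
	gss_buffer_desc outbuf;
	const char *login_user = NULL, *error;
	unsigned char *name;
	unsigned int name_len;
	int ret;

	major_status = gss_unwrap(&minor_status, request->gss_ctx,
				  &inbuf, &outbuf, NULL, NULL);
	if (GSS_ERROR(major_status)) {
		mech_gssapi_log_error(auth_request, major_status,
				      GSS_C_GSS_CODE,
				      "final negotiation: gss_unwrap");
		return -1;
	}

	/* outbuf[0] contains bitmask for selected security layer,
	   outbuf[1..3] contains maximum output_message size. Anything
	   shorter than 5 bytes, including an empty authorization identity
	   (length exactly 4), is rejected.
	   NOTE(review): outbuf[0] is never compared with the layers offered
	   in mech_gssapi_wrap(); confirm that only "no security layer" is
	   offered there, otherwise a client selecting an unsupported layer
	   should be refused here. */
	if (outbuf.length <= 4) {
		auth_request_log_error(auth_request, "gssapi",
				       "Invalid response length");
		ret = -1;
	} else {
		name = (unsigned char *)outbuf.value + 4;
		name_len = outbuf.length - 4;
		if (data_has_nuls(name, name_len)) {
			/* An embedded NUL would make login_user (a C string)
			   shorter than the length-delimited name imported
			   below, so the two identities would disagree. */
			auth_request_log_info(auth_request, "gssapi",
					      "authz_name has NULs");
			ret = -1;
		} else {
			login_user = p_strndup(auth_request->pool,
					       name, name_len);
			request->authz_name =
				import_name(auth_request, name, name_len);
			ret = 0;
		}
	}
	/* gss_unwrap() allocated outbuf, so it has to be released on every
	   path (the original code leaked it). p_strndup() has copied the
	   string; import_name() is assumed to do so as well (presumably via
	   gss_import_name(), which does not retain its input) — confirm. */
	(void)gss_release_buffer(&minor_status, &outbuf);
	if (ret < 0)
		return -1;

	if (request->authz_name == GSS_C_NO_NAME) {
		auth_request_log_info(auth_request, "gssapi", "no authz_name");
		return -1;
	}

	/* Authorization: authn_name must be allowed to act as login_user. */
	if (mech_gssapi_userok(request, login_user) < 0)
		return -1;

	if (!auth_request_set_username(auth_request, login_user, &error)) {
		auth_request_log_info(auth_request, "gssapi",
				      "authz_name: %s", error);
		return -1;
	}

	auth_request_success(auth_request, NULL, 0);
	return 0;
}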
static void
mech_gssapi_auth_continue(struct auth_request *request,
			  const unsigned char *data, size_t data_size)
{
	/* Feed one client token into the SASL GSSAPI state machine. The
	   handler for the current state does the work (the unwrap handler
	   marks the request successful itself; the others presumably report
	   their own continuation). This function only translates a negative
	   handler result into auth_request_fail(). */
	struct gssapi_auth_request *greq =
		(struct gssapi_auth_request *)request;
	gss_buffer_desc token;
	int status = -1;

	/* gss_buffer_desc.value is non-const, hence the cast; nothing in
	   this function writes through it. */
	token.value = (void *)data;
	token.length = data_size;

	switch (greq->sasl_gssapi_state) {
	case GSS_STATE_SEC_CONTEXT:
		status = mech_gssapi_sec_context(greq, token);
		break;
	case GSS_STATE_WRAP:
		status = mech_gssapi_wrap(greq, token);
		break;
	case GSS_STATE_UNWRAP:
		status = mech_gssapi_unwrap(greq, token);
		break;
	default:
		i_unreached();
	}

	if (status < 0)
		auth_request_fail(request);
}
static void
mech_gssapi_auth_initial(struct auth_request *request,
			 const unsigned char *data, size_t data_size)
{
	/* Entry point of a GSSAPI authentication: obtain the service
	   credentials, reset the per-request names and state, then either
	   ask the client for its first token or process the token it
	   already sent along with the AUTHENTICATE command. */
	struct gssapi_auth_request *greq =
		(struct gssapi_auth_request *)request;
	OM_uint32 major;

	major = obtain_service_credentials(request, &greq->service_cred);
	if (GSS_ERROR(major)) {
		/* Credential problems are reported as an internal
		   (server-side) failure, not as a client auth failure. */
		auth_request_internal_failure(request);
		return;
	}

	greq->authn_name = GSS_C_NO_NAME;
	greq->authz_name = GSS_C_NO_NAME;
	greq->sasl_gssapi_state = GSS_STATE_SEC_CONTEXT;

	if (data_size > 0) {
		mech_gssapi_auth_continue(request, data, data_size);
		return;
	}
	/* No initial response: the client should go first. */
	request->callback(request, AUTH_CLIENT_RESULT_CONTINUE, NULL, 0);
}
607 static void
608 mech_gssapi_auth_free(struct auth_request *request)
28cca6317829 Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
609 {
9196
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
610 struct gssapi_auth_request *gssapi_request =
3683
28cca6317829 Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
611 (struct gssapi_auth_request *)request;
9196
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
612 OM_uint32 minor_status;
3683
28cca6317829 Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
613
6242
40e324d83d2b Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents: 6199
diff changeset
614 if (gssapi_request->gss_ctx != GSS_C_NO_CONTEXT) {
9196
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
615 (void)gss_delete_sec_context(&minor_status,
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
616 &gssapi_request->gss_ctx,
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
617 GSS_C_NO_BUFFER);
6242
40e324d83d2b Crashfix for failed GSSAPI requests.
Timo Sirainen <tss@iki.fi>
parents: 6199
diff changeset
618 }
3683
28cca6317829 Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
619
9196
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
620 (void)gss_release_cred(&minor_status, &gssapi_request->service_cred);
5259
228eacfb2647 Added more debug logging.
Timo Sirainen <tss@iki.fi>
parents: 4862
diff changeset
621 if (gssapi_request->authn_name != GSS_C_NO_NAME) {
9196
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
622 (void)gss_release_name(&minor_status,
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
623 &gssapi_request->authn_name);
5259
228eacfb2647 Added more debug logging.
Timo Sirainen <tss@iki.fi>
parents: 4862
diff changeset
624 }
228eacfb2647 Added more debug logging.
Timo Sirainen <tss@iki.fi>
parents: 4862
diff changeset
625 if (gssapi_request->authz_name != GSS_C_NO_NAME) {
9196
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
626 (void)gss_release_name(&minor_status,
4172004c1958 gssapi: Code cleanups. Logging error level changes.
Timo Sirainen <tss@iki.fi>
parents: 8872
diff changeset
627 &gssapi_request->authz_name);
5259
228eacfb2647 Added more debug logging.
Timo Sirainen <tss@iki.fi>
parents: 4862
diff changeset
628 }
6428
7cad076906eb pool_unref() now takes ** pointer.
Timo Sirainen <tss@iki.fi>
parents: 6242
diff changeset
629 pool_unref(&request->pool);
3683
28cca6317829 Added GSSAPI support. Patch by Jelmer Vernooij and some fixes by
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
630 }
631
/* Mechanism descriptor for the plain "GSSAPI" SASL mechanism. In the plugin
   build it is registered by mech_gssapi_init() below. flags is 0, i.e. no
   mechanism flags are set; MECH_PASSDB_NEED_NOTHING means the mechanism
   does not require anything from a passdb lookup (presumably because the
   GSS exchange itself authenticates the client -- confirm in auth_request
   handling). The callbacks are shared with mech_gssapi_spnego. */
const struct mech_module mech_gssapi = {
	"GSSAPI",

	MEMBER(flags) 0,
	MEMBER(passdb_need) MECH_PASSDB_NEED_NOTHING,

	mech_gssapi_auth_new,
	mech_gssapi_auth_initial,
	mech_gssapi_auth_continue,
	mech_gssapi_auth_free
};
643
644 /* MIT Kerberos v1.5+ and Heimdal v0.7+ support SPNEGO for Kerberos tickets
645 internally. Nothing else needs to be done here. Note however that this does
646 not support SPNEGO when the only available credential is NTLM. */
/* Descriptor for the "GSS-SPNEGO" SASL mechanism. It uses exactly the same
   callbacks and flags as mech_gssapi; only the advertised mechanism name
   differs. Registration is conditional: mech_gssapi_init() registers it only
   when HAVE_GSSAPI_SPNEGO is defined and NTLM_USE_WINBIND is not set in the
   environment. */
const struct mech_module mech_gssapi_spnego = {
	"GSS-SPNEGO",

	MEMBER(flags) 0,
	MEMBER(passdb_need) MECH_PASSDB_NEED_NOTHING,

	mech_gssapi_auth_new,
	mech_gssapi_auth_initial,
	mech_gssapi_auth_continue,
	mech_gssapi_auth_free
};
658
659 #ifndef BUILTIN_GSSAPI
660 void mech_gssapi_init(void);
661 void mech_gssapi_deinit(void);
662
/*
 * Plugin entry point: register the GSSAPI mechanism, and GSS-SPNEGO when
 * the GSS-API library supports it (HAVE_GSSAPI_SPNEGO).
 *
 * GSS-SPNEGO is skipped when NTLM_USE_WINBIND is present in the
 * environment -- presumably because winbind then handles SPNEGO for NTLM
 * (this file's history ties the variable to the auth_use_winbind setting;
 * confirm against the NTLM mechanism). mech_gssapi_deinit() evaluates the
 * same condition, so the two must stay in sync.
 */
void mech_gssapi_init(void)
{
	mech_register_module(&mech_gssapi);
#ifdef HAVE_GSSAPI_SPNEGO
	{
		const char *use_winbind = getenv("NTLM_USE_WINBIND");

		if (use_winbind == NULL) {
			mech_register_module(&mech_gssapi_spnego);
		}
	}
#endif
}
671
/*
 * Plugin exit point: undo mech_gssapi_init().
 *
 * The GSS-SPNEGO unregistration is guarded by the same NTLM_USE_WINBIND
 * environment check as the registration, so that only what was registered
 * gets unregistered. If the environment could change between init and
 * deinit the two would disagree -- assumed not to happen; confirm with the
 * caller that sets the variable.
 */
void mech_gssapi_deinit(void)
{
	mech_unregister_module(&mech_gssapi);
#ifdef HAVE_GSSAPI_SPNEGO
	{
		const char *use_winbind = getenv("NTLM_USE_WINBIND");

		if (use_winbind == NULL) {
			mech_unregister_module(&mech_gssapi_spnego);
		}
	}
#endif
}
680 #endif
681
682 #endif