# HG changeset patch
# User Timo Sirainen
# Date 1248660833 14400
# Node ID b36b0291e1c174a3a79529d5d53b3f82ff49f99f
# Parent 1b3e90e829def0a12cc89d1e06f9d5ea6268b859
gssapi: Fail authentication if mechanism type isn't Kerberos 5. Also check GSS_KRB5_NT_PRINCIPAL_NAME more correctly.

diff -r 1b3e90e829de -r b36b0291e1c1 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c	Sun Jul 26 22:00:46 2009 -0400
+++ b/src/auth/mech-gssapi.c	Sun Jul 26 22:13:53 2009 -0400
@@ -228,6 +228,13 @@
 	return 0;
 }
 
+static bool mech_gssapi_oid_cmp(const gss_OID_desc *oid1,
+				const gss_OID_desc *oid2)
+{
+	return oid1->length == oid2->length &&
+		memcmp(oid1->elements, oid2->elements, oid1->length) == 0;
+}
+
 static int mech_gssapi_sec_context(struct gssapi_auth_request *request,
 				   gss_buffer_desc inbuf)
@@ -236,6 +243,7 @@
 	OM_uint32 major_status, minor_status;
 	gss_buffer_desc output_token;
 	gss_OID name_type;
+	gss_OID mech_type;
 	const char *username, *error;
 	int ret = 0;
 
@@ -246,13 +254,13 @@
 		&inbuf,
 		GSS_C_NO_CHANNEL_BINDINGS,
 		&request->authn_name,
-		NULL, /* mech_type */
+		&mech_type,
 		&output_token,
 		NULL, /* ret_flags */
 		NULL, /* time_rec */
 		NULL /* delegated_cred_handle */
 	);
- 
+
 	if (GSS_ERROR(major_status)) {
 		mech_gssapi_log_error(auth_request, major_status, GSS_C_GSS_CODE,
@@ -265,8 +273,12 @@
 	switch (major_status) {
 	case GSS_S_COMPLETE:
-		if (!get_display_name(auth_request, request->authn_name,
-				      &name_type, &username) < 0)
+		if (!mech_gssapi_oid_cmp(mech_type, gss_mech_krb5)) {
+			auth_request_log_info(auth_request, "gssapi",
+					      "GSSAPI mechanism not Kerberos5");
+			ret = -1;
+		} else if (!get_display_name(auth_request, request->authn_name,
+					     &name_type, &username) < 0)
 			ret = -1;
 		else if (!auth_request_set_username(auth_request, username,
 						    &error)) {
 
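Review bot: `mech_gssapi_oid_cmp` dereferences both operands unconditionally, yet its callers pass OIDs obtained from the GSSAPI library (the `mech_type` output of gss_accept_sec_context() in the fourth hunk, a `name_type` in the last hunk), and a null `GSS_C_NO_OID` in either position would crash the auth process instead of failing the login; a leading guard `if (oid1 == GSS_C_NO_OID || oid2 == GSS_C_NO_OID) return FALSE;` makes the comparison fail closed. The helper also has no comment; suggest `/* Returns TRUE if both OIDs are byte-for-byte equal; a null OID never matches. */` above it. If I recall correctly `gss_mech_krb5` is an MIT Kerberos symbol and Heimdal names the same OID `GSS_KRB5_MECHANISM`, so the comparison in the fourth hunk may need a configure-time check if both libraries are meant to be supported.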
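Review bot: The new `} else if (!get_display_name(..., &name_type, &username) < 0)` branch carries over the pre-existing inverted test: `!get_display_name(...)` evaluates to 0 or 1 and is never `< 0`, so the condition is always false and a failed display-name lookup proceeds to auth_request_set_username() with `username` never assigned. The call in the last hunk that ends with `&princ_display_name) < 0)` tests the plain return value, which looks like the intended form here too: `} else if (get_display_name(auth_request, request->authn_name, &name_type, &username) < 0)`. Initialising `username` to NULL in the declaration block (second hunk) would additionally keep the failure path deterministic. mech_gssapi_sec_context() continues past the end of this hunk.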
@@ -360,7 +372,8 @@
 				&princ_display_name) < 0)
 		return FALSE;
 
-	if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME && check_name_type) {
+	if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) &&
+	    check_name_type) {
 		auth_request_log_info(&request->auth_request, "gssapi",
 				      "OID not kerberos principal name");
 		return FALSE;
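Review bot: `mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)` is evaluated before `check_name_type`, so the OID comparison, and with it the dereference of `name_type`, runs even when the caller asked for the check to be skipped; swapping the operands to `if (check_name_type && !mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {` keeps the behaviour and avoids touching `name_type` when it is not needed. It is also worth confirming that `name_type` cannot be `GSS_C_NO_OID` at this point, since the helper does not tolerate a null OID; the call that fills it is above this hunk. The enclosing function starts and ends outside the hunk.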