# HG changeset patch # User Timo Sirainen # Date 1236980525 14400 # Node ID ff6378d7b209843082d53aa27a084c605675ca05 # Parent 2ed5d2250d1d01909f0dc3ea59592337f022090f gssapi: Cross-realm authentication fix. Patch by Bryan Jacobs. diff -r 2ed5d2250d1d -r ff6378d7b209 src/auth/mech-gssapi.c --- a/src/auth/mech-gssapi.c Fri Mar 13 17:27:11 2009 -0400 +++ b/src/auth/mech-gssapi.c Fri Mar 13 17:42:05 2009 -0400 @@ -317,7 +317,9 @@ } #ifdef USE_KRB5_USEROK -static bool gssapi_krb5_userok(struct gssapi_auth_request *request) +static bool +gssapi_krb5_userok(struct gssapi_auth_request *request, gss_name_t name, + bool check_name_type) { krb5_context ctx; krb5_principal princ; @@ -329,7 +331,7 @@ bool ret = FALSE; /* Parse out the principal's username */ - major_status = gss_display_name(&minor_status, request->authn_name, + major_status = gss_display_name(&minor_status, name, &princ_name, &name_type); if (major_status != GSS_S_COMPLETE) { auth_request_log_gss_error(&request->auth_request, major_status, @@ -337,7 +339,7 @@ "gssapi_krb5_userok"); return FALSE; } - if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME) { + if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME && check_name_type) { auth_request_log_error(&request->auth_request, "gssapi", "OID not kerberos principal name"); return FALSE; @@ -376,8 +378,9 @@ { OM_uint32 major_status, minor_status; gss_buffer_desc outbuf; +#if defined(HAVE___GSS_USEROK) || !defined(USE_KRB5_USEROK) int equal_authn_authz = 0; - +#endif major_status = gss_unwrap(&minor_status, request->gss_ctx, &inbuf, &outbuf, NULL, NULL); @@ -440,21 +443,33 @@ (unsigned char *)outbuf.value + 4, outbuf.length - 4); +#ifdef USE_KRB5_USEROK + if (!gssapi_krb5_userok(request, request->authn_name, TRUE)) { + auth_request_log_error(&request->auth_request, "gssapi", + "authn_name not authorized"); + auth_request_fail(&request->auth_request); + return; + } + + if (!gssapi_krb5_userok(request, request->authz_name, FALSE)) { + auth_request_log_error(&request->auth_request, "gssapi", + "authz_name not authorized"); + auth_request_fail(&request->auth_request); + return; + } +#else major_status = gss_compare_name(&minor_status, request->authn_name, request->authz_name, &equal_authn_authz); -#ifdef USE_KRB5_USEROK - if (equal_authn_authz == 0) - equal_authn_authz = gssapi_krb5_userok(request); -#endif - if (equal_authn_authz == 0) { + if (equal_authn_authz != 0) { auth_request_log_error(&request->auth_request, "gssapi", "authn_name and authz_name differ: not supported"); auth_request_fail(&request->auth_request); return; } #endif +#endif auth_request_success(&request->auth_request, NULL, 0); }