projects
/
cyrus-sasl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
GSS_S_PROMPTING_NEEDED is a bit
[cyrus-sasl.git]
/
plugins
/
gs2.c
diff --git
a/plugins/gs2.c
b/plugins/gs2.c
index
5afe7bb
..
6faa70d
100644
(file)
--- a/
plugins/gs2.c
+++ b/
plugins/gs2.c
@@
-97,6
+97,10
@@
#define GS2_CB_FLAG_Y 0x02
#define GS2_NONSTD_FLAG 0x10
#define GS2_CB_FLAG_Y 0x02
#define GS2_NONSTD_FLAG 0x10
+#ifndef GSS_S_PROMPTING_NEEDED
+#define GSS_S_PROMPTING_NEEDED (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 5))
+#endif
+
typedef struct context {
gss_ctx_id_t gss_ctx;
gss_name_t client_name;
typedef struct context {
gss_ctx_id_t gss_ctx;
gss_name_t client_name;
@@
-440,11
+444,6
@@
gs2_server_mech_step(void *conn_context,
assert(maj_stat == GSS_S_COMPLETE);
assert(maj_stat == GSS_S_COMPLETE);
- if ((out_flags & GSS_C_SEQUENCE_FLAG) == 0) {
- ret = SASL_BADAUTH;
- goto cleanup;
- }
-
maj_stat = gss_display_name(&min_stat, text->client_name,
&name_buf, NULL);
if (GSS_ERROR(maj_stat))
maj_stat = gss_display_name(&min_stat, text->client_name,
&name_buf, NULL);
if (GSS_ERROR(maj_stat))
@@
-539,7
+538,7
@@
cleanup:
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
ret = SASL_FAIL;
}
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
ret = SASL_FAIL;
}
- if (ret
!= SASL_OK && ret != SASL_CONTINUE
)
+ if (ret
< SASL_OK
)
sasl_gs2_free_context_contents(text);
return ret;
sasl_gs2_free_context_contents(text);
return ret;
@@
-689,7
+688,7
@@
static int gs2_client_mech_step(void *conn_context,
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
OM_uint32 maj_stat = GSS_S_FAILURE, min_stat = 0;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
OM_uint32 maj_stat = GSS_S_FAILURE, min_stat = 0;
- OM_uint32 re
q_flags, re
t_flags;
+ OM_uint32 ret_flags;
int ret = SASL_FAIL;
int initialContextToken;
int ret = SASL_FAIL;
int initialContextToken;
@@
-766,8
+765,6
@@
static int gs2_client_mech_step(void *conn_context,
goto cleanup;
}
goto cleanup;
}
- req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-
maj_stat = gss_init_sec_context(&min_stat,
(params->gss_creds != GSS_C_NO_CREDENTIAL)
? (gss_cred_id_t)params->gss_creds
maj_stat = gss_init_sec_context(&min_stat,
(params->gss_creds != GSS_C_NO_CREDENTIAL)
? (gss_cred_id_t)params->gss_creds
@@
-775,7
+772,7
@@
static int gs2_client_mech_step(void *conn_context,
&text->gss_ctx,
text->server_name,
(gss_OID)text->mechanism,
&text->gss_ctx,
text->server_name,
(gss_OID)text->mechanism,
-
req_flags
,
+
GSS_C_MUTUAL_FLAG
,
GSS_C_INDEFINITE,
&text->gss_cbindings,
serverinlen ? &input_token : GSS_C_NO_BUFFER,
GSS_C_INDEFINITE,
&text->gss_cbindings,
serverinlen ? &input_token : GSS_C_NO_BUFFER,
@@
-814,7
+811,8
@@
static int gs2_client_mech_step(void *conn_context,
if (GSS_ERROR(maj_stat))
goto cleanup;
if (GSS_ERROR(maj_stat))
goto cleanup;
- if ((ret_flags & req_flags) != req_flags) {
+ if (params->cbindingdisp != SASL_CB_DISP_NONE &&
+ (ret_flags & GSS_C_MUTUAL_FLAG) == 0) {
maj_stat = SASL_BADAUTH;
goto cleanup;
}
maj_stat = SASL_BADAUTH;
goto cleanup;
}
@@
-840,9
+838,9
@@
cleanup:
if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
- ret = SASL_FAIL;
+ ret =
(maj_stat & GSS_S_PROMPTING_NEEDED) ? SASL_INTERACT :
SASL_FAIL;
}
}
- if (ret
!= SASL_OK && ret != SASL_CONTINUE
)
+ if (ret
< SASL_OK
)
sasl_gs2_free_context_contents(text);
return ret;
sasl_gs2_free_context_contents(text);
return ret;
@@
-1013,6
+1011,7
@@
gs2_verify_initial_message(context_t *text,
unsigned inlen,
gss_buffer_t token)
{
unsigned inlen,
gss_buffer_t token)
{
+ OM_uint32 major, minor;
char *p = (char *)in;
unsigned remain = inlen;
int ret;
char *p = (char *)in;
unsigned remain = inlen;
int ret;
@@
-1088,32
+1087,29
@@
gs2_verify_initial_message(context_t *text,
if (ret != SASL_OK)
return ret;
if (ret != SASL_OK)
return ret;
- buf.length = remain;
- buf.value = p;
-
if (text->gs2_flags & GS2_NONSTD_FLAG) {
if (text->gs2_flags & GS2_NONSTD_FLAG) {
- token->value = text->utils->malloc(buf.length);
- if (token->value == NULL)
- return SASL_NOMEM;
-
- token->length = buf.length;
- memcpy(token->value, buf.value, buf.length);
+ buf.length = remain;
+ buf.value = p;
} else {
} else {
- unsigned int token_size;
+ gss_buffer_desc tmp;
+
+ tmp.length = remain;
+ tmp.value = p;
- /* create a properly formed GSS token */
- token_size = gs2_token_size(text->mechanism, buf.length);
- token->value = text->utils->malloc(token_size);
- if (token->value == NULL)
+ major = gss_encapsulate_token(&tmp, text->mechanism, &buf);
+ if (GSS_ERROR(major))
return SASL_NOMEM;
return SASL_NOMEM;
+ }
+
+ token->value = text->utils->malloc(buf.length);
+ if (token->value == NULL)
+ return SASL_NOMEM;
- token->length = token_size;
+ token->length = buf.length;
+ memcpy(token->value, buf.value, buf.length);
- p = (char *)token->value;
- gs2_make_token_header(text->mechanism, buf.length,
- (unsigned char **)&p);
- memcpy(p, buf.value, buf.length);
- }
+ if ((text->gs2_flags & GS2_NONSTD_FLAG) == 0)
+ gss_release_buffer(&minor, &buf);
return SASL_OK;
}
return SASL_OK;
}
@@
-1231,36
+1227,32
@@
gs2_make_message(context_t *text,
unsigned *outlen)
{
OM_uint32 major, minor;
unsigned *outlen)
{
OM_uint32 major, minor;
- unsigned char *mech_token_data;
- size_t mech_token_size;
- char *p;
- unsigned header_len = 0;
int ret;
int ret;
-
- mech_token_size = token->length;
- mech_token_data = (unsigned char *)token->value;
+ unsigned header_len = 0;
+ gss_buffer_desc decap_token = GSS_C_EMPTY_BUFFER;
if (initialContextToken) {
header_len = *outlen;
if (initialContextToken) {
header_len = *outlen;
- major = gs2_verify_token_header(&minor, text->mechanism,
- &mech_token_size, &mech_token_data,
- token->length);
+ major = gss_decapsulate_token(token, text->mechanism, &decap_token);
if ((major == GSS_S_DEFECTIVE_TOKEN &&
(text->plug.client->features & SASL_FEAT_GSS_FRAMING)) ||
GSS_ERROR(major))
return SASL_FAIL;
if ((major == GSS_S_DEFECTIVE_TOKEN &&
(text->plug.client->features & SASL_FEAT_GSS_FRAMING)) ||
GSS_ERROR(major))
return SASL_FAIL;
+
+ token = &decap_token;
}
ret = _plug_buf_alloc(text->utils, out, outlen,
}
ret = _plug_buf_alloc(text->utils, out, outlen,
- header_len +
mech_token_size
);
+ header_len +
token->length
);
if (ret != 0)
return ret;
if (ret != 0)
return ret;
-
p = *out + header_len
;
-
memcpy(p, mech_token_data, mech_token_size)
;
+
memcpy(*out + header_len, token->value, token->length)
;
+
*outlen = header_len + token->length
;
- *outlen = header_len + mech_token_size;
+ if (initialContextToken)
+ gss_release_buffer(&minor, &decap_token);
return SASL_OK;
}
return SASL_OK;
}
@@
-1291,7
+1283,7
@@
gs2_get_mech_attrs(const sasl_utils_t *utils,
}
*security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE;
}
*security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE;
- *features = SASL_FEAT_WANT_CLIENT_FIRST
| SASL_FEAT_CHANNEL_BINDING
;
+ *features = SASL_FEAT_WANT_CLIENT_FIRST;
if (prompts != NULL)
*prompts = gs2_required_prompts;
if (prompts != NULL)
*prompts = gs2_required_prompts;
@@
-1305,8
+1297,10
@@
gs2_get_mech_attrs(const sasl_utils_t *utils,
*security_flags |= SASL_SEC_NOANONYMOUS;
if (MA_PRESENT(GSS_C_MA_DELEG_CRED))
*security_flags |= SASL_SEC_PASS_CREDENTIALS;
*security_flags |= SASL_SEC_NOANONYMOUS;
if (MA_PRESENT(GSS_C_MA_DELEG_CRED))
*security_flags |= SASL_SEC_PASS_CREDENTIALS;
- if (MA_PRESENT(GSS_C_MA_AUTH_TARG))
+ if (MA_PRESENT(GSS_C_MA_AUTH_TARG)) {
+ *features |= SASL_FEAT_CHANNEL_BINDING;
*security_flags |= SASL_SEC_MUTUAL_AUTH;
*security_flags |= SASL_SEC_MUTUAL_AUTH;
+ }
if (MA_PRESENT(GSS_C_MA_AUTH_INIT_INIT) && prompts != NULL)
*prompts = NULL;
if (MA_PRESENT(GSS_C_MA_ITOK_FRAMED))
if (MA_PRESENT(GSS_C_MA_AUTH_INIT_INIT) && prompts != NULL)
*prompts = NULL;
if (MA_PRESENT(GSS_C_MA_ITOK_FRAMED))
@@
-1323,7
+1317,7
@@
gs2_get_mech_attrs(const sasl_utils_t *utils,
static int gs2_indicate_mechs(const sasl_utils_t *utils)
{
OM_uint32 major, minor;
static int gs2_indicate_mechs(const sasl_utils_t *utils)
{
OM_uint32 major, minor;
- gss_OID_desc desired_oids[
3
];
+ gss_OID_desc desired_oids[
2
];
gss_OID_set_desc desired_attrs;
gss_OID_desc except_oids[3];
gss_OID_set_desc except_attrs;
gss_OID_set_desc desired_attrs;
gss_OID_desc except_oids[3];
gss_OID_set_desc except_attrs;
@@
-1332,8
+1326,7
@@
static int gs2_indicate_mechs(const sasl_utils_t *utils)
return SASL_OK;
desired_oids[0] = *GSS_C_MA_AUTH_INIT;
return SASL_OK;
desired_oids[0] = *GSS_C_MA_AUTH_INIT;
- desired_oids[1] = *GSS_C_MA_AUTH_TARG;
- desired_oids[2] = *GSS_C_MA_CBINDINGS;
+ desired_oids[1] = *GSS_C_MA_CBINDINGS;
desired_attrs.count = sizeof(desired_oids)/sizeof(desired_oids[0]);
desired_attrs.elements = desired_oids;
desired_attrs.count = sizeof(desired_oids)/sizeof(desired_oids[0]);
desired_attrs.elements = desired_oids;
@@
-1566,6
+1559,9
@@
gs2_get_init_creds(context_t *text,
&text->client_name);
if (GSS_ERROR(maj_stat))
goto cleanup;
&text->client_name);
if (GSS_ERROR(maj_stat))
goto cleanup;
+
+ /* The authid may have changed after prompting, so free any creds */
+ gss_release_cred(&min_stat, &text->client_creds);
}
}
}
}
@@
-1595,8
+1591,11
@@
gs2_get_init_creds(context_t *text,
NULL,
NULL,
NULL);
NULL,
NULL,
NULL);
- if (GSS_ERROR(maj_stat))
- goto cleanup;
+ if (GSS_ERROR(maj_stat)) {
+ /* Maybe there was no default credential */
+ auth_result = SASL_INTERACT;
+ goto interact;
+ }
maj_stat = gss_display_name(&min_stat,
text->client_name,
maj_stat = gss_display_name(&min_stat,
text->client_name,
@@
-1677,6
+1676,8
@@
gs2_get_init_creds(context_t *text,
maj_stat = GSS_S_COMPLETE;
maj_stat = GSS_S_COMPLETE;
+interact:
+
/* free prompts we got */
if (prompt_need && *prompt_need) {
params->utils->free(*prompt_need);
/* free prompts we got */
if (prompt_need && *prompt_need) {
params->utils->free(*prompt_need);
@@
-1707,7
+1708,7
@@
gs2_get_init_creds(context_t *text,
cleanup:
if (result == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
cleanup:
if (result == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
- result = SASL_FAIL;
+ result =
(maj_stat & GSS_S_PROMPTING_NEEDED) ? SASL_INTERACT :
SASL_FAIL;
}
gss_release_buffer(&min_stat, &cred_authid);
}
gss_release_buffer(&min_stat, &cred_authid);