projects / trust_router.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Whitespace change, remove debug printf.
[trust_router.git] / gsscon / gsscon_passive.c
diff --git a/gsscon/gsscon_passive.c b/gsscon/gsscon_passive.c
index 907153c..1ede6d3 100755 (executable)
--- a/gsscon/gsscon_passive.c
+++ b/gsscon/gsscon_passive.c
@@ -56,35 +56,33 @@
 
 const char *gServiceName = NULL;
 
-int gsscon_passive_authenticate (int           inSocket, 
-                                gss_ctx_id_t *outGSSContext,
-                                client_cb_fn clientCb,
-                                void *clientCbData)
+int gsscon_passive_authenticate (int               inSocket, 
+                                gss_buffer_desc    inNameBuffer,
+                                gss_ctx_id_t      *outGSSContext,
+                                client_cb_fn       clientCb,
+                                void              *clientCbData)
 {
     int err = 0;
     OM_uint32 majorStatus;
-    OM_uint32 minorStatus = 0;
+    OM_uint32 minorStatus = 0, minorStatusToo = 0;
     gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT;
     gss_name_t clientName = GSS_C_NO_NAME, serviceName = GSS_C_NO_NAME;
     gss_cred_id_t acceptorCredentials = NULL;
     gss_buffer_desc clientDisplayName = {0, NULL};
-    gss_buffer_desc nameBuffer = {0, "trustidentity"};
-    
     char *inputTokenBuffer = NULL;
     size_t inputTokenBufferLength = 0;
     gss_buffer_desc inputToken;  /* buffer received from the server */
     
-
-    nameBuffer.length = strlen(nameBuffer.value);
     if (inSocket <  0 ) { err = EINVAL; }
     if (!outGSSContext) { err = EINVAL; }
 
-    if (!err)
-      majorStatus = gss_import_name (&minorStatus, &nameBuffer, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &serviceName); 
-    if (majorStatus != GSS_S_COMPLETE) {
-       gsscon_print_gss_errors ("gss_import_name(inServiceName)", majorStatus, minorStatus);
+    if (!err) {
+      majorStatus = gss_import_name (&minorStatus, &inNameBuffer, (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &serviceName); 
+      if (majorStatus != GSS_S_COMPLETE) {
+       gsscon_print_gss_errors ("gss_import_name(serviceName)", majorStatus, minorStatus);
        err = minorStatus ? minorStatus : majorStatus; 
       }
+    }
 
     if (!err) {
       majorStatus = gss_acquire_cred ( &minorStatus, serviceName,
@@ -150,7 +148,7 @@ int gsscon_passive_authenticate (int           inSocket,
                 err = gsscon_write_token (inSocket, outputToken.value, outputToken.length);
                 
                 /* free the output token */
-                gss_release_buffer (&minorStatus, &outputToken);
+                gss_release_buffer (&minorStatusToo, &outputToken);
             }
         }
         
@@ -190,43 +188,7 @@ if (clientDisplayName.value != NULL)
     return err;
 }
 
-/* --------------------------------------------------------------------------- */
-
-static int ServicePrincipalIsValidForService (const char *inServicePrincipal)
-{
-    int err = 0;
-    krb5_context context = NULL;
-    krb5_principal principal = NULL;
     
-    if (!inServicePrincipal) { err = EINVAL; }
-    
-    if (!err) {
-        err = krb5_init_context (&context);
-    }
-    
-    if (!err) {
-        err = krb5_parse_name (context, inServicePrincipal, &principal);
-    }
-    
-    if (!err) {
-        /* 
-         * Here is where we check to see if the service principal the client 
-         * used is valid.  Typically we would just check that the first component 
-         * is the name of the service provided by the server.  This check exists
-         * to make sure the server is using the correct key in its keytab since
-         * we passed GSS_C_NO_CREDENTIAL into gss_accept_sec_context().
-         */
-        if (gServiceName && strcmp (gServiceName, 
-                                    krb5_princ_name (context, principal)->data) != 0) {
-            err = KRB5KRB_AP_WRONG_PRINC;
-        }
-    }
-    
-    if (principal) { krb5_free_principal (context, principal); }
-    if (context  ) { krb5_free_context (context); }
-    
-    return err;
-}
 
 
 /* --------------------------------------------------------------------------- */
@@ -327,15 +289,11 @@ int gsscon_authorize (gss_ctx_id_t  inContext,
     //    if (nameToken.value) { gss_release_buffer (&minorStatus, &nameToken); }
     // }
     
-//    if (!err) {
-//        int authorizationErr = ServicePrincipalIsValidForService (servicePr// incipal);
-//        
-//        if (!authorizationErr) {
 
          int authorizationErr = 0;
          authorizationErr = ClientPrincipalIsAuthorizedForService (clientPrincipal);
 
-//        }
+
         
 //        printf ("'%s' is%s authorized for service '%s'\n", 
 //                clientPrincipal, authorizationErr ? " NOT" : "", servicePrincipal);            
Moonshot Trust Router