# include <arpa/inet.h>
# include <netdb.h>
#endif /* WIN32 */
+#include <assert.h>
#include <fcntl.h>
#include <stdio.h>
#include <sasl.h>
{6, (void *)"\x2b\x06\x01\x05\x05\x02"};
static gss_OID_desc gss_krb5_mechanism_oid_desc =
{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
-static gss_OID_desc gss_eap_mechanism_oid_desc =
- {9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x15\x01" };
typedef struct context {
int state;
gss_OID mech;
int rfc2222_gss : 1;
+
+ sasl_secret_t *password;
+ unsigned int free_password;
+ OM_uint32 lifetime;
} context_t;
enum {
SASL_GSSAPI_STATE_AUTHENTICATED = 4
};
+static int
+gssapi_get_init_creds(context_t *text,
+ sasl_client_params_t *params,
+ sasl_interact_t **prompt_need,
+ sasl_out_params_t *oparams);
+
/* sasl_gss_log: only logs status string returned from gss_display_status() */
#define sasl_gss_log(x,y,z) sasl_gss_seterror_(x,y,z,1)
#define sasl_gss_seterror(x,y,z) sasl_gss_seterror_(x,y,z,0)
text->authid = NULL;
}
- return SASL_OK;
+ if (text->free_password)
+ _plug_free_secret(text->utils, &text->password);
+ memset(text, 0, sizeof(*text));
+
+ return SASL_OK;
}
static void gssapi_common_mech_dispose(void *conn_context,
NULL, /* mech_avail */
NULL /* spare */
},
- {
- "GSS-EAP", /* mech_name */
- 128, /* max_ssf */
- SASL_SEC_NOPLAINTEXT
- | SASL_SEC_NOACTIVE
- | SASL_SEC_MUTUAL_AUTH, /* security_flags */
- SASL_FEAT_WANT_CLIENT_FIRST
- | SASL_FEAT_ALLOWS_PROXY, /* features */
- NULL, /* glob_context */
- &gssapi_server_mech_new, /* mech_new */
- &gssapi_server_mech_step, /* mech_step */
- &gssapi_common_mech_dispose, /* mech_dispose */
- &gssapi_common_mech_free, /* mech_free */
- NULL, /* setpass */
- NULL, /* user_query */
- NULL, /* idle */
- NULL, /* mech_avail */
- NULL /* spare */
- }
};
int gssapiv2_server_plug_init(
0, conn_context);
}
-static int gss_eap_client_mech_new(void *glob_context,
- sasl_client_params_t *params,
- void **conn_context)
-{
- return _gssapi_client_mech_new(glob_context, params, &gss_eap_mechanism_oid_desc,
- 1, conn_context);
-}
-
static int gssapi_client_mech_step(void *conn_context,
sasl_client_params_t *params,
const char *serverin,
case SASL_GSSAPI_STATE_AUTHNEG:
/* try to get the userid */
- if (text->user == NULL) {
- int user_result = SASL_OK;
- int pass_result = SASL_OK;
-
- user_result = _plug_get_userid(params->utils, &text->user,
- prompt_need);
-
- if ((user_result != SASL_OK) && (user_result != SASL_INTERACT)) {
- sasl_gss_free_context_contents(text);
- return user_result;
- }
-
- /* free prompts we got */
- if (prompt_need && *prompt_need) {
- params->utils->free(*prompt_need);
- *prompt_need = NULL;
- }
-
- if (params->gss_creds == GSS_C_NO_CREDENTIAL) {
- unsigned int free_password = 0;
- sasl_secret_t *password = NULL;
-
- pass_result = _plug_get_password(params->utils, &password,
- &free_password, prompt_need);
- if (pass_result == SASL_OK) {
- gss_buffer_desc pwBuf;
- gss_buffer_desc nameBuf;
- gss_OID_set_desc mechs;
-
- nameBuf.length = strlen(text->user);
- nameBuf.value = (void *)text->user;
- pwBuf.length = password->len;
- pwBuf.value = password->data;
- mechs.count = 1;
- mechs.elements = text->mech;
-
- GSS_LOCK_MUTEX(params->utils);
- maj_stat = gss_import_name(&min_stat, &nameBuf,
- GSS_C_NT_USER_NAME, &text->client_name);
- if (maj_stat == GSS_S_COMPLETE) {
- maj_stat = gss_acquire_cred_with_password(&min_stat,
- text->client_name,
- &pwBuf, GSS_C_INDEFINITE,
- &mechs, GSS_C_INITIATE,
- &text->client_creds,
- NULL, NULL);
- if (GSS_ERROR(maj_stat)) {
- if (free_password) _plug_free_secret(params->utils, &password);
- sasl_gss_seterror(text->utils, maj_stat, min_stat);
- GSS_UNLOCK_MUTEX(params->utils);
- sasl_gss_free_context_contents(text);
- return SASL_FAIL;
- }
- }
- GSS_UNLOCK_MUTEX(params->utils);
- if (free_password) _plug_free_secret(params->utils, &password);
- }
- }
- /* if there are prompts not filled in */
- if (user_result == SASL_INTERACT && text->mech != &gss_krb5_mechanism_oid_desc) {
- int result =
- _plug_make_prompts(params->utils, prompt_need,
- user_result == SASL_INTERACT ?
- "Please enter your authorization name" : NULL,
- NULL,
- NULL, NULL,
- pass_result == SASL_INTERACT ?
- "Please enter your password" : NULL, NULL,
- NULL, NULL, NULL,
- NULL, NULL, NULL);
- if (result != SASL_OK) return result;
- return SASL_INTERACT;
- }
-
- }
-
+ if (text->gss_ctx == GSS_C_NO_CONTEXT) {
+ ret = gssapi_get_init_creds(text, params, prompt_need, oparams);
+ if (ret != SASL_OK) {
+ if (ret < SASL_OK)
+ sasl_gss_free_context_contents(text);
+ return ret;
+ }
+ }
if (text->server_name == GSS_C_NO_NAME) { /* only once */
name_token.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
name_token.value = (char *)params->utils->malloc((name_token.length + 1) * sizeof(char));
NULL, /* spare */
NULL /* spare */
},
- {
- "GSS-EAP", /* mech_name */
- 128, /* max_ssf */
- SASL_SEC_NOPLAINTEXT
- | SASL_SEC_NOACTIVE
- | SASL_SEC_NOANONYMOUS
- | SASL_SEC_MUTUAL_AUTH
- | SASL_SEC_PASS_CREDENTIALS, /* security_flags */
- SASL_FEAT_NEEDSERVERFQDN
- | SASL_FEAT_WANT_CLIENT_FIRST
- | SASL_FEAT_ALLOWS_PROXY, /* features */
- gssapi_required_prompts, /* required_prompts */
- NULL, /* glob_context */
- &gss_eap_client_mech_new, /* mech_new */
- &gssapi_client_mech_step, /* mech_step */
- &gssapi_common_mech_dispose, /* mech_dispose */
- &gssapi_common_mech_free, /* mech_free */
- NULL, /* idle */
- NULL, /* spare */
- NULL /* spare */
- },
};
int gssapiv2_client_plug_init(const sasl_utils_t *utils __attribute__((unused)),
return SASL_OK;
}
+
+#define GOT_CREDS(text, params) ((text)->client_creds != NULL || (params)->gss_creds != NULL)
+#define CRED_ERROR(status) ((status) == GSS_S_CRED_UNAVAIL || (status) == GSS_S_NO_CRED)
+
+/*
+ * Determine the authentication identity from the application supplied
+ * GSS credential, the application supplied identity, and the default
+ * GSS credential, in that order. Then, acquire credentials.
+ */
+static int
+gssapi_get_init_creds(context_t *text,
+ sasl_client_params_t *params,
+ sasl_interact_t **prompt_need,
+ sasl_out_params_t *oparams)
+{
+ int result = SASL_OK;
+ const char *authid = NULL, *userid = NULL;
+ int user_result = SASL_OK;
+ int auth_result = SASL_OK;
+ int pass_result = SASL_OK;
+ OM_uint32 maj_stat = GSS_S_COMPLETE, min_stat = 0;
+ gss_OID_set_desc mechs;
+ gss_buffer_desc cred_authid = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
+
+ mechs.count = 1;
+ mechs.elements = (gss_OID)text->mech;
+
+ /*
+ * Get the authentication identity from the application.
+ */
+ if (oparams->authid == NULL) {
+ auth_result = _plug_get_authid(params->utils, &authid, prompt_need);
+ if (auth_result != SASL_OK && auth_result != SASL_INTERACT) {
+ result = auth_result;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Get the authorization identity from the application.
+ */
+ if (oparams->user == NULL) {
+ user_result = _plug_get_userid(params->utils, &userid, prompt_need);
+ if (user_result != SASL_OK && user_result != SASL_INTERACT) {
+ result = user_result;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Canonicalize the authentication and authorization identities before
+ * calling GSS_Import_name.
+ */
+ if (auth_result == SASL_OK && user_result == SASL_OK &&
+ oparams->authid == NULL) {
+ if (userid == NULL || userid[0] == '\0') {
+ result = params->canon_user(params->utils->conn, authid, 0,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ } else {
+ result = params->canon_user(params->utils->conn,
+ authid, 0, SASL_CU_AUTHID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+
+ result = params->canon_user(params->utils->conn,
+ userid, 0, SASL_CU_AUTHZID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+ }
+
+ if (oparams->authid != NULL) {
+ name_buf.length = strlen(oparams->authid);
+ name_buf.value = (void *)oparams->authid;
+
+ assert(text->client_name == GSS_C_NO_NAME);
+
+ maj_stat = gss_import_name(&min_stat,
+ &name_buf,
+ GSS_C_NT_USER_NAME,
+ &text->client_name);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ /* The authid may have changed after prompting, so free any creds */
+ gss_release_cred(&min_stat, &text->client_creds);
+ }
+ }
+
+ /*
+ * If application didn't provide an authid, then use the default
+ * credential. If that doesn't work, give up.
+ */
+ if (!GOT_CREDS(text, params) && oparams->authid == NULL) {
+ maj_stat = gss_acquire_cred(&min_stat,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ assert(text->client_name == GSS_C_NO_NAME);
+
+ maj_stat = gss_inquire_cred(&min_stat,
+ params->gss_creds
+ ? (gss_cred_id_t)params->gss_creds
+ : text->client_creds,
+ &text->client_name,
+ NULL,
+ NULL,
+ NULL);
+ if (GSS_ERROR(maj_stat)) {
+ /* Maybe there was no default credential */
+ auth_result = SASL_INTERACT;
+ goto interact;
+ }
+
+ maj_stat = gss_display_name(&min_stat,
+ text->client_name,
+ &cred_authid,
+ NULL);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ if (userid == NULL || userid[0] == '\0') {
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ } else {
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHZID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Armed with the authentication identity, try to get a credential without
+ * a password.
+ */
+ if (!GOT_CREDS(text, params) && text->client_name != GSS_C_NO_NAME) {
+ maj_stat = gss_acquire_cred(&min_stat,
+ text->client_name,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat) && !CRED_ERROR(maj_stat))
+ goto cleanup;
+ }
+
+ /*
+ * If that failed, try to get a credential with a password.
+ */
+ if (!GOT_CREDS(text, params)) {
+ if (text->password == NULL) {
+ pass_result = _plug_get_password(params->utils, &text->password,
+ &text->free_password, prompt_need);
+ if (pass_result != SASL_OK && pass_result != SASL_INTERACT) {
+ result = pass_result;
+ goto cleanup;
+ }
+ }
+
+ if (text->password != NULL) {
+ gss_buffer_desc password_buf;
+
+ password_buf.length = text->password->len;
+ password_buf.value = text->password->data;
+
+ maj_stat = gss_acquire_cred_with_password(&min_stat,
+ text->client_name,
+ &password_buf,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+ }
+ }
+
+ maj_stat = GSS_S_COMPLETE;
+
+interact:
+
+ /* free prompts we got */
+ if (prompt_need && *prompt_need) {
+ params->utils->free(*prompt_need);
+ *prompt_need = NULL;
+ }
+
+ /* if there are prompts not filled in */
+ if (user_result == SASL_INTERACT || auth_result == SASL_INTERACT ||
+ pass_result == SASL_INTERACT) {
+ /* make the prompt list */
+ result =
+ _plug_make_prompts(params->utils, prompt_need,
+ user_result == SASL_INTERACT ?
+ "Please enter your authorization name" : NULL,
+ NULL,
+ auth_result == SASL_INTERACT ?
+ "Please enter your authentication name" : NULL,
+ NULL,
+ pass_result == SASL_INTERACT ?
+ "Please enter your password" : NULL, NULL,
+ NULL, NULL, NULL,
+ NULL,
+ NULL, NULL);
+ if (result == SASL_OK)
+ result = SASL_INTERACT;
+ }
+
+cleanup:
+ if (result == SASL_OK && maj_stat != GSS_S_COMPLETE) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ result = SASL_FAIL;
+ }
+
+ gss_release_buffer(&min_stat, &cred_authid);
+
+ return result;
+}