X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=plugins%2Fgs2.c;h=5afe7bbbe1a96412424268cd538c2fba1a6e9c85;hb=7098ec6a42fb9edd2fd2b4108f84ac3ba8271bb4;hp=930d70b9ccc5691fbc7a717785fde2c0c91b207f;hpb=ed18ff27f0786f8b53d581bb2ffef7d5a6b246f1;p=cyrus-sasl.git diff --git a/plugins/gs2.c b/plugins/gs2.c index 930d70b..5afe7bb 100644 --- a/plugins/gs2.c +++ b/plugins/gs2.c @@ -72,6 +72,9 @@ #include #include +#ifdef HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif #include #include #include @@ -1481,7 +1484,13 @@ gs2_escape_authzid(const sasl_utils_t *utils, } #define GOT_CREDS(text, params) ((text)->client_creds != NULL || (params)->gss_creds != NULL) +#define CRED_ERROR(status) ((status) == GSS_S_CRED_UNAVAIL || (status) == GSS_S_NO_CRED) +/* + * Determine the authentication identity from the application supplied + * GSS credential, the application supplied identity, and the default + * GSS credential, in that order. Then, acquire credentials. + */ static int gs2_get_init_creds(context_t *text, sasl_client_params_t *params, 
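Review bot: The precedence stated in the new header comment above gs2_get_init_creds ("the application supplied GSS credential, the application supplied identity, and the default GSS credential, in that order") does not match what the function body in the following hunks appears to do: whenever oparams->authid is NULL the code asks the application for an authid first, regardless of whether params->gss_creds is set, and the default credential is only acquired when neither an authid nor a credential was supplied. I would either reword it to `* Determine the authentication identity from the application supplied identity, otherwise from the application supplied or default GSS credential, then acquire credentials.` or change the code to match the documented order. The new CRED_ERROR macro also deserves a one-line comment, e.g. `/* Non-fatal "no credential available" statuses tolerated when acquiring defaults */`, and it is worth noting that it compares the full major status, so a status carrying supplementary bits would not match. gs2_get_init_creds starts in this hunk and continues past it.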
@@ -1493,67 +1502,27 @@ gs2_get_init_creds(context_t *text, int user_result = SASL_OK; int auth_result = SASL_OK; int pass_result = SASL_OK; - OM_uint32 maj_stat, min_stat; + OM_uint32 maj_stat = GSS_S_COMPLETE, min_stat = 0; gss_OID_set_desc mechs; gss_buffer_desc cred_authid = GSS_C_EMPTY_BUFFER; + gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER; mechs.count = 1; mechs.elements = (gss_OID)text->mechanism; /* - * Determine the authentication identity from the application supplied - * GSS credential, the default GSS credential, and the application - * supplied identity, in that order. + * Get the authentication identity from the application. */ if (oparams->authid == NULL) { - assert(text->client_name == GSS_C_NO_NAME); - - if (!GOT_CREDS(text, params)) { - maj_stat = gss_acquire_cred(&min_stat, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - &mechs, - GSS_C_INITIATE, - &text->client_creds, - NULL, - &text->lifetime); - } else - maj_stat = GSS_S_COMPLETE; - - if (maj_stat == GSS_S_COMPLETE) { - maj_stat = gss_inquire_cred(&min_stat, - params->gss_creds - ? (gss_cred_id_t)params->gss_creds - : text->client_creds, - &text->client_name, - NULL, - NULL, - NULL); - if (GSS_ERROR(maj_stat)) - goto cleanup; - } else if (maj_stat != GSS_S_CRED_UNAVAIL) + auth_result = _plug_get_authid(params->utils, &authid, prompt_need); + if (auth_result != SASL_OK && auth_result != SASL_INTERACT) { + result = auth_result; goto cleanup; - - if (text->client_name != GSS_C_NO_NAME) { - maj_stat = gss_display_name(&min_stat, - text->client_name, - &cred_authid, - NULL); - if (GSS_ERROR(maj_stat)) - goto cleanup; - - authid = cred_authid.value; - } else { - auth_result = _plug_get_authid(params->utils, &authid, prompt_need); - if (auth_result != SASL_OK && auth_result != SASL_INTERACT) { - result = auth_result; - goto cleanup; - } } } /* - * Get the authorization identity. + * Get the authorization identity from the application. 
*/ if (oparams->user == NULL) { user_result = _plug_get_userid(params->utils, &userid, prompt_need); 
@@ -1584,24 +1553,76 @@ gs2_get_init_creds(context_t *text, if (result != SASL_OK) goto cleanup; } + + if (oparams->authid != NULL) { + name_buf.length = strlen(oparams->authid); + name_buf.value = (void *)oparams->authid; + + assert(text->client_name == GSS_C_NO_NAME); + + maj_stat = gss_import_name(&min_stat, + &name_buf, + GSS_C_NT_USER_NAME, + &text->client_name); + if (GSS_ERROR(maj_stat)) + goto cleanup; + } } /* - * If the application has provided an authentication identity, parse it. + * If application didn't provide an authid, then use the default + * credential. If that doesn't work, give up. */ - if (text->client_name == GSS_C_NO_NAME && - oparams->authid != NULL && oparams->authid[0] != '\0') { - gss_buffer_desc name_buf; + if (!GOT_CREDS(text, params) && oparams->authid == NULL) { + maj_stat = gss_acquire_cred(&min_stat, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + &mechs, + GSS_C_INITIATE, + &text->client_creds, + NULL, + &text->lifetime); + if (GSS_ERROR(maj_stat)) + goto cleanup; - name_buf.length = strlen(oparams->authid); - name_buf.value = (void *)oparams->authid; + assert(text->client_name == GSS_C_NO_NAME); - maj_stat = gss_import_name(&min_stat, - &name_buf, - GSS_C_NT_USER_NAME, - &text->client_name); + maj_stat = gss_inquire_cred(&min_stat, + params->gss_creds + ? 
(gss_cred_id_t)params->gss_creds + : text->client_creds, + &text->client_name, + NULL, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + goto cleanup; + + maj_stat = gss_display_name(&min_stat, + text->client_name, + &cred_authid, + NULL); if (GSS_ERROR(maj_stat)) goto cleanup; + + if (userid == NULL || userid[0] == '\0') { + result = params->canon_user(params->utils->conn, + cred_authid.value, cred_authid.length, + SASL_CU_AUTHID | SASL_CU_AUTHZID, + oparams); + } else { + result = params->canon_user(params->utils->conn, + cred_authid.value, cred_authid.length, + SASL_CU_AUTHID, oparams); + if (result != SASL_OK) + goto cleanup; + + result = params->canon_user(params->utils->conn, + cred_authid.value, cred_authid.length, + SASL_CU_AUTHZID, oparams); + if (result != SASL_OK) + goto cleanup; + } } /* @@ -1617,7 +1638,7 @@ gs2_get_init_creds(context_t *text, &text->client_creds, NULL, &text->lifetime); - if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CRED_UNAVAIL) + if (GSS_ERROR(maj_stat) && !CRED_ERROR(maj_stat)) goto cleanup; }
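Review bot: In the new else branch at the end of the default-credential block, the second canon_user call canonicalizes cred_authid with SASL_CU_AUTHZID even though that branch is only reached when the application supplied a non-empty userid; this silently replaces the requested authorization identity with the credential's own name, and the call should be `result = params->canon_user(params->utils->conn, userid, (unsigned)strlen(userid), SASL_CU_AUTHZID, oparams);`. In the same block the `params->gss_creds ? (gss_cred_id_t)params->gss_creds : text->client_creds` selector passed to gss_inquire_cred is dead, since the enclosing `!GOT_CREDS(text, params)` condition guarantees params->gss_creds is NULL; unlike the removed code, an application-supplied credential with no authid now never has its name inquired or canonicalized, so please confirm a later step covers that case. The canon_user result in the empty-userid branch is not checked before control leaves the block, so unless the function tail tests `result` a failed canonicalization is ignored. gs2_get_init_creds continues outside this hunk.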