/*
- * Copyright (c) 2010 PADL Software Pty Ltd.
+ * Copyright (c) 2010, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * 3. Redistributions in any form must be accompanied by information on
- * how to obtain complete source code for the GS2 software and any
- * accompanying software that uses the GS2 software. The source code
- * must either be included in the distribution or be available for no
- * more than the cost of distribution plus a nominal fee, and must be
- * freely redistributable under reasonable conditions. For an
- * executable file, complete source code means the source code for all
- * modules it contains. It does not include source code for modules or
- * files that typically accompany the major components of the operating
- * system on which the executable file runs.
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
- * NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
/*
* Copyright (c) 1998-2003 Carnegie Mellon University.
#include <config.h>
#include <gssapi/gssapi.h>
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
#include <gssapi/gssapi_ext.h>
+#endif
#include <fcntl.h>
#include <stdio.h>
#include <sasl.h>
context_t *ret;
ret = utils->malloc(sizeof(context_t));
- if (!ret)
+ if (ret == NULL)
return NULL;
memset(ret, 0, sizeof(context_t));
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
ret = SASL_FAIL;
}
- if (ret != SASL_OK && ret != SASL_CONTINUE)
+ if (ret < SASL_OK)
sasl_gs2_free_context_contents(text);
return ret;
return SASL_NOMECH;
}
- plugs = utils->malloc(2 * gs2_mechs->count * plugsize);
+ plugs = utils->malloc(gs2_mechs->count * plugsize);
if (plugs == NULL) {
MEMERROR(utils);
return SASL_NOMEM;
}
- memset(plugs, 0, 2 * gs2_mechs->count * plugsize);
+ memset(plugs, 0, gs2_mechs->count * plugsize);
for (i = 0; i < gs2_mechs->count; i++) {
gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
snprintf(name_buf.value, name_buf.length + 1,
"%s@%s", params->service, params->serverFQDN);
- maj_stat = gss_import_name (&min_stat,
- &name_buf,
- GSS_C_NT_HOSTBASED_SERVICE,
- &text->server_name);
+ maj_stat = gss_import_name(&min_stat,
+ &name_buf,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &text->server_name);
params->utils->free(name_buf.value);
name_buf.value = NULL;
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
ret = SASL_FAIL;
}
- if (ret != SASL_OK && ret != SASL_CONTINUE)
+ if (ret < SASL_OK)
sasl_gs2_free_context_contents(text);
return ret;
unsigned inlen,
gss_buffer_t token)
{
+ OM_uint32 major, minor;
char *p = (char *)in;
unsigned remain = inlen;
int ret;
if (ret != SASL_OK)
return ret;
- buf.length = remain;
- buf.value = p;
-
if (text->gs2_flags & GS2_NONSTD_FLAG) {
- token->value = text->utils->malloc(buf.length);
- if (token->value == NULL)
- return SASL_NOMEM;
-
- token->length = buf.length;
- memcpy(token->value, buf.value, buf.length);
+ buf.length = remain;
+ buf.value = p;
} else {
- unsigned int token_size;
+ gss_buffer_desc tmp;
+
+ tmp.length = remain;
+ tmp.value = p;
- /* create a properly formed GSS token */
- token_size = gs2_token_size(text->mechanism, buf.length);
- token->value = text->utils->malloc(token_size);
- if (token->value == NULL)
+ major = gss_encapsulate_token(&tmp, text->mechanism, &buf);
+ if (GSS_ERROR(major))
return SASL_NOMEM;
+ }
- token->length = token_size;
+ token->value = text->utils->malloc(buf.length);
+ if (token->value == NULL)
+ return SASL_NOMEM;
- p = (char *)token->value;
- gs2_make_token_header(text->mechanism, buf.length,
- (unsigned char **)&p);
- memcpy(p, buf.value, buf.length);
- }
+ token->length = buf.length;
+ memcpy(token->value, buf.value, buf.length);
+
+ if ((text->gs2_flags & GS2_NONSTD_FLAG) == 0)
+ gss_release_buffer(&minor, &buf);
return SASL_OK;
}
unsigned *outlen)
{
OM_uint32 major, minor;
- unsigned char *mech_token_data;
- size_t mech_token_size;
- char *p;
- unsigned header_len = 0;
int ret;
-
- mech_token_size = token->length;
- mech_token_data = (unsigned char *)token->value;
+ unsigned header_len = 0;
+ gss_buffer_desc decap_token = GSS_C_EMPTY_BUFFER;
if (initialContextToken) {
header_len = *outlen;
- major = gs2_verify_token_header(&minor, text->mechanism,
- &mech_token_size, &mech_token_data,
- token->length);
+ major = gss_decapsulate_token(token, text->mechanism, &decap_token);
if ((major == GSS_S_DEFECTIVE_TOKEN &&
(text->plug.client->features & SASL_FEAT_GSS_FRAMING)) ||
GSS_ERROR(major))
return SASL_FAIL;
+
+ token = &decap_token;
}
ret = _plug_buf_alloc(text->utils, out, outlen,
- header_len + mech_token_size);
+ header_len + token->length);
if (ret != 0)
return ret;
- p = *out + header_len;
- memcpy(p, mech_token_data, mech_token_size);
+ memcpy(*out + header_len, token->value, token->length);
+ *outlen = header_len + token->length;
- *outlen = header_len + mech_token_size;
+ if (initialContextToken)
+ gss_release_buffer(&minor, &decap_token);
return SASL_OK;
}
}
#define GOT_CREDS(text, params) ((text)->client_creds != NULL || (params)->gss_creds != NULL)
+#define CRED_ERROR(status) ((status) == GSS_S_CRED_UNAVAIL || (status) == GSS_S_NO_CRED)
+/*
+ * Determine the authentication identity from the application supplied
+ * GSS credential, the application supplied identity, and the default
+ * GSS credential, in that order. Then, acquire credentials.
+ */
static int
gs2_get_init_creds(context_t *text,
sasl_client_params_t *params,
int user_result = SASL_OK;
int auth_result = SASL_OK;
int pass_result = SASL_OK;
- OM_uint32 maj_stat, min_stat;
+ OM_uint32 maj_stat = GSS_S_COMPLETE, min_stat = 0;
gss_OID_set_desc mechs;
gss_buffer_desc cred_authid = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
mechs.count = 1;
mechs.elements = (gss_OID)text->mechanism;
/*
- * Determine the authentication identity from the application supplied
- * GSS credential, the default GSS credential, and the application
- * supplied identity, in that order.
+ * Get the authentication identity from the application.
*/
if (oparams->authid == NULL) {
- assert(text->client_name == GSS_C_NO_NAME);
-
- if (!GOT_CREDS(text, params)) {
- maj_stat = gss_acquire_cred(&min_stat,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mechs,
- GSS_C_INITIATE,
- &text->client_creds,
- NULL,
- &text->lifetime);
- } else
- maj_stat = GSS_S_COMPLETE;
-
- if (maj_stat == GSS_S_COMPLETE) {
- maj_stat = gss_inquire_cred(&min_stat,
- params->gss_creds
- ? (gss_cred_id_t)params->gss_creds
- : text->client_creds,
- &text->client_name,
- NULL,
- NULL,
- NULL);
- if (GSS_ERROR(maj_stat))
- goto cleanup;
- } else if (maj_stat != GSS_S_CRED_UNAVAIL)
+ auth_result = _plug_get_authid(params->utils, &authid, prompt_need);
+ if (auth_result != SASL_OK && auth_result != SASL_INTERACT) {
+ result = auth_result;
goto cleanup;
+ }
+ }
- if (text->client_name != GSS_C_NO_NAME) {
- maj_stat = gss_display_name(&min_stat,
- text->client_name,
- &cred_authid,
- NULL);
- if (GSS_ERROR(maj_stat))
- goto cleanup;
-
- authid = cred_authid.value;
- } else {
- auth_result = _plug_get_authid(params->utils, &authid, prompt_need);
- if (auth_result != SASL_OK && auth_result != SASL_INTERACT) {
- result = auth_result;
- goto cleanup;
- }
+ /*
+ * Get the authorization identity from the application.
+ */
+ if (oparams->user == NULL) {
+ user_result = _plug_get_userid(params->utils, &userid, prompt_need);
+ if (user_result != SASL_OK && user_result != SASL_INTERACT) {
+ result = user_result;
+ goto cleanup;
}
}
/*
- * If the application has provided an authentication identity, parse it.
+ * Canonicalize the authentication and authorization identities before
+ * calling GSS_Import_name.
*/
- if (text->client_name == GSS_C_NO_NAME) {
- gss_buffer_desc name_buf;
+ if (auth_result == SASL_OK && user_result == SASL_OK &&
+ oparams->authid == NULL) {
+ if (userid == NULL || userid[0] == '\0') {
+ result = params->canon_user(params->utils->conn, authid, 0,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ } else {
+ result = params->canon_user(params->utils->conn,
+ authid, 0, SASL_CU_AUTHID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+
+ result = params->canon_user(params->utils->conn,
+ userid, 0, SASL_CU_AUTHZID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+ }
if (oparams->authid != NULL) {
name_buf.length = strlen(oparams->authid);
name_buf.value = (void *)oparams->authid;
- } else {
- name_buf.length = strlen(authid);
- name_buf.value = (void *)authid;
- }
- if (name_buf.value != NULL) {
+ assert(text->client_name == GSS_C_NO_NAME);
+
maj_stat = gss_import_name(&min_stat,
&name_buf,
GSS_C_NT_USER_NAME,
}
/*
- * Get the authorization identity.
+ * If application didn't provide an authid, then use the default
+ * credential. If that doesn't work, give up.
*/
- if (oparams->user == NULL) {
- user_result = _plug_get_userid(params->utils, &userid, prompt_need);
- if (user_result != SASL_OK && user_result != SASL_INTERACT) {
- result = user_result;
+ if (!GOT_CREDS(text, params) && oparams->authid == NULL) {
+ maj_stat = gss_acquire_cred(&min_stat,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat))
goto cleanup;
+
+ assert(text->client_name == GSS_C_NO_NAME);
+
+ maj_stat = gss_inquire_cred(&min_stat,
+ params->gss_creds
+ ? (gss_cred_id_t)params->gss_creds
+ : text->client_creds,
+ &text->client_name,
+ NULL,
+ NULL,
+ NULL);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ maj_stat = gss_display_name(&min_stat,
+ text->client_name,
+ &cred_authid,
+ NULL);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ if (userid == NULL || userid[0] == '\0') {
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ } else {
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHZID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
}
}
&text->client_creds,
NULL,
&text->lifetime);
- if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CRED_UNAVAIL)
+ if (GSS_ERROR(maj_stat) && !CRED_ERROR(maj_stat))
goto cleanup;
}
NULL, NULL);
if (result == SASL_OK)
result = SASL_INTERACT;
- } else if (oparams->authid == NULL) {
- if (userid == NULL || userid[0] == '\0') {
- result = params->canon_user(params->utils->conn, authid, 0,
- SASL_CU_AUTHID | SASL_CU_AUTHZID,
- oparams);
- } else {
- result = params->canon_user(params->utils->conn,
- authid, 0, SASL_CU_AUTHID, oparams);
- if (result != SASL_OK)
- goto cleanup;
-
- result = params->canon_user(params->utils->conn,
- userid, 0, SASL_CU_AUTHZID, oparams);
- if (result != SASL_OK)
- goto cleanup;
- }
}
cleanup:
int ret;
char *out = NULL;
unsigned int len, curlen = 0;
- const char prefix[] = "GSSAPI Error: ";
+ const char prefix[] = "GS2 Error: ";
len = sizeof(prefix);
ret = _plug_buf_alloc(utils, &out, &curlen, 256);