/*
- * Copyright 2010 PADL Software Pty Ltd. All rights reserved.
+ * Copyright (c) 2010, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
/*
- * Portions Copyright (c) 1998-2003 Carnegie Mellon University.
+ * Copyright (c) 1998-2003 Carnegie Mellon University.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
#include <config.h>
#include <gssapi/gssapi.h>
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
#include <gssapi/gssapi_ext.h>
+#endif
#include <fcntl.h>
#include <stdio.h>
#include <sasl.h>
#include "gs2_token.h"
#define GS2_CB_FLAG_MASK 0x0F
+#define GS2_CB_FLAG_N 0x00
#define GS2_CB_FLAG_P 0x01
-#define GS2_CB_FLAG_N 0x02
-#define GS2_CB_FLAG_Y 0x03
+#define GS2_CB_FLAG_Y 0x02
#define GS2_NONSTD_FLAG 0x10
typedef struct context {
} plug;
gss_OID mechanism;
int gs2_flags;
- char *cb_name;
- struct gss_channel_bindings_struct bindings;
+ char *cbindingname;
+ struct gss_channel_bindings_struct gss_cbindings;
sasl_secret_t *password;
unsigned int free_password;
OM_uint32 lifetime;
static gss_OID_set gs2_mechs = GSS_C_NO_OID_SET;
-static int gs2_ask_user_info(context_t *context,
- sasl_client_params_t *params,
- char **realms, int nrealm,
- sasl_interact_t **prompt_need,
- sasl_out_params_t *oparams);
+static int gs2_get_init_creds(context_t *context,
+ sasl_client_params_t *params,
+ sasl_interact_t **prompt_need,
+ sasl_out_params_t *oparams);
static int gs2_verify_initial_message(context_t *text,
sasl_server_params_t *sparams,
static int gs2_get_mech_attrs(const sasl_utils_t *utils,
const gss_OID mech,
unsigned int *security_flags,
- unsigned int *features);
+ unsigned int *features,
+ const unsigned long **prompts);
static int gs2_indicate_mechs(const sasl_utils_t *utils);
context_t *ret;
ret = utils->malloc(sizeof(context_t));
- if (!ret)
+ if (ret == NULL)
return NULL;
memset(ret, 0, sizeof(context_t));
text->authzid = NULL;
}
- if (text->mechanism != NULL) {
- gss_release_oid(&min_stat, &text->mechanism);
- text->mechanism = GSS_C_NO_OID;
- }
-
- gss_release_buffer(&min_stat, &text->bindings.application_data);
+ gss_release_buffer(&min_stat, &text->gss_cbindings.application_data);
if (text->out_buf != NULL) {
text->utils->free(text->out_buf);
text->out_buf_len = 0;
- if (text->cb_name != NULL) {
- text->utils->free(text->cb_name);
- text->cb_name = NULL;
+ if (text->cbindingname != NULL) {
+ text->utils->free(text->cbindingname);
+ text->cbindingname = NULL;
}
if (text->free_password)
gss_buffer_desc short_name_buf = GSS_C_EMPTY_BUFFER;
gss_name_t without = GSS_C_NO_NAME;
gss_OID_set_desc mechs;
- gss_OID actual_mech = GSS_C_NO_OID;
OM_uint32 out_flags = 0;
int ret = 0, equal = 0;
int initialContextToken = (text->gss_ctx == GSS_C_NO_CONTEXT);
maj_stat = gss_accept_sec_context(&min_stat,
&text->gss_ctx,
(params->gss_creds != GSS_C_NO_CREDENTIAL)
- ? params->gss_creds
+ ? (gss_cred_id_t)params->gss_creds
: text->server_creds,
&input_token,
- &text->bindings,
+ &text->gss_cbindings,
&text->client_name,
- &actual_mech,
+ NULL,
&output_token,
&out_flags,
&text->lifetime,
sasl_gs2_log(text->utils, maj_stat, min_stat);
text->utils->seterror(text->utils->conn, SASL_NOLOG,
"GS2 Failure: gss_accept_sec_context");
- ret = SASL_BADAUTH;
+ ret = (maj_stat == GSS_S_BAD_BINDINGS) ? SASL_BADBINDING : SASL_BADAUTH;
goto cleanup;
}
assert(maj_stat == GSS_S_COMPLETE);
- if (!g_OID_equal(text->mechanism, actual_mech)) {
- ret = SASL_WRONGMECH;
- goto cleanup;
- }
if ((out_flags & GSS_C_SEQUENCE_FLAG) == 0) {
ret = SASL_BADAUTH;
goto cleanup;
GSS_C_NT_USER_NAME,
&without);
if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
goto cleanup;
}
maj_stat = gss_compare_name(&min_stat, text->client_name,
without, &equal);
if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
goto cleanup;
}
switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
case GS2_CB_FLAG_N:
- oparams->chanbindingflag = SASL_CB_FLAG_NONE;
+ oparams->cbindingdisp = SASL_CB_DISP_NONE;
break;
case GS2_CB_FLAG_P:
- oparams->chanbindingflag = SASL_CB_FLAG_USED;
+ oparams->cbindingdisp = SASL_CB_DISP_USED;
+ oparams->cbindingname = text->cbindingname;
break;
case GS2_CB_FLAG_Y:
- oparams->chanbindingflag = SASL_CB_FLAG_WANT;
+ oparams->cbindingdisp = SASL_CB_DISP_WANT;
break;
}
gss_release_buffer(&min_stat, &short_name_buf);
gss_release_buffer(&min_stat, &output_token);
gss_release_name(&min_stat, &without);
- gss_release_oid(&min_stat, &actual_mech);
if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
return SASL_NOMECH;
}
- plugs = utils->malloc(2 * gs2_mechs->count * plugsize);
+ plugs = utils->malloc(gs2_mechs->count * plugsize);
if (plugs == NULL) {
MEMERROR(utils);
return SASL_NOMEM;
}
- memset(plugs, 0, 2 * gs2_mechs->count * plugsize);
+ memset(plugs, 0, gs2_mechs->count * plugsize);
for (i = 0; i < gs2_mechs->count; i++) {
gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
ret = gs2_get_mech_attrs(utils, mech,
&splug->security_flags,
- &splug->features);
+ &splug->features,
+ NULL);
if (ret != SASL_OK)
return ret;
gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
OM_uint32 maj_stat = GSS_S_FAILURE, min_stat = 0;
OM_uint32 req_flags, ret_flags;
- gss_OID actual_mech = GSS_C_NO_OID;
int ret = SASL_FAIL;
int initialContextToken;
*clientoutlen = 0;
if (text->gss_ctx == GSS_C_NO_CONTEXT) {
- ret = gs2_ask_user_info(text, params, NULL, 0, prompt_need, oparams);
+ ret = gs2_get_init_creds(text, params, prompt_need, oparams);
if (ret != SASL_OK)
goto cleanup;
- if (params->gss_creds == GSS_C_NO_CREDENTIAL &&
- text->password != NULL && text->password->len != 0) {
- gss_buffer_desc password_buf;
- gss_buffer_desc name_buf;
- gss_OID_set_desc mechs;
-
- name_buf.length = strlen(oparams->authid);
- name_buf.value = (void *)oparams->authid;
-
- password_buf.length = text->password->len;
- password_buf.value = text->password->data;
-
- mechs.count = 1;
- mechs.elements = (gss_OID)text->mechanism;
-
- maj_stat = gss_import_name(&min_stat,
- &name_buf,
- GSS_C_NT_USER_NAME,
- &text->client_name);
- if (GSS_ERROR(maj_stat))
- goto cleanup;
-
- maj_stat = gss_acquire_cred_with_password(&min_stat,
- text->client_name,
- &password_buf,
- GSS_C_INDEFINITE,
- &mechs,
- GSS_C_INITIATE,
- &text->client_creds,
- NULL,
- &text->lifetime);
- if (GSS_ERROR(maj_stat))
- goto cleanup;
- }
-
initialContextToken = 1;
} else
initialContextToken = 0;
snprintf(name_buf.value, name_buf.length + 1,
"%s@%s", params->service, params->serverFQDN);
- maj_stat = gss_import_name (&min_stat,
- &name_buf,
- GSS_C_NT_HOSTBASED_SERVICE,
- &text->server_name);
+ maj_stat = gss_import_name(&min_stat,
+ &name_buf,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &text->server_name);
params->utils->free(name_buf.value);
name_buf.value = NULL;
if ((text->plug.client->features & SASL_FEAT_GSS_FRAMING) == 0)
text->gs2_flags |= GS2_NONSTD_FLAG;
- switch (params->chanbindingflag) {
- case SASL_CB_FLAG_NONE:
+ switch (params->cbindingdisp) {
+ case SASL_CB_DISP_NONE:
text->gs2_flags |= GS2_CB_FLAG_N;
break;
- case SASL_CB_FLAG_USED:
+ case SASL_CB_DISP_USED:
text->gs2_flags |= GS2_CB_FLAG_P;
break;
- case SASL_CB_FLAG_WANT:
+ case SASL_CB_DISP_WANT:
text->gs2_flags |= GS2_CB_FLAG_Y;
break;
}
maj_stat = gss_init_sec_context(&min_stat,
(params->gss_creds != GSS_C_NO_CREDENTIAL)
- ? params->gss_creds
+ ? (gss_cred_id_t)params->gss_creds
: text->client_creds,
&text->gss_ctx,
text->server_name,
(gss_OID)text->mechanism,
req_flags,
GSS_C_INDEFINITE,
- &text->bindings,
+ &text->gss_cbindings,
serverinlen ? &input_token : GSS_C_NO_BUFFER,
NULL,
&output_token,
&text->client_name,
NULL,
&text->lifetime,
- &actual_mech,
+ NULL,
&ret_flags, /* flags */
NULL,
NULL);
if (GSS_ERROR(maj_stat))
goto cleanup;
- if (!g_OID_equal(text->mechanism, actual_mech)) {
- ret = SASL_WRONGMECH;
- goto cleanup;
- }
if ((ret_flags & req_flags) != req_flags) {
maj_stat = SASL_BADAUTH;
goto cleanup;
cleanup:
gss_release_buffer(&min_stat, &output_token);
gss_release_buffer(&min_stat, &name_buf);
- gss_release_oid(&min_stat, &actual_mech);
if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
if (ret != SASL_OK) {
gs2_common_mech_dispose(text, params->utils);
return ret;
- }
+ }
*conn_context = text;
return SASL_OK;
}
-static const unsigned long gs2_required_prompts[] = {
- SASL_CB_LIST_END
-};
-
static int
gs2_client_plug_alloc(const sasl_utils_t *utils,
void *plug,
ret = gs2_get_mech_attrs(utils, mech,
&cplug->security_flags,
- &cplug->features);
+ &cplug->features,
+ &cplug->required_prompts);
if (ret != SASL_OK)
return ret;
cplug->mech_step = gs2_client_mech_step;
cplug->mech_dispose = gs2_common_mech_dispose;
cplug->mech_free = gs2_common_mech_free;
- cplug->required_prompts = gs2_required_prompts;
return SASL_OK;
}
static int
gs2_save_cbindings(context_t *text,
gss_buffer_t header,
- const char *chanbindingdata,
- unsigned int chanbindinglen)
+ const sasl_channel_binding_t *cbinding)
{
- gss_buffer_t gss_bindings = &text->bindings.application_data;
+ gss_buffer_t gss_cbindings = &text->gss_cbindings.application_data;
size_t len;
unsigned char *p;
- assert(gss_bindings->value == NULL);
+ assert(gss_cbindings->value == NULL);
/*
* The application-data field MUST be set to the gs2-header, excluding
assert(len > 2);
len -= 2;
}
- if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_P)
- len += chanbindinglen;
+ if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_P &&
+ cbinding != NULL) {
+ len += cbinding->len;
+ }
- gss_bindings->length = len;
- gss_bindings->value = text->utils->malloc(len);
- if (gss_bindings->value == NULL)
+ gss_cbindings->length = len;
+ gss_cbindings->value = text->utils->malloc(len);
+ if (gss_cbindings->value == NULL)
return SASL_NOMEM;
- p = (unsigned char *)gss_bindings->value;
+ p = (unsigned char *)gss_cbindings->value;
if (text->gs2_flags & GS2_NONSTD_FLAG) {
memcpy(p, (unsigned char *)header->value + 2, header->length - 2);
p += header->length - 2;
}
if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_P &&
- chanbindinglen != 0) {
- memcpy(p, chanbindingdata, chanbindinglen);
+ cbinding != NULL) {
+ memcpy(p, cbinding->data, cbinding->len);
}
return SASL_OK;
}
-#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADAUTH; } while (0)
+#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADPROT; } while (0)
/*
* Verify gs2-header, save authzid and channel bindings to context.
int ret;
gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;
- assert(text->cb_name == NULL);
+ assert(text->cbindingname == NULL);
assert(text->authzid == NULL);
token->length = 0;
CHECK_REMAIN(1); /* = */
remain--;
if (*p++ != '=')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
- ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->cb_name);
+ ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->cbindingname);
if (ret != SASL_OK)
return ret;
CHECK_REMAIN(1); /* , */
remain--;
if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
/* authorization identity */
if (remain > 1 && memcmp(p, "a=", 2) == 0) {
return ret;
}
- /* end of header */
+ /* end of header */
CHECK_REMAIN(1); /* , */
remain--;
if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
buf.length = inlen - remain;
buf.value = (void *)in;
/* stash channel bindings to pass into gss_accept_sec_context() */
- ret = gs2_save_cbindings(text, &buf, sparams->chanbindingdata,
- sparams->chanbindinglen);
+ ret = gs2_save_cbindings(text, &buf, sparams->cbinding);
if (ret != SASL_OK)
return ret;
} else {
unsigned int token_size;
- /* create a properly formed GSS token */
+ /* create a properly formed GSS token */
token_size = gs2_token_size(text->mechanism, buf.length);
token->value = text->utils->malloc(token_size);
if (token->value == NULL)
unsigned *outlen)
{
size_t required = 0;
- size_t wire_authzid_len = 0, cb_name_len = 0;
+ size_t wire_authzid_len = 0, cbnamelen = 0;
char *wire_authzid = NULL;
char *p;
int ret;
/* SASL channel bindings */
switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
case GS2_CB_FLAG_P:
- if (cparams->chanbindingtype == NULL)
+ if (!SASL_CB_PRESENT(cparams))
return SASL_BADPARAM;
- cb_name_len = strlen(cparams->chanbindingtype);
- required += 1 /*=*/ + cb_name_len;
+ cbnamelen = strlen(cparams->cbinding->name);
+ required += 1 /*=*/ + cbnamelen;
/* fallthrough */
case GS2_CB_FLAG_N:
case GS2_CB_FLAG_Y:
switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
case GS2_CB_FLAG_P:
memcpy(p, "p=", 2);
- memcpy(p + 2, cparams->chanbindingtype, cb_name_len);
- p += 2 + cb_name_len;
+ memcpy(p + 2, cparams->cbinding->name, cbnamelen);
+ p += 2 + cbnamelen;
break;
case GS2_CB_FLAG_N:
*p++ = 'n';
buf.length = required;
buf.value = *out;
- ret = gs2_save_cbindings(text, &buf, cparams->chanbindingdata,
- cparams->chanbindinglen);
+ ret = gs2_save_cbindings(text, &buf, cparams->cbinding);
+ if (ret != SASL_OK)
+ return ret;
- return ret;
+ return SASL_OK;
}
/*
return SASL_OK;
}
+static const unsigned long gs2_required_prompts[] = {
+ SASL_CB_LIST_END
+};
+
/*
* Map GSS mechanism attributes to SASL ones
*/
gs2_get_mech_attrs(const sasl_utils_t *utils,
const gss_OID mech,
unsigned int *security_flags,
- unsigned int *features)
+ unsigned int *features,
+ const unsigned long **prompts)
{
OM_uint32 major, minor;
- int present, ret;
+ int present;
gss_OID_set attrs = GSS_C_NO_OID_SET;
major = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
*security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE;
*features = SASL_FEAT_WANT_CLIENT_FIRST | SASL_FEAT_CHANNEL_BINDING;
+ if (prompts != NULL)
+ *prompts = gs2_required_prompts;
#define MA_PRESENT(a) (gss_test_oid_set_member(&minor, (gss_OID)(a), \
attrs, &present) == GSS_S_COMPLETE && \
present)
- ret = SASL_OK;
-
if (MA_PRESENT(GSS_C_MA_PFS))
*security_flags |= SASL_SEC_FORWARD_SECRECY;
if (!MA_PRESENT(GSS_C_MA_AUTH_INIT_ANON))
*security_flags |= SASL_SEC_PASS_CREDENTIALS;
if (MA_PRESENT(GSS_C_MA_AUTH_TARG))
*security_flags |= SASL_SEC_MUTUAL_AUTH;
+ if (MA_PRESENT(GSS_C_MA_AUTH_INIT_INIT) && prompts != NULL)
+ *prompts = NULL;
if (MA_PRESENT(GSS_C_MA_ITOK_FRAMED))
*features |= SASL_FEAT_GSS_FRAMING;
gss_release_oid_set(&minor, &attrs);
- return ret;
+
+ return SASL_OK;
}
/*
return SASL_OK;
}
+#define GOT_CREDS(text, params) ((text)->client_creds != NULL || (params)->gss_creds != NULL)
+#define CRED_ERROR(status) ((status) == GSS_S_CRED_UNAVAIL || (status) == GSS_S_NO_CRED)
+
+/*
+ * Determine the authentication identity from the application supplied
+ * GSS credential, the application supplied identity, and the default
+ * GSS credential, in that order. Then, acquire credentials.
+ */
static int
-gs2_ask_user_info(context_t *text,
- sasl_client_params_t *params,
- char **realms __attribute__((unused)),
- int nrealm __attribute__((unused)),
- sasl_interact_t **prompt_need,
- sasl_out_params_t *oparams)
+gs2_get_init_creds(context_t *text,
+ sasl_client_params_t *params,
+ sasl_interact_t **prompt_need,
+ sasl_out_params_t *oparams)
{
int result = SASL_OK;
const char *authid = NULL, *userid = NULL;
int user_result = SASL_OK;
int auth_result = SASL_OK;
int pass_result = SASL_OK;
+ OM_uint32 maj_stat = GSS_S_COMPLETE, min_stat = 0;
+ gss_OID_set_desc mechs;
+ gss_buffer_desc cred_authid = GSS_C_EMPTY_BUFFER;
+
+ mechs.count = 1;
+ mechs.elements = (gss_OID)text->mechanism;
- /* try to get the authid */
+ /*
+ * Get the authentication identity from the application.
+ */
if (oparams->authid == NULL) {
auth_result = _plug_get_authid(params->utils, &authid, prompt_need);
-
if (auth_result != SASL_OK && auth_result != SASL_INTERACT) {
- return auth_result;
+ result = auth_result;
+ goto cleanup;
}
}
- /* try to get the userid */
+ /*
+ * Get the authorization identity from the application.
+ */
if (oparams->user == NULL) {
user_result = _plug_get_userid(params->utils, &userid, prompt_need);
-
if (user_result != SASL_OK && user_result != SASL_INTERACT) {
- return user_result;
+ result = user_result;
+ goto cleanup;
}
}
- /* try to get the password */
- if (text->password == NULL) {
- pass_result = _plug_get_password(params->utils, &text->password,
- &text->free_password, prompt_need);
- if (pass_result != SASL_OK && pass_result != SASL_INTERACT) {
- return pass_result;
+ /*
+ * Canonicalize the authentication and authorization identities before
+ * calling GSS_Import_name.
+ */
+ if (auth_result == SASL_OK && user_result == SASL_OK &&
+ oparams->authid == NULL) {
+ if (userid == NULL || userid[0] == '\0') {
+ result = params->canon_user(params->utils->conn, authid, 0,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ } else {
+ result = params->canon_user(params->utils->conn,
+ authid, 0, SASL_CU_AUTHID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+
+ result = params->canon_user(params->utils->conn,
+ userid, 0, SASL_CU_AUTHZID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+ }
+
+ if (oparams->authid != NULL) {
+ gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
+
+ /*
+ * If no realm in authid, use server FQDN; we have no mechanism-
+ * agnostic way of determing a realm from a service name.
+ */
+ if (strchr(oparams->authid, '@') == NULL &&
+ params->serverFQDN != NULL) {
+ name_buf.length = strlen(oparams->authid) + 1 + strlen(params->serverFQDN);
+
+ name_buf.value = params->utils->malloc(name_buf.length + 1);
+ if (name_buf.value == NULL) {
+ MEMERROR(text->utils);
+ result = SASL_NOMEM;
+ goto cleanup;
+ }
+ snprintf(name_buf.value, name_buf.length + 1,
+ "%s@%s", oparams->authid, params->serverFQDN);
+ } else {
+ name_buf.length = strlen(oparams->authid);
+ name_buf.value = oparams->authid;
+ }
+
+ assert(text->client_name == GSS_C_NO_NAME);
+
+ maj_stat = gss_import_name(&min_stat,
+ &name_buf,
+ GSS_C_NT_USER_NAME,
+ &text->client_name);
+ if (name_buf.value != oparams->authid)
+ params->utils->free(name_buf.value);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+ }
+ }
+
+ /*
+ * If application didn't provide an authid, then use the default
+ * credential. If that doesn't work, give up.
+ */
+ if (!GOT_CREDS(text, params) && oparams->authid == NULL) {
+ maj_stat = gss_acquire_cred(&min_stat,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ assert(text->client_name == GSS_C_NO_NAME);
+
+ maj_stat = gss_inquire_cred(&min_stat,
+ params->gss_creds
+ ? (gss_cred_id_t)params->gss_creds
+ : text->client_creds,
+ &text->client_name,
+ NULL,
+ NULL,
+ NULL);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ maj_stat = gss_display_name(&min_stat,
+ text->client_name,
+ &cred_authid,
+ NULL);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
+
+ if (userid == NULL || userid[0] == '\0') {
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ } else {
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+
+ result = params->canon_user(params->utils->conn,
+ cred_authid.value, cred_authid.length,
+ SASL_CU_AUTHZID, oparams);
+ if (result != SASL_OK)
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Armed with the authentication identity, try to get a credential without
+ * a password.
+ */
+ if (!GOT_CREDS(text, params) && text->client_name != GSS_C_NO_NAME) {
+ maj_stat = gss_acquire_cred(&min_stat,
+ text->client_name,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat) && !CRED_ERROR(maj_stat))
+ goto cleanup;
+ }
+
+ /*
+ * If that failed, try to get a credential with a password.
+ */
+ if (!GOT_CREDS(text, params)) {
+ if (text->password == NULL) {
+ pass_result = _plug_get_password(params->utils, &text->password,
+ &text->free_password, prompt_need);
+ if (pass_result != SASL_OK && pass_result != SASL_INTERACT) {
+ result = pass_result;
+ goto cleanup;
+ }
+ }
+
+ if (text->password != NULL) {
+ gss_buffer_desc password_buf;
+
+ password_buf.length = text->password->len;
+ password_buf.value = text->password->data;
+
+ maj_stat = gss_acquire_cred_with_password(&min_stat,
+ text->client_name,
+ &password_buf,
+ GSS_C_INDEFINITE,
+ &mechs,
+ GSS_C_INITIATE,
+ &text->client_creds,
+ NULL,
+ &text->lifetime);
+ if (GSS_ERROR(maj_stat))
+ goto cleanup;
}
}
+ maj_stat = GSS_S_COMPLETE;
+
/* free prompts we got */
if (prompt_need && *prompt_need) {
params->utils->free(*prompt_need);
/* if there are prompts not filled in */
if (user_result == SASL_INTERACT || auth_result == SASL_INTERACT ||
pass_result == SASL_INTERACT) {
-
/* make the prompt list */
result =
_plug_make_prompts(params->utils, prompt_need,
NULL, NULL, NULL,
NULL,
NULL, NULL);
- if (result == SASL_OK) return SASL_INTERACT;
-
- return result;
+ if (result == SASL_OK)
+ result = SASL_INTERACT;
}
- if (oparams->authid == NULL) {
- if (userid == NULL || userid[0] == '\0') {
- result = params->canon_user(params->utils->conn, authid, 0,
- SASL_CU_AUTHID | SASL_CU_AUTHZID,
- oparams);
- } else {
- result = params->canon_user(params->utils->conn,
- authid, 0, SASL_CU_AUTHID, oparams);
- if (result != SASL_OK) return result;
-
- result = params->canon_user(params->utils->conn,
- userid, 0, SASL_CU_AUTHZID, oparams);
- }
- if (result != SASL_OK)
- return result;
+cleanup:
+ if (result == SASL_OK && maj_stat != GSS_S_COMPLETE) {
+ sasl_gs2_seterror(text->utils, maj_stat, min_stat);
+ result = SASL_FAIL;
}
+ gss_release_buffer(&min_stat, &cred_authid);
+
return result;
}
int ret;
char *out = NULL;
unsigned int len, curlen = 0;
- const char prefix[] = "GSSAPI Error: ";
+ const char prefix[] = "GS2 Error: ";
len = sizeof(prefix);
ret = _plug_buf_alloc(utils, &out, &curlen, 256);
projects / cyrus-sasl.git / blobdiff