From f0bbf08a25286e6af9c806164e6366699cb7862b Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 27 Sep 2010 22:54:56 +0200 Subject: [PATCH] do SASL name canon, whatever it does, before GSS name import --- plugins/gs2.c | 76 +++++++++++++++++++++++++++-------------------------------- 1 file changed, 35 insertions(+), 41 deletions(-) diff --git a/plugins/gs2.c b/plugins/gs2.c index 07f6140..3304968 100644 --- a/plugins/gs2.c +++ b/plugins/gs2.c 
@@ -1561,38 +1561,52 @@ gs2_get_init_creds(context_t *text, } /* - * If the application has provided an authentication identity, parse it. + * Get the authorization identity. */ - if (text->client_name == GSS_C_NO_NAME) { - gss_buffer_desc name_buf; + if (oparams->user == NULL) { + user_result = _plug_get_userid(params->utils, &userid, prompt_need); + if (user_result != SASL_OK && user_result != SASL_INTERACT) { + result = user_result; + goto cleanup; + } + } - if (oparams->authid != NULL) { - name_buf.length = strlen(oparams->authid); - name_buf.value = (void *)oparams->authid; + if (auth_result == SASL_OK && user_result == SASL_OK && + oparams->authid == NULL) { + if (userid == NULL || userid[0] == '\0') { + result = params->canon_user(params->utils->conn, authid, 0, + SASL_CU_AUTHID | SASL_CU_AUTHZID, + oparams); } else { - name_buf.length = strlen(authid); - name_buf.value = (void *)authid; - } + result = params->canon_user(params->utils->conn, + authid, 0, SASL_CU_AUTHID, oparams); + if (result != SASL_OK) + goto cleanup; - if (name_buf.value != NULL) { - maj_stat = gss_import_name(&min_stat, - &name_buf, - GSS_C_NT_USER_NAME, - &text->client_name); - if (GSS_ERROR(maj_stat)) + result = params->canon_user(params->utils->conn, + userid, 0, SASL_CU_AUTHZID, oparams); + if (result != SASL_OK) goto cleanup; } + + assert(oparams->authid != NULL); } /* - * Get the authorization identity. + * If the application has provided an authentication identity, parse it. 
*/ - if (oparams->user == NULL) { - user_result = _plug_get_userid(params->utils, &userid, prompt_need); - if (user_result != SASL_OK && user_result != SASL_INTERACT) { - result = user_result; + if (text->client_name == GSS_C_NO_NAME && oparams->authid != NULL) { + gss_buffer_desc name_buf; + + name_buf.length = strlen(oparams->authid); + name_buf.value = (void *)oparams->authid; + + maj_stat = gss_import_name(&min_stat, + &name_buf, + GSS_C_NT_USER_NAME, + &text->client_name); + if (GSS_ERROR(maj_stat)) goto cleanup; - } } /* @@ -1672,26 +1686,6 @@ gs2_get_init_creds(context_t *text, NULL, NULL); if (result == SASL_OK) result = SASL_INTERACT; - } else if (oparams->authid == NULL) { - /* - * XXX we acquired GSS credentials pre-canonicalisation. Just noting - * this might cause some problems with applications. - */ - if (userid == NULL || userid[0] == '\0') { - result = params->canon_user(params->utils->conn, authid, 0, - SASL_CU_AUTHID | SASL_CU_AUTHZID, - oparams); - } else { - result = params->canon_user(params->utils->conn, - authid, 0, SASL_CU_AUTHID, oparams); - if (result != SASL_OK) - goto cleanup; - - result = params->canon_user(params->utils->conn, - userid, 0, SASL_CU_AUTHZID, oparams); - if (result != SASL_OK) - goto cleanup; - } } cleanup: -- 2.1.4
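Review bot: In the single-call branch of the relocated canonicalisation block (`if (userid == NULL || userid[0] == '\0')`), the return value of `params->canon_user(params->utils->conn, authid, 0, SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams)` is never checked, unlike the two calls in the else branch, so a failing canon_user leaves an error in `result` and drops straight into `assert(oparams->authid != NULL)`, which aborts in debug builds and in NDEBUG builds lets the function continue past the name import with the error still pending. Before this commit the same unchecked call sat immediately before the `cleanup:` label, where falling through was harmless; after the move it needs `if (result != SASL_OK) goto cleanup;` right after that call, mirroring the else branch. Relatedly, the assert is now the only guard between a canon_user that returns SASL_OK without populating `oparams->authid` and a silent skip of `gss_import_name` under the new `&& oparams->authid != NULL` condition, after which the function would presumably proceed with `text->client_name` still `GSS_C_NO_NAME` rather than the identity the application supplied; an explicit `if (oparams->authid == NULL) { result = SASL_FAIL; goto cleanup; }` would make that failure visible in release builds too. gs2_get_init_creds begins before this hunk and its `cleanup:` label lies in the next one, and `auth_result`, `authid` and `userid` are established outside the visible lines.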