stub implementation of gss_userok SPI
authorLuke Howard <lukeh@padl.com>
Thu, 17 Mar 2011 14:20:04 +0000 (01:20 +1100)
committerLuke Howard <lukeh@padl.com>
Thu, 17 Mar 2011 14:21:05 +0000 (01:21 +1100)
The MIT mechglue will fall back to comparing names in the absence
of a mechanism implementation of gss_userok. To avoid this and
force the mechglue to use attribute-based authorization, always
return access denied in gss_userok.

Makefile.am
mech_eap.exports
userok.c [new file with mode: 0644]

index e4a3823..f87406a 100644 (file)
@@ -68,6 +68,7 @@ mech_eap_la_SOURCES =                         \
        store_cred.c                            \
        unwrap.c                                \
        unwrap_iov.c                            \
+       userok.c                                \
        util_attr.cpp                           \
        util_buffer.c                           \
        util_context.c                          \
index bd1df48..2c2f09e 100644 (file)
@@ -41,6 +41,7 @@ gss_set_sec_context_option
 gss_store_cred
 gss_unwrap
 gss_unwrap_iov
+gss_userok
 gss_verify_mic
 gss_wrap
 gss_wrap_iov
diff --git a/userok.c b/userok.c
new file mode 100644 (file)
index 0000000..9853992
--- /dev/null
+++ b/userok.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Local authorization services.
+ */
+
+#include "gssapiP_eap.h"
+
+OM_uint32 KRB5_CALLCONV
+gss_userok(OM_uint32 *minor,
+           const gss_name_t name GSSEAP_UNUSED,
+           const char *user GSSEAP_UNUSED,
+           int *user_ok)
+{
+    /*
+     * The MIT mechglue will fallback to comparing names in the absence
+     * of a mechanism implementation of gss_userok. To avoid this and
+     * force the mechglue to use attribute-based authorization, always
+     * return access denied here.
+     */
+
+    *minor = 0;
+    *user_ok = 0;
+    return GSS_S_COMPLETE;
+}
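Review bot: The denial in gss_userok is carried only by `*user_ok = 0` while the major status stays GSS_S_COMPLETE, and the comment in the body says "return access denied" without naming which output holds that decision. Because the stub exists to suppress the mechglue's name-comparison fallback, the comment should state the contract, for example `/* Deny via *user_ok = 0; keep the major status GSS_S_COMPLETE so the mechglue does not treat the SPI as unimplemented (confirm against the mechglue). */`. How the mechglue reacts to a failure status is not visible on this page, so that part is an assumption to verify. Separately, `minor` and `user_ok` are written without a NULL check and the symbol is added to mech_eap.exports, so if anything other than the mechglue can call it, a guard such as `if (minor == NULL || user_ok == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE;` would be worth adding.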