From 0d7bc0c549a0921aa363c229d60a655b82a12f40 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sat, 9 Apr 2011 13:41:51 +1000 Subject: [PATCH] remove user_ok from gss_authorize_localname --- lib/gssapi/gssapi/gssapi.h | 3 +- lib/gssapi/gssapi_mech.h | 3 +- lib/gssapi/krb5/authorize_localname.c | 8 +-- lib/gssapi/mech/gss_authorize_localname.c | 82 +++++++++++------------ 4 files changed, 47 insertions(+), 49 deletions(-) diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h index 9b7608953..217c83414 100644 --- a/lib/gssapi/gssapi/gssapi.h +++ b/lib/gssapi/gssapi/gssapi.h @@ -1036,8 +1036,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_authorize_localname( OM_uint32 *minor, const gss_name_t name, - const gss_name_t user, - int *authorized); + const gss_name_t user); GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL gss_userok(const gss_name_t name, diff --git a/lib/gssapi/gssapi_mech.h b/lib/gssapi/gssapi_mech.h index b75289085..f8c5db419 100644 --- a/lib/gssapi/gssapi_mech.h +++ b/lib/gssapi/gssapi_mech.h @@ -499,8 +499,7 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t ( OM_uint32 *, /* minor_status */ const gss_name_t, /* name */ gss_const_buffer_t, /* user */ - gss_const_OID, /* user_name_type */ - int * /* user_ok */ + gss_const_OID /* user_name_type */ ); /* mechglue internal */ diff --git a/lib/gssapi/krb5/authorize_localname.c b/lib/gssapi/krb5/authorize_localname.c index 5f7e80ac6..18d1d9623 100644 --- a/lib/gssapi/krb5/authorize_localname.c +++ b/lib/gssapi/krb5/authorize_localname.c @@ -36,12 +36,12 @@ OM_uint32 _gsskrb5_authorize_localname(OM_uint32 *minor_status, const gss_name_t input_name, gss_const_buffer_t user_name, - gss_const_OID user_name_type, - int *user_ok) + gss_const_OID user_name_type) { krb5_context context; krb5_principal princ = (krb5_principal)input_name; char *user; + int user_ok; if (!gss_oid_equal(user_name_type, GSS_C_NT_USER_NAME)) return GSS_S_BAD_NAMETYPE; @@ -58,9 +58,9 @@ _gsskrb5_authorize_localname(OM_uint32 *minor_status, user[user_name->length] = '\0'; *minor_status = 0; - *user_ok = krb5_kuserok(context, princ, user); + user_ok = krb5_kuserok(context, princ, user); free(user); - return GSS_S_COMPLETE; + return user_ok ? GSS_S_COMPLETE : GSS_S_UNAUTHORIZED; } diff --git a/lib/gssapi/mech/gss_authorize_localname.c b/lib/gssapi/mech/gss_authorize_localname.c index 8c77efd23..bbbf3cf4d 100644 --- a/lib/gssapi/mech/gss_authorize_localname.c +++ b/lib/gssapi/mech/gss_authorize_localname.c @@ -42,14 +42,11 @@ gss_buffer_t GSSAPI_LIB_VARIABLE GSS_C_ATTR_LOCAL_LOGIN_USER = &localLoginUserAt static OM_uint32 mech_authorize_localname(OM_uint32 *minor_status, const struct _gss_name *name, - const struct _gss_name *user, - int *user_ok) + const struct _gss_name *user) { OM_uint32 major_status = GSS_S_NAME_NOT_MN; struct _gss_mechanism_name *mn; - *user_ok = 0; - HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { gssapi_mech_interface m = mn->gmn_mech; @@ -61,9 +58,8 @@ mech_authorize_localname(OM_uint32 *minor_status, major_status = m->gm_authorize_localname(minor_status, mn->gmn_name, &user->gn_value, - &user->gn_type, - user_ok); - if (GSS_ERROR(major_status) || *user_ok) + &user->gn_type); + if (major_status != GSS_S_UNAUTHORIZED) break; } @@ -76,38 +72,40 @@ mech_authorize_localname(OM_uint32 *minor_status, static OM_uint32 attr_authorize_localname(OM_uint32 *minor_status, const struct _gss_name *name, - const struct _gss_name *user, - int *user_ok) + const struct _gss_name *user) { OM_uint32 major_status = GSS_S_UNAVAILABLE; - OM_uint32 tmpMinor; int more = -1; - *user_ok = 0; - if (!gss_oid_equal(&user->gn_type, GSS_C_NT_USER_NAME)) return GSS_S_BAD_NAMETYPE; - while (more != 0 && *user_ok == 0) { + while (more != 0 && major_status != GSS_S_COMPLETE) { + OM_uint32 tmpMajor, tmpMinor; gss_buffer_desc value; gss_buffer_desc display_value; int authenticated = 0, complete = 0; - major_status = gss_get_name_attribute(minor_status, - (gss_name_t)name, - GSS_C_ATTR_LOCAL_LOGIN_USER, - &authenticated, - &complete, - &value, - &display_value, - &more); - if (GSS_ERROR(major_status)) + tmpMajor = gss_get_name_attribute(minor_status, + (gss_name_t)name, + GSS_C_ATTR_LOCAL_LOGIN_USER, + &authenticated, + &complete, + &value, + &display_value, + &more); + if (GSS_ERROR(major_status)) { + major_status = tmpMajor; break; + } + /* If attribute is present, return an authoritative error code. */ if (authenticated && value.length == user->gn_value.length && memcmp(value.value, user->gn_value.value, user->gn_value.length) == 0) - *user_ok = 1; + major_status = GSS_S_COMPLETE; + else + major_status = GSS_S_UNAUTHORIZED; gss_release_buffer(&tmpMinor, &value); gss_release_buffer(&tmpMinor, &display_value); @@ -119,16 +117,15 @@ attr_authorize_localname(OM_uint32 *minor_status, OM_uint32 gss_authorize_localname(OM_uint32 *minor_status, const gss_name_t gss_name, - const gss_name_t gss_user, - int *user_ok) + const gss_name_t gss_user) { OM_uint32 major_status; const struct _gss_name *name = (const struct _gss_name *) gss_name; const struct _gss_name *user = (const struct _gss_name *) gss_user; + int mechAvailable = 0; *minor_status = 0; - *user_ok = 0; if (gss_name == GSS_C_NO_NAME || gss_user == GSS_C_NO_NAME) return GSS_S_CALL_INACCESSIBLE_READ; @@ -138,20 +135,26 @@ gss_authorize_localname(OM_uint32 *minor_status, return GSS_S_BAD_NAME; /* If mech returns yes, we return yes */ - major_status = mech_authorize_localname(minor_status, - name, user, user_ok); - if (major_status == GSS_S_COMPLETE && *user_ok) + major_status = mech_authorize_localname(minor_status, name, user); + if (major_status == GSS_S_COMPLETE) return GSS_S_COMPLETE; + else if (major_status != GSS_S_UNAVAILABLE) + mechAvailable = 1; - /* If attribute exists, we evaluate attribute */ - if (attr_authorize_localname(minor_status, - name, user, user_ok) == GSS_S_COMPLETE) - return GSS_S_COMPLETE; + /* If attribute exists, it is authoritative */ + major_status = attr_authorize_localname(minor_status, name, user); + if (major_status == GSS_S_COMPLETE || major_status == GSS_S_UNAUTHORIZED) + return major_status; + + /* If mechanism did not implement SPI, compare the local name */ + if (mechAvailable == 0) { + int match = 0; - /* If mech returns unavail, we compare the local name */ - if (major_status == GSS_S_UNAVAILABLE) major_status = gss_compare_name(minor_status, gss_name, - gss_user, user_ok); + gss_user, &match); + if (major_status == GSS_S_COMPLETE && match == 0) + major_status = GSS_S_UNAUTHORIZED; + } return major_status; } @@ -163,7 +166,6 @@ gss_userok(const gss_name_t name, OM_uint32 major_status, minor_status; gss_buffer_desc userBuf; gss_name_t userName; - int user_ok = 0; userBuf.value = (void *)user; userBuf.length = strlen(user); @@ -173,11 +175,9 @@ gss_userok(const gss_name_t name, if (GSS_ERROR(major_status)) return 0; - major_status = gss_authorize_localname(&minor_status, name, userName, &user_ok); - if (GSS_ERROR(major_status)) - user_ok = 0; + major_status = gss_authorize_localname(&minor_status, name, userName); gss_release_name(&minor_status, &userName); - return user_ok; + return (major_status == GSS_S_COMPLETE); }