kdc: use attribute dictionary in altsec authorizer plugin
This commit is contained in:
Luke Howard
@@ -51,7 +51,6 @@ struct gss_client_params {
|
||||
OM_uint32 flags;
|
||||
OM_uint32 lifetime;
|
||||
krb5_checksum req_body_checksum;
|
||||
krb5_data pac_data;
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -501,7 +500,6 @@ struct pa_gss_authorize_plugin_ctx {
|
||||
struct gss_client_params *gcp;
|
||||
krb5_boolean authorized;
|
||||
krb5_principal initiator_princ;
|
||||
krb5_data pac_data;
|
||||
};
|
||||
|
||||
static krb5_error_code KRB5_LIB_CALL
|
||||
@@ -519,8 +517,7 @@ pa_gss_authorize_cb(krb5_context context,
|
||||
pa_gss_authorize_plugin_ctx->gcp->mech_type,
|
||||
pa_gss_authorize_plugin_ctx->gcp->flags,
|
||||
&pa_gss_authorize_plugin_ctx->authorized,
|
||||
&pa_gss_authorize_plugin_ctx->initiator_princ,
|
||||
&pa_gss_authorize_plugin_ctx->pac_data);
|
||||
&pa_gss_authorize_plugin_ctx->initiator_princ);
|
||||
}
|
||||
|
||||
static const char *plugin_deps[] = {
|
||||
@@ -545,8 +542,7 @@ pa_gss_authorize_plugin(astgs_request_t r,
|
||||
struct gss_client_params *gcp,
|
||||
gss_const_buffer_t display_name,
|
||||
krb5_boolean *authorized,
|
||||
krb5_principal *initiator_princ,
|
||||
krb5_data *pac_data)
|
||||
krb5_principal *initiator_princ)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct pa_gss_authorize_plugin_ctx ctx;
|
||||
@@ -555,7 +551,6 @@ pa_gss_authorize_plugin(astgs_request_t r,
|
||||
ctx.gcp = gcp;
|
||||
ctx.authorized = 0;
|
||||
ctx.initiator_princ = NULL;
|
||||
krb5_data_zero(&ctx.pac_data);
|
||||
|
||||
krb5_clear_error_message(r->context);
|
||||
ret = _krb5_plugin_run_f(r->context, &gss_preauth_authorizer_data,
|
||||
@@ -576,7 +571,6 @@ pa_gss_authorize_plugin(astgs_request_t r,
|
||||
|
||||
*authorized = ctx.authorized;
|
||||
*initiator_princ = ctx.initiator_princ;
|
||||
*pac_data = ctx.pac_data;
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -586,8 +580,7 @@ pa_gss_authorize_default(astgs_request_t r,
|
||||
struct gss_client_params *gcp,
|
||||
gss_const_buffer_t display_name,
|
||||
krb5_boolean *authorized,
|
||||
krb5_principal *initiator_princ,
|
||||
krb5_data *pac_data)
|
||||
krb5_principal *initiator_princ)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_principal principal;
|
||||
@@ -689,14 +682,12 @@ _kdc_gss_check_client(astgs_request_t r,
|
||||
krb5_principal initiator_princ = NULL;
|
||||
hdb_entry_ex *initiator = NULL;
|
||||
krb5_boolean authorized = FALSE;
|
||||
krb5_data pac_data;
|
||||
|
||||
OM_uint32 minor;
|
||||
gss_buffer_desc display_name = GSS_C_EMPTY_BUFFER;
|
||||
gss_const_buffer_t display_name_p;
|
||||
|
||||
*client_name = NULL;
|
||||
krb5_data_zero(&pac_data);
|
||||
|
||||
pa_gss_display_name(gcp->initiator_name, &display_name, &display_name_p);
|
||||
|
||||
@@ -705,10 +696,10 @@ _kdc_gss_check_client(astgs_request_t r,
|
||||
* are authorized as the directly corresponding Kerberos principal.
|
||||
*/
|
||||
ret = pa_gss_authorize_plugin(r, gcp, display_name_p,
|
||||
&authorized, &initiator_princ, &pac_data);
|
||||
&authorized, &initiator_princ);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = pa_gss_authorize_default(r, gcp, display_name_p,
|
||||
&authorized, &initiator_princ, &pac_data);
|
||||
&authorized, &initiator_princ);
|
||||
if (ret == 0 && !authorized)
|
||||
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
|
||||
if (ret)
|
||||
@@ -766,14 +757,10 @@ _kdc_gss_check_client(astgs_request_t r,
|
||||
goto out;
|
||||
}
|
||||
|
||||
gcp->pac_data = pac_data;
|
||||
krb5_data_zero(&pac_data);
|
||||
|
||||
out:
|
||||
krb5_free_principal(r->context, initiator_princ);
|
||||
if (initiator)
|
||||
_kdc_free_ent(r->context, initiator);
|
||||
krb5_data_free(&pac_data);
|
||||
gss_release_buffer(&minor, &display_name);
|
||||
|
||||
return ret;
|
||||
@@ -880,7 +867,6 @@ pa_gss_dealloc_client_params(void *ptr)
|
||||
gss_release_name(&minor, &gcp->initiator_name);
|
||||
gss_release_buffer(&minor, &gcp->output_token);
|
||||
free_Checksum(&gcp->req_body_checksum);
|
||||
krb5_data_free(&gcp->pac_data);
|
||||
memset(gcp, 0, sizeof(*gcp));
|
||||
}
|
||||
|
||||
@@ -1015,11 +1001,6 @@ pa_gss_display_name(gss_name_t name,
|
||||
*namebuf_p = namebuf;
|
||||
}
|
||||
|
||||
struct pa_gss_finalize_pac_plugin_ctx {
|
||||
astgs_request_t r;
|
||||
krb5_data *pac_data;
|
||||
};
|
||||
|
||||
static krb5_error_code KRB5_LIB_CALL
|
||||
pa_gss_finalize_pac_cb(krb5_context context,
|
||||
const void *plug,
|
||||
@@ -1027,11 +1008,8 @@ pa_gss_finalize_pac_cb(krb5_context context,
|
||||
void *userctx)
|
||||
{
|
||||
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
|
||||
struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
|
||||
|
||||
return authorizer->finalize_pac(plugctx,
|
||||
pa_gss_finalize_pac_ctx->r,
|
||||
pa_gss_finalize_pac_ctx->pac_data);
|
||||
return authorizer->finalize_pac(plugctx, userctx);
|
||||
}
|
||||
|
||||
|
||||
@@ -1040,14 +1018,10 @@ _kdc_gss_finalize_pac(astgs_request_t r,
|
||||
gss_client_params *gcp)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct pa_gss_finalize_pac_plugin_ctx ctx;
|
||||
|
||||
ctx.r = r;
|
||||
ctx.pac_data = &gcp->pac_data;
|
||||
|
||||
krb5_clear_error_message(r->context);
|
||||
ret = _krb5_plugin_run_f(r->context, &gss_preauth_authorizer_data,
|
||||
0, &ctx, pa_gss_finalize_pac_cb);
|
||||
0, r, pa_gss_finalize_pac_cb);
|
||||
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
Reference in New Issue
Block a user