gsskrb5: Add simple name attributes support
This adds Kerberos mechanism support for:
- composite principal name export/import
- getting rudimentary name attributes from GSS names using
gss_get_name_attribute():
- all (raw) authorization data from the Ticket
- all (raw) authorization data from the Authenticator
- transit path
- realm
- component count
- each component
- gss_inquire_name()
- gss_display_name_ext() (just for the hostbased service name type
though)
The test exercises almost all of the functionality, except for:
- getting the PAC
- getting authz-data from the Authenticator
- getting the transit path
TBD (much) later:
- amend test_context to do minimal name attribute checks as well
- gss_set_name_attribute() (to request authz-data)
- gss_delete_name_attribute()
- getting specific authorization data elements via URN fragments (as
opposed to all of them)
- parsing the PAC, extracting SIDs (each one as a separate value)
- some configurable local policy (?)
- plugin interface for additional local policy
committed by
Nico Williams
parent
1cede09a0b
commit
be708ca3cf
@@ -169,9 +169,11 @@ import_export_name (OM_uint32 *minor_status,
|
||||
const gss_buffer_t input_name_buffer,
|
||||
gss_name_t *output_name)
|
||||
{
|
||||
CompositePrincipal *composite;
|
||||
unsigned char *p;
|
||||
uint32_t length;
|
||||
size_t length, sz;
|
||||
OM_uint32 ret;
|
||||
int is_composite;
|
||||
char *name;
|
||||
|
||||
if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length)
|
||||
@@ -181,7 +183,9 @@ import_export_name (OM_uint32 *minor_status,
|
||||
|
||||
p = input_name_buffer->value;
|
||||
|
||||
if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 ||
|
||||
if (p[0] != 0x04 ||
|
||||
(p[1] != 0x01 && p[1] != 0x02) ||
|
||||
p[2] != 0x00 ||
|
||||
p[3] != GSS_KRB5_MECHANISM->length + 2 ||
|
||||
p[4] != 0x06 ||
|
||||
p[5] != GSS_KRB5_MECHANISM->length ||
|
||||
@@ -189,6 +193,8 @@ import_export_name (OM_uint32 *minor_status,
|
||||
GSS_KRB5_MECHANISM->length) != 0)
|
||||
return GSS_S_BAD_NAME;
|
||||
|
||||
is_composite = p[1] == 0x02;
|
||||
|
||||
p += 6 + GSS_KRB5_MECHANISM->length;
|
||||
|
||||
length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
|
||||
@@ -197,6 +203,28 @@ import_export_name (OM_uint32 *minor_status,
|
||||
if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length)
|
||||
return GSS_S_BAD_NAME;
|
||||
|
||||
if (is_composite) {
|
||||
if ((composite = calloc(1, sizeof(*composite))) == NULL) {
|
||||
*minor_status = ENOMEM;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
ret = decode_CompositePrincipal(p, length, composite, &sz);
|
||||
if (ret) {
|
||||
*minor_status = ret;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
if (sz != length) {
|
||||
free_CompositePrincipal(composite);
|
||||
free(composite);
|
||||
*minor_status = EINVAL;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
*output_name = (void *)composite;
|
||||
return GSS_S_COMPLETE;
|
||||
}
|
||||
|
||||
name = malloc(length + 1);
|
||||
if (name == NULL) {
|
||||
*minor_status = ENOMEM;
|
||||
@@ -207,7 +235,6 @@ import_export_name (OM_uint32 *minor_status,
|
||||
|
||||
ret = parse_krb5_name(minor_status, context, name, output_name);
|
||||
free(name);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -239,7 +266,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_import_name
|
||||
context,
|
||||
input_name_buffer,
|
||||
output_name);
|
||||
else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
|
||||
else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME) ||
|
||||
gss_oid_equal(input_name_type, GSS_C_NT_COMPOSITE_EXPORT)) {
|
||||
return import_export_name(minor_status,
|
||||
context,
|
||||
input_name_buffer,
|
||||
|
||||
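Review bot: In the new `is_composite` branch of import_export_name (the `@@ -197,6 +203,28 @@` hunk), the `decode_CompositePrincipal` failure path sets `*minor_status = ret` and returns GSS_S_FAILURE without releasing the freshly calloc'd `composite`, whereas the `sz != length` path right below it does call `free_CompositePrincipal(composite); free(composite);` — add `free(composite);` before that `return GSS_S_FAILURE;` so a malformed composite export name does not leak on every import attempt. Both failure paths in this branch also leave `*output_name` untouched, while the non-composite path delegates to parse_krb5_name; if callers cannot be assumed to ignore it on failure, `*output_name = GSS_C_NO_NAME;` at the top of the branch would make the contract uniform. Note that `decode_CompositePrincipal` is handed attacker-controlled bytes (`p`, `length` come straight from the input buffer), so the existing `length` bounds check before this hunk is what keeps the decoder in range; the function's parameter list begins before the first visible hunk and the file header is not shown here.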