gss: Add way to set authenticator authz-data

Now we can set Authenticator authorization-data with gss_set_name_attribute().
2022-01-07 15:55:15 -06:00
parent fe11481cc5
commit c2e3c5b66e
8 changed files with 159 additions and 3 deletions
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -33,6 +33,12 @@

 #include "gsskrb5_locl.h"

+static OM_uint32
+gsskrb5_set_authorization_data(OM_uint32 *,
+                               krb5_context,
+                               krb5_auth_context,
+                               gss_const_name_t);
+
 /*
 * copy the addresses from `input_chan_bindings' (if any) to
 * the auth context `ac'
@@ -418,6 +424,11 @@ init_auth
    if (ret)
 	goto failure;

+    ret = gsskrb5_set_authorization_data(minor_status, context,
+                                         ctx->auth_context, name);
+    if (ret)
+	goto failure;
+
    ctx->endtime = ctx->kcred->times.endtime;

    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
@@ -977,3 +988,31 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
    return ret;

 }
+
+static OM_uint32
+gsskrb5_set_authorization_data(OM_uint32 *minor_status,
+                               krb5_context context,
+                               krb5_auth_context auth_context,
+                               gss_const_name_t gn)
+{
+    const CompositePrincipal *name = (const void *)gn;
+    AuthorizationData *ad;
+    krb5_error_code kret = 0;
+    size_t i;
+
+    if (name->nameattrs == NULL || name->nameattrs->want_ad == NULL)
+        return GSS_S_COMPLETE;
+
+    ad = name->nameattrs->want_ad;
+    for (i = 0; kret == 0 && i < ad->len; i++) {
+        kret = krb5_auth_con_add_AuthorizationData(context, auth_context,
+                                                   ad->val[0].ad_type,
+                                                   &ad->val[0].ad_data);
+    }
+
+    if (kret) {
+        *minor_status = kret;
+        return GSS_S_FAILURE;
+    }
+    return GSS_S_COMPLETE;
+}
--- a/lib/gssapi/krb5/name_attrs.c
+++ b/lib/gssapi/krb5/name_attrs.c
@@ -172,6 +172,7 @@ static get_name_attr_f get_pac;
 static get_name_attr_f get_authz_data;
 static get_name_attr_f get_ticket_authz_data;
 static get_name_attr_f get_authenticator_authz_data;
+static set_name_attr_f set_authenticator_authz_data;
 static get_name_attr_f get_transited;
 static get_name_attr_f get_canonical_name;

@@ -209,7 +210,8 @@ static struct krb5_name_attrs {
    { NB("ticket-authz-data"),
         get_ticket_authz_data, NULL, NULL, 1, 1 },
    { NB("authenticator-authz-data"),
-         get_authenticator_authz_data, NULL, NULL, 1, 1 },
+         get_authenticator_authz_data,
+         set_authenticator_authz_data, NULL, 1, 1 },
    { NB("authz-data"),     get_authz_data,  NULL, NULL, 1, 1 },
    { NB("transit-path"),   get_transited,   NULL, NULL, 1, 1 },
    { NB("canonical-name"), get_canonical_name, NULL, NULL, 1, 1 },
@@ -922,6 +924,62 @@ get_authenticator_authz_data(OM_uint32 *minor_status,
    return kret == 0 ? GSS_S_COMPLETE : GSS_S_FAILURE;
 }

+static OM_uint32
+set_authenticator_authz_data(OM_uint32 *minor_status,
+                             CompositePrincipal *name,
+                             gss_const_buffer_t prefix,
+                             gss_const_buffer_t attr,
+                             gss_const_buffer_t frag,
+                             int complete,
+                             gss_buffer_t value)
+{
+    AuthorizationDataElement e;
+    krb5_error_code kret;
+    size_t sz;
+
+    if (!value)
+        return GSS_S_CALL_INACCESSIBLE_READ;
+    if (frag->length &&
+        !ATTR_EQ(frag, "if-relevant"))
+        return GSS_S_UNAVAILABLE;
+
+    if ((name->nameattrs == NULL &&
+        (name->nameattrs = calloc(1, sizeof(*name->nameattrs))) == NULL) ||
+        (name->nameattrs->want_ad == NULL &&
+         (name->nameattrs->want_ad =
+          calloc(1, sizeof(*name->nameattrs->want_ad))) == NULL)) {
+        *minor_status = ENOMEM;
+        return GSS_S_FAILURE;
+    }
+
+    memset(&e, 0, sizeof(e));
+    kret = decode_AuthorizationDataElement(value->value, value->length, &e,
+                                           &sz);
+    if (kret == 0) {
+        if (frag->length) {
+            AuthorizationData ir;
+
+            ir.len = 0;
+            ir.val = NULL;
+            kret = add_AuthorizationData(&ir, &e);
+            free_AuthorizationDataElement(&e);
+            if (kret == 0) {
+                e.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+                ASN1_MALLOC_ENCODE(AuthorizationData, e.ad_data.data,
+                                   e.ad_data.length, &ir, &sz, kret);
+                kret = add_AuthorizationData(name->nameattrs->want_ad, &e);
+            }
+            free_AuthorizationData(&ir);
+        } else {
+            kret = add_AuthorizationData(name->nameattrs->want_ad, &e);
+            free_AuthorizationDataElement(&e);
+        }
+    }
+
+    *minor_status = kret;
+    return kret == 0 ? GSS_S_COMPLETE : GSS_S_FAILURE;
+}
+
 static OM_uint32
 get_transited(OM_uint32 *minor_status,
              const CompositePrincipal *name,