Merge branch 'master' into lukeh/acquire-cred-ex-moonshot-integ

Conflicts:
	lib/gssapi/Makefile.am
	lib/gssapi/mech/gss_acquire_cred_with_password.c
	lib/gssapi/test_context.c
	lib/gssapi/version-script.map
Luke Howard
2011-05-14 16:48:49 +02:00
24 changed files with 1185 additions and 221 deletions

63
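--- a/lib/gssapi/mech/compat.h
+++ b/lib/gssapi/mech/compat.h
@@ -0,0 +1,63 @@
+/*
+* Copyright (c) 2010, PADL Software Pty Ltd.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* 3. Neither the name of PADL Software nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_saslname_for_mech_t (
+OM_uint32 *, /* minor_status */
+const gss_OID, /* desired_mech */
+gss_buffer_t, /* sasl_mech_name */
+gss_buffer_t, /* mech_name */
+gss_buffer_t /* mech_description */
+);
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_mech_for_saslname_t (
+OM_uint32 *, /* minor_status */
+const gss_buffer_t, /* sasl_mech_name */
+gss_OID * /* mech_type */
+);
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_attrs_for_mech_t (
+OM_uint32 *, /* minor_status */
+gss_const_OID, /* mech */
+gss_OID_set *, /* mech_attrs */
+gss_OID_set * /* known_mech_attrs */
+);
+/*
+* API-as-SPI compatibility for compatibility with MIT mechanisms;
+* native Heimdal mechanisms should not use these.
+*/
+struct gss_mech_compat_desc_struct {
+_gss_inquire_saslname_for_mech_t *gmc_inquire_saslname_for_mech;
+_gss_inquire_mech_for_saslname_t *gmc_inquire_mech_for_saslname;
+_gss_inquire_attrs_for_mech_t *gmc_inquire_attrs_for_mech;
+};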
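Review bot: The new header has no include guard and the three function-pointer typedefs carry no description of what they stand for, even though mech_locl.h now includes compat.h unconditionally. Wrap the file in `#ifndef _GSSAPI_MECH_COMPAT_H_` / `#define _GSSAPI_MECH_COMPAT_H_` / `#endif`, and put a one-line comment above each typedef naming the public GSS-API entry point whose signature it mirrors, e.g. `/* Signature of a mechanism's exported gss_inquire_saslname_for_mech(); used only for MIT-style mechanisms that expose the public API as their SPI. */`. The existing "API-as-SPI compatibility for compatibility with MIT mechanisms" comment would also read better as "API-as-SPI shim for MIT-style mechanisms; native Heimdal mechanisms must leave these NULL", which states the invariant gss_mo.c relies on when it tests the pointers for NULL.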


@@ -39,3 +39,6 @@ struct _gss_cred {
struct _gss_mechanism_cred_list gc_mc;
};
struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc);


@@ -0,0 +1,151 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_add_cred_with_password(OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
const gss_OID desired_mech,
const gss_buffer_t password,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 major_status;
gssapi_mech_interface m;
struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
struct _gss_cred *new_cred;
gss_cred_id_t release_cred;
struct _gss_mechanism_cred *mc, *target_mc, *copy_mc;
struct _gss_mechanism_name *mn;
OM_uint32 junk;
*minor_status = 0;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
if (initiator_time_rec)
*initiator_time_rec = 0;
if (acceptor_time_rec)
*acceptor_time_rec = 0;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
new_cred = malloc(sizeof(struct _gss_cred));
if (!new_cred) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
HEIM_SLIST_INIT(&new_cred->gc_mc);
/*
* We go through all the mc attached to the input_cred_handle
* and check the mechanism. If it matches, we call
* gss_add_cred for that mechanism, otherwise we copy the mc
* to new_cred.
*/
target_mc = 0;
if (cred) {
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) {
target_mc = mc;
}
copy_mc = _gss_copy_cred(mc);
if (!copy_mc) {
release_cred = (gss_cred_id_t)new_cred;
gss_release_cred(&junk, &release_cred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link);
}
}
/*
* Figure out a suitable mn, if any.
*/
if (desired_name) {
major_status = _gss_find_mn(minor_status,
(struct _gss_name *) desired_name,
desired_mech,
&mn);
if (major_status != GSS_S_COMPLETE) {
free(new_cred);
return major_status;
}
} else {
mn = 0;
}
m = __gss_get_mechanism(desired_mech);
if (m->gm_add_cred_with_password == NULL) {
release_cred = (gss_cred_id_t)new_cred;
gss_release_cred(&junk, &release_cred);
return (GSS_S_UNAVAILABLE);
}
mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!mc) {
release_cred = (gss_cred_id_t)new_cred;
gss_release_cred(&junk, &release_cred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
major_status = m->gm_add_cred_with_password(minor_status,
target_mc ? target_mc->gmc_cred : GSS_C_NO_CREDENTIAL,
desired_name ? mn->gmn_name : GSS_C_NO_NAME,
desired_mech,
password,
cred_usage,
initiator_time_req,
acceptor_time_req,
&mc->gmc_cred,
actual_mechs,
initiator_time_rec,
acceptor_time_rec);
if (major_status) {
_gss_mg_error(m, major_status, *minor_status);
release_cred = (gss_cred_id_t)new_cred;
gss_release_cred(&junk, &release_cred);
free(mc);
return (major_status);
}
HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
*output_cred_handle = (gss_cred_id_t) new_cred;
return (GSS_S_COMPLETE);
}
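Review bot: `m = __gss_get_mechanism(desired_mech)` is dereferenced on the very next line (`m->gm_add_cred_with_password`) with no NULL check, so an unknown `desired_mech` combined with `desired_name == GSS_C_NO_NAME` (the only path on which `_gss_find_mn` is not consulted first) crashes instead of failing; add `if (m == NULL) { release_cred = (gss_cred_id_t)new_cred; gss_release_cred(&junk, &release_cred); return GSS_S_BAD_MECH; }` ahead of that test. The `_gss_find_mn` failure path does a bare `free(new_cred)`, which leaks every mechanism credential already copied into `new_cred->gc_mc` by the loop above it; it should use the same `gss_release_cred(&junk, &release_cred)` cleanup the other error paths use. Whether `_gss_find_mn` itself rejects an unknown mechanism is not visible here, so the ordering remark is an inference.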


@@ -0,0 +1,189 @@
/*
* Copyright (c) 2011, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "mech_locl.h"
static gss_buffer_desc localLoginUserAttr = {
sizeof("local-login-user"),
"local-login-user"
};
gss_buffer_t GSSAPI_LIB_VARIABLE GSS_C_ATTR_LOCAL_LOGIN_USER = &localLoginUserAttr;
static OM_uint32
mech_authorize_localname(OM_uint32 *minor_status,
const struct _gss_name *name,
const struct _gss_name *user)
{
OM_uint32 major_status = GSS_S_NAME_NOT_MN;
struct _gss_mechanism_name *mn;
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
gssapi_mech_interface m = mn->gmn_mech;
if (m->gm_authorize_localname == NULL) {
major_status = GSS_S_UNAVAILABLE;
continue;
}
major_status = m->gm_authorize_localname(minor_status,
mn->gmn_name,
&user->gn_value,
&user->gn_type);
if (major_status != GSS_S_UNAUTHORIZED)
break;
}
return major_status;
}
/*
* Naming extensions based local login authorization.
*/
static OM_uint32
attr_authorize_localname(OM_uint32 *minor_status,
const struct _gss_name *name,
const struct _gss_name *user)
{
OM_uint32 major_status = GSS_S_UNAVAILABLE;
int more = -1;
if (!gss_oid_equal(&user->gn_type, GSS_C_NT_USER_NAME))
return GSS_S_BAD_NAMETYPE;
while (more != 0 && major_status != GSS_S_COMPLETE) {
OM_uint32 tmpMajor, tmpMinor;
gss_buffer_desc value;
gss_buffer_desc display_value;
int authenticated = 0, complete = 0;
tmpMajor = gss_get_name_attribute(minor_status,
(gss_name_t)name,
GSS_C_ATTR_LOCAL_LOGIN_USER,
&authenticated,
&complete,
&value,
&display_value,
&more);
if (GSS_ERROR(major_status)) {
major_status = tmpMajor;
break;
}
/* If attribute is present, return an authoritative error code. */
if (authenticated &&
value.length == user->gn_value.length &&
memcmp(value.value, user->gn_value.value, user->gn_value.length) == 0)
major_status = GSS_S_COMPLETE;
else
major_status = GSS_S_UNAUTHORIZED;
gss_release_buffer(&tmpMinor, &value);
gss_release_buffer(&tmpMinor, &display_value);
}
return major_status;
}
OM_uint32
gss_authorize_localname(OM_uint32 *minor_status,
const gss_name_t gss_name,
const gss_name_t gss_user)
{
OM_uint32 major_status;
const struct _gss_name *name = (const struct _gss_name *) gss_name;
const struct _gss_name *user = (const struct _gss_name *) gss_user;
int mechAvailable = 0;
*minor_status = 0;
if (gss_name == GSS_C_NO_NAME || gss_user == GSS_C_NO_NAME)
return GSS_S_CALL_INACCESSIBLE_READ;
/*
* We should check that the user name is not a mechanism name, but
* as Heimdal always calls the mechanism's gss_import_name(), it's
* not possible to make this check.
*/
#if 0
if (HEIM_SLIST_FIRST(&user->gn_mn) != NULL)
return GSS_S_BAD_NAME;
#endif
/* If mech returns yes, we return yes */
major_status = mech_authorize_localname(minor_status, name, user);
if (major_status == GSS_S_COMPLETE)
return GSS_S_COMPLETE;
else if (major_status != GSS_S_UNAVAILABLE)
mechAvailable = 1;
/* If attribute exists, it is authoritative */
major_status = attr_authorize_localname(minor_status, name, user);
if (major_status == GSS_S_COMPLETE || major_status == GSS_S_UNAUTHORIZED)
return major_status;
/* If mechanism did not implement SPI, compare the local name */
if (mechAvailable == 0) {
int match = 0;
major_status = gss_compare_name(minor_status, gss_name,
gss_user, &match);
if (major_status == GSS_S_COMPLETE && match == 0)
major_status = GSS_S_UNAUTHORIZED;
}
return major_status;
}
int
gss_userok(const gss_name_t name,
const char *user)
{
OM_uint32 major_status, minor_status;
gss_buffer_desc userBuf;
gss_name_t userName;
userBuf.value = (void *)user;
userBuf.length = strlen(user);
major_status = gss_import_name(&minor_status, &userBuf,
GSS_C_NT_USER_NAME, &userName);
if (GSS_ERROR(major_status))
return 0;
major_status = gss_authorize_localname(&minor_status, name, userName);
gss_release_name(&minor_status, &userName);
return (major_status == GSS_S_COMPLETE);
}
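Review bot: In `attr_authorize_localname` the error check after `gss_get_name_attribute` tests `major_status` instead of `tmpMajor`; `major_status` is initialised to GSS_S_UNAVAILABLE, which is a routine-error code and therefore satisfies GSS_ERROR(), so on the first iteration the loop assigns `major_status = tmpMajor` and breaks before the `authenticated`/value comparison runs. When the attribute is present `tmpMajor` is GSS_S_COMPLETE, which `gss_authorize_localname` and `gss_userok` then treat as an authoritative yes for whatever local user was asked about — an authorization bypass for any name carrying a `local-login-user` attribute, if my reading of the GSS_ERROR macro is right. The line should be `if (GSS_ERROR(tmpMajor)) { major_status = tmpMajor; break; }`. Separately, `gss_userok` calls `strlen(user)` with no NULL check on `user`.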


@@ -310,6 +310,9 @@ _gss_load_mech(void)
m->gm_so = so;
m->gm_mech.gm_mech_oid = mech_oid;
m->gm_mech.gm_flags = 0;
m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct));
if (m->gm_mech.gm_compat == NULL)
goto bad;
major_status = gss_add_oid_set_member(&minor_status,
&m->gm_mech.gm_mech_oid, &_gss_mech_oids);
@@ -369,6 +372,10 @@ _gss_load_mech(void)
OPTSYM(set_name_attribute);
OPTSYM(delete_name_attribute);
OPTSYM(export_name_composite);
OPTSPISYM(acquire_cred_with_password);
OPTSYM(add_cred_with_password);
OPTSYM(pname_to_uid);
OPTSPISYM(authorize_localname);
mi = dlsym(so, "gss_mo_init");
if (mi != NULL) {
@@ -376,6 +383,11 @@ _gss_load_mech(void)
&m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num);
if (GSS_ERROR(major_status))
goto bad;
} else {
/* API-as-SPI compatibility */
COMPATSYM(inquire_saslname_for_mech);
COMPATSYM(inquire_mech_for_saslname);
COMPATSYM(inquire_attrs_for_mech);
}
/* pick up the oid sets of names */
@@ -392,6 +404,7 @@ _gss_load_mech(void)
bad:
if (m != NULL) {
free(m->gm_mech.gm_compat);
free(m->gm_mech.gm_mech_oid.elements);
free(m);
}
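Review bot: The `COMPATSYM(...)` lookups in the `else` branch store a mechanism's public `gss_inquire_*` exports as SPI entry points, but COMPATSYM's definition is outside this hunk; if it is a plain `dlsym(so, "gss_...")`, a plugin that itself links against this mechglue may resolve to the mechglue's own `gss_inquire_saslname_for_mech`, and `inquire_saslname_for_mech_compat` in gss_mo.c would then call back into itself indefinitely. A comment at the `else` should record the assumption, e.g. `/* MIT-style mechanism without gss_mo_init: use its public gss_inquire_* exports as the SPI; must not resolve to this library's own symbols */`, and if that case is reachable the resolved address should be compared against our own function before being stored. Note also that `gm_compat` is allocated for every mechanism but only populated here, so native mechanisms carry an all-NULL struct; the consumers in gss_mo.c do test the pointers for NULL, which is worth stating at the allocation site.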


@@ -4,6 +4,7 @@
* All rights reserved.
*
* Portions Copyright (c) 2010 Apple Inc. All rights reserved.
* Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -35,13 +36,14 @@
#include "mech_locl.h"
#include <crypto-headers.h>
static int
get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
return def;
}
int
_gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
@@ -60,10 +62,10 @@ _gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t valu
if (value) {
value->value = strdup((char *)mo->ctx);
if (value->value == NULL)
return 1;
return GSS_S_FAILURE;
value->length = strlen((char *)mo->ctx);
}
return 0;
return GSS_S_COMPLETE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
@@ -79,7 +81,8 @@ gss_mo_set(gss_const_OID mech, gss_const_OID option,
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set)
return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value);
return 0;
return GSS_S_UNAVAILABLE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
@@ -91,13 +94,13 @@ gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value)
_mg_buffer_zero(value);
if ((m = __gss_get_mechanism(mech)) == NULL)
return 0;
return GSS_S_BAD_MECH;
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get)
return m->gm_mo[n].get(mech, &m->gm_mo[n], value);
return 0;
return GSS_S_UNAVAILABLE;
}
static void
@@ -147,7 +150,8 @@ gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
for (n = 0; n < m->gm_mo_num; n++) {
if (gss_oid_equal(option, m->gm_mo[n].option)) {
/*
* If ther is no name, its because its a GSS_C_MA and there is already a table for that.
* If there is no name, its because its a GSS_C_MA and
* there is already a table for that.
*/
if (m->gm_mo[n].name) {
name->value = strdup(m->gm_mo[n].name);
@@ -175,14 +179,86 @@ mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
if (name == NULL)
return GSS_S_COMPLETE;
if (gss_mo_get(mech, option, name) != 0 && name->length == 0)
return GSS_S_FAILURE;
return gss_mo_get(mech, option, name);
}
/* code derived from draft-ietf-cat-sasl-gssapi-01 */
static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
static OM_uint32
make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16])
{
EVP_MD_CTX *ctx;
char *p = sasl_name;
u_char hdr[2], hash[20], *h = hash;
if (mech->length > 127)
return GSS_S_BAD_MECH;
hdr[0] = 0x06;
hdr[1] = mech->length;
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, hdr, 2);
EVP_DigestUpdate(ctx, mech->elements, mech->length);
EVP_DigestFinal(ctx, hash, NULL);
memcpy(p, "GS2-", 4);
p += 4;
*p++ = basis_32[(h[0] >> 3)];
*p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)];
*p++ = basis_32[(h[1] & 0x3f) >> 1];
*p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)];
*p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)];
*p++ = basis_32[(h[3] & 0x7f) >> 2];
*p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)];
*p++ = basis_32[(h[4] & 0x1f)];
*p++ = basis_32[(h[5] >> 3)];
*p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)];
*p++ = basis_32[(h[6] & 0x3f) >> 1];
*p = '\0';
return GSS_S_COMPLETE;
}
/*
* gss_inquire_saslname_for_mech() wrapper that uses MIT SPI
*/
static OM_uint32
inquire_saslname_for_mech_compat(OM_uint32 *minor,
const gss_OID desired_mech,
gss_buffer_t sasl_mech_name,
gss_buffer_t mech_name,
gss_buffer_t mech_description)
{
struct gss_mech_compat_desc_struct *gmc;
gssapi_mech_interface m;
OM_uint32 major;
m = __gss_get_mechanism(desired_mech);
if (m == NULL)
return GSS_S_BAD_MECH;
gmc = m->gm_compat;
if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) {
major = gmc->gmc_inquire_saslname_for_mech(minor,
desired_mech,
sasl_mech_name,
mech_name,
mech_description);
} else {
major = GSS_S_UNAVAILABLE;
}
return major;
}
/**
* Returns differnt protocol names and description of the mechanism.
* Returns different protocol names and description of the mechanism.
*
* @param minor_status minor status code
* @param desired_mech mech list query
@@ -215,15 +291,41 @@ gss_inquire_saslname_for_mech(OM_uint32 *minor_status,
return GSS_S_BAD_MECH;
major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name);
if (major) return major;
if (major == GSS_S_COMPLETE) {
/* Native SPI */
major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
if (GSS_ERROR(major))
return major;
major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
if (major) return major;
major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
if (GSS_ERROR(major))
return major;
}
major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
if (major) return major;
if (GSS_ERROR(major)) {
/* API-as-SPI compatibility */
major = inquire_saslname_for_mech_compat(minor_status,
desired_mech,
sasl_mech_name,
mech_name,
mech_description);
}
return GSS_S_COMPLETE;
if (GSS_ERROR(major)) {
/* Algorithmically dervied SASL mechanism name */
char buf[16];
gss_buffer_desc tmp = { sizeof(buf) - 1, buf };
major = make_sasl_name(minor_status, desired_mech, buf);
if (GSS_ERROR(major))
return major;
major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name);
if (GSS_ERROR(major))
return major;
}
return major;
}
/**
@@ -243,29 +345,91 @@ gss_inquire_mech_for_saslname(OM_uint32 *minor_status,
{
struct _gss_mech_switch *m;
gss_buffer_desc name;
OM_uint32 major;
OM_uint32 major, junk;
char buf[16];
_gss_load_mech();
*mech_type = NULL;
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
struct gss_mech_compat_desc_struct *gmc;
major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
if (major)
continue;
if (name.length == sasl_mech_name->length &&
memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
gss_release_buffer(&major, &name);
*mech_type = &m->gm_mech_oid;
return 0;
/* Native SPI */
major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
if (major == GSS_S_COMPLETE &&
name.length == sasl_mech_name->length &&
memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
gss_release_buffer(&junk, &name);
*mech_type = &m->gm_mech_oid;
return GSS_S_COMPLETE;
}
gss_release_buffer(&major, &name);
gss_release_buffer(&junk, &name);
if (GSS_ERROR(major)) {
/* API-as-SPI compatibility */
gmc = m->gm_mech.gm_compat;
if (gmc && gmc->gmc_inquire_mech_for_saslname) {
major = gmc->gmc_inquire_mech_for_saslname(minor_status,
sasl_mech_name,
mech_type);
if (major == GSS_S_COMPLETE)
return GSS_S_COMPLETE;
}
}
if (GSS_ERROR(major)) {
/* Algorithmically dervied SASL mechanism name */
if (sasl_mech_name->length == 16 &&
make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE &&
memcmp(buf, sasl_mech_name->value, 16) == 0) {
*mech_type = &m->gm_mech_oid;
return GSS_S_COMPLETE;
}
}
}
return GSS_S_BAD_MECH;
}
/*
* Test mechanism against indicated attributes using both Heimdal and
* MIT SPIs.
*/
static int
test_mech_attrs(gssapi_mech_interface mi,
gss_const_OID_set mech_attrs,
gss_const_OID_set against_attrs,
int except)
{
size_t n, m;
int eq;
if (against_attrs == GSS_C_NO_OID_SET)
return 1;
for (n = 0; n < against_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++) {
eq = gss_oid_equal(mi->gm_mo[m].option,
&against_attrs->elements[n]);
if (eq)
break;
}
if (mech_attrs != GSS_C_NO_OID_SET) {
for (m = 0; m < mech_attrs->count; m++) {
eq = gss_oid_equal(&mech_attrs->elements[m],
&against_attrs->elements[n]);
if (eq)
break;
}
}
if (!eq ^ except)
return 0;
}
return 1;
}
/**
* Return set of mechanism that fullfill the criteria
*
@@ -286,57 +450,49 @@ gss_indicate_mechs_by_attrs(OM_uint32 * minor_status,
gss_OID_set *mechs)
{
struct _gss_mech_switch *ms;
gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET;
OM_uint32 major;
size_t n, m;
major = gss_create_empty_oid_set(minor_status, mechs);
if (major)
if (GSS_ERROR(major))
return major;
_gss_load_mech();
HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) {
gssapi_mech_interface mi = &ms->gm_mech;
struct gss_mech_compat_desc_struct *gmc = mi->gm_compat;
OM_uint32 tmp;
if (desired_mech_attrs) {
for (n = 0; n < desired_mech_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++)
if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
break;
if (m == mi->gm_mo_num)
goto next;
}
}
if (gmc && gmc->gmc_inquire_attrs_for_mech) {
major = gmc->gmc_inquire_attrs_for_mech(minor_status,
&mi->gm_mech_oid,
&mech_attrs,
&known_mech_attrs);
if (GSS_ERROR(major))
continue;
}
if (except_mech_attrs) {
for (n = 0; n < desired_mech_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++) {
if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
goto next;
}
}
}
/*
* Test mechanism supports all of desired_mech_attrs;
* none of except_mech_attrs;
* and knows of all critical_mech_attrs.
*/
if (test_mech_attrs(mi, mech_attrs, desired_mech_attrs, 0) &&
test_mech_attrs(mi, mech_attrs, except_mech_attrs, 1) &&
test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) {
major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs);
}
if (critical_mech_attrs) {
for (n = 0; n < desired_mech_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++) {
if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL)
continue;
if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
break;
}
if (m == mi->gm_mo_num)
goto next;
}
}
gss_release_oid_set(&tmp, &mech_attrs);
gss_release_oid_set(&tmp, &known_mech_attrs);
next:
do { } while(0);
if (GSS_ERROR(major))
break;
}
return GSS_S_FAILURE;
return major;
}
/**
@@ -361,30 +517,45 @@ gss_inquire_attrs_for_mech(OM_uint32 * minor_status,
{
OM_uint32 major, junk;
if (known_mech_attrs)
*known_mech_attrs = GSS_C_NO_OID_SET;
if (mech_attr && mech) {
gssapi_mech_interface m;
struct gss_mech_compat_desc_struct *gmc;
if ((m = __gss_get_mechanism(mech)) == NULL) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
major = gss_create_empty_oid_set(minor_status, mech_attr);
if (major != GSS_S_COMPLETE)
return major;
gmc = m->gm_compat;
add_all_mo(m, mech_attr, GSS_MO_MA);
}
if (gmc && gmc->gmc_inquire_attrs_for_mech) {
major = gmc->gmc_inquire_attrs_for_mech(minor_status,
mech,
mech_attr,
known_mech_attrs);
} else {
major = gss_create_empty_oid_set(minor_status, mech_attr);
if (major == GSS_S_COMPLETE)
add_all_mo(m, mech_attr, GSS_MO_MA);
}
if (GSS_ERROR(major))
return major;
}
if (known_mech_attrs) {
struct _gss_mech_switch *m;
major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
if (major) {
if (mech_attr)
gss_release_oid_set(&junk, mech_attr);
return major;
}
if (*known_mech_attrs == GSS_C_NO_OID_SET) {
major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
if (GSS_ERROR(major)) {
if (mech_attr)
gss_release_oid_set(&junk, mech_attr);
return major;
}
}
_gss_load_mech();
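Review bot: In `gss_inquire_mech_for_saslname` the algorithmically-derived fallback requires `sasl_mech_name->length == 16` and compares 16 bytes, but `make_sasl_name` writes a 15-character name (`GS2-` plus 11 base32 digits, NUL at index 15) and `gss_inquire_saslname_for_mech` returns it with `tmp.length = sizeof(buf) - 1`, i.e. 15 — so a name obtained from one function never matches in the other, while a caller that includes the terminating NUL would. The check should be `sasl_mech_name->length == sizeof(buf) - 1` with `memcmp(buf, sasl_mech_name->value, sizeof(buf) - 1) == 0`. In `test_mech_attrs`, `eq` set by the first loop is overwritten by the second loop over `mech_attrs`, so an attribute found in `gm_mo` but absent from `mech_attrs` is reported as missing, and `eq` is read uninitialised when both loops have nothing to iterate; initialise `eq = 0` at the top of the outer loop and guard the second loop with `if (!eq && mech_attrs != GSS_C_NO_OID_SET)`. `make_sasl_name` also never calls `EVP_MD_CTX_destroy(ctx)`, leaking one digest context per call, and does not check `EVP_MD_CTX_create()` for NULL before use.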


@@ -0,0 +1,166 @@
/*
* Copyright (c) 2011, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "mech_locl.h"
static OM_uint32
mech_pname_to_uid(OM_uint32 *minor_status,
struct _gss_mechanism_name *mn,
uid_t *uidp)
{
OM_uint32 major_status = GSS_S_UNAVAILABLE;
*minor_status = 0;
if (mn->gmn_mech->gm_pname_to_uid == NULL)
return GSS_S_UNAVAILABLE;
major_status = mn->gmn_mech->gm_pname_to_uid(minor_status,
mn->gmn_name,
mn->gmn_mech_oid,
uidp);
if (GSS_ERROR(major_status))
_gss_mg_error(mn->gmn_mech, major_status, *minor_status);
return major_status;
}
static OM_uint32
attr_pname_to_uid(OM_uint32 *minor_status,
struct _gss_mechanism_name *mn,
uid_t *uidp)
{
OM_uint32 major_status = GSS_S_UNAVAILABLE;
OM_uint32 tmpMinor;
int more = -1;
*minor_status = 0;
if (mn->gmn_mech->gm_get_name_attribute == NULL)
return GSS_S_UNAVAILABLE;
while (more != 0) {
gss_buffer_desc value;
gss_buffer_desc display_value;
int authenticated = 0, complete = 0, code;
#ifdef POSIX_GETPWNAM_R
char pwbuf[2048];
struct passwd pw, *pwd;
#else
struct passwd *pwd;
#endif
char *localname;
major_status = mn->gmn_mech->gm_get_name_attribute(minor_status,
mn->gmn_name,
GSS_C_ATTR_LOCAL_LOGIN_USER,
&authenticated,
&complete,
&value,
&display_value,
&more);
if (GSS_ERROR(major_status)) {
_gss_mg_error(mn->gmn_mech, major_status, *minor_status);
break;
}
localname = malloc(value.length + 1);
if (localname == NULL) {
major_status = GSS_S_FAILURE;
*minor_status = ENOMEM;
break;
}
memcpy(localname, value.value, value.length);
localname[value.length] = '\0';
#ifdef POSIX_GETPWNAM_R
if (getpwnam_r(localname, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0)
pwd = NULL;
#else
pwd = getpwnam(localname);
#endif
free(localname);
gss_release_buffer(&tmpMinor, &value);
gss_release_buffer(&tmpMinor, &display_value);
if (code == 0 && pwd != NULL) {
*uidp = pwd->pw_uid;
major_status = GSS_S_COMPLETE;
*minor_status = 0;
break;
} else
major_status = GSS_S_UNAVAILABLE;
}
return major_status;
}
OM_uint32
gss_pname_to_uid(OM_uint32 *minor_status,
const gss_name_t pname,
const gss_OID mech_type,
uid_t *uidp)
{
OM_uint32 major_status = GSS_S_UNAVAILABLE;
struct _gss_name *name = (struct _gss_name *) pname;
struct _gss_mechanism_name *mn = NULL;
*minor_status = 0;
if (mech_type != GSS_C_NO_OID) {
major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
if (GSS_ERROR(major_status))
return major_status;
major_status = mech_pname_to_uid(minor_status, mn, uidp);
if (major_status != GSS_S_COMPLETE)
major_status = attr_pname_to_uid(minor_status, mn, uidp);
} else {
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
if (mn->gmn_mech->gm_pname_to_uid == NULL)
continue;
major_status = mech_pname_to_uid(minor_status, mn, uidp);
if (major_status != GSS_S_COMPLETE)
major_status = attr_pname_to_uid(minor_status, mn, uidp);
if (major_status != GSS_S_UNAVAILABLE)
break;
}
}
if (major_status != GSS_S_COMPLETE && mn != NULL)
_gss_mg_error(mn->gmn_mech, major_status, *minor_status);
return major_status;
}
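Review bot: `code` in `attr_pname_to_uid` is declared but never assigned, yet the success test reads `code == 0 && pwd != NULL`, so the outcome depends on an uninitialised int (undefined behaviour; under POSIX_GETPWNAM_R the `getpwnam_r` result is already folded into `pwd`). Assign it on both branches — `code = getpwnam_r(localname, &pw, pwbuf, sizeof(pwbuf), &pwd); if (code != 0) pwd = NULL;` and `pwd = getpwnam(localname); code = 0;` — or drop `code` and test `pwd` alone. In the `mech_type == GSS_C_NO_OID` loop of `gss_pname_to_uid`, the `continue` taken when `gm_pname_to_uid == NULL` also skips the `attr_pname_to_uid` fallback, unlike the explicit-mechanism path just above it; if that asymmetry is intended a comment should say so, otherwise the `continue` can go since `mech_pname_to_uid` already returns GSS_S_UNAVAILABLE for that case. A fixed 2048-byte `pwbuf` can also make `getpwnam_r` fail with ERANGE on large NSS entries, which is then silently reported as "no such user".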


@@ -62,6 +62,7 @@
#include "mech_switch.h"
#include "name.h"
#include "utils.h"
#include "compat.h"
#define _mg_buffer_zero(buffer) \
do { \