author | Greg Hudson <ghudson@mit.edu> | 2011-04-10 15:42:11 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2011-04-10 15:42:11 +0000 |
commit | 8b62abaa08ba814ce45bde12d8798d3a6e58c209 (patch) | |
tree | aececc8799269bfccecade6f8ac5fa6292d54a21 /src/lib/gssapi/krb5/gssapi_krb5.c | |
parent | edb0eef166577992184a09a1404faed5f5b714c8 (diff) | |
Implement gss_authorize_localname, as discussed on the kitten list,
and make gss_userok a wrapper around it matching the GNU GSS
prototype. The SPI for gss_authorize_localname doesn't match the API
since we have no way of representing the contents of an internal name
to a mech at the moment. From r24855, r24857, r24858, r24862, r24863,
r24864, r24866, r24867, and r24868 in
users/lhoward/moonshot-mechglue-fixes.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24869 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/krb5/gssapi_krb5.c')
-rw-r--r-- | src/lib/gssapi/krb5/gssapi_krb5.c | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index a503744e52..bc02a0716a 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -797,17 +797,28 @@ krb5_gss_pname_to_uid(OM_uint32 *minor,
 #endif /* !NO_PASSWORD */
 static OM_uint32
-krb5_gss_userok(OM_uint32 *minor,
-                const gss_name_t pname,
-                const char *local_user,
-                int *user_ok)
+krb5_gss_authorize_localname(OM_uint32 *minor,
+                             const gss_name_t pname,
+                             gss_const_buffer_t local_user,
+                             gss_const_OID name_type)
 {
     krb5_context context;
     krb5_error_code code;
     krb5_gss_name_t kname;
+    char *user;
+    int user_ok;
-    *minor = 0;
-    *user_ok = 0;
+    if (name_type != GSS_C_NO_OID &&
+        !g_OID_equal(name_type, GSS_C_NT_USER_NAME)) {
+        return GSS_S_BAD_NAMETYPE;
+    }
+
+    if (!kg_validate_name(pname)) {
+        *minor = (OM_uint32)G_VALIDATE_FAILED;
+        return GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME;
+    }
+
+    kname = (krb5_gss_name_t)pname;
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -815,19 +826,23 @@ krb5_gss_userok(OM_uint32 *minor,
         return GSS_S_FAILURE;
     }
-    if (!kg_validate_name(pname)) {
-        *minor = (OM_uint32)G_VALIDATE_FAILED;
+    user = k5alloc(local_user->length + 1, &code);
+    if (user == NULL) {
+        *minor = code;
         krb5_free_context(context);
-        return GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME;
+        return GSS_S_FAILURE;
     }
-    kname = (krb5_gss_name_t)pname;
+    memcpy(user, local_user->value, local_user->length);
+    user[local_user->length] = '\0';
-    *user_ok = krb5_kuserok(context, kname->princ, local_user);
+    user_ok = krb5_kuserok(context, kname->princ, user);
+    free(user);
     krb5_free_context(context);
-    return GSS_S_COMPLETE;
+    *minor = 0;
+    return user_ok ? GSS_S_COMPLETE : GSS_S_UNAUTHORIZED;
 }
 static struct gss_config krb5_mechanism = {
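Review bot: The `return GSS_S_BAD_NAMETYPE;` in the new name_type check leaves `*minor` unset, while every other exit of krb5_gss_authorize_localname writes it, so a caller that reports the minor status reads an uninitialized value on that path. The local_user buffer is also dereferenced without a GSS_C_NO_BUFFER check and is copied into a NUL-terminated string without rejecting embedded NULs, so a buffer whose value contains a NUL byte is silently truncated to its prefix before the krb5_kuserok decision rather than being refused as a malformed name. I would set `*minor = 0;` in the name-type branch and add a buffer guard before the k5alloc call, as sketched below; the length check in the guard should run before the `local_user->length + 1` arithmetic, which wraps to zero for an OM_uint32 length of UINT32_MAX. The function's body continues past the end of the first hunk; its allocation, copy and return path are in the second hunk, which has the same layout.
```c
    if (name_type != GSS_C_NO_OID &&
        !g_OID_equal(name_type, GSS_C_NT_USER_NAME)) {
        *minor = 0;
        return GSS_S_BAD_NAMETYPE;
    }

    /* Refuse a missing buffer or one with an embedded NUL: the copy below
     * turns the value into a C string, which would otherwise be truncated. */
    if (local_user == GSS_C_NO_BUFFER ||
        (local_user->length > 0 &&
         memchr(local_user->value, '\0', local_user->length) != NULL)) {
        *minor = 0;
        return GSS_S_BAD_NAME;
    }
    /* … unchanged: kg_validate_name check, context init, k5alloc copy … */
```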
@@ -881,7 +896,7 @@ static struct gss_config krb5_mechanism = {
 #else
     krb5_gss_pname_to_uid,
 #endif
-    krb5_gss_userok,
+    krb5_gss_authorize_localname,
     krb5_gss_export_name,
     krb5_gss_duplicate_name,
     krb5_gss_store_cred,