dovecot-1.2: gssapi: Cross-realm authentication fix.
dovecot at dovecot.org
dovecot at dovecot.org
Fri Mar 13 23:42:11 EET 2009
details: http://hg.dovecot.org/dovecot-1.2/rev/ff6378d7b209
changeset: 8826:ff6378d7b209
user: Timo Sirainen <tss at iki.fi>
date: Fri Mar 13 17:42:05 2009 -0400
description:
gssapi: Cross-realm authentication fix.
Patch by Bryan Jacobs.
diffstat:
1 file changed, 24 insertions(+), 9 deletions(-)
src/auth/mech-gssapi.c | 33 ++++++++++++++++++++++++---------
diffs (81 lines):
diff -r 2ed5d2250d1d -r ff6378d7b209 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c Fri Mar 13 17:27:11 2009 -0400
+++ b/src/auth/mech-gssapi.c Fri Mar 13 17:42:05 2009 -0400
@@ -317,7 +317,9 @@ static void gssapi_wrap(struct gssapi_au
}
#ifdef USE_KRB5_USEROK
-static bool gssapi_krb5_userok(struct gssapi_auth_request *request)
+static bool
+gssapi_krb5_userok(struct gssapi_auth_request *request, gss_name_t name,
+ bool check_name_type)
{
krb5_context ctx;
krb5_principal princ;
@@ -329,7 +331,7 @@ static bool gssapi_krb5_userok(struct gs
bool ret = FALSE;
/* Parse out the principal's username */
- major_status = gss_display_name(&minor_status, request->authn_name,
+ major_status = gss_display_name(&minor_status, name,
&princ_name, &name_type);
if (major_status != GSS_S_COMPLETE) {
auth_request_log_gss_error(&request->auth_request, major_status,
@@ -337,7 +339,7 @@ static bool gssapi_krb5_userok(struct gs
"gssapi_krb5_userok");
return FALSE;
}
- if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME) {
+ if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME && check_name_type) {
auth_request_log_error(&request->auth_request, "gssapi",
"OID not kerberos principal name");
return FALSE;
@@ -376,8 +378,9 @@ static void gssapi_unwrap(struct gssapi_
{
OM_uint32 major_status, minor_status;
gss_buffer_desc outbuf;
+#if defined(HAVE___GSS_USEROK) || !defined(USE_KRB5_USEROK)
int equal_authn_authz = 0;
-
+#endif
major_status = gss_unwrap(&minor_status, request->gss_ctx,
&inbuf, &outbuf, NULL, NULL);
@@ -440,20 +443,32 @@ static void gssapi_unwrap(struct gssapi_
(unsigned char *)outbuf.value + 4,
outbuf.length - 4);
+#ifdef USE_KRB5_USEROK
+ if (!gssapi_krb5_userok(request, request->authn_name, TRUE)) {
+ auth_request_log_error(&request->auth_request, "gssapi",
+ "authn_name not authorized");
+ auth_request_fail(&request->auth_request);
+ return;
+ }
+
+ if (!gssapi_krb5_userok(request, request->authz_name, FALSE)) {
+ auth_request_log_error(&request->auth_request, "gssapi",
+ "authz_name not authorized");
+ auth_request_fail(&request->auth_request);
+ return;
+ }
+#else
major_status = gss_compare_name(&minor_status,
request->authn_name,
request->authz_name,
&equal_authn_authz);
-#ifdef USE_KRB5_USEROK
- if (equal_authn_authz == 0)
- equal_authn_authz = gssapi_krb5_userok(request);
-#endif
- if (equal_authn_authz == 0) {
+ if (equal_authn_authz != 0) {
auth_request_log_error(&request->auth_request, "gssapi",
"authn_name and authz_name differ: not supported");
auth_request_fail(&request->auth_request);
return;
}
+#endif
#endif
auth_request_success(&request->auth_request, NULL, 0);
}
More information about the dovecot-cvs
mailing list