authorLuke Howard <lukeh@padl.com>2011-04-09 03:38:07 +0000
committerLuke Howard <lukeh@padl.com>2011-04-09 03:38:07 +0000
commitcbb457a9df5982a0e81a1063da3ea0868081d6ee (patch)
treea9a96af3936928b5f9317d8b8b4771c6fa8f9cec
parente10aea05d0d120e74d77886737892eac1eb02508 (diff)
remove user_ok outparam from gss_authorize_localname
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/moonshot-mechglue-fixes@24867 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/gssapi/generic/gssapi_ext.h3
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.c10
-rw-r--r--src/lib/gssapi/mechglue/g_authorize_localname.c77
-rw-r--r--src/lib/gssapi/mechglue/mglueP.h3
4 files changed, 39 insertions, 54 deletions
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 8fe2d88..c61955e 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -48,8 +48,7 @@ gss_userok(const gss_name_t name,
OM_uint32 KRB5_CALLCONV
gss_authorize_localname(OM_uint32 *minor,
const gss_name_t name,
- const gss_name_t user,
- int *user_ok);
+ const gss_name_t user);
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_with_password(
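Review bot: The prototype change moves the authorization verdict from the removed `int *user_ok` argument into the major status, but the header does not say what a caller should expect from the return value, so readers have to go into the mechglue to learn the contract. A short comment above `gss_authorize_localname(OM_uint32 *minor,` would fix that, e.g. `/* Returns GSS_S_COMPLETE if user may act as name, GSS_S_UNAUTHORIZED if not; any other status is an error. */`. As far as the mechglue hunks in this commit show, those are the only two non-error outcomes.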
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index d752b70..bc02a07 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -800,15 +800,13 @@ static OM_uint32
krb5_gss_authorize_localname(OM_uint32 *minor,
const gss_name_t pname,
gss_const_buffer_t local_user,
- gss_const_OID name_type,
- int *user_ok)
+ gss_const_OID name_type)
{
krb5_context context;
krb5_error_code code;
krb5_gss_name_t kname;
char *user;
-
- *user_ok = 0;
+ int user_ok;
if (name_type != GSS_C_NO_OID &&
!g_OID_equal(name_type, GSS_C_NT_USER_NAME)) {
@@ -838,13 +836,13 @@ krb5_gss_authorize_localname(OM_uint32 *minor,
memcpy(user, local_user->value, local_user->length);
user[local_user->length] = '\0';
- *user_ok = krb5_kuserok(context, kname->princ, user);
+ user_ok = krb5_kuserok(context, kname->princ, user);
free(user);
krb5_free_context(context);
*minor = 0;
- return GSS_S_COMPLETE;
+ return user_ok ? GSS_S_COMPLETE : GSS_S_UNAUTHORIZED;
}
static struct gss_config krb5_mechanism = {
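Review bot: The new denial path `return user_ok ? GSS_S_COMPLETE : GSS_S_UNAUTHORIZED;` leaves `*minor = 0`, so a refused login carries no mechanism-specific minor code that callers or logs could use to explain why krb5_kuserok said no. In the mechglue, mech_authorize_localname calls map_error for every status other than GSS_S_COMPLETE, so this GSS_S_UNAUTHORIZED with a zero minor now takes that path as well; presumably harmless, but worth confirming that map_error tolerates a zero minor. The opening lines of krb5_gss_authorize_localname are in the preceding hunk, outside this one.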
diff --git a/src/lib/gssapi/mechglue/g_authorize_localname.c b/src/lib/gssapi/mechglue/g_authorize_localname.c
index 077938a..286904d 100644
--- a/src/lib/gssapi/mechglue/g_authorize_localname.c
+++ b/src/lib/gssapi/mechglue/g_authorize_localname.c
@@ -46,8 +46,7 @@
static OM_uint32
mech_authorize_localname(OM_uint32 *minor,
const gss_union_name_t unionName,
- const gss_union_name_t unionUser,
- int *user_ok)
+ const gss_union_name_t unionUser)
{
OM_uint32 major = GSS_S_UNAVAILABLE;
gss_mechanism mech;
@@ -63,8 +62,7 @@ mech_authorize_localname(OM_uint32 *minor,
major = mech->gssspi_authorize_localname(minor,
unionName->mech_name,
unionUser->external_name,
- unionUser->name_type,
- user_ok);
+ unionUser->name_type);
if (major != GSS_S_COMPLETE)
map_error(minor, mech);
}
@@ -78,16 +76,12 @@ mech_authorize_localname(OM_uint32 *minor,
static OM_uint32
attr_authorize_localname(OM_uint32 *minor,
const gss_name_t name,
- const gss_union_name_t unionUser,
- int *user_ok)
+ const gss_union_name_t unionUser)
{
- OM_uint32 major = GSS_S_UNAVAILABLE;
- OM_uint32 tmpMinor;
+ OM_uint32 major = GSS_S_UNAVAILABLE; /* attribute not present */
gss_buffer_t externalName;
int more = -1;
- *user_ok = 0;
-
if (unionUser->name_type != GSS_C_NO_OID &&
!g_OID_equal(unionUser->name_type, GSS_C_NT_USER_NAME))
return (GSS_S_BAD_NAMETYPE);
@@ -95,26 +89,31 @@ attr_authorize_localname(OM_uint32 *minor,
externalName = unionUser->external_name;
assert(externalName != GSS_C_NO_BUFFER);
- while (more != 0 && *user_ok == 0) {
+ while (more != 0 && major != GSS_S_COMPLETE) {
+ OM_uint32 tmpMajor, tmpMinor;
gss_buffer_desc value;
gss_buffer_desc display_value;
int authenticated = 0, complete = 0;
- major = gss_get_name_attribute(minor,
- name,
- GSS_C_ATTR_LOCAL_LOGIN_USER,
- &authenticated,
- &complete,
- &value,
- &display_value,
- &more);
- if (GSS_ERROR(major))
+ tmpMajor = gss_get_name_attribute(minor,
+ name,
+ GSS_C_ATTR_LOCAL_LOGIN_USER,
+ &authenticated,
+ &complete,
+ &value,
+ &display_value,
+ &more);
+ if (GSS_ERROR(tmpMajor)) {
+ major = tmpMajor;
break;
+ }
if (authenticated &&
value.length == externalName->length &&
memcmp(value.value, externalName->value, externalName->length) == 0)
- *user_ok = 1;
+ major = GSS_S_COMPLETE;
+ else
+ major = GSS_S_UNAUTHORIZED;
gss_release_buffer(&tmpMinor, &value);
gss_release_buffer(&tmpMinor, &display_value);
@@ -129,16 +128,13 @@ attr_authorize_localname(OM_uint32 *minor,
static OM_uint32
compare_names_authorize_localname(OM_uint32 *minor,
const gss_union_name_t unionName,
- const gss_name_t user,
- int *user_ok)
+ const gss_name_t user)
{
OM_uint32 status, tmpMinor;
gss_name_t canonName;
int match = 0;
- *user_ok = 0;
-
status = gss_canonicalize_name(minor,
user,
unionName->mech_type,
@@ -150,8 +146,8 @@ compare_names_authorize_localname(OM_uint32 *minor,
(gss_name_t)unionName,
canonName,
&match);
- if (status == GSS_S_COMPLETE && match)
- *user_ok = 1; /* remote user is a-ok */
+ if (status == GSS_S_COMPLETE && match == 0)
+ status = GSS_S_UNAUTHORIZED;
(void) gss_release_name(&tmpMinor, &canonName);
@@ -161,21 +157,19 @@ compare_names_authorize_localname(OM_uint32 *minor,
OM_uint32
gss_authorize_localname(OM_uint32 *minor,
const gss_name_t name,
- const gss_name_t user,
- int *user_ok)
+ const gss_name_t user)
{
OM_uint32 major;
gss_union_name_t unionName;
gss_union_name_t unionUser;
- if (minor == NULL || user_ok == NULL)
+ if (minor == NULL)
return (GSS_S_CALL_INACCESSIBLE_WRITE);
if (name == GSS_C_NO_NAME || user == GSS_C_NO_NAME)
return (GSS_S_CALL_INACCESSIBLE_READ);
- *user_ok = 0;
*minor = 0;
unionName = (gss_union_name_t)name;
@@ -185,23 +179,21 @@ gss_authorize_localname(OM_uint32 *minor,
return (GSS_S_BAD_NAME);
/* If mech returns yes, we return yes */
- major = mech_authorize_localname(minor, unionName,
- unionUser, user_ok);
- if (major == GSS_S_COMPLETE && *user_ok)
+ major = mech_authorize_localname(minor, unionName, unionUser);
+ if (major == GSS_S_COMPLETE)
return (GSS_S_COMPLETE);
/* If attribute exists, we evaluate attribute */
- if (attr_authorize_localname(minor, unionName,
- unionUser, user_ok) == GSS_S_COMPLETE)
- return (GSS_S_COMPLETE);
+ major = attr_authorize_localname(minor, unionName, unionUser);
+ if (major == GSS_S_COMPLETE || major == GSS_S_UNAUTHORIZED)
+ return (major);
/* If mech returns unavail, we compare the local name */
if (major == GSS_S_UNAVAILABLE &&
unionName->mech_type != GSS_C_NO_OID) {
major = compare_names_authorize_localname(minor,
unionName,
- unionUser,
- user_ok);
+ unionUser);
}
return (major);
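Review bot: The fallback test at `if (major == GSS_S_UNAVAILABLE &&` now inspects the status of attr_authorize_localname rather than the mechanism's, because the new line `major = attr_authorize_localname(minor, unionName, unionUser);` overwrites the mech result saved a few lines earlier; before this change the attribute call did not touch major. Two consequences follow: a mech that answers GSS_S_UNAUTHORIZED or a hard error has its verdict (and mapped minor) discarded whenever the attribute is absent, and the name comparison then runs even though the comment restricts it to the unavailable case; conversely a mech that is unavailable no longer reaches the comparison if the attribute lookup fails with anything other than GSS_S_UNAVAILABLE, such as the GSS_S_BAD_NAMETYPE return visible in attr_authorize_localname. If the pre-commit dispatch is still what is intended, keep the mech status in a separate variable (declared next to `major`, in the previous hunk) and fall back to it when neither the mech nor the attribute decides. The function's declarations and argument checks are outside this hunk.
```c
    /* If mech returns yes, we return yes */
    major = mech_authorize_localname(minor, unionName, unionUser);
    if (major == GSS_S_COMPLETE)
        return (GSS_S_COMPLETE);
    mechMajor = major;      /* OM_uint32 mechMajor; goes with the other declarations */

    /* If attribute exists, we evaluate attribute */
    major = attr_authorize_localname(minor, unionName, unionUser);
    if (major == GSS_S_COMPLETE || major == GSS_S_UNAUTHORIZED)
        return (major);

    /* If mech returns unavail, we compare the local name */
    if (mechMajor == GSS_S_UNAVAILABLE &&
        unionName->mech_type != GSS_C_NO_OID) {
        major = compare_names_authorize_localname(minor, unionName, unionUser);
    } else {
        major = mechMajor;  /* attribute absent: the mech's own verdict stands */
    }
    /* … unchanged: return (major); … */
```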
@@ -214,7 +206,6 @@ gss_userok(const gss_name_t name,
OM_uint32 major, minor;
gss_buffer_desc userBuf;
gss_name_t userName;
- int user_ok = 0;
userBuf.value = (void *)user;
userBuf.length = strlen(user);
@@ -223,11 +214,9 @@ gss_userok(const gss_name_t name,
if (GSS_ERROR(major))
return (0);
- major = gss_authorize_localname(&minor, name, userName, &user_ok);
- if (GSS_ERROR(major))
- user_ok = 0;
+ major = gss_authorize_localname(&minor, name, userName);
(void) gss_release_name(&minor, &userName);
- return (user_ok);
+ return (major == GSS_S_COMPLETE);
}
diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
index 25e2af4..426b70c 100644
--- a/src/lib/gssapi/mechglue/mglueP.h
+++ b/src/lib/gssapi/mechglue/mglueP.h
@@ -347,8 +347,7 @@ typedef struct gss_config {
OM_uint32 *, /* minor_status */
const gss_name_t, /* pname */
gss_const_buffer_t, /* local user */
- gss_const_OID, /* local nametype */
- int * /* user ok? */
+ gss_const_OID /* local nametype */
/* */);
OM_uint32 (*gss_export_name)
(