authorLuke Howard <lukeh@padl.com>2011-04-07 23:22:40 +0000
committerLuke Howard <lukeh@padl.com>2011-04-07 23:22:40 +0000
commita031a7b53cd901f6066bab056afad748e4cb3adf (patch)
treea412aa4ba9ffb62bbbbc199b2832b428af106fb4 /src/lib/gssapi
parent240dec788828391f11bb25cbda3cace8531e7f02 (diff)
implement gss_authorize_localname
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/moonshot-mechglue-fixes@24855 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/generic/gssapi_ext.h12
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.c33
-rw-r--r--src/lib/gssapi/libgssapi_krb5.exports1
-rw-r--r--src/lib/gssapi/mechglue/g_initialize.c2
-rw-r--r--src/lib/gssapi/mechglue/g_userok.c106
-rw-r--r--src/lib/gssapi/mechglue/mglueP.h12
6 files changed, 102 insertions, 64 deletions
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 5350dd3..8fe2d88 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -41,11 +41,15 @@ gss_pname_to_uid
const gss_OID mech_type,
uid_t *uidOut);
+int KRB5_CALLCONV
+gss_userok(const gss_name_t name,
+ const char *username);
+
OM_uint32 KRB5_CALLCONV
-gss_userok(OM_uint32 *minor,
- const gss_name_t name,
- const char *user,
- int *user_ok);
+gss_authorize_localname(OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_name_t user,
+ int *user_ok);
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_with_password(
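Review bot: The new `gss_userok` prototype carries no comment stating how failures are reported now that the major/minor status of `gss_authorize_localname` is collapsed into a single int; from the definition in g_userok.c on this page, every error is indistinguishable from "not authorized". A comment above the prototype such as `/* Convenience wrapper: non-zero only if NAME is authorized to act as local user USERNAME; any error is reported as 0 (not authorized). */` would pin that contract for callers that previously received `GSS_S_CALL_INACCESSIBLE_READ` and friends. The `gss_acquire_cred_with_password` declaration continues past the hunk.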
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index a503744..02fd64c 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -797,36 +797,47 @@ krb5_gss_pname_to_uid(OM_uint32 *minor,
#endif /* !NO_PASSWORD */
static OM_uint32
-krb5_gss_userok(OM_uint32 *minor,
- const gss_name_t pname,
- const char *local_user,
- int *user_ok)
+krb5_gss_authorize_localname(OM_uint32 *minor,
+ const gss_name_t pname,
+ gss_const_buffer_t local_user,
+ int *user_ok)
{
krb5_context context;
krb5_error_code code;
krb5_gss_name_t kname;
+ char *user;
- *minor = 0;
*user_ok = 0;
+ if (!kg_validate_name(pname)) {
+ *minor = (OM_uint32)G_VALIDATE_FAILED;
+ return GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME;
+ }
+
+ kname = (krb5_gss_name_t)pname;
+
code = krb5_gss_init_context(&context);
if (code != 0) {
*minor = code;
return GSS_S_FAILURE;
}
- if (!kg_validate_name(pname)) {
- *minor = (OM_uint32)G_VALIDATE_FAILED;
+ user = k5alloc(local_user->length + 1, &code);
+ if (user == NULL) {
+ *minor = code;
krb5_free_context(context);
- return GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME;
+ return GSS_S_FAILURE;
}
- kname = (krb5_gss_name_t)pname;
+ memcpy(user, local_user->value, local_user->length);
+ user[local_user->length] = '\0';
- *user_ok = krb5_kuserok(context, kname->princ, local_user);
+ *user_ok = krb5_kuserok(context, kname->princ, user);
+ free(user);
krb5_free_context(context);
+ *minor = 0;
return GSS_S_COMPLETE;
}
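Review bot: The counted buffer copied into `user` before the `krb5_kuserok` call may contain an embedded NUL, while `krb5_kuserok` reads a C string, so a `local_user` value such as `root` followed by a NUL and further bytes would be authorized as `root` — an access-control comparison on a shorter name than the caller supplied. Reject such input before the copy, right after the `kg_validate_name` check: `if (local_user == NULL || memchr(local_user->value, '\0', local_user->length) != NULL) { *minor = 0; return GSS_S_BAD_NAME; }`. The NULL test also covers the otherwise unguarded `local_user->length` dereference at the `k5alloc` call. Whether mechglue already guarantees a non-NULL, NUL-free buffer at this boundary is not visible from this page, so the check is cheap insurance either way.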
@@ -881,7 +892,7 @@ static struct gss_config krb5_mechanism = {
#else
krb5_gss_pname_to_uid,
#endif
- krb5_gss_userok,
+ krb5_gss_authorize_localname,
krb5_gss_export_name,
krb5_gss_duplicate_name,
krb5_gss_store_cred,
diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
index 4b767da..2f85a71 100644
--- a/src/lib/gssapi/libgssapi_krb5.exports
+++ b/src/lib/gssapi/libgssapi_krb5.exports
@@ -43,6 +43,7 @@ gss_add_buffer_set_member
gss_add_cred
gss_add_cred_impersonate_name
gss_add_oid_set_member
+gss_authorize_localname
gss_canonicalize_name
gss_compare_name
gss_complete_auth_token
diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
index c29ec4a..d351569 100644
--- a/src/lib/gssapi/mechglue/g_initialize.c
+++ b/src/lib/gssapi/mechglue/g_initialize.c
@@ -777,7 +777,7 @@ build_dynamicMech(void *dl, const gss_OID mech_type)
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_internal_release_oid);
GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_wrap_size_limit);
GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_pname_to_uid);
- GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_userok);
+ GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_authorize_localname);
GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_export_name);
GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_duplicate_name);
GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_store_cred);
diff --git a/src/lib/gssapi/mechglue/g_userok.c b/src/lib/gssapi/mechglue/g_userok.c
index 318c7cc..ff2f23a 100644
--- a/src/lib/gssapi/mechglue/g_userok.c
+++ b/src/lib/gssapi/mechglue/g_userok.c
@@ -44,10 +44,10 @@
#include <gssapi/gssapi.h>
static OM_uint32
-mech_userok(OM_uint32 *minor,
- const gss_union_name_t unionName,
- const char *user,
- int *user_ok)
+mech_authorize_localname(OM_uint32 *minor,
+ const gss_union_name_t unionName,
+ gss_const_buffer_t user,
+ int *user_ok)
{
OM_uint32 major = GSS_S_UNAVAILABLE;
gss_mechanism mech;
@@ -60,8 +60,9 @@ mech_userok(OM_uint32 *minor,
if (mech == NULL)
return (GSS_S_UNAVAILABLE);
- if (mech->gss_userok) {
- major = mech->gss_userok(minor, unionName->mech_name, user, user_ok);
+ if (mech->gss_authorize_localname) {
+ major = mech->gss_authorize_localname(minor, unionName->mech_name,
+ user, user_ok);
if (major != GSS_S_COMPLETE)
map_error(minor, mech);
}
@@ -73,14 +74,13 @@ mech_userok(OM_uint32 *minor,
* Naming extensions based local login authorization.
*/
static OM_uint32
-attr_userok(OM_uint32 *minor,
- const gss_name_t name,
- const char *user,
- int *user_ok)
+attr_authorize_localname(OM_uint32 *minor,
+ const gss_name_t name,
+ gss_const_buffer_t user,
+ int *user_ok)
{
OM_uint32 major = GSS_S_UNAVAILABLE;
OM_uint32 tmpMinor;
- size_t userLen = strlen(user);
int more = -1;
*user_ok = 0;
@@ -102,8 +102,8 @@ attr_userok(OM_uint32 *minor,
break;
if (authenticated &&
- value.length == userLen &&
- memcmp(value.value, user, userLen) == 0)
+ value.length == user->length &&
+ memcmp(value.value, user->value, user->length) == 0)
*user_ok = 1;
gss_release_buffer(&tmpMinor, &value);
@@ -117,32 +117,27 @@ attr_userok(OM_uint32 *minor,
* Equality based local login authorization.
*/
static OM_uint32
-compare_names_userok(OM_uint32 *minor,
- const gss_OID mech_type,
- const gss_name_t name,
- const char *user,
- int *user_ok)
+compare_names_authorize_localname(OM_uint32 *minor,
+ const gss_OID mech_type,
+ const gss_name_t name,
+ gss_const_buffer_t user,
+ int *user_ok)
{
OM_uint32 status, tmpMinor;
gss_name_t imported_name;
gss_name_t canon_name;
- gss_buffer_desc gss_user;
int match = 0;
*user_ok = 0;
- gss_user.value = (void *)user;
- if (gss_user.value == NULL ||
- name == GSS_C_NO_NAME ||
- mech_type == GSS_C_NO_OID)
+ if (mech_type == GSS_C_NO_OID)
return (GSS_S_BAD_NAME);
- gss_user.length = strlen(gss_user.value);
status = gss_import_name(minor,
- &gss_user,
- GSS_C_NT_USER_NAME,
- &imported_name);
+ (gss_buffer_t)user,
+ GSS_C_NT_USER_NAME,
+ &imported_name);
if (status != GSS_S_COMPLETE) {
goto out;
}
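Review bot: The `(gss_buffer_t)user` argument to `gss_import_name` casts away the const that the new `gss_const_buffer_t` parameter advertises, and nothing tells the reader why. If `gss_import_name` in this tree simply lacks a const-qualified buffer parameter (its prototype is not on this page), a comment on that line such as `/* gss_import_name lacks a const buffer parameter; it only reads the buffer */` would mark the cast as deliberate — confirm the second half against the implementation before writing it. The dropped `name == GSS_C_NO_NAME` guard now relies on `gss_authorize_localname` rejecting a missing name before calling here, which this commit does. The function continues past the hunk.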
@@ -171,42 +166,77 @@ out:
return (status);
}
-
OM_uint32
-gss_userok(OM_uint32 *minor,
- const gss_name_t name,
- const char *user,
- int *user_ok)
+gss_authorize_localname(OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_name_t user,
+ int *user_ok)
{
OM_uint32 major;
gss_union_name_t unionName;
+ gss_union_name_t unionUser;
if (minor == NULL || user_ok == NULL)
return (GSS_S_CALL_INACCESSIBLE_WRITE);
- if (name == NULL || user == NULL)
+ if (name == GSS_C_NO_NAME || user == GSS_C_NO_NAME)
return (GSS_S_CALL_INACCESSIBLE_READ);
*user_ok = 0;
*minor = 0;
unionName = (gss_union_name_t)name;
+ unionUser = (gss_union_name_t)user;
+
+ if (unionUser->mech_type != GSS_C_NO_OID)
+ return (GSS_S_BAD_NAME);
/* If mech returns yes, we return yes */
- major = mech_userok(minor, unionName, user, user_ok);
+ major = mech_authorize_localname(minor, unionName,
+ unionUser->external_name, user_ok);
if (major == GSS_S_COMPLETE && *user_ok)
return (GSS_S_COMPLETE);
/* If attribute exists, we evaluate attribute */
- if (attr_userok(minor, name, user, user_ok) == GSS_S_COMPLETE)
+ if (attr_authorize_localname(minor, name,
+ unionUser->external_name,
+ user_ok) == GSS_S_COMPLETE)
return (GSS_S_COMPLETE);
/* If mech returns unavail, we compare the local name */
if (major == GSS_S_UNAVAILABLE) {
- major = compare_names_userok(minor, unionName->mech_type,
- name, user, user_ok);
+ major = compare_names_authorize_localname(minor,
+ unionName->mech_type,
+ name,
+ unionUser->external_name,
+ user_ok);
}
return (major);
-} /* gss_userok */
+}
+
+int
+gss_userok(const gss_name_t name,
+ const char *user)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc userBuf;
+ gss_name_t userName;
+ int user_ok = 0;
+
+ userBuf.value = (void *)user;
+ userBuf.length = strlen(user);
+
+ major = gss_import_name(&minor, &userBuf, GSS_C_NO_OID, &userName);
+ if (GSS_ERROR(major))
+ return (0);
+
+ major = gss_authorize_localname(&minor, name, userName, &user_ok);
+ if (GSS_ERROR(major))
+ user_ok = 0;
+
+ (void) gss_release_name(&minor, &userName);
+
+ return (user_ok);
+}
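Review bot: The new `gss_userok` calls `strlen(user)` with no NULL check, whereas the `gss_userok` it replaces returned `GSS_S_CALL_INACCESSIBLE_READ` for a NULL `user`; an existing caller relying on that now gets undefined behavior instead of a refusal. Add `if (user == NULL) return (0);` before the `userBuf` assignments (a NULL `name` is still rejected by `gss_authorize_localname`). Separately, `gss_authorize_localname` only verifies that `user` is not a mechanism name (`mech_type != GSS_C_NO_OID`) and then hands its raw `external_name` bytes to the mechanism and to the byte-wise attribute comparison regardless of `name_type`; if only names imported as user names are meant to be accepted, that constraint should be checked or at least stated in a comment at the `unionUser` assignment.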
diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
index fc7013e..f142274 100644
--- a/src/lib/gssapi/mechglue/mglueP.h
+++ b/src/lib/gssapi/mechglue/mglueP.h
@@ -342,11 +342,11 @@ typedef struct gss_config {
const gss_OID, /* mech_type */
uid_t * /* uid */
);
- OM_uint32 (*gss_userok)
+ OM_uint32 (*gss_authorize_localname)
(
OM_uint32 *, /* minor_status */
const gss_name_t, /* pname */
- const char *, /* local user */
+ gss_const_buffer_t, /* local user */
int * /* user ok? */
/* */);
OM_uint32 (*gss_export_name)
@@ -723,14 +723,6 @@ gssint_get_mechanisms(
int arrayLen /* length of passed in array */
);
-OM_uint32
-gssint_userok(
- OM_uint32 *, /* minor */
- const gss_name_t, /* name */
- const char *, /* user */
- int * /* user_ok */
-);
-
int
gssint_get_der_length(
unsigned char **, /* buf */