Line data Source code
1 : /*
2 : * Copyright (c) 2011, PADL Software Pty Ltd.
3 : * All rights reserved.
4 : *
5 : * Redistribution and use in source and binary forms, with or without
6 : * modification, are permitted provided that the following conditions
7 : * are met:
8 : *
9 : * 1. Redistributions of source code must retain the above copyright
10 : * notice, this list of conditions and the following disclaimer.
11 : *
12 : * 2. Redistributions in binary form must reproduce the above copyright
13 : * notice, this list of conditions and the following disclaimer in the
14 : * documentation and/or other materials provided with the distribution.
15 : *
16 : * 3. Neither the name of PADL Software nor the names of its contributors
17 : * may be used to endorse or promote products derived from this software
18 : * without specific prior written permission.
19 : *
20 : * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 : * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 : * SUCH DAMAGE.
31 : */
32 :
33 : #include "mech_locl.h"
34 :
35 : gss_buffer_desc GSSAPI_LIB_VARIABLE __gss_c_attr_local_login_user = {
36 : sizeof("local-login-user") - 1,
37 : "local-login-user"
38 : };
39 :
40 : static OM_uint32
41 0 : mech_authorize_localname(OM_uint32 *minor_status,
42 : const struct _gss_name *name,
43 : const struct _gss_name *user)
44 : {
45 0 : OM_uint32 major_status = GSS_S_NAME_NOT_MN;
46 0 : struct _gss_mechanism_name *mn;
47 :
48 0 : HEIM_TAILQ_FOREACH(mn, &name->gn_mn, gmn_link) {
49 0 : gssapi_mech_interface m = mn->gmn_mech;
50 :
51 0 : if (m->gm_authorize_localname == NULL) {
52 0 : major_status = GSS_S_UNAVAILABLE;
53 0 : continue;
54 : }
55 :
56 0 : major_status = m->gm_authorize_localname(minor_status,
57 0 : mn->gmn_name,
58 : &user->gn_value,
59 0 : user->gn_type);
60 0 : if (major_status != GSS_S_UNAUTHORIZED)
61 0 : break;
62 : }
63 :
64 0 : return major_status;
65 : }
66 :
67 : /*
68 : * Naming extensions based local login authorization.
69 : */
70 : static OM_uint32
71 0 : attr_authorize_localname(OM_uint32 *minor_status,
72 : const struct _gss_name *name,
73 : const struct _gss_name *user)
74 : {
75 0 : OM_uint32 major_status = GSS_S_UNAVAILABLE;
76 0 : int more = -1;
77 :
78 0 : if (!gss_oid_equal(user->gn_type, GSS_C_NT_USER_NAME))
79 0 : return GSS_S_BAD_NAMETYPE;
80 :
81 0 : while (more != 0 && major_status != GSS_S_COMPLETE) {
82 0 : OM_uint32 tmpMajor, tmpMinor;
83 0 : gss_buffer_desc value;
84 0 : gss_buffer_desc display_value;
85 0 : int authenticated = 0, complete = 0;
86 :
87 0 : tmpMajor = gss_get_name_attribute(minor_status,
88 : (gss_name_t)name,
89 : GSS_C_ATTR_LOCAL_LOGIN_USER,
90 : &authenticated,
91 : &complete,
92 : &value,
93 : &display_value,
94 : &more);
95 0 : if (GSS_ERROR(tmpMajor)) {
96 0 : major_status = tmpMajor;
97 0 : break;
98 : }
99 :
100 : /* If attribute is present, return an authoritative error code. */
101 0 : if (authenticated &&
102 0 : value.length == user->gn_value.length &&
103 0 : memcmp(value.value, user->gn_value.value, user->gn_value.length) == 0)
104 0 : major_status = GSS_S_COMPLETE;
105 : else
106 0 : major_status = GSS_S_UNAUTHORIZED;
107 :
108 0 : gss_release_buffer(&tmpMinor, &value);
109 0 : gss_release_buffer(&tmpMinor, &display_value);
110 : }
111 :
112 0 : return major_status;
113 : }
114 :
115 : GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
116 0 : gss_authorize_localname(OM_uint32 *minor_status,
117 : gss_const_name_t gss_name,
118 : gss_const_name_t gss_user)
119 :
120 : {
121 0 : OM_uint32 major_status;
122 0 : const struct _gss_name *name = (const struct _gss_name *) gss_name;
123 0 : const struct _gss_name *user = (const struct _gss_name *) gss_user;
124 0 : int mechAvailable = 0;
125 :
126 0 : *minor_status = 0;
127 :
128 0 : if (gss_name == GSS_C_NO_NAME || gss_user == GSS_C_NO_NAME)
129 0 : return GSS_S_CALL_INACCESSIBLE_READ;
130 :
131 : /*
132 : * We should check that the user name is not a mechanism name, but
133 : * as Heimdal always calls the mechanism's gss_import_name(), it's
134 : * not possible to make this check.
135 : */
136 : #if 0
137 : if (HEIM_TAILQ_FIRST(&user->gn_mn) != NULL)
138 : return GSS_S_BAD_NAME;
139 : #endif
140 :
141 : /* If mech returns yes, we return yes */
142 0 : major_status = mech_authorize_localname(minor_status, name, user);
143 0 : if (major_status == GSS_S_COMPLETE)
144 0 : return GSS_S_COMPLETE;
145 0 : else if (major_status != GSS_S_UNAVAILABLE)
146 0 : mechAvailable = 1;
147 :
148 : /* If attribute exists, it is authoritative */
149 0 : major_status = attr_authorize_localname(minor_status, name, user);
150 0 : if (major_status == GSS_S_COMPLETE || major_status == GSS_S_UNAUTHORIZED)
151 0 : return major_status;
152 :
153 : /* If mechanism did not implement SPI, compare the local name */
154 0 : if (mechAvailable == 0) {
155 0 : int match = 0;
156 :
157 0 : major_status = gss_compare_name(minor_status, gss_name,
158 : gss_user, &match);
159 0 : if (major_status == GSS_S_COMPLETE && match == 0)
160 0 : major_status = GSS_S_UNAUTHORIZED;
161 : }
162 :
163 0 : return major_status;
164 : }
165 :
166 : GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
167 0 : gss_userok(gss_const_name_t name,
168 : const char *user)
169 : {
170 0 : OM_uint32 major_status, minor_status;
171 0 : gss_buffer_desc userBuf;
172 0 : gss_name_t userName;
173 :
174 0 : userBuf.value = (void *)user;
175 0 : userBuf.length = strlen(user);
176 :
177 0 : major_status = gss_import_name(&minor_status, &userBuf,
178 : GSS_C_NT_USER_NAME, &userName);
179 0 : if (GSS_ERROR(major_status))
180 0 : return 0;
181 :
182 0 : major_status = gss_authorize_localname(&minor_status, name, userName);
183 :
184 0 : gss_release_name(&minor_status, &userName);
185 :
186 0 : return (major_status == GSS_S_COMPLETE);
187 : }
|
