dovecot-1.2: gssapi: Fail authentication if mechanism type isn't...

dovecot at dovecot.org dovecot at dovecot.org
Mon Jul 27 05:14:07 EEST 2009


details:   http://hg.dovecot.org/dovecot-1.2/rev/b36b0291e1c1
changeset: 9258:b36b0291e1c1
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Jul 26 22:13:53 2009 -0400
description:
gssapi: Fail authentication if mechanism type isn't Kerberos 5.
Also check GSS_KRB5_NT_PRINCIPAL_NAME more correctly.

diffstat:

1 file changed, 18 insertions(+), 5 deletions(-)
src/auth/mech-gssapi.c |   23 ++++++++++++++++++-----

diffs (66 lines):

diff -r 1b3e90e829de -r b36b0291e1c1 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c	Sun Jul 26 22:00:46 2009 -0400
+++ b/src/auth/mech-gssapi.c	Sun Jul 26 22:13:53 2009 -0400
@@ -228,6 +228,13 @@ static int get_display_name(struct auth_
 	return 0;
 }
 
+static bool mech_gssapi_oid_cmp(const gss_OID_desc *oid1,
+				const gss_OID_desc *oid2)
+{
+	return oid1->length == oid2->length &&
+		memcmp(oid1->elements, oid2->elements, oid1->length) == 0;
+}
+
 static int
 mech_gssapi_sec_context(struct gssapi_auth_request *request,
 			gss_buffer_desc inbuf)
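Review bot: mech_gssapi_oid_cmp dereferences both arguments unconditionally, yet both of its call sites in this commit pass OIDs that the GSS library hands back as output parameters (mech_type from gss_accept_sec_context, name_type from get_display_name), and a library may report such an OID as GSS_C_NO_OID, i.e. NULL; the old pointer comparison in mech_gssapi_krb5_userok tolerated that, the new memcmp path would crash. Adding `if (oid1 == GSS_C_NO_OID || oid2 == GSS_C_NO_OID) return oid1 == oid2;` as the first line of the helper covers both the mech_type compare and the name_type compare. A header comment such as `/* Compare two GSS-API OIDs by value: pointer identity is not guaranteed across GSS implementations. */` would also record why memcmp replaces `==` here.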
@@ -236,6 +243,7 @@ mech_gssapi_sec_context(struct gssapi_au
 	OM_uint32 major_status, minor_status;
 	gss_buffer_desc output_token;
 	gss_OID name_type;
+	gss_OID mech_type;
 	const char *username, *error;
 	int ret = 0;
 
@@ -246,13 +254,13 @@ mech_gssapi_sec_context(struct gssapi_au
 		&inbuf,
 		GSS_C_NO_CHANNEL_BINDINGS,
 		&request->authn_name, 
-		NULL, /* mech_type */
+		&mech_type,
 		&output_token,
 		NULL, /* ret_flags */
 		NULL, /* time_rec */
 		NULL  /* delegated_cred_handle */
 	);
-	
+
 	if (GSS_ERROR(major_status)) {
 		mech_gssapi_log_error(auth_request, major_status,
 				      GSS_C_GSS_CODE,
@@ -265,8 +273,12 @@ mech_gssapi_sec_context(struct gssapi_au
 
 	switch (major_status) {
 	case GSS_S_COMPLETE:
-		if (!get_display_name(auth_request, request->authn_name,
-				      &name_type, &username) < 0)
+		if (!mech_gssapi_oid_cmp(mech_type, gss_mech_krb5)) {
+			auth_request_log_info(auth_request, "gssapi",
+					      "GSSAPI mechanism not Kerberos5");
+			ret = -1;
+		} else if (!get_display_name(auth_request, request->authn_name,
+					     &name_type, &username) < 0)
 			ret = -1;
 		else if (!auth_request_set_username(auth_request, username,
 						    &error)) {
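Review bot: The `else if (!get_display_name(...) < 0)` condition carried over to the new side can never be true: `!` binds tighter than `<`, so the operand is 0 or 1 and a failing get_display_name is never detected, letting the next branch call auth_request_set_username with a `username` that the failed call presumably never set (get_display_name's body is outside this hunk). Drop the negation: `} else if (get_display_name(auth_request, request->authn_name, &name_type, &username) < 0)`. Separately, comparing mech_type only against gss_mech_krb5 may reject sessions where the library negotiated one of the legacy Kerberos OID variants that MIT also exports (gss_mech_krb5_old, gss_mech_krb5_wrong); whether that can happen with the accept path here is not visible from the hunk, but it is worth a comment at the check. The switch and the function continue outside the hunk.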
@@ -360,7 +372,8 @@ mech_gssapi_krb5_userok(struct gssapi_au
 			      &princ_display_name) < 0)
 		return FALSE;
 
-	if (name_type != GSS_KRB5_NT_PRINCIPAL_NAME && check_name_type) {
+	if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) &&
+	    check_name_type) {
 		auth_request_log_info(&request->auth_request, "gssapi",
 				      "OID not kerberos principal name");
 		return FALSE;
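Review bot: The condition evaluates mech_gssapi_oid_cmp before check_name_type, so the OID comparison (and any dereference of name_type) runs even when the check is disabled; reversing the operands, `if (check_name_type && !mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {`, makes the intent read first and skips the compare when it is not wanted. The enclosing function mech_gssapi_krb5_userok starts and continues outside the hunk.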

