[CalendarServer-changes] [2449] PyKerberos/branches/more-kerberos/src
source_changes at macosforge.org
Thu May 22 19:18:54 PDT 2008
Revision: 2449
http://trac.macosforge.org/projects/calendarserver/changeset/2449
Author: wsanchez at apple.com
Date: 2008-05-22 19:18:53 -0700 (Thu, 22 May 2008)
Log Message:
-----------
Undo the indent change; it made merging harder, not easier. Sigh.
Modified Paths:
--------------
PyKerberos/branches/more-kerberos/src/base64.c
PyKerberos/branches/more-kerberos/src/kerberos.c
PyKerberos/branches/more-kerberos/src/kerberosbasic.c
PyKerberos/branches/more-kerberos/src/kerberosgss.c
PyKerberos/branches/more-kerberos/src/kerberosgss.h
Modified: PyKerberos/branches/more-kerberos/src/base64.c
===================================================================
--- PyKerberos/branches/more-kerberos/src/base64.c 2008-05-23 02:17:38 UTC (rev 2448)
+++ PyKerberos/branches/more-kerberos/src/base64.c 2008-05-23 02:18:53 UTC (rev 2449)
@@ -23,7 +23,7 @@
// base64 tables
static char basis_64[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static signed char index_64[128] =
{
-1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
@@ -44,25 +44,25 @@
// (result) : new char[] - c-str of result
char *base64_encode(const unsigned char *value, int vlen)
{
- char *result = (char *)malloc((vlen * 4) / 3 + 5);
- char *out = result;
+ char *result = (char *)malloc((vlen * 4) / 3 + 5);
+ char *out = result;
while (vlen >= 3)
{
- *out++ = basis_64[value[0] >> 2];
- *out++ = basis_64[((value[0] << 4) & 0x30) | (value[1] >> 4)];
- *out++ = basis_64[((value[1] << 2) & 0x3C) | (value[2] >> 6)];
- *out++ = basis_64[value[2] & 0x3F];
- value += 3;
- vlen -= 3;
+ *out++ = basis_64[value[0] >> 2];
+ *out++ = basis_64[((value[0] << 4) & 0x30) | (value[1] >> 4)];
+ *out++ = basis_64[((value[1] << 2) & 0x3C) | (value[2] >> 6)];
+ *out++ = basis_64[value[2] & 0x3F];
+ value += 3;
+ vlen -= 3;
}
if (vlen > 0)
{
- *out++ = basis_64[value[0] >> 2];
- unsigned char oval = (value[0] << 4) & 0x30;
- if (vlen > 1) oval |= value[1] >> 4;
- *out++ = basis_64[oval];
- *out++ = (vlen < 2) ? '=' : basis_64[(value[1] << 2) & 0x3C];
- *out++ = '=';
+ *out++ = basis_64[value[0] >> 2];
+ unsigned char oval = (value[0] << 4) & 0x30;
+ if (vlen > 1) oval |= value[1] >> 4;
+ *out++ = basis_64[oval];
+ *out++ = (vlen < 2) ? '=' : basis_64[(value[1] << 2) & 0x3C];
+ *out++ = '=';
}
*out = '\0';
@@ -79,44 +79,44 @@
*rlen = 0;
int c1, c2, c3, c4;
- int vlen = strlen(value);
- unsigned char *result =(unsigned char *)malloc((vlen * 3) / 4 + 1);
- unsigned char *out = result;
+ int vlen = strlen(value);
+ unsigned char *result =(unsigned char *)malloc((vlen * 3) / 4 + 1);
+ unsigned char *out = result;
- while (1)
+ while (1)
{
if (value[0]==0)
- return result;
- c1 = value[0];
- if (CHAR64(c1) == -1)
- goto base64_decode_error;;
- c2 = value[1];
- if (CHAR64(c2) == -1)
- goto base64_decode_error;;
- c3 = value[2];
- if ((c3 != '=') && (CHAR64(c3) == -1))
- goto base64_decode_error;;
- c4 = value[3];
- if ((c4 != '=') && (CHAR64(c4) == -1))
- goto base64_decode_error;;
+ return result;
+ c1 = value[0];
+ if (CHAR64(c1) == -1)
+ goto base64_decode_error;;
+ c2 = value[1];
+ if (CHAR64(c2) == -1)
+ goto base64_decode_error;;
+ c3 = value[2];
+ if ((c3 != '=') && (CHAR64(c3) == -1))
+ goto base64_decode_error;;
+ c4 = value[3];
+ if ((c4 != '=') && (CHAR64(c4) == -1))
+ goto base64_decode_error;;
- value += 4;
- *out++ = (CHAR64(c1) << 2) | (CHAR64(c2) >> 4);
- *rlen += 1;
- if (c3 != '=')
- {
- *out++ = ((CHAR64(c2) << 4) & 0xf0) | (CHAR64(c3) >> 2);
- *rlen += 1;
- if (c4 != '=')
- {
- *out++ = ((CHAR64(c3) << 6) & 0xc0) | CHAR64(c4);
- *rlen += 1;
- }
- }
+ value += 4;
+ *out++ = (CHAR64(c1) << 2) | (CHAR64(c2) >> 4);
+ *rlen += 1;
+ if (c3 != '=')
+ {
+ *out++ = ((CHAR64(c2) << 4) & 0xf0) | (CHAR64(c3) >> 2);
+ *rlen += 1;
+ if (c4 != '=')
+ {
+ *out++ = ((CHAR64(c3) << 6) & 0xc0) | CHAR64(c4);
+ *rlen += 1;
+ }
+ }
}
base64_decode_error:
- *result = 0;
- *rlen = 0;
- return result;
+ *result = 0;
+ *rlen = 0;
+ return result;
}
Modified: PyKerberos/branches/more-kerberos/src/kerberos.c
===================================================================
--- PyKerberos/branches/more-kerberos/src/kerberos.c 2008-05-23 02:17:38 UTC (rev 2448)
+++ PyKerberos/branches/more-kerberos/src/kerberos.c 2008-05-23 02:18:53 UTC (rev 2449)
@@ -38,10 +38,10 @@
result = authenticate_user_krb5pwd(user, pswd, service, default_realm);
- if (result)
- return Py_INCREF(Py_True), Py_True;
- else
- return NULL;
+ if (result)
+ return Py_INCREF(Py_True), Py_True;
+ else
+ return NULL;
}
static PyObject *getServerPrincipalDetails(PyObject *self, PyObject *args)
@@ -53,7 +53,7 @@
if (!PyArg_ParseTuple(args, "ss", &service, &hostname))
return NULL;
- result = server_principal_details(service, hostname);
+ result = server_principal_details(service, hostname);
if (result != NULL)
{
@@ -61,26 +61,26 @@
free(result);
return pyresult;
}
- else
- return NULL;
+ else
+ return NULL;
}
static PyObject *authGSSClientInit(PyObject *self, PyObject *args)
{
const char *service;
gss_client_state *state;
- PyObject *pystate;
+ PyObject *pystate;
int result = 0;
if (!PyArg_ParseTuple(args, "s", &service))
return NULL;
- state = (gss_client_state *) malloc(sizeof(gss_client_state));
- pystate = PyCObject_FromVoidPtr(state, NULL);
+ state = (gss_client_state *) malloc(sizeof(gss_client_state));
+ pystate = PyCObject_FromVoidPtr(state, NULL);
- result = authenticate_gss_client_init(service, state);
- if (result == AUTH_GSS_ERROR)
- return NULL;
+ result = authenticate_gss_client_init(service, state);
+ if (result == AUTH_GSS_ERROR)
+ return NULL;
return Py_BuildValue("(iO)", result, pystate);
}
@@ -88,20 +88,20 @@
static PyObject *authGSSClientClean(PyObject *self, PyObject *args)
{
gss_client_state *state;
- PyObject *pystate;
+ PyObject *pystate;
int result = 0;
if (!PyArg_ParseTuple(args, "O", &pystate) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
- if (state != NULL)
- {
- result = authenticate_gss_client_clean(state);
+ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+ if (state != NULL)
+ {
+ result = authenticate_gss_client_clean(state);
- free(state);
- PyCObject_SetVoidPtr(pystate, NULL);
- }
+ free(state);
+ PyCObject_SetVoidPtr(pystate, NULL);
+ }
return Py_BuildValue("i", result);
}
@@ -109,20 +109,20 @@
static PyObject *authGSSClientStep(PyObject *self, PyObject *args)
{
gss_client_state *state;
- PyObject *pystate;
- char *challenge;
+ PyObject *pystate;
+ char *challenge;
int result = 0;
if (!PyArg_ParseTuple(args, "Os", &pystate, &challenge) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
- result = authenticate_gss_client_step(state, challenge);
- if (result == AUTH_GSS_ERROR)
- return NULL;
+ result = authenticate_gss_client_step(state, challenge);
+ if (result == AUTH_GSS_ERROR)
+ return NULL;
return Py_BuildValue("i", result);
}
@@ -130,14 +130,14 @@
static PyObject *authGSSClientResponse(PyObject *self, PyObject *args)
{
gss_client_state *state;
- PyObject *pystate;
+ PyObject *pystate;
if (!PyArg_ParseTuple(args, "O", &pystate) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
return Py_BuildValue("s", state->response);
}
@@ -145,76 +145,76 @@
static PyObject *authGSSClientUserName(PyObject *self, PyObject *args)
{
gss_client_state *state;
- PyObject *pystate;
+ PyObject *pystate;
if (!PyArg_ParseTuple(args, "O", &pystate) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
return Py_BuildValue("s", state->username);
}
static PyObject *authGSSClientUnwrap(PyObject *self, PyObject *args)
{
- gss_client_state *state;
- PyObject *pystate;
- char *challenge;
- int result = 0;
+ gss_client_state *state;
+ PyObject *pystate;
+ char *challenge;
+ int result = 0;
- if (!PyArg_ParseTuple(args, "Os", &pystate, &challenge) || !PyCObject_Check(pystate))
- return NULL;
+ if (!PyArg_ParseTuple(args, "Os", &pystate, &challenge) || !PyCObject_Check(pystate))
+ return NULL;
- state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
- result = authenticate_gss_client_unwrap(state, challenge);
- if (result == AUTH_GSS_ERROR)
- return NULL;
+ result = authenticate_gss_client_unwrap(state, challenge);
+ if (result == AUTH_GSS_ERROR)
+ return NULL;
- return Py_BuildValue("i", result);
+ return Py_BuildValue("i", result);
}
static PyObject *authGSSClientWrap(PyObject *self, PyObject *args)
{
- gss_client_state *state;
- PyObject *pystate;
- char *challenge, *user;
- int result = 0;
+ gss_client_state *state;
+ PyObject *pystate;
+ char *challenge, *user;
+ int result = 0;
- if (!PyArg_ParseTuple(args, "Oss", &pystate, &challenge, &user) || !PyCObject_Check(pystate))
- return NULL;
+ if (!PyArg_ParseTuple(args, "Oss", &pystate, &challenge, &user) || !PyCObject_Check(pystate))
+ return NULL;
- state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
- result = authenticate_gss_client_wrap(state, challenge, user);
- if (result == AUTH_GSS_ERROR)
- return NULL;
+ result = authenticate_gss_client_wrap(state, challenge, user);
+ if (result == AUTH_GSS_ERROR)
+ return NULL;
- return Py_BuildValue("i", result);
+ return Py_BuildValue("i", result);
}
static PyObject *authGSSServerInit(PyObject *self, PyObject *args)
{
const char *service;
gss_server_state *state;
- PyObject *pystate;
+ PyObject *pystate;
int result = 0;
if (!PyArg_ParseTuple(args, "s", &service))
return NULL;
- state = (gss_server_state *) malloc(sizeof(gss_server_state));
- pystate = PyCObject_FromVoidPtr(state, NULL);
+ state = (gss_server_state *) malloc(sizeof(gss_server_state));
+ pystate = PyCObject_FromVoidPtr(state, NULL);
- result = authenticate_gss_server_init(service, state);
- if (result == AUTH_GSS_ERROR)
- return NULL;
+ result = authenticate_gss_server_init(service, state);
+ if (result == AUTH_GSS_ERROR)
+ return NULL;
return Py_BuildValue("(iO)", result, pystate);
}
@@ -222,20 +222,20 @@
static PyObject *authGSSServerClean(PyObject *self, PyObject *args)
{
gss_server_state *state;
- PyObject *pystate;
+ PyObject *pystate;
int result = 0;
if (!PyArg_ParseTuple(args, "O", &pystate) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
- if (state != NULL)
- {
- result = authenticate_gss_server_clean(state);
+ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
+ if (state != NULL)
+ {
+ result = authenticate_gss_server_clean(state);
- free(state);
- PyCObject_SetVoidPtr(pystate, NULL);
- }
+ free(state);
+ PyCObject_SetVoidPtr(pystate, NULL);
+ }
return Py_BuildValue("i", result);
}
@@ -243,20 +243,20 @@
static PyObject *authGSSServerStep(PyObject *self, PyObject *args)
{
gss_server_state *state;
- PyObject *pystate;
- char *challenge;
+ PyObject *pystate;
+ char *challenge;
int result = 0;
if (!PyArg_ParseTuple(args, "Os", &pystate, &challenge) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
- result = authenticate_gss_server_step(state, challenge);
- if (result == AUTH_GSS_ERROR)
- return NULL;
+ result = authenticate_gss_server_step(state, challenge);
+ if (result == AUTH_GSS_ERROR)
+ return NULL;
return Py_BuildValue("i", result);
}
@@ -264,14 +264,14 @@
static PyObject *authGSSServerResponse(PyObject *self, PyObject *args)
{
gss_server_state *state;
- PyObject *pystate;
+ PyObject *pystate;
if (!PyArg_ParseTuple(args, "O", &pystate) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
return Py_BuildValue("s", state->response);
}
@@ -279,47 +279,47 @@
static PyObject *authGSSServerUserName(PyObject *self, PyObject *args)
{
gss_server_state *state;
- PyObject *pystate;
+ PyObject *pystate;
if (!PyArg_ParseTuple(args, "O", &pystate) || !PyCObject_Check(pystate))
return NULL;
- state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
- if (state == NULL)
- return NULL;
+ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate);
+ if (state == NULL)
+ return NULL;
return Py_BuildValue("s", state->username);
}
static PyMethodDef KerberosMethods[] = {
{"checkPassword", checkPassword, METH_VARARGS,
- "Check the supplied user/password against Kerberos KDC."},
+ "Check the supplied user/password against Kerberos KDC."},
{"getServerPrincipalDetails", getServerPrincipalDetails, METH_VARARGS,
- "Return the service principal for a given service and hostname."},
+ "Return the service principal for a given service and hostname."},
{"authGSSClientInit", authGSSClientInit, METH_VARARGS,
- "Initialize client-side GSSAPI operations."},
+ "Initialize client-side GSSAPI operations."},
{"authGSSClientClean", authGSSClientClean, METH_VARARGS,
- "Terminate client-side GSSAPI operations."},
+ "Terminate client-side GSSAPI operations."},
{"authGSSClientStep", authGSSClientStep, METH_VARARGS,
- "Do a client-side GSSAPI step."},
+ "Do a client-side GSSAPI step."},
{"authGSSClientResponse", authGSSClientResponse, METH_VARARGS,
- "Get the response from the last client-side GSSAPI step."},
+ "Get the response from the last client-side GSSAPI step."},
{"authGSSClientUserName", authGSSClientUserName, METH_VARARGS,
- "Get the user name from the last client-side GSSAPI step."},
- {"authGSSClientWrap", authGSSClientWrap, METH_VARARGS,
- "Do a GSSAPI wrap."},
- {"authGSSClientUnwrap", authGSSClientUnwrap, METH_VARARGS,
- "Do a GSSAPI unwrap."},
- {"authGSSServerInit", authGSSServerInit, METH_VARARGS,
- "Initialize server-side GSSAPI operations."},
+ "Get the user name from the last client-side GSSAPI step."},
+ {"authGSSClientWrap", authGSSClientWrap, METH_VARARGS,
+ "Do a GSSAPI wrap."},
+ {"authGSSClientUnwrap", authGSSClientUnwrap, METH_VARARGS,
+ "Do a GSSAPI unwrap."},
+ {"authGSSServerInit", authGSSServerInit, METH_VARARGS,
+ "Initialize server-side GSSAPI operations."},
{"authGSSServerClean", authGSSServerClean, METH_VARARGS,
- "Terminate server-side GSSAPI operations."},
+ "Terminate server-side GSSAPI operations."},
{"authGSSServerStep", authGSSServerStep, METH_VARARGS,
- "Do a server-side GSSAPI step."},
+ "Do a server-side GSSAPI step."},
{"authGSSServerResponse", authGSSServerResponse, METH_VARARGS,
- "Get the response from the last server-side GSSAPI step."},
+ "Get the response from the last server-side GSSAPI step."},
{"authGSSServerUserName", authGSSServerUserName, METH_VARARGS,
- "Get the user name from the last server-side GSSAPI step."},
+ "Get the user name from the last server-side GSSAPI step."},
{NULL, NULL, 0, NULL} /* Sentinel */
};
@@ -344,7 +344,7 @@
PyDict_SetItemString(d, "BasicAuthError", BasicAuthException_class);
if (!(GssException_class = PyErr_NewException("kerberos.GSSError", KrbException_class, NULL)))
- goto error;
+ goto error;
Py_INCREF(GssException_class);
PyDict_SetItemString(d, "GSSError", GssException_class);
@@ -353,5 +353,5 @@
error:
if (PyErr_Occurred())
- PyErr_SetString(PyExc_ImportError, "kerberos: init failed");
+ PyErr_SetString(PyExc_ImportError, "kerberos: init failed");
}
Modified: PyKerberos/branches/more-kerberos/src/kerberosbasic.c
===================================================================
--- PyKerberos/branches/more-kerberos/src/kerberosbasic.c 2008-05-23 02:17:38 UTC (rev 2448)
+++ PyKerberos/branches/more-kerberos/src/kerberosbasic.c 2008-05-23 02:18:53 UTC (rev 2449)
@@ -32,122 +32,122 @@
int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm)
{
- krb5_context kcontext = NULL;
- krb5_error_code code;
- krb5_principal client = NULL;
- krb5_principal server = NULL;
- int ret = 0;
- char *name = NULL;
- char *p = NULL;
+ krb5_context kcontext = NULL;
+ krb5_error_code code;
+ krb5_principal client = NULL;
+ krb5_principal server = NULL;
+ int ret = 0;
+ char *name = NULL;
+ char *p = NULL;
- code = krb5_init_context(&kcontext);
- if (code)
- {
- PyErr_SetObject(BasicAuthException_class, Py_BuildValue("((s:i))",
- "Cannot initialize Kerberos5 context", code));
- return 0;
- }
+ code = krb5_init_context(&kcontext);
+ if (code)
+ {
+ PyErr_SetObject(BasicAuthException_class, Py_BuildValue("((s:i))",
+ "Cannot initialize Kerberos5 context", code));
+ return 0;
+ }
- ret = krb5_parse_name (kcontext, service, &server);
+ ret = krb5_parse_name (kcontext, service, &server);
- if (ret)
- {
- set_basicauth_error(kcontext, ret);
- ret = 0;
- goto end;
- }
+ if (ret)
+ {
+ set_basicauth_error(kcontext, ret);
+ ret = 0;
+ goto end;
+ }
- code = krb5_unparse_name(kcontext, server, &name);
- if (code)
- {
- set_basicauth_error(kcontext, code);
- ret = 0;
- goto end;
- }
+ code = krb5_unparse_name(kcontext, server, &name);
+ if (code)
+ {
+ set_basicauth_error(kcontext, code);
+ ret = 0;
+ goto end;
+ }
#ifdef PRINTFS
- printf("Using %s as server principal for password verification\n", name);
+ printf("Using %s as server principal for password verification\n", name);
#endif
- free(name);
- name = NULL;
+ free(name);
+ name = NULL;
- name = (char *)malloc(256);
- p = strchr(user, '@');
- if (p == NULL)
- {
- snprintf(name, 256, "%s@%s", user, default_realm);
- }
- else
- {
- snprintf(name, 256, "%s", user);
- }
+ name = (char *)malloc(256);
+ p = strchr(user, '@');
+ if (p == NULL)
+ {
+ snprintf(name, 256, "%s@%s", user, default_realm);
+ }
+ else
+ {
+ snprintf(name, 256, "%s", user);
+ }
- code = krb5_parse_name(kcontext, name, &client);
- if (code)
- {
- set_basicauth_error(kcontext, code);
- ret = 0;
- goto end;
- }
+ code = krb5_parse_name(kcontext, name, &client);
+ if (code)
+ {
+ set_basicauth_error(kcontext, code);
+ ret = 0;
+ goto end;
+ }
- code = verify_krb5_user(kcontext, client, pswd, server);
+ code = verify_krb5_user(kcontext, client, pswd, server);
- if (code)
- {
- ret = 0;
- goto end;
- }
+ if (code)
+ {
+ ret = 0;
+ goto end;
+ }
- ret = 1;
+ ret = 1;
end:
#ifdef PRINTFS
- printf("kerb_authenticate_user_krb5pwd ret=%d user=%s authtype=%s\n", ret, user, "Basic");
+ printf("kerb_authenticate_user_krb5pwd ret=%d user=%s authtype=%s\n", ret, user, "Basic");
#endif
- if (name)
- free(name);
- if (client)
- krb5_free_principal(kcontext, client);
- if (server)
- krb5_free_principal(kcontext, server);
- krb5_free_context(kcontext);
+ if (name)
+ free(name);
+ if (client)
+ krb5_free_principal(kcontext, client);
+ if (server)
+ krb5_free_principal(kcontext, server);
+ krb5_free_context(kcontext);
- return ret;
+ return ret;
}
/* Inspired by krb5_verify_user from Heimdal */
static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server)
{
- krb5_creds creds;
- krb5_get_init_creds_opt gic_options;
- krb5_error_code ret;
- char *name = NULL;
+ krb5_creds creds;
+ krb5_get_init_creds_opt gic_options;
+ krb5_error_code ret;
+ char *name = NULL;
- memset(&creds, 0, sizeof(creds));
+ memset(&creds, 0, sizeof(creds));
- ret = krb5_unparse_name(context, principal, &name);
- if (ret == 0)
- {
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret == 0)
+ {
#ifdef PRINTFS
- printf("Trying to get TGT for user %s\n", name);
+ printf("Trying to get TGT for user %s\n", name);
#endif
- free(name);
- }
+ free(name);
+ }
- krb5_get_init_creds_opt_init(&gic_options);
- ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options);
- if (ret)
- {
- set_basicauth_error(context, ret);
- goto end;
- }
+ krb5_get_init_creds_opt_init(&gic_options);
+ ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options);
+ if (ret)
+ {
+ set_basicauth_error(context, ret);
+ goto end;
+ }
end:
- krb5_free_cred_contents(context, &creds);
+ krb5_free_cred_contents(context, &creds);
- return ret;
+ return ret;
}
static void set_basicauth_error(krb5_context context, krb5_error_code code)
{
- PyErr_SetObject(BasicAuthException_class, Py_BuildValue("(s:i)", krb5_get_err_text(context, code), code));
+ PyErr_SetObject(BasicAuthException_class, Py_BuildValue("(s:i)", krb5_get_err_text(context, code), code));
}
Modified: PyKerberos/branches/more-kerberos/src/kerberosgss.c
===================================================================
--- PyKerberos/branches/more-kerberos/src/kerberosgss.c 2008-05-23 02:17:38 UTC (rev 2448)
+++ PyKerberos/branches/more-kerberos/src/kerberosgss.c 2008-05-23 02:18:53 UTC (rev 2449)
@@ -33,540 +33,541 @@
char *server_principal_details(const char *service, const char *hostname)
{
- char match[1024];
- int match_len = 0;
- char *result = NULL;
+ char match[1024];
+ int match_len = 0;
+ char *result = NULL;
- int code;
+ int code;
krb5_context kcontext;
krb5_keytab kt = NULL;
krb5_kt_cursor cursor = NULL;
krb5_keytab_entry entry;
char *pname = NULL;
- // Generate the principal prefix we want to match
- snprintf(match, 1024, "%s/%s@", service, hostname);
- match_len = strlen(match);
+ // Generate the principal prefix we want to match
+ snprintf(match, 1024, "%s/%s@", service, hostname);
+ match_len = strlen(match);
- code = krb5_init_context(&kcontext);
- if (code)
- {
- PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
- "Cannot initialize Kerberos5 context", code));
- return NULL;
- }
+ code = krb5_init_context(&kcontext);
+ if (code)
+ {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
+ "Cannot initialize Kerberos5 context", code));
+ return NULL;
+ }
if ((code = krb5_kt_default(kcontext, &kt)))
{
- PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
- "Cannot get default keytab", code));
- goto end;
+ PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
+ "Cannot get default keytab", code));
+ goto end;
}
if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor)))
{
- PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
- "Cannot get sequence cursor from keytab", code));
- goto end;
+ PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
+ "Cannot get sequence cursor from keytab", code));
+ goto end;
}
while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0)
{
- if ((code = krb5_unparse_name(kcontext, entry.principal, &pname)))
- {
- PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
- "Cannot parse principal name from keytab", code));
- goto end;
- }
+ if ((code = krb5_unparse_name(kcontext, entry.principal, &pname)))
+ {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
+ "Cannot parse principal name from keytab", code));
+ goto end;
+ }
- if (strncmp(pname, match, match_len) == 0)
- {
- result = malloc(strlen(pname) + 1);
- strcpy(result, pname);
- krb5_free_unparsed_name(kcontext, pname);
- break;
- }
+ if (strncmp(pname, match, match_len) == 0)
+ {
+ result = malloc(strlen(pname) + 1);
+ strcpy(result, pname);
+ krb5_free_unparsed_name(kcontext, pname);
+ break;
+ }
- krb5_free_unparsed_name(kcontext, pname);
- krb5_free_keytab_entry_contents(kcontext, &entry);
+ krb5_free_unparsed_name(kcontext, pname);
+ krb5_free_keytab_entry_contents(kcontext, &entry);
}
if (result == NULL)
{
- PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
- "Principal not found in keytab", -1));
+ PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
+ "Principal not found in keytab", -1));
}
end:
- if (cursor)
- krb5_kt_end_seq_get(kcontext, kt, &cursor);
- if (kt)
- krb5_kt_close(kcontext, kt);
- krb5_free_context(kcontext);
+ if (cursor)
+ krb5_kt_end_seq_get(kcontext, kt, &cursor);
+ if (kt)
+ krb5_kt_close(kcontext, kt);
+ krb5_free_context(kcontext);
- return result;
+ return result;
}
int authenticate_gss_client_init(const char *service, gss_client_state *state)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
- int ret = AUTH_GSS_COMPLETE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_COMPLETE;
- state->server_name = GSS_C_NO_NAME;
- state->context = GSS_C_NO_CONTEXT;
- state->username = NULL;
- state->response = NULL;
+ state->server_name = GSS_C_NO_NAME;
+ state->context = GSS_C_NO_CONTEXT;
+ state->username = NULL;
+ state->response = NULL;
- // Import server name first
- name_token.length = strlen(service);
- name_token.value = (char *)service;
+ // Import server name first
+ name_token.length = strlen(service);
+ name_token.value = (char *)service;
- maj_stat = gss_import_name(&min_stat, &name_token, gss_krb5_nt_service_name, &state->server_name);
+ maj_stat = gss_import_name(&min_stat, &name_token, gss_krb5_nt_service_name, &state->server_name);
- if (GSS_ERROR(maj_stat))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
end:
- return ret;
+ return ret;
}
int authenticate_gss_client_clean(gss_client_state *state)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- int ret = AUTH_GSS_COMPLETE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ int ret = AUTH_GSS_COMPLETE;
- if (state->context != GSS_C_NO_CONTEXT)
- maj_stat = gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
- if (state->server_name != GSS_C_NO_NAME)
- maj_stat = gss_release_name(&min_stat, &state->server_name);
- if (state->username != NULL)
- {
- free(state->username);
- state->username = NULL;
- }
- if (state->response != NULL)
- {
- free(state->response);
- state->response = NULL;
- }
+ if (state->context != GSS_C_NO_CONTEXT)
+ maj_stat = gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
+ if (state->server_name != GSS_C_NO_NAME)
+ maj_stat = gss_release_name(&min_stat, &state->server_name);
+ if (state->username != NULL)
+ {
+ free(state->username);
+ state->username = NULL;
+ }
+ if (state->response != NULL)
+ {
+ free(state->response);
+ state->response = NULL;
+ }
- return ret;
+ return ret;
}
int authenticate_gss_client_step(gss_client_state *state, const char *challenge)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
- int ret = AUTH_GSS_CONTINUE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_CONTINUE;
- // Always clear out the old response
- if (state->response != NULL)
- {
- free(state->response);
- state->response = NULL;
- }
+ // Always clear out the old response
+ if (state->response != NULL)
+ {
+ free(state->response);
+ state->response = NULL;
+ }
- // If there is a challenge (data from the server) we need to give it to GSS
- if (challenge && *challenge)
- {
- int len;
- input_token.value = base64_decode(challenge, &len);
- input_token.length = len;
- }
+ // If there is a challenge (data from the server) we need to give it to GSS
+ if (challenge && *challenge)
+ {
+ int len;
+ input_token.value = base64_decode(challenge, &len);
+ input_token.length = len;
+ }
- // Do GSSAPI step
- maj_stat = gss_init_sec_context(&min_stat,
- GSS_C_NO_CREDENTIAL,
- &state->context,
- state->server_name,
- GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
- 0,
- GSS_C_NO_CHANNEL_BINDINGS,
- &input_token,
- NULL,
- &output_token,
- NULL,
- NULL);
+ // Do GSSAPI step
+ maj_stat = gss_init_sec_context(&min_stat,
+ GSS_C_NO_CREDENTIAL,
+ &state->context,
+ state->server_name,
+ GSS_C_NO_OID,
+ GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &input_token,
+ NULL,
+ &output_token,
+ NULL,
+ NULL);
- if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- ret = (maj_stat == GSS_S_COMPLETE) ? AUTH_GSS_COMPLETE : AUTH_GSS_CONTINUE;
- // Grab the client response to send back to the server
- if (output_token.length)
- {
- state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
- maj_stat = gss_release_buffer(&min_stat, &output_token);
- }
+ ret = (maj_stat == GSS_S_COMPLETE) ? AUTH_GSS_COMPLETE : AUTH_GSS_CONTINUE;
+ // Grab the client response to send back to the server
+ if (output_token.length)
+ {
+ state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
+ maj_stat = gss_release_buffer(&min_stat, &output_token);
+ }
- // Try to get the user name if we have completed all GSS operations
- if (ret == AUTH_GSS_COMPLETE)
- {
- gss_name_t gssuser = GSS_C_NO_NAME;
- maj_stat = gss_inquire_context(&min_stat, state->context, &gssuser, NULL, NULL, NULL, NULL, NULL, NULL);
- if (GSS_ERROR(maj_stat))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ // Try to get the user name if we have completed all GSS operations
+ if (ret == AUTH_GSS_COMPLETE)
+ {
+ gss_name_t gssuser = GSS_C_NO_NAME;
+ maj_stat = gss_inquire_context(&min_stat, state->context, &gssuser, NULL, NULL, NULL, NULL, NULL, NULL);
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- gss_buffer_desc name_token;
- name_token.length = 0;
- maj_stat = gss_display_name(&min_stat, gssuser, &name_token, NULL);
- if (GSS_ERROR(maj_stat))
- {
- if (name_token.value)
- gss_release_buffer(&min_stat, &name_token);
- gss_release_name(&min_stat, &gssuser);
+ gss_buffer_desc name_token;
+ name_token.length = 0;
+ maj_stat = gss_display_name(&min_stat, gssuser, &name_token, NULL);
+ if (GSS_ERROR(maj_stat))
+ {
+ if (name_token.value)
+ gss_release_buffer(&min_stat, &name_token);
+ gss_release_name(&min_stat, &gssuser);
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
- else
- {
- state->username = (char *)malloc(name_token.length + 1);
- strncpy(state->username, (char*) name_token.value, name_token.length);
- state->username[name_token.length] = 0;
- gss_release_buffer(&min_stat, &name_token);
- gss_release_name(&min_stat, &gssuser);
- }
- }
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+ else
+ {
+ state->username = (char *)malloc(name_token.length + 1);
+ strncpy(state->username, (char*) name_token.value, name_token.length);
+ state->username[name_token.length] = 0;
+ gss_release_buffer(&min_stat, &name_token);
+ gss_release_name(&min_stat, &gssuser);
+ }
+ }
end:
- if (output_token.value)
- gss_release_buffer(&min_stat, &output_token);
- if (input_token.value)
- free(input_token.value);
- return ret;
+ if (output_token.value)
+ gss_release_buffer(&min_stat, &output_token);
+ if (input_token.value)
+ free(input_token.value);
+ return ret;
}
int authenticate_gss_client_unwrap(gss_client_state *state, const char *challenge)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
- int ret = AUTH_GSS_CONTINUE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_CONTINUE;
- // Always clear out the old response
- if (state->response != NULL)
- {
- free(state->response);
- state->response = NULL;
- }
+ // Always clear out the old response
+ if (state->response != NULL)
+ {
+ free(state->response);
+ state->response = NULL;
+ }
- // If there is a challenge (data from the server) we need to give it to GSS
- if (challenge && *challenge)
- {
- int len;
- input_token.value = base64_decode(challenge, &len);
- input_token.length = len;
- }
+ // If there is a challenge (data from the server) we need to give it to GSS
+ if (challenge && *challenge)
+ {
+ int len;
+ input_token.value = base64_decode(challenge, &len);
+ input_token.length = len;
+ }
- // Do GSSAPI step
- maj_stat = gss_unwrap(&min_stat,
- state->context,
- &input_token,
- &output_token,
- NULL,
- NULL);
+ // Do GSSAPI step
+ maj_stat = gss_unwrap(&min_stat,
+ state->context,
+ &input_token,
+ &output_token,
+ NULL,
+ NULL);
- if (maj_stat != GSS_S_COMPLETE)
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
- else
- ret = AUTH_GSS_COMPLETE;
+ if (maj_stat != GSS_S_COMPLETE)
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+ else
+ ret = AUTH_GSS_COMPLETE;
- // Grab the client response
- if (output_token.length)
- {
- state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
- maj_stat = gss_release_buffer(&min_stat, &output_token);
- }
+ // Grab the client response
+ if (output_token.length)
+ {
+ state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
+ maj_stat = gss_release_buffer(&min_stat, &output_token);
+ }
end:
- if (output_token.value)
- gss_release_buffer(&min_stat, &output_token);
- if (input_token.value)
- free(input_token.value);
- return ret;
+ if (output_token.value)
+ gss_release_buffer(&min_stat, &output_token);
+ if (input_token.value)
+ free(input_token.value);
+ return ret;
}
int authenticate_gss_client_wrap(gss_client_state *state, const char *challenge, const char *user)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
- int ret = AUTH_GSS_CONTINUE;
- char buf[4096], server_conf_flags;
- unsigned long buf_size;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_CONTINUE;
+ char buf[4096], server_conf_flags;
+ unsigned long buf_size;
- // Always clear out the old response
- if (state->response != NULL)
- {
- free(state->response);
- state->response = NULL;
- }
+ // Always clear out the old response
+ if (state->response != NULL)
+ {
+ free(state->response);
+ state->response = NULL;
+ }
- if (challenge && *challenge)
- {
- int len;
- input_token.value = base64_decode(challenge, &len);
- input_token.length = len;
- }
+ if (challenge && *challenge)
+ {
+ int len;
+ input_token.value = base64_decode(challenge, &len);
+ input_token.length = len;
+ }
- // get bufsize
- server_conf_flags = ((char*) input_token.value)[0];
- ((char*) input_token.value)[0] = 0;
- buf_size = ntohl(*((long *) input_token.value));
- free(input_token.value);
+ // get bufsize
+ server_conf_flags = ((char*) input_token.value)[0];
+ ((char*) input_token.value)[0] = 0;
+ buf_size = ntohl(*((long *) input_token.value));
+ free(input_token.value);
#if 0
- printf("User: %s, %c%c%c\n", user,
- server_conf_flags & GSS_AUTH_P_NONE\xCA \xCA \xCA ? 'N' : '-',
- server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
- server_conf_flags & GSS_AUTH_P_PRIVACY\xCA \xCA? 'P' : '-');
- printf("Maximum GSS token size is %ld\n", buf_size);
+ printf("User: %s, %c%c%c\n", user,
+ server_conf_flags & GSS_AUTH_P_NONE\xCA \xCA \xCA ? 'N' : '-',
+ server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
+ server_conf_flags & GSS_AUTH_P_PRIVACY\xCA \xCA? 'P' : '-');
+ printf("Maximum GSS token size is %ld\n", buf_size);
#endif
- // agree to terms (hack!)
- buf_size = htonl(buf_size); // not relevant without integrity/privacy
- memcpy(buf, &buf_size, 4);
- buf[0] = GSS_AUTH_P_NONE;
- // server decides if principal can log in as user
- strncpy(buf + 4, user, sizeof(buf) - 4);
- input_token.value = buf;
- input_token.length = 4 + strlen(user) + 1;
+ // agree to terms (hack!)
+ buf_size = htonl(buf_size); // not relevant without integrity/privacy
+ memcpy(buf, &buf_size, 4);
+ buf[0] = GSS_AUTH_P_NONE;
+ // server decides if principal can log in as user
+ strncpy(buf + 4, user, sizeof(buf) - 4);
+ input_token.value = buf;
+ input_token.length = 4 + strlen(user) + 1;
- // Do GSSAPI wrap
- maj_stat = gss_wrap(&min_stat,
- state->context,
- 0,
- GSS_C_QOP_DEFAULT,
- &input_token,
- NULL,
- &output_token);
+ // Do GSSAPI wrap
+ maj_stat = gss_wrap(&min_stat,
+ state->context,
+ 0,
+ GSS_C_QOP_DEFAULT,
+ &input_token,
+ NULL,
+ &output_token);
- if (maj_stat != GSS_S_COMPLETE)
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
- else
- ret = AUTH_GSS_COMPLETE;
- // Grab the client response to send back to the server
- if (output_token.length)
- {
- state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
- maj_stat = gss_release_buffer(&min_stat, &output_token);
- }
+ if (maj_stat != GSS_S_COMPLETE)
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+ else
+ ret = AUTH_GSS_COMPLETE;
+ // Grab the client response to send back to the server
+ if (output_token.length)
+ {
+ state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
+ maj_stat = gss_release_buffer(&min_stat, &output_token);
+ }
end:
- if (output_token.value)
- gss_release_buffer(&min_stat, &output_token);
- return ret;
+ if (output_token.value)
+ gss_release_buffer(&min_stat, &output_token);
+ return ret;
}
int authenticate_gss_server_init(const char *service, gss_server_state *state)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
- int ret = AUTH_GSS_COMPLETE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_COMPLETE;
- state->context = GSS_C_NO_CONTEXT;
- state->server_name = GSS_C_NO_NAME;
- state->client_name = GSS_C_NO_NAME;
- state->server_creds = GSS_C_NO_CREDENTIAL;
- state->client_creds = GSS_C_NO_CREDENTIAL;
- state->username = NULL;
- state->response = NULL;
+ state->context = GSS_C_NO_CONTEXT;
+ state->server_name = GSS_C_NO_NAME;
+ state->client_name = GSS_C_NO_NAME;
+ state->server_creds = GSS_C_NO_CREDENTIAL;
+ state->client_creds = GSS_C_NO_CREDENTIAL;
+ state->username = NULL;
+ state->response = NULL;
- // Import server name first
- name_token.length = strlen(service);
+ // Import server name first
+ name_token.length = strlen(service);
name_token.value = (char *)service;
- maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, &state->server_name);
+ maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, &state->server_name);
- if (GSS_ERROR(maj_stat))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- // Get credentials
- maj_stat = gss_acquire_cred(&min_stat, state->server_name, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_ACCEPT, &state->server_creds, NULL, NULL);
+ // Get credentials
+ maj_stat = gss_acquire_cred(&min_stat, state->server_name, GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET, GSS_C_ACCEPT, &state->server_creds, NULL, NULL);
- if (GSS_ERROR(maj_stat))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
end:
- return ret;
+ return ret;
}
int authenticate_gss_server_clean(gss_server_state *state)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- int ret = AUTH_GSS_COMPLETE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ int ret = AUTH_GSS_COMPLETE;
- if (state->context != GSS_C_NO_CONTEXT)
- maj_stat = gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
- if (state->server_name != GSS_C_NO_NAME)
- maj_stat = gss_release_name(&min_stat, &state->server_name);
- if (state->client_name != GSS_C_NO_NAME)
- maj_stat = gss_release_name(&min_stat, &state->client_name);
- if (state->server_creds != GSS_C_NO_CREDENTIAL)
- maj_stat = gss_release_cred(&min_stat, &state->server_creds);
- if (state->client_creds != GSS_C_NO_CREDENTIAL)
- maj_stat = gss_release_cred(&min_stat, &state->client_creds);
- if (state->username != NULL)
- {
- free(state->username);
- state->username = NULL;
- }
- if (state->response != NULL)
- {
- free(state->response);
- state->response = NULL;
- }
+ if (state->context != GSS_C_NO_CONTEXT)
+ maj_stat = gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
+ if (state->server_name != GSS_C_NO_NAME)
+ maj_stat = gss_release_name(&min_stat, &state->server_name);
+ if (state->client_name != GSS_C_NO_NAME)
+ maj_stat = gss_release_name(&min_stat, &state->client_name);
+ if (state->server_creds != GSS_C_NO_CREDENTIAL)
+ maj_stat = gss_release_cred(&min_stat, &state->server_creds);
+ if (state->client_creds != GSS_C_NO_CREDENTIAL)
+ maj_stat = gss_release_cred(&min_stat, &state->client_creds);
+ if (state->username != NULL)
+ {
+ free(state->username);
+ state->username = NULL;
+ }
+ if (state->response != NULL)
+ {
+ free(state->response);
+ state->response = NULL;
+ }
- return ret;
+ return ret;
}
int authenticate_gss_server_step(gss_server_state *state, const char *challenge)
{
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
- gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
- int ret = AUTH_GSS_CONTINUE;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_CONTINUE;
- // Always clear out the old response
- if (state->response != NULL)
- {
- free(state->response);
- state->response = NULL;
- }
+ // Always clear out the old response
+ if (state->response != NULL)
+ {
+ free(state->response);
+ state->response = NULL;
+ }
- // If there is a challenge (data from the server) we need to give it to GSS
- if (challenge && *challenge)
- {
- int len;
- input_token.value = base64_decode(challenge, &len);
- input_token.length = len;
- }
- else
- {
- PyErr_SetString(KrbException_class, "No challenge parameter in request from client");
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ // If there is a challenge (data from the server) we need to give it to GSS
+ if (challenge && *challenge)
+ {
+ int len;
+ input_token.value = base64_decode(challenge, &len);
+ input_token.length = len;
+ }
+ else
+ {
+ PyErr_SetString(KrbException_class, "No challenge parameter in request from client");
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- maj_stat = gss_accept_sec_context(&min_stat,
- &state->context,
- state->server_creds,
- &input_token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &state->client_name,
- NULL,
- &output_token,
- NULL,
- NULL,
- &state->client_creds);
+ maj_stat = gss_accept_sec_context(&min_stat,
+ &state->context,
+ state->server_creds,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &state->client_name,
+ NULL,
+ &output_token,
+ NULL,
+ NULL,
+ &state->client_creds);
- if (GSS_ERROR(maj_stat))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- // Grab the server response to send back to the client
- if (output_token.length)
- {
- state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
- maj_stat = gss_release_buffer(&min_stat, &output_token);
- }
+ // Grab the server response to send back to the client
+ if (output_token.length)
+ {
+ state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
+ maj_stat = gss_release_buffer(&min_stat, &output_token);
+ }
- maj_stat = gss_display_name(&min_stat, state->client_name, &output_token, NULL);
- if (GSS_ERROR(maj_stat))
- {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
- state->username = (char *)malloc(output_token.length + 1);
- strncpy(state->username, (char*) output_token.value, output_token.length);
- state->username[output_token.length] = 0;
+ maj_stat = gss_display_name(&min_stat, state->client_name, &output_token, NULL);
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+ state->username = (char *)malloc(output_token.length + 1);
+ strncpy(state->username, (char*) output_token.value, output_token.length);
+ state->username[output_token.length] = 0;
- ret = AUTH_GSS_COMPLETE;
+ ret = AUTH_GSS_COMPLETE;
end:
- if (output_token.length)
- gss_release_buffer(&min_stat, &output_token);
- if (input_token.value)
- free(input_token.value);
- return ret;
+ if (output_token.length)
+ gss_release_buffer(&min_stat, &output_token);
+ if (input_token.value)
+ free(input_token.value);
+ return ret;
}
static void set_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
{
- OM_uint32 maj_stat, min_stat;
- OM_uint32 msg_ctx = 0;
- gss_buffer_desc status_string;
- char buf_maj[512];
- char buf_min[512];
+ OM_uint32 maj_stat, min_stat;
+ OM_uint32 msg_ctx = 0;
+ gss_buffer_desc status_string;
+ char buf_maj[512];
+ char buf_min[512];
- do
- {
- maj_stat = gss_display_status (&min_stat,
- err_maj,
- GSS_C_GSS_CODE,
- GSS_C_NO_OID,
- &msg_ctx,
- &status_string);
- if (GSS_ERROR(maj_stat))
- break;
- strncpy(buf_maj, (char*) status_string.value, sizeof(buf_maj));
- gss_release_buffer(&min_stat, &status_string);
+ do
+ {
+ maj_stat = gss_display_status (&min_stat,
+ err_maj,
+ GSS_C_GSS_CODE,
+ GSS_C_NO_OID,
+ &msg_ctx,
+ &status_string);
+ if (GSS_ERROR(maj_stat))
+ break;
+ strncpy(buf_maj, (char*) status_string.value, sizeof(buf_maj));
+ gss_release_buffer(&min_stat, &status_string);
- maj_stat = gss_display_status (&min_stat,
- err_min,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- if (!GSS_ERROR(maj_stat))
- {
- strncpy(buf_min, (char*) status_string.value, sizeof(buf_min));
- gss_release_buffer(&min_stat, &status_string);
- }
- } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+ maj_stat = gss_display_status (&min_stat,
+ err_min,
+ GSS_C_MECH_CODE,
+ GSS_C_NULL_OID,
+ &msg_ctx,
+ &status_string);
+ if (!GSS_ERROR(maj_stat))
+ {
+ strncpy(buf_min, (char*) status_string.value, sizeof(buf_min));
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
- PyErr_SetObject(GssException_class, Py_BuildValue("((s:i)(s:i))", buf_maj, err_maj, buf_min, err_min));
+ PyErr_SetObject(GssException_class, Py_BuildValue("((s:i)(s:i))", buf_maj, err_maj, buf_min, err_min));
}
+
Modified: PyKerberos/branches/more-kerberos/src/kerberosgss.h
===================================================================
--- PyKerberos/branches/more-kerberos/src/kerberosgss.h 2008-05-23 02:17:38 UTC (rev 2448)
+++ PyKerberos/branches/more-kerberos/src/kerberosgss.h 2008-05-23 02:18:53 UTC (rev 2449)
@@ -31,20 +31,20 @@
#define GSS_AUTH_P_PRIVACY 4
typedef struct {
- gss_ctx_id_t context;
- gss_name_t server_name;
- char * username;
- char * response;
+ gss_ctx_id_t context;
+ gss_name_t server_name;
+ char * username;
+ char * response;
} gss_client_state;
typedef struct {
- gss_ctx_id_t context;
- gss_name_t server_name;
- gss_name_t client_name;
+ gss_ctx_id_t context;
+ gss_name_t server_name;
+ gss_name_t client_name;
gss_cred_id_t server_creds;
gss_cred_id_t client_creds;
- char * username;
- char * response;
+ char * username;
+ char * response;
} gss_server_state;
char *server_principal_details(const char *service, const char *hostname);