[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU shishi branch, master, updated. shishi-1-0-1-7-g74af980
|
From: |
Simon Josefsson |
|
Subject: |
[SCM] GNU shishi branch, master, updated. shishi-1-0-1-7-g74af980 |
|
Date: |
Wed, 08 Aug 2012 10:43:05 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU shishi".
http://git.savannah.gnu.org/cgit/shishi.git/commit/?id=74af980d3ee73c31523c65768ed01f768c84e3fa
The branch, master has been updated
via 74af980d3ee73c31523c65768ed01f768c84e3fa (commit)
via e2fe88509f248f2889de6c44a767c91788fc2500 (commit)
via e996b923abbfec3b1b26e97a70d0955d6b28755f (commit)
from 577f7696bfe86997ad5b4413b5929ff42fd7a2b5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 74af980d3ee73c31523c65768ed01f768c84e3fa
Author: Mats Erik Andersson <address@hidden>
Date: Tue Aug 7 21:34:29 2012 +0200
Support LOGNAME in guessing principals.
Signed-off-by: Simon Josefsson <address@hidden>
commit e2fe88509f248f2889de6c44a767c91788fc2500
Author: Mats Erik Andersson <address@hidden>
Date: Tue Aug 7 21:26:48 2012 +0200
Segfault in config list parsing.
Signed-off-by: Simon Josefsson <address@hidden>
commit e996b923abbfec3b1b26e97a70d0955d6b28755f
Author: Mats Erik Andersson <address@hidden>
Date: Tue Aug 7 21:19:13 2012 +0200
Authentication type k5login.
Repair the completely broken k5login type for
authentication of user access.
Signed-off-by: Simon Josefsson <address@hidden>
-----------------------------------------------------------------------
Summary of changes:
lib/authorize.c | 95 ++++++++++++++++++++++++++++++++++++++++++++----------
lib/cfg.c | 32 +++++++++++++------
lib/principal.c | 84 +++++++++++++++++++++++++-----------------------
3 files changed, 142 insertions(+), 69 deletions(-)
diff --git a/lib/authorize.c b/lib/authorize.c
index 860b1db..c1f095c 100644
--- a/lib/authorize.c
+++ b/lib/authorize.c
@@ -26,6 +26,19 @@
# include <pwd.h>
#endif
+/**
+ * shishi_authorize_strcmp:
+ * @handle: shishi handle allocated by shishi_init().
+ * @principal: string with desired principal name.
+ * @authzname: authorization name.
+ *
+ * Authorization of @authzname against desired @principal
+ * according to "basic" authentication, i.e., testing for
+ * identical strings.
+ *
+ * Return value: Returns 1 if @authzname is authorized for services
+ * by the encrypted principal, and 0 otherwise.
+ **/
int
shishi_authorize_strcmp (Shishi * handle, const char *principal,
const char *authzname)
@@ -37,6 +50,18 @@ shishi_authorize_strcmp (Shishi * handle, const char
*principal,
}
/* MIT/Heimdal authorization method */
+/**
+ * shishi_authorize_k5login:
+ * @handle: shishi handle allocated by shishi_init().
+ * @principal: string with desired principal name and realm.
+ * @authzname: authorization name.
+ *
+ * Authorization of @authzname against desired @principal
+ * in accordance with the MIT/Heimdal authorization method.
+ *
+ * Return value: Returns 1 if @authzname is authorized for services
+ * by @principal, and returns 0 otherwise.
+ **/
int
shishi_authorize_k5login (Shishi * handle, const char *principal,
const char *authzname)
@@ -54,20 +79,29 @@ shishi_authorize_k5login (Shishi * handle, const char
*principal,
if (pwd == NULL || pwd->pw_dir == NULL)
return 0;
- asprintf (&ficname, "%s%s", pwd->pw_dir, ".k5login");
+ asprintf (&ficname, "%s/%s", pwd->pw_dir, ".k5login");
if (stat (ficname, &sta) != 0)
- /* If file .k5login does not exist */
- if (strcmp (principal, authzname) == 0)
- return shishi_authorize_strcmp (handle, principal, authzname);
+ {
+ /* File .k5login does not exist. */
+ free (ficname);
+ return 0;
+ }
- /* Owner should be user or root */
+ /* Owner should be acting user, or root. */
if ((sta.st_uid != pwd->pw_uid) && (sta.st_uid != 0))
{
free (ficname);
return 0;
}
+ /* Write access is forbidden for group and world. */
+ if ((sta.st_mode & S_IWGRP) || (sta.st_mode & S_IWOTH))
+ {
+ free (ficname);
+ return 0;
+ }
+
fic = fopen (ficname, "r");
if (fic == NULL)
{
@@ -77,9 +111,13 @@ shishi_authorize_k5login (Shishi * handle, const char
*principal,
while (!feof (fic))
{
+ char *p;
+
if (getline (&line, &linelength, fic) == -1)
break;
- line[linelength - 1] = '\0';
+ p = strchr (line, '\n');
+ if (p)
+ *p = '\0';
if (strcmp (principal, line) == 0)
{
@@ -111,11 +149,11 @@ static const struct Authorization_aliases
authorization_aliases[] = {
/**
* shishi_authorization_parse:
- * @authorization: name of authorization type, e.g. "basic".
+ * @authorization: name of authorization type, "basic" or "k5login".
*
* Parse authorization type name.
*
- * Return value: Return authorization type corresponding to a string.
+ * Return value: Returns authorization type corresponding to a string.
**/
int
shishi_authorization_parse (const char *authorization)
@@ -139,21 +177,23 @@ shishi_authorization_parse (const char *authorization)
/**
* shishi_authorized_p:
- * @handle: shishi handle as allocated by shishi_init().
+ * @handle: shishi handle allocated by shishi_init().
* @tkt: input variable with ticket info.
* @authzname: authorization name.
*
* Simplistic authorization of @authzname against encrypted client
- * principal name inside ticket. Currently this function only compare
- * the principal name with @authzname using strcmp().
+ * principal name inside ticket. For "basic" authentication type,
+ * the principal name must coincide with @authzname. The "k5login"
+ * authentication type attempts the MIT/Heimdal method of parsing
+ * the file "~/.k5login" for additional equivalence names.
*
- * Return value: Returns 1 if authzname is authorized for services by
- * authenticated client principal, or 0 otherwise.
+ * Return value: Returns 1 if @authzname is authorized for services
+ * by the encrypted principal, and 0 otherwise.
**/
int
shishi_authorized_p (Shishi * handle, Shishi_tkt * tkt, const char *authzname)
{
- char *client;
+ char *client = NULL, *clientrealm = NULL;
size_t i;
int rc;
@@ -162,24 +202,43 @@ shishi_authorized_p (Shishi * handle, Shishi_tkt * tkt,
const char *authzname)
if (rc != SHISHI_OK)
return 0;
+ rc = shishi_encticketpart_clientrealm (handle,
+ shishi_tkt_encticketpart (tkt),
+ &clientrealm, NULL);
+ if (rc != SHISHI_OK)
+ {
+ free (client);
+ return 0;
+ }
+
for (i = 0; i < handle->nauthorizationtypes; i++)
{
switch (handle->authorizationtypes[i])
{
case SHISHI_AUTHORIZATION_BASIC:
if (shishi_authorize_strcmp (handle, client, authzname))
- return 1;
+ {
+ free (client);
+ free (clientrealm);
+ return 1;
+ }
break;
case SHISHI_AUTHORIZATION_K5LOGIN:
- if (shishi_authorize_k5login (handle, client, authzname))
- return 1;
+ if (shishi_authorize_k5login (handle, clientrealm, authzname))
+ {
+ free (client);
+ free (clientrealm);
+ return 1;
+ }
break;
default:
- return 0;
+ break; /* Ignore unknown types. Continue searching. */
}
}
+ free (client);
+ free (clientrealm);
return 0;
}
diff --git a/lib/cfg.c b/lib/cfg.c
index ce06da9..a0e39b3 100644
--- a/lib/cfg.c
+++ b/lib/cfg.c
@@ -584,7 +584,7 @@ shishi_cfg_clientkdcetype_fast (Shishi * handle)
/**
* shishi_cfg_clientkdcetype_set:
- * @handle: Shishi library handle create by shishi_init().
+ * @handle: Shishi library handle created by shishi_init().
* @value: string with encryption types.
*
* Set the "client-kdc-etypes" configuration option from given string.
@@ -592,20 +592,23 @@ shishi_cfg_clientkdcetype_fast (Shishi * handle)
* by comma or whitespace, e.g. "aes256-cts-hmac-sha1-96
* des3-cbc-sha1-kd des-cbc-md5".
*
- * Return value: Return SHISHI_OK iff successful.
+ * Return value: Returns SHISHI_OK if successful.
**/
int
shishi_cfg_clientkdcetype_set (Shishi * handle, char *value)
{
char *ptrptr;
- char *val;
+ char *val, *tmpvalue;
int i;
int tot = 0;
+ int rc = SHISHI_INVALID_ARGUMENT;
if (value == NULL || *value == '\0')
return SHISHI_OK;
- for (i = 0; (val = strtok_r (i == 0 ? value : NULL, ", \t", &ptrptr)); i++)
+ tmpvalue = xstrdup (value);
+
+ for (i = 0; (val = strtok_r (i == 0 ? tmpvalue : NULL, ", \t", &ptrptr));
i++)
{
int etype = shishi_cipher_parse (val);
@@ -621,35 +624,41 @@ shishi_cfg_clientkdcetype_set (Shishi * handle, char
*value)
handle->clientkdcetypes = new;
handle->clientkdcetypes[tot - 1] = etype;
handle->nclientkdcetypes = tot;
+ rc = SHISHI_OK; /* At least one valid type. */
}
}
- return SHISHI_OK;
+ free (tmpvalue);
+
+ return rc;
}
/**
* shishi_cfg_authorizationtype_set:
- * @handle: Shishi library handle create by shishi_init().
+ * @handle: Shishi library handle created by shishi_init().
* @value: string with authorization types.
*
* Set the "authorization-types" configuration option from given string.
* The string contains authorization types (integer or names) separated
* by comma or whitespace, e.g. "basic k5login".
*
- * Return value: Return SHISHI_OK iff successful.
+ * Return value: Returns SHISHI_OK if successful.
**/
int
shishi_cfg_authorizationtype_set (Shishi * handle, char *value)
{
char *ptrptr;
- char *val;
+ char *val, *tmpvalue;
int i;
int tot = 0;
+ int rc = SHISHI_INVALID_ARGUMENT;
if (value == NULL || *value == '\0')
return SHISHI_OK;
- for (i = 0; (val = strtok_r (i == 0 ? value : NULL, ", \t", &ptrptr)); i++)
+ tmpvalue = xstrdup (value);
+
+ for (i = 0; (val = strtok_r (i == 0 ? tmpvalue : NULL, ", \t", &ptrptr));
i++)
{
int atype = shishi_authorization_parse (val);
@@ -666,8 +675,11 @@ shishi_cfg_authorizationtype_set (Shishi * handle, char
*value)
handle->authorizationtypes = new;
handle->authorizationtypes[tot - 1] = atype;
handle->nauthorizationtypes = tot;
+ rc = SHISHI_OK; /* At least one valid type. */
}
}
- return SHISHI_OK;
+ free (tmpvalue);
+
+ return rc;
}
diff --git a/lib/principal.c b/lib/principal.c
index 1bee931..d9d8e0c 100644
--- a/lib/principal.c
+++ b/lib/principal.c
@@ -26,11 +26,11 @@
* shishi_principal_default_guess:
*
* Guesses the principal name for the user, looking at environment
- * variables SHISHI_USER and USER, or if that fails, returns the
- * string "user".
+ * variables SHISHI_USER, USER and LOGNAME, or if that fails, returns
+ * the string "user".
*
* Return value: Returns guessed default principal for user as a
- * string that has to be deallocated with free() by the caller.
+ * string that has to be deallocated by the caller with free().
**/
char *
shishi_principal_default_guess (void)
@@ -41,6 +41,8 @@ shishi_principal_default_guess (void)
if (!envuser)
envuser = getenv ("USER");
if (!envuser)
+ envuser = getenv ("LOGNAME");
+ if (!envuser)
envuser = "user";
return xstrdup (envuser);
@@ -49,13 +51,13 @@ shishi_principal_default_guess (void)
/**
* shishi_principal_default:
- * @handle: Shishi library handle create by shishi_init().
+ * @handle: Shishi library handle created by shishi_init().
*
* The default principal name is the name in the environment variable
- * USER, but can be overridden by specifying the environment variable
- * SHISHI_USER.
+ * USER, or LOGNAME for some systems, but it can be overridden by
+ * specifying the environment variable SHISHI_USER.
*
- * Return value: Returns the default principal name used in the
+ * Return value: Returns the default principal name used by the
* library. (Not a copy of it, so don't modify or deallocate it.)
**/
const char *
@@ -74,11 +76,11 @@ shishi_principal_default (Shishi * handle)
/**
* shishi_principal_default_set:
- * @handle: Shishi library handle create by shishi_init().
+ * @handle: Shishi library handle created by shishi_init().
* @principal: string with new default principal name, or NULL to
* reset to default.
*
- * Set the default realm used in the library. The string is copied
+ * Set the default realm used by the library. The string is copied
* into the library, so you can dispose of the variable immediately
* after calling this function.
**/
@@ -94,19 +96,19 @@ shishi_principal_default_set (Shishi * handle, const char
*principal)
/**
* shishi_parse_name:
- * @handle: Shishi library handle create by shishi_init().
- * @name: Input principal name string, e.g. imap/address@hidden
+ * @handle: Shishi library handle created by shishi_init().
+ * @name: input principal name string, e.g. imap/address@hidden
* @principal: newly allocated output string with principal name.
* @realm: newly allocated output string with realm name.
*
- * Split up principal name (e.g., "address@hidden") into two
- * newly allocated strings, the principal ("simon") and realm
+ * Split principal name (e.g., "address@hidden") into two
+ * newly allocated strings, the principal ("simon"), and the realm
* ("JOSEFSSON.ORG"). If there is no realm part in NAME, REALM is set
* to NULL.
*
* Return value: Returns SHISHI_INVALID_PRINCIPAL_NAME if NAME is NULL
- * or ends with the escape character "\", or SHISHI_OK iff
- * successful
+ * or ends with the escape character "\", and SHISHI_OK if
+ * successful.
**/
int
shishi_parse_name (Shishi * handle, const char *name,
@@ -158,20 +160,20 @@ shishi_parse_name (Shishi * handle, const char *name,
/**
* shishi_principal_name:
- * @handle: Shishi library handle create by shishi_init().
+ * @handle: Shishi library handle created by shishi_init().
* @namenode: ASN.1 structure with principal in @namefield.
* @namefield: name of field in @namenode containing principal name.
- * @out: pointer to newly allocated zero terminated string containing
+ * @out: pointer to newly allocated, null terminated, string containing
* principal name. May be %NULL (to only populate @outlen).
* @outlen: pointer to length of @out on output, excluding terminating
- * zero. May be %NULL (to only populate @out).
+ * null. May be %NULL (to only populate @out).
*
- * Represent principal name in ASN.1 structure as zero-terminated
- * string. The string is allocate by this function, and it is the
+ * Represent principal name in ASN.1 structure as null-terminated
+ * string. The string is allocated by this function, and it is the
* responsibility of the caller to deallocate it. Note that the
- * output length @outlen does not include the terminating zero.
+ * output length @outlen does not include the terminating null.
*
- * Return value: Returns SHISHI_OK iff successful.
+ * Return value: Returns SHISHI_OK if successful.
**/
int
shishi_principal_name (Shishi * handle,
@@ -239,23 +241,23 @@ shishi_principal_name (Shishi * handle,
/**
* shishi_principal_name_realm:
- * @handle: Shishi library handle create by shishi_init().
+ * @handle: Shishi library handle created by shishi_init().
* @namenode: ASN.1 structure with principal name in @namefield.
* @namefield: name of field in @namenode containing principal name.
* @realmnode: ASN.1 structure with principal realm in @realmfield.
* @realmfield: name of field in @realmnode containing principal realm.
- * @out: pointer to newly allocated zero terminated string containing
+ * @out: pointer to newly allocated null terminated string containing
* principal name. May be %NULL (to only populate @outlen).
* @outlen: pointer to length of @out on output, excluding terminating
- * zero. May be %NULL (to only populate @out).
+ * null. May be %NULL (to only populate @out).
*
* Represent principal name and realm in ASN.1 structure as
- * zero-terminated string. The string is allocate by this function,
- * and it is the responsibility of the caller to deallocate it. Note
+ * null-terminated string. The string is allocated by this function.
+ * It is the responsibility of the caller to deallocate it. Note
* that the output length @outlen does not include the terminating
- * zero.
+ * null character.
*
- * Return value: Returns SHISHI_OK iff successful.
+ * Return value: Returns SHISHI_OK if successful.
**/
int
shishi_principal_name_realm (Shishi * handle,
@@ -322,14 +324,14 @@ shishi_principal_name_realm (Shishi * handle,
* shishi_principal_name_set:
* @handle: shishi handle as allocated by shishi_init().
* @namenode: ASN.1 structure with principal in @namefield.
- * @namefield: name of field in namenode containing principal name.
- * @name_type: type of principial, see Shishi_name_type, usually
+ * @namefield: name of field in @namenode containing principal name.
+ * @name_type: type of principal, see Shishi_name_type, usually
* SHISHI_NT_UNKNOWN.
- * @name: zero-terminated input array with principal name.
+ * @name: null-terminated input array with principal name.
*
- * Set the given principal name field to given name.
+ * Set the given principal name field to the given name.
*
- * Return value: Returns SHISHI_OK iff successful.
+ * Return value: Returns SHISHI_OK if successful.
**/
int
shishi_principal_name_set (Shishi * handle,
@@ -378,12 +380,12 @@ shishi_principal_name_set (Shishi * handle,
* shishi_principal_set:
* @handle: shishi handle as allocated by shishi_init().
* @namenode: ASN.1 structure with principal in @namefield.
- * @namefield: name of field in namenode containing principal name.
- * @name: zero-terminated string with principal name on RFC 1964 form.
+ * @namefield: name of field in @namenode containing principal name.
+ * @name: null-terminated string with principal name in RFC 1964 form.
*
- * Set principal name field in ASN.1 structure to given name.
+ * Set principal name field in an ASN.1 structure to the given name.
*
- * Return value: Returns SHISHI_OK iff successful.
+ * Return value: Returns SHISHI_OK if successful.
**/
int
shishi_principal_set (Shishi * handle,
@@ -426,7 +428,7 @@ shishi_principal_set (Shishi * handle,
* @salt: output variable with newly allocated salt string.
*
* Derive the default salt from a principal. The default salt is the
- * concatenation of the decoded realm and principal.
+ * concatenation of the decoded realm and the principal.
*
* Return value: Return SHISHI_OK if successful.
**/
@@ -459,10 +461,10 @@ shishi_derive_default_salt (Shishi * handle, const char
*name, char **salt)
/**
* shishi_server_for_local_service:
* @handle: shishi handle as allocated by shishi_init().
- * @service: zero terminated string with name of service, e.g., "host".
+ * @service: null terminated string with name of service, e.g., "host".
*
* Construct a service principal (e.g., "imap/yxa.extuno.com") based
- * on supplied service name (i.e., "imap") and the system hostname as
+ * on supplied service name (i.e., "imap") and the system's hostname as
* returned by hostname() (i.e., "yxa.extundo.com"). The string must
* be deallocated by the caller.
*
hooks/post-receive
--
GNU shishi
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU shishi branch, master, updated. shishi-1-0-1-7-g74af980,
Simon Josefsson <=