auth: Reformat mech-gssapi.c
authorStephan Bosch <stephan.bosch@open-xchange.com>
Tue, 7 Mar 2023 14:42:42 +0000 (15:42 +0100)
committertimo.sirainen <timo.sirainen@open-xchange.com>
Thu, 9 Oct 2025 08:41:22 +0000 (08:41 +0000)
src/auth/mech-gssapi.c

index f615f1dc48be9676eea9dd1f296f72248128f57c..fce2e24b779ef72ae3d5e76c4db1a9201d7bbbe8 100644 (file)
@@ -21,7 +21,6 @@
 #include "mech.h"
 #include "passdb.h"
 
-
 #if defined(BUILTIN_GSSAPI) || defined(PLUGIN_BUILD)
 
 #ifdef HAVE_GSSAPI_GSSAPI_H
@@ -75,9 +74,10 @@ static gss_OID_desc mech_gssapi_krb5_oid =
 static int
 mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf);
 
-static void mech_gssapi_log_error(struct auth_request *request,
-                                 OM_uint32 status_value, int status_type,
-                                 const char *description)
+static void
+mech_gssapi_log_error(struct auth_request *request,
+                     OM_uint32 status_value, int status_type,
+                     const char *description)
 {
        OM_uint32 message_context = 0;
        OM_uint32 minor_status;
@@ -101,7 +101,7 @@ static void mech_gssapi_initialize(const struct auth_settings *set)
        const char *path = set->krb5_keytab;
 
        if (*path != '\0') {
-               /* environment may be used by Kerberos 5 library directly */
+               /* Environment may be used by Kerberos 5 library directly */
                env_put("KRB5_KTNAME", path);
 #ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
                gsskrb5_register_acceptor_identity(path);
@@ -116,7 +116,8 @@ static struct auth_request *mech_gssapi_auth_new(void)
        struct gssapi_auth_request *request;
        pool_t pool;
 
-       pool = pool_alloconly_create(MEMPOOL_GROWING"gssapi_auth_request", 2048);
+       pool = pool_alloconly_create(
+               MEMPOOL_GROWING"gssapi_auth_request", 2048);
        request = p_new(pool, struct gssapi_auth_request, 1);
        request->pool = pool;
 
@@ -242,8 +243,9 @@ static bool data_has_nuls(const void *data, size_t len)
        return FALSE;
 }
 
-static int get_display_name(struct auth_request *auth_request, gss_name_t name,
-                           gss_OID *name_type_r, const char **display_name_r)
+static int
+get_display_name(struct auth_request *auth_request, gss_name_t name,
+                gss_OID *name_type_r, const char **display_name_r)
 {
        OM_uint32 major_status, minor_status;
        gss_buffer_desc buf;
@@ -256,8 +258,7 @@ static int get_display_name(struct auth_request *auth_request, gss_name_t name,
                return -1;
        }
        if (data_has_nuls(buf.value, buf.length)) {
-               e_info(auth_request->mech_event,
-                      "authn_name has NULs");
+               e_info(auth_request->mech_event, "authn_name has NULs");
                return -1;
        }
        *display_name_r = t_strndup(buf.value, buf.length);
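Review bot: The `data_has_nuls()` branch returns -1 while `buf` still holds the data the GSS-API display call filled in, and no release of `buf` is visible on that path. If the success path frees it with `gss_release_buffer()` on the line just past this hunk (not shown here), the rejection path leaks that buffer every time a peer presents a name containing NULs. Consider adding `(void)gss_release_buffer(&minor_status, &buf);` before the `return -1;` in that branch. get_display_name() begins before this hunk and ends after it, so this needs confirming against the full body.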
@@ -265,11 +266,12 @@ static int get_display_name(struct auth_request *auth_request, gss_name_t name,
        return 0;
 }
 
-static bool mech_gssapi_oid_cmp(const gss_OID_desc *oid1,
-                               const gss_OID_desc *oid2)
+static bool
+mech_gssapi_oid_cmp(const gss_OID_desc *oid1, const gss_OID_desc *oid2)
 {
-       return oid1->length == oid2->length &&
-               mem_equals_timing_safe(oid1->elements, oid2->elements, oid1->length);
+       return (oid1->length == oid2->length &&
+               mem_equals_timing_safe(oid1->elements, oid2->elements,
+                                      oid1->length));
 }
 
 static int
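Review bot: `mech_gssapi_oid_cmp()` returns true when the two OIDs are equal, which is the opposite sense of `memcmp()`/`strcmp()`-style `_cmp` helpers, and nothing at the definition says so. In authentication code an inverted test on this result is easy to write and hard to spot. A one-line comment above the definition, e.g. `/* Returns TRUE if both OIDs have the same length and contents */`, would make the contract explicit. The trailing `static int` belongs to the next function, which lies outside the hunk.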
@@ -363,8 +365,8 @@ mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
 
        /* The client's return data should be empty here */
 
-       /* Only authentication, no integrity or confidentiality
-          protection (yet?) */
+       /* Only authentication, no integrity or confidentiality protection
+          (yet?) */
        ret[0] = (SASL_GSSAPI_QOP_UNSPECIFIED |
                   SASL_GSSAPI_QOP_AUTH_ONLY);
        ret[1] = 0xFF;
@@ -456,15 +458,16 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request,
                       "krb5_parse_name() failed: %d",
                       (int)krb5_err);
        } else {
-               /* See if the principal is in the list of authorized
-                * principals for the user */
+               /* See if the principal is in the list of authorized principals
+                  for the user */
                authorized = k5_principal_is_authorized(&request->auth_request,
                                                        princ_display_name);
 
-               /* See if the principal is authorized to act as the
-                  specified (UNIX) user */
+               /* See if the principal is authorized to act as the specified
+                  (UNIX) user */
                if (!authorized) {
-                       authorized = krb5_boolean2bool(krb5_kuserok(ctx, princ, login_user));
+                       authorized = krb5_boolean2bool(
+                               krb5_kuserok(ctx, princ, login_user));
                }
 
                krb5_free_principal(ctx, princ);
@@ -480,7 +483,7 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
        OM_uint32 major_status, minor_status;
        int equal_authn_authz;
 
-       /* if authn and authz names equal, don't bother checking further. */
+       /* If authn and authz names equal, don't bother checking further. */
        major_status = gss_compare_name(&minor_status,
                                        request->authn_name,
                                        request->authz_name,
@@ -515,15 +518,15 @@ gssapi_credentials_callback(enum passdb_result result,
                (struct gssapi_auth_request *)request;
 
        /* We don't care much whether the lookup succeeded or not because GSSAPI
-        * does not strictly require a passdb. But if a passdb is configured,
-        * now the k5principals field will have been filled in. */
+          does not strictly require a passdb. But if a passdb is configured,
+          now the k5principals field will have been filled in. */
        switch (result) {
        case PASSDB_RESULT_INTERNAL_FAILURE:
                auth_request_internal_failure(request);
                return;
        case PASSDB_RESULT_USER_DISABLED:
        case PASSDB_RESULT_PASS_EXPIRED:
-               /* user is explicitly disabled, don't allow it to log in */
+               /* User is explicitly disabled, don't allow it to log in */
                auth_request_fail(request);
                return;
        case PASSDB_RESULT_NEXT:
@@ -600,10 +603,10 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
        }
 
        /* Set username early, so that the credential lookup is for the
-        * authorizing user. This means the username in subsequent log
-        * messages will be the authorization name, not the authentication
-        * name, which may mean that future log messages should be adjusted
-        * to log the right thing. */
+          authorizing user. This means the username in subsequent log messages
+          will be the authorization name, not the authentication name, which
+          may mean that future log messages should be adjusted to log the right
+          thing. */
        if (!auth_request_set_username(auth_request, login_user, &error)) {
                e_info(auth_request->mech_event,
                       "authz_name: %s", error);
@@ -718,9 +721,9 @@ const struct mech_module mech_gssapi = {
        mech_gssapi_auth_free
 };
 
-/* MTI Kerberos v1.5+ and Heimdal v0.7+ supports SPNEGO for Kerberos tickets
-   internally. Nothing else needs to be done here. Note however that this does
-   not support SPNEGO when the only available credential is NTLM.. */
+/* MIT Kerberos v1.5+ and Heimdal v0.7+ support SPNEGO for Kerberos tickets
+   internally. Nothing else needs to be done here. Note, however, that this does
+   not support SPNEGO when the only available credential is NTLM. */
 const struct mech_module mech_gssapi_spnego = {
        "GSS-SPNEGO",