/*
 * Look up the GSS-API mechanism OID for the SASL mechanism negotiated on
 * the current session.  Only Kerberos V5 is supported today, so the lookup
 * is nearly trivial, but it keeps callers mechanism-agnostic for when more
 * mechanisms are added.
 *
 * sctx:     gsasl session whose mechanism name is consulted
 * mech_oid: receives the mechanism OID on success
 *
 * Returns GSASL_OK on success, GSASL_AUTHENTICATION_ERROR when the session
 * has no mechanism name, or GSASL_GSSAPI_INQUIRE_MECH_FOR_SASLNAME_ERROR
 * when the GSS-API lookup reports an error.
 */
int
gs2_get_oid (Gsasl_session * sctx, gss_OID * mech_oid)
{
  const char *name = gsasl_mechanism_name (sctx);
  gss_buffer_desc saslname;
  OM_uint32 major, minor;

  if (name == NULL)
    return GSASL_AUTHENTICATION_ERROR;

  /* GSS-API buffers carry an explicit length; no terminator is included. */
  saslname.value = (void *) name;
  saslname.length = strlen (name);

  major = gss_inquire_mech_for_saslname (&minor, &saslname, mech_oid);
  if (GSS_ERROR (major))
    return GSASL_GSSAPI_INQUIRE_MECH_FOR_SASLNAME_ERROR;

  return GSASL_OK;
}
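/**
 * Move the stream to the authenticated state once SASL has completed.
 *
 * The authorization identifier (authzid) the client sent is NOT trusted.
 * Unless GSS-API supplies a display name for the authenticated principal,
 * the authzid is replaced by "<authnid>@<realm>", where realm is the
 * GSASL_REALM property when it is non-empty and the stream's requested
 * domain (s->req_to) otherwise.  A CHECK_AUTHZID callback path exists but
 * is compiled out ("if(0 && ...)") until the callback is supported.
 *
 * NOTE(review): for some mechanisms GSASL_REALM may be chosen by the
 * client; confirm whether it should be validated against s->req_to before
 * it is embedded in the authzid.
 *
 * s:  the stream being advanced
 * sd: the completed gsasl session providing the identity properties
 *
 * If a required property is missing or an allocation fails, a debug
 * message is logged and the stream is left in its current state.
 */
void _sx_sasl_open(sx_t s, Gsasl_session *sd) {
    char *method = NULL, *authzid = NULL;
    const char *realm = NULL;
    const char *display_name;
    struct sx_sasl_creds_st creds = {NULL, NULL, NULL, NULL};
    _sx_sasl_t ctx = gsasl_session_hook_get(sd);
    const char *mechname = gsasl_mechanism_name(sd);
    size_t len;

    if(mechname == NULL) {
        _sx_debug(ZONE, "no SASL mechanism name on session, not advancing to auth state");
        return;
    }

    /* get the method: "SASL/" followed by the mechanism name */
    len = strlen("SASL/") + strlen(mechname) + 1;
    method = (char *) malloc(len);
    if(method == NULL) {
        _sx_debug(ZONE, "out of memory building auth method, not advancing to auth state");
        return;
    }
    snprintf(method, len, "SASL/%s", mechname);

    /* the identity properties; gsasl may return NULL for any of them */
    creds.authzid = gsasl_property_fast(sd, GSASL_AUTHZID);
    creds.authnid = gsasl_property_fast(sd, GSASL_AUTHID);
    creds.realm = gsasl_property_fast(sd, GSASL_REALM);
    display_name = gsasl_property_fast(sd, GSASL_GSSAPI_DISPLAY_NAME);

    if(0 && ctx && ctx->cb) { /* not supported yet */
        if((ctx->cb)(sx_sasl_cb_CHECK_AUTHZID, &creds, NULL, s, ctx->cbarg)!=sx_sasl_ret_OK) {
            _sx_debug(ZONE, "stream authzid: %s verification failed, not advancing to auth state", creds.authzid);
            free(method);
            return;
        }
    } else if(display_name != NULL) {
        /* GSS-API already authenticated a principal: use its display name.
         * Keep the copy in authzid so it is released below; the original
         * dropped the strdup'd pointer and leaked it. */
        authzid = strdup(display_name);
        if(authzid == NULL) {
            _sx_debug(ZONE, "out of memory copying GSS-API display name, not advancing to auth state");
            free(method);
            return;
        }
        creds.authzid = authzid;
    } else {
        /* override unchecked arbitrary authzid with authnid@realm */
        if(creds.authnid == NULL) {
            _sx_debug(ZONE, "no authentication id on session, not advancing to auth state");
            free(method);
            return;
        }
        if(creds.realm && creds.realm[0] != '\0') {
            realm = creds.realm;
        } else {
            realm = s->req_to;
        }
        if(realm == NULL) {
            _sx_debug(ZONE, "no realm available to build authzid, not advancing to auth state");
            free(method);
            return;
        }
        /* authnid + '@' + realm + NUL */
        len = strlen(creds.authnid) + strlen(realm) + 2;
        authzid = (char *) malloc(len);
        if(authzid == NULL) {
            _sx_debug(ZONE, "out of memory building authzid, not advancing to auth state");
            free(method);
            return;
        }
        snprintf(authzid, len, "%s@%s", creds.authnid, realm);
        creds.authzid = authzid;
    }

    /* proceed stream to authenticated state; sx_auth does not retain
     * our buffers (the original already freed authzid right after it) */
    sx_auth(s, method, creds.authzid);

    free(method);
    free(authzid);
}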