diff options
Diffstat (limited to 'lib/gssapi/accept_sec_context.c')
| -rw-r--r-- | lib/gssapi/accept_sec_context.c | 445 |
1 files changed, 445 insertions, 0 deletions
diff --git a/lib/gssapi/accept_sec_context.c b/lib/gssapi/accept_sec_context.c new file mode 100644 index 0000000..d923c36 --- /dev/null +++ b/lib/gssapi/accept_sec_context.c @@ -0,0 +1,445 @@ +/* + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "gssapi_locl.h" + +RCSID("$Id: accept_sec_context.c,v 1.33.2.2 2003/12/19 00:37:06 lha Exp $"); + +krb5_keytab gssapi_krb5_keytab; + +OM_uint32 +gsskrb5_register_acceptor_identity (const char *identity) +{ + krb5_error_code ret; + char *p; + + ret = gssapi_krb5_init(); + if(ret) + return GSS_S_FAILURE; + + if(gssapi_krb5_keytab != NULL) { + krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); + gssapi_krb5_keytab = NULL; + } + asprintf(&p, "FILE:%s", identity); + if(p == NULL) + return GSS_S_FAILURE; + ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); + free(p); + if(ret) + return GSS_S_FAILURE; + return GSS_S_COMPLETE; +} + +OM_uint32 +gss_accept_sec_context + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle + ) +{ + krb5_error_code kret; + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data indata; + krb5_flags ap_options; + OM_uint32 flags; + krb5_ticket *ticket = NULL; + krb5_keytab keytab = NULL; + krb5_data fwd_data; + OM_uint32 minor; + + GSSAPI_KRB5_INIT(); + + krb5_data_zero (&fwd_data); + output_token->length = 0; + output_token->value = NULL; + + if (src_name != NULL) + *src_name = NULL; + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (*context_handle == GSS_C_NO_CONTEXT) { + *context_handle = malloc(sizeof(**context_handle)); + if (*context_handle == GSS_C_NO_CONTEXT) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + } + + (*context_handle)->auth_context = NULL; + (*context_handle)->source = NULL; + (*context_handle)->target = NULL; + (*context_handle)->flags = 0; + (*context_handle)->more_flags = 0; + (*context_handle)->ticket = NULL; + (*context_handle)->lifetime = GSS_C_INDEFINITE; + + kret = krb5_auth_con_init (gssapi_krb5_context, + &(*context_handle)->auth_context); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + + if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS + && input_chan_bindings->application_data.length == + 2 * sizeof((*context_handle)->auth_context->local_port) + ) { + + /* Port numbers are expected to be in application_data.value, + * initator's port first */ + + krb5_address initiator_addr, acceptor_addr; + + memset(&initiator_addr, 0, sizeof(initiator_addr)); + memset(&acceptor_addr, 0, sizeof(acceptor_addr)); + + (*context_handle)->auth_context->remote_port = + *(int16_t *) input_chan_bindings->application_data.value; + + (*context_handle)->auth_context->local_port = + *((int16_t *) input_chan_bindings->application_data.value + 1); + + + kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, + &input_chan_bindings->acceptor_address, + (*context_handle)->auth_context->local_port, + &acceptor_addr); + if (kret) { + gssapi_krb5_set_error_string (); + ret = GSS_S_BAD_BINDINGS; + *minor_status = kret; + goto failure; + } + + kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, + &input_chan_bindings->initiator_address, + (*context_handle)->auth_context->remote_port, + &initiator_addr); + if (kret) { + krb5_free_address (gssapi_krb5_context, &acceptor_addr); + gssapi_krb5_set_error_string (); + ret = GSS_S_BAD_BINDINGS; + *minor_status = kret; + goto failure; + } + + kret = krb5_auth_con_setaddrs(gssapi_krb5_context, + (*context_handle)->auth_context, + &acceptor_addr, /* local address */ + &initiator_addr); /* remote address */ + + krb5_free_address (gssapi_krb5_context, &initiator_addr); + krb5_free_address (gssapi_krb5_context, &acceptor_addr); + +#if 0 + free(input_chan_bindings->application_data.value); + input_chan_bindings->application_data.value = NULL; + input_chan_bindings->application_data.length = 0; +#endif + + if (kret) { + gssapi_krb5_set_error_string (); + ret = GSS_S_BAD_BINDINGS; + *minor_status = kret; + goto failure; + } + } + + + + { + int32_t tmp; + + krb5_auth_con_getflags(gssapi_krb5_context, + (*context_handle)->auth_context, + &tmp); + tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + tmp); + } + + ret = gssapi_krb5_decapsulate (minor_status, + input_token_buffer, + &indata, + "\x01\x00"); + if (ret) + goto failure; + + if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { + if (gssapi_krb5_keytab != NULL) { + keytab = gssapi_krb5_keytab; + } + } else if (acceptor_cred_handle->keytab != NULL) { + keytab = acceptor_cred_handle->keytab; + } + + kret = krb5_rd_req (gssapi_krb5_context, + &(*context_handle)->auth_context, + &indata, + (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL + : acceptor_cred_handle->principal, + keytab, + &ap_options, + &ticket); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->client, + &(*context_handle)->source); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->server, + &(*context_handle)->target); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + + ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); + if (ret) + goto failure; + + if (src_name != NULL) { + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->client, + src_name); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + } + + { + krb5_authenticator authenticator; + + kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, + (*context_handle)->auth_context, + &authenticator); + if(kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + + ret = gssapi_krb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, + &flags, + &fwd_data); + krb5_free_authenticator(gssapi_krb5_context, &authenticator); + if (ret) + goto failure; + } + + if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { + krb5_ccache ccache; + int32_t ac_flags; + + if (delegated_cred_handle == NULL) + /* XXX Create a new delegated_cred_handle? */ + kret = krb5_cc_default (gssapi_krb5_context, &ccache); + else if (*delegated_cred_handle == NULL) { + if ((*delegated_cred_handle = + calloc(1, sizeof(**delegated_cred_handle))) == NULL) { + ret = GSS_S_FAILURE; + *minor_status = ENOMEM; + krb5_set_error_string(gssapi_krb5_context, "out of memory"); + gssapi_krb5_set_error_string(); + goto failure; + } + if ((ret = gss_duplicate_name(minor_status, ticket->client, + &(*delegated_cred_handle)->principal)) != 0) { + flags &= ~GSS_C_DELEG_FLAG; + free(*delegated_cred_handle); + *delegated_cred_handle = NULL; + goto end_fwd; + } + } + if (delegated_cred_handle != NULL && + (*delegated_cred_handle)->ccache == NULL) { + kret = krb5_cc_gen_new (gssapi_krb5_context, + &krb5_mcc_ops, + &(*delegated_cred_handle)->ccache); + ccache = (*delegated_cred_handle)->ccache; + } + if (delegated_cred_handle != NULL && + (*delegated_cred_handle)->mechanisms == NULL) { + ret = gss_create_empty_oid_set(minor_status, + &(*delegated_cred_handle)->mechanisms); + if (ret) + goto failure; + ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &(*delegated_cred_handle)->mechanisms); + if (ret) + goto failure; + } + + if (kret) { + flags &= ~GSS_C_DELEG_FLAG; + goto end_fwd; + } + + kret = krb5_cc_initialize(gssapi_krb5_context, + ccache, + *src_name); + if (kret) { + flags &= ~GSS_C_DELEG_FLAG; + goto end_fwd; + } + + krb5_auth_con_getflags(gssapi_krb5_context, + (*context_handle)->auth_context, + &ac_flags); + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); + kret = krb5_rd_cred2(gssapi_krb5_context, + (*context_handle)->auth_context, + ccache, + &fwd_data); + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + ac_flags); + if (kret) { + flags &= ~GSS_C_DELEG_FLAG; + goto end_fwd; + } + + end_fwd: + free(fwd_data.data); + } + + + flags |= GSS_C_TRANS_FLAG; + + if (ret_flags) + *ret_flags = flags; + (*context_handle)->lifetime = ticket->ticket.endtime; + (*context_handle)->flags = flags; + (*context_handle)->more_flags |= OPEN; + + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + if (ret) + goto failure; + } + + if(flags & GSS_C_MUTUAL_FLAG) { + krb5_data outbuf; + + kret = krb5_mk_rep (gssapi_krb5_context, + (*context_handle)->auth_context, + &outbuf); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + goto failure; + } + ret = gssapi_krb5_encapsulate (minor_status, + &outbuf, + output_token, + "\x02\x00"); + krb5_data_free (&outbuf); + if (ret) + goto failure; + } else { + output_token->length = 0; + output_token->value = NULL; + } + + (*context_handle)->ticket = ticket; + ticket = NULL; + +#if 0 + krb5_free_ticket (context, ticket); +#endif + + *minor_status = 0; + return GSS_S_COMPLETE; + + failure: + if (fwd_data.length > 0) + free(fwd_data.data); + if (ticket != NULL) + krb5_free_ticket (gssapi_krb5_context, ticket); + krb5_auth_con_free (gssapi_krb5_context, + (*context_handle)->auth_context); + if((*context_handle)->source) + krb5_free_principal (gssapi_krb5_context, + (*context_handle)->source); + if((*context_handle)->target) + krb5_free_principal (gssapi_krb5_context, + (*context_handle)->target); + free (*context_handle); + if (src_name != NULL) { + gss_release_name (&minor, src_name); + *src_name = NULL; + } + *context_handle = GSS_C_NO_CONTEXT; + return ret; +} |
