lib/gssapi/krb5/accept_sec_context.c

   1 /*
   2  * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "gssapi_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 static krb5_keytab gss_keytab;
  39
  40 OM_uint32
  41 gsskrb5_register_acceptor_identity (char *identity)
  42 {
  43     char *p;
  44     if(gss_keytab != NULL) {
  45         krb5_kt_close(gssapi_krb5_context, gss_keytab);
  46         gss_keytab = NULL;
  47     }
  48     asprintf(&p, "FILE:%s", identity);
  49     if(p == NULL)
  50         return GSS_S_FAILURE;
  51     krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab);
  52     free(p);
  53     return GSS_S_COMPLETE;
  54 }
  55
  56 OM_uint32
  57 gss_accept_sec_context
  58            (OM_uint32 * minor_status,
  59             gss_ctx_id_t * context_handle,
  60             const gss_cred_id_t acceptor_cred_handle,
  61             const gss_buffer_t input_token_buffer,
  62             const gss_channel_bindings_t input_chan_bindings,
  63             gss_name_t * src_name,
  64             gss_OID * mech_type,
  65             gss_buffer_t output_token,
  66             OM_uint32 * ret_flags,
  67             OM_uint32 * time_rec,
  68             gss_cred_id_t * delegated_cred_handle
  69            )
  70 {
  71   krb5_error_code kret;
  72   OM_uint32 ret;
  73   krb5_data indata;
  74   krb5_flags ap_options;
  75   OM_uint32 flags;
  76   krb5_ticket *ticket = NULL;
  77   krb5_keytab keytab = NULL;
  78   krb5_data fwd_data;
  79
  80   gssapi_krb5_init ();
  81
  82   krb5_data_zero (&fwd_data);
  83   output_token->length = 0;
  84   output_token->value   = NULL;
  85
  86   if (*context_handle == GSS_C_NO_CONTEXT) {
  87       *context_handle = malloc(sizeof(**context_handle));
  88     if (*context_handle == GSS_C_NO_CONTEXT) {
  89         *minor_status = ENOMEM;
  90         return GSS_S_FAILURE;
  91     }
  92   }
  93
  94   (*context_handle)->auth_context =  NULL;
  95   (*context_handle)->source = NULL;
  96   (*context_handle)->target = NULL;
  97   (*context_handle)->flags = 0;
  98   (*context_handle)->more_flags = 0;
  99   (*context_handle)->ticket = NULL;
 100
 101   kret = krb5_auth_con_init (gssapi_krb5_context,
 102                              &(*context_handle)->auth_context);
 103   if (kret) {
 104     ret = GSS_S_FAILURE;
 105     goto failure;
 106   }
 107
 108   if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
 109       && input_chan_bindings->application_data.length ==
 110            2 * sizeof((*context_handle)->auth_context->local_port)
 111            ) {
 112
 113      /* Port numbers are expected to be in application_data.value,
 114       * initator's port first */
 115
 116      krb5_address initiator_addr, acceptor_addr;
 117
 118      memset(&initiator_addr, 0, sizeof(initiator_addr));
 119      memset(&acceptor_addr, 0, sizeof(acceptor_addr));
 120
 121      (*context_handle)->auth_context->remote_port =
 122         *(int16_t *) input_chan_bindings->application_data.value;
 123
 124      (*context_handle)->auth_context->local_port =
 125         *((int16_t *) input_chan_bindings->application_data.value + 1);
 126
 127
 128      kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
 129                                &input_chan_bindings->acceptor_address,
 130                                (*context_handle)->auth_context->local_port,
 131                                &acceptor_addr);
 132      if (kret) {
 133         *minor_status = kret;
 134         ret = GSS_S_BAD_BINDINGS;
 135         goto failure;
 136      }
 137
 138      kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
 139                                &input_chan_bindings->initiator_address,
 140                                (*context_handle)->auth_context->remote_port,
 141                                &initiator_addr);
 142      if (kret) {
 143         krb5_free_address (gssapi_krb5_context, &acceptor_addr);
 144         *minor_status = kret;
 145         ret = GSS_S_BAD_BINDINGS;
 146         goto failure;
 147      }
 148
 149      kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
 150                                    (*context_handle)->auth_context,
 151                                    &acceptor_addr,    /* local address */
 152                                    &initiator_addr);  /* remote address */
 153
 154      krb5_free_address (gssapi_krb5_context, &initiator_addr);
 155      krb5_free_address (gssapi_krb5_context, &acceptor_addr);
 156
 157 #if 0
 158      free(input_chan_bindings->application_data.value);
 159      input_chan_bindings->application_data.value = NULL;
 160      input_chan_bindings->application_data.length = 0;
 161 #endif
 162
 163      if (kret) {
 164         *minor_status = kret;
 165         ret = GSS_S_BAD_BINDINGS;
 166         goto failure;
 167      }
 168   }
 169
 170
 171
 172   {
 173     int32_t tmp;
 174
 175     krb5_auth_con_getflags(gssapi_krb5_context,
 176                            (*context_handle)->auth_context,
 177                            &tmp);
 178     tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
 179     krb5_auth_con_setflags(gssapi_krb5_context,
 180                            (*context_handle)->auth_context,
 181                            tmp);
 182   }
 183
 184   ret = gssapi_krb5_decapsulate (input_token_buffer,
 185                                  &indata,
 186                                  "\x01\x00");
 187   if (ret) {
 188       kret = 0;
 189       goto failure;
 190   }
 191
 192   if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
 193       if (gss_keytab != NULL) {
 194           keytab = gss_keytab;
 195      }
 196   } else if (acceptor_cred_handle->keytab != NULL) {
 197      keytab = acceptor_cred_handle->keytab;
 198   }
 199
 200   kret = krb5_rd_req (gssapi_krb5_context,
 201                       &(*context_handle)->auth_context,
 202                       &indata,
 203                       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
 204                         : acceptor_cred_handle->principal,
 205                       keytab,
 206                       &ap_options,
 207                       &ticket);
 208   if (kret) {
 209     ret = GSS_S_FAILURE;
 210     goto failure;
 211   }
 212
 213   kret = krb5_copy_principal (gssapi_krb5_context,
 214                               ticket->client,
 215                               &(*context_handle)->source);
 216   if (kret) {
 217     ret = GSS_S_FAILURE;
 218     goto failure;
 219   }
 220
 221   kret = krb5_copy_principal (gssapi_krb5_context,
 222                               ticket->server,
 223                               &(*context_handle)->target);
 224   if (kret) {
 225     ret = GSS_S_FAILURE;
 226     goto failure;
 227   }
 228
 229   if (src_name) {
 230     kret = krb5_copy_principal (gssapi_krb5_context,
 231                                 ticket->client,
 232                                 src_name);
 233     if (kret) {
 234       ret = GSS_S_FAILURE;
 235       goto failure;
 236     }
 237   }
 238
 239   {
 240       krb5_authenticator authenticator;
 241
 242       kret = krb5_auth_getauthenticator(gssapi_krb5_context,
 243                                         (*context_handle)->auth_context,
 244                                         &authenticator);
 245       if(kret) {
 246           ret = GSS_S_FAILURE;
 247           goto failure;
 248       }
 249
 250       kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
 251                                               authenticator->cksum,
 252                                               &flags,
 253                                               &fwd_data);
 254       krb5_free_authenticator(gssapi_krb5_context, &authenticator);
 255       if (kret) {
 256           ret = GSS_S_FAILURE;
 257           goto failure;
 258       }
 259   }
 260
 261   if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
 262
 263       krb5_ccache ccache;
 264
 265       if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
 266          /* XXX Create a new delegated_cred_handle? */
 267          kret = krb5_cc_default (gssapi_krb5_context, &ccache);
 268
 269       else {
 270          if ((*delegated_cred_handle)->ccache == NULL)
 271             kret = krb5_cc_gen_new (gssapi_krb5_context,
 272                                     &krb5_mcc_ops,
 273                                     &(*delegated_cred_handle)->ccache);
 274          ccache = (*delegated_cred_handle)->ccache;
 275       }
 276
 277       if (kret) {
 278          flags &= ~GSS_C_DELEG_FLAG;
 279          goto end_fwd;
 280       }
 281
 282       kret = krb5_cc_initialize(gssapi_krb5_context,
 283                                 ccache,
 284                                 *src_name);
 285       if (kret) {
 286          flags &= ~GSS_C_DELEG_FLAG;
 287          goto end_fwd;
 288       }
 289
 290       kret = krb5_rd_cred(gssapi_krb5_context,
 291                           (*context_handle)->auth_context,
 292                           ccache,
 293                           &fwd_data);
 294       if (kret) {
 295          flags &= ~GSS_C_DELEG_FLAG;
 296          goto end_fwd;
 297       }
 298
 299 end_fwd:
 300       free(fwd_data.data);
 301   }
 302
 303
 304   flags |= GSS_C_TRANS_FLAG;
 305
 306   if (ret_flags)
 307     *ret_flags = flags;
 308   (*context_handle)->flags = flags;
 309   (*context_handle)->more_flags |= OPEN;
 310
 311   if (mech_type)
 312     *mech_type = GSS_KRB5_MECHANISM;
 313
 314   if (time_rec)
 315     *time_rec = GSS_C_INDEFINITE;
 316
 317   if(flags & GSS_C_MUTUAL_FLAG) {
 318     krb5_data outbuf;
 319
 320     kret = krb5_mk_rep (gssapi_krb5_context,
 321                         &(*context_handle)->auth_context,
 322                         &outbuf);
 323     if (kret) {
 324       krb5_data_free (&outbuf);
 325       ret = GSS_S_FAILURE;
 326       goto failure;
 327     }
 328     ret = gssapi_krb5_encapsulate (&outbuf,
 329                                    output_token,
 330                                    "\x02\x00");
 331     if (ret) {
 332         kret = 0;
 333       goto failure;
 334     }
 335   } else {
 336     output_token->length = 0;
 337   }
 338
 339   (*context_handle)->ticket = ticket;
 340   ticket = NULL;
 341
 342 #if 0
 343   krb5_free_ticket (context, ticket);
 344 #endif
 345
 346   return GSS_S_COMPLETE;
 347
 348 failure:
 349   if (fwd_data.length > 0)
 350     free(fwd_data.data);
 351   if (ticket != NULL)
 352     krb5_free_ticket (gssapi_krb5_context, ticket);
 353   krb5_auth_con_free (gssapi_krb5_context,
 354                       (*context_handle)->auth_context);
 355   if((*context_handle)->source)
 356     krb5_free_principal (gssapi_krb5_context,
 357                          (*context_handle)->source);
 358   if((*context_handle)->target)
 359     krb5_free_principal (gssapi_krb5_context,
 360                          (*context_handle)->target);
 361   free (*context_handle);
 362   *context_handle = GSS_C_NO_CONTEXT;
 363   *minor_status = kret;
 364   return GSS_S_FAILURE;
 365 }