lib/gssapi/krb5/accept_sec_context.c

   1 /*
   2  * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. All advertising materials mentioning features or use of this software
  18  *    must display the following acknowledgement:
  19  *      This product includes software developed by Kungliga Tekniska
  20  *      Högskolan and its contributors.
  21  *
  22  * 4. Neither the name of the Institute nor the names of its contributors
  23  *    may be used to endorse or promote products derived from this software
  24  *    without specific prior written permission.
  25  *
  26  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  36  * SUCH DAMAGE.
  37  */
  38
  39 #include "gssapi_locl.h"
  40
  41 RCSID("$Id$");
  42
  43 static krb5_keytab gss_keytab;
  44
  45 OM_uint32
  46 gsskrb5_register_acceptor_identity (char *identity)
  47 {
  48     char *p;
  49     if(gss_keytab != NULL) {
  50         krb5_kt_close(gssapi_krb5_context, gss_keytab);
  51         gss_keytab = NULL;
  52     }
  53     asprintf(&p, "FILE:%s", identity);
  54     if(p == NULL)
  55         return GSS_S_FAILURE;
  56     krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab);
  57     free(p);
  58     return GSS_S_COMPLETE;
  59 }
  60
  61 OM_uint32 gss_accept_sec_context
  62            (OM_uint32 * minor_status,
  63             gss_ctx_id_t * context_handle,
  64             const gss_cred_id_t acceptor_cred_handle,
  65             const gss_buffer_t input_token_buffer,
  66             const gss_channel_bindings_t input_chan_bindings,
  67             gss_name_t * src_name,
  68             gss_OID * mech_type,
  69             gss_buffer_t output_token,
  70             OM_uint32 * ret_flags,
  71             OM_uint32 * time_rec,
  72             gss_cred_id_t * delegated_cred_handle
  73            )
  74 {
  75   krb5_error_code kret;
  76   OM_uint32 ret;
  77   krb5_data indata;
  78   krb5_flags ap_options;
  79   OM_uint32 flags;
  80   krb5_ticket *ticket;
  81   krb5_keytab keytab = NULL;
  82
  83   gssapi_krb5_init ();
  84
  85   if (*context_handle == GSS_C_NO_CONTEXT) {
  86     *context_handle = malloc(sizeof(**context_handle));
  87     if (*context_handle == GSS_C_NO_CONTEXT)
  88       return GSS_S_FAILURE;
  89   }
  90
  91   (*context_handle)->auth_context =  NULL;
  92   (*context_handle)->source = NULL;
  93   (*context_handle)->target = NULL;
  94   (*context_handle)->flags = 0;
  95   (*context_handle)->more_flags = 0;
  96
  97   kret = krb5_auth_con_init (gssapi_krb5_context,
  98                              &(*context_handle)->auth_context);
  99   if (kret) {
 100     ret = GSS_S_FAILURE;
 101     goto failure;
 102   }
 103
 104   {
 105     int32_t tmp;
 106
 107     krb5_auth_con_getflags(gssapi_krb5_context,
 108                            (*context_handle)->auth_context,
 109                            &tmp);
 110     tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
 111     krb5_auth_con_setflags(gssapi_krb5_context,
 112                            (*context_handle)->auth_context,
 113                            tmp);
 114   }
 115
 116   ret = gssapi_krb5_decapsulate (input_token_buffer,
 117                                  &indata,
 118                                  "\x01\x00");
 119   if (ret)
 120     goto failure;
 121
 122   if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
 123       if (gss_keytab != NULL) {
 124           keytab = gss_keytab;
 125      }
 126   } else if (acceptor_cred_handle->keytab != NULL) {
 127      keytab = acceptor_cred_handle->keytab;
 128   }
 129
 130   kret = krb5_rd_req (gssapi_krb5_context,
 131                       &(*context_handle)->auth_context,
 132                       &indata,
 133                       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
 134                         : acceptor_cred_handle->principal,
 135                       keytab,
 136                       &ap_options,
 137                       &ticket);
 138   if (kret) {
 139     ret = GSS_S_FAILURE;
 140     goto failure;
 141   }
 142
 143   kret = krb5_copy_principal (gssapi_krb5_context,
 144                               ticket->client,
 145                               &(*context_handle)->source);
 146   if (kret) {
 147     ret = GSS_S_FAILURE;
 148     goto failure;
 149   }
 150
 151   if (src_name) {
 152     kret = krb5_copy_principal (gssapi_krb5_context,
 153                                 ticket->client,
 154                                 src_name);
 155     if (kret) {
 156       ret = GSS_S_FAILURE;
 157       goto failure;
 158     }
 159   }
 160
 161   {
 162       krb5_authenticator authenticator;
 163
 164       kret = krb5_auth_getauthenticator(gssapi_krb5_context,
 165                                         (*context_handle)->auth_context,
 166                                         &authenticator);
 167       if(kret) {
 168           ret = GSS_S_FAILURE;
 169           goto failure;
 170       }
 171
 172       kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
 173                                               authenticator->cksum,
 174                                               &flags);
 175       krb5_free_authenticator(gssapi_krb5_context, &authenticator);
 176       if (kret) {
 177           ret = GSS_S_FAILURE;
 178           goto failure;
 179       }
 180   }
 181
 182   if (ret_flags)
 183     *ret_flags = flags;
 184   (*context_handle)->flags = flags;
 185   (*context_handle)->more_flags |= OPEN;
 186
 187   if (mech_type)
 188     *mech_type = GSS_KRB5_MECHANISM;
 189
 190   if (time_rec)
 191     *time_rec = GSS_C_INDEFINITE;
 192
 193   if(flags & GSS_C_MUTUAL_FLAG) {
 194     krb5_data outbuf;
 195
 196     kret = krb5_mk_rep (gssapi_krb5_context,
 197                         &(*context_handle)->auth_context,
 198                         &outbuf);
 199     if (kret) {
 200       krb5_data_free (&outbuf);
 201       ret = GSS_S_FAILURE;
 202       goto failure;
 203     }
 204     ret = gssapi_krb5_encapsulate (&outbuf,
 205                                    output_token,
 206                                    "\x02\x00");
 207     if (ret)
 208       goto failure;
 209   } else {
 210     output_token->length = 0;
 211   }
 212
 213   return GSS_S_COMPLETE;
 214
 215 failure:
 216   krb5_auth_con_free (gssapi_krb5_context,
 217                       (*context_handle)->auth_context);
 218   if((*context_handle)->source)
 219     krb5_free_principal (gssapi_krb5_context,
 220                          (*context_handle)->source);
 221   if((*context_handle)->target)
 222     krb5_free_principal (gssapi_krb5_context,
 223                          (*context_handle)->target);
 224   free (*context_handle);
 225   *context_handle = GSS_C_NO_CONTEXT;
 226   return GSS_S_FAILURE;
 227 }