2 * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gssapi_locl.h"
40 (OM_uint32
* minor_status
,
41 const gss_cred_id_t initiator_cred_handle
,
42 gss_ctx_id_t
* context_handle
,
43 const gss_name_t target_name
,
44 const gss_OID mech_type
,
47 const gss_channel_bindings_t input_chan_bindings
,
48 const gss_buffer_t input_token
,
49 gss_OID
* actual_mech_type
,
50 gss_buffer_t output_token
,
51 OM_uint32
* ret_flags
,
55 OM_uint32 ret
= GSS_S_FAILURE
;
57 krb5_flags ap_options
;
58 krb5_creds this_cred
, *cred
;
63 krb5_data authenticator
;
67 output_token
->length
= 0;
68 output_token
->value
= NULL
;
75 *context_handle
= malloc(sizeof(**context_handle
));
76 if (*context_handle
== NULL
) {
77 *minor_status
= ENOMEM
;
81 (*context_handle
)->auth_context
= NULL
;
82 (*context_handle
)->source
= NULL
;
83 (*context_handle
)->target
= NULL
;
84 (*context_handle
)->flags
= 0;
85 (*context_handle
)->more_flags
= 0;
86 (*context_handle
)->ticket
= NULL
;
88 kret
= krb5_auth_con_init (gssapi_krb5_context
,
89 &(*context_handle
)->auth_context
);
99 krb5_auth_con_getflags(gssapi_krb5_context
,
100 (*context_handle
)->auth_context
,
102 tmp
|= KRB5_AUTH_CONTEXT_DO_SEQUENCE
;
103 krb5_auth_con_setflags(gssapi_krb5_context
,
104 (*context_handle
)->auth_context
,
108 if (actual_mech_type
)
109 *actual_mech_type
= GSS_KRB5_MECHANISM
;
113 if (req_flags
& GSS_C_DELEG_FLAG
)
115 if (req_flags
& GSS_C_MUTUAL_FLAG
) {
116 flags
|= GSS_C_MUTUAL_FLAG
;
117 ap_options
|= AP_OPTS_MUTUAL_REQUIRED
;
119 if (req_flags
& GSS_C_REPLAY_FLAG
)
121 if (req_flags
& GSS_C_SEQUENCE_FLAG
)
123 if (req_flags
& GSS_C_ANON_FLAG
)
125 flags
|= GSS_C_CONF_FLAG
;
126 flags
|= GSS_C_INTEG_FLAG
;
127 flags
|= GSS_C_SEQUENCE_FLAG
;
128 flags
|= GSS_C_TRANS_FLAG
;
132 (*context_handle
)->flags
= flags
;
133 (*context_handle
)->more_flags
= LOCAL
;
135 kret
= krb5_cc_default (gssapi_krb5_context
, &ccache
);
137 *minor_status
= kret
;
142 kret
= krb5_cc_get_principal (gssapi_krb5_context
,
144 &(*context_handle
)->source
);
146 *minor_status
= kret
;
151 kret
= krb5_copy_principal (gssapi_krb5_context
,
153 &(*context_handle
)->target
);
155 *minor_status
= kret
;
160 memset(&this_cred
, 0, sizeof(this_cred
));
161 this_cred
.client
= (*context_handle
)->source
;
162 this_cred
.server
= (*context_handle
)->target
;
163 this_cred
.times
.endtime
= 0;
164 this_cred
.session
.keytype
= ETYPE_DES_CBC_CRC
;
166 kret
= krb5_get_credentials (gssapi_krb5_context
,
167 KRB5_TC_MATCH_KEYTYPE
,
173 *minor_status
= kret
;
178 krb5_auth_con_setkey(gssapi_krb5_context
,
179 (*context_handle
)->auth_context
,
182 kret
= gssapi_krb5_create_8003_checksum (input_chan_bindings
,
186 *minor_status
= kret
;
192 enctype
= (*context_handle
)->auth_context
->keyblock
->keytype
;
194 if ((*context_handle
)->auth_context
->enctype
)
195 enctype
= (*context_handle
)->auth_context
->enctype
;
197 kret
= krb5_keytype_to_enctype(gssapi_krb5_context
,
198 (*context_handle
)->auth_context
->keyblock
->keytype
,
207 kret
= krb5_build_authenticator (gssapi_krb5_context
,
208 (*context_handle
)->auth_context
,
216 *minor_status
= kret
;
221 kret
= krb5_build_ap_req (gssapi_krb5_context
,
229 *minor_status
= kret
;
234 ret
= gssapi_krb5_encapsulate (&outbuf
,
238 *minor_status
= kret
;
242 if (flags
& GSS_C_MUTUAL_FLAG
) {
243 return GSS_S_CONTINUE_NEEDED
;
245 (*context_handle
)->more_flags
|= OPEN
;
246 return GSS_S_COMPLETE
;
250 krb5_auth_con_free (gssapi_krb5_context
,
251 (*context_handle
)->auth_context
);
252 if((*context_handle
)->source
)
253 krb5_free_principal (gssapi_krb5_context
,
254 (*context_handle
)->source
);
255 if((*context_handle
)->target
)
256 krb5_free_principal (gssapi_krb5_context
,
257 (*context_handle
)->target
);
258 free (*context_handle
);
259 krb5_data_free (&outbuf
);
260 *context_handle
= GSS_C_NO_CONTEXT
;
266 (OM_uint32
* minor_status
,
267 const gss_cred_id_t initiator_cred_handle
,
268 gss_ctx_id_t
* context_handle
,
269 const gss_name_t target_name
,
270 const gss_OID mech_type
,
273 const gss_channel_bindings_t input_chan_bindings
,
274 const gss_buffer_t input_token
,
275 gss_OID
* actual_mech_type
,
276 gss_buffer_t output_token
,
277 OM_uint32
* ret_flags
,
282 krb5_error_code kret
;
284 krb5_ap_rep_enc_part
*repl
;
286 ret
= gssapi_krb5_decapsulate (input_token
,
291 /* XXX - Handle AP_ERROR: a reply token that fails to decapsulate (including a KRB-ERROR / AP_ERROR reply from the acceptor) is reported only as a plain GSS_S_FAILURE below; the error body is not decoded or surfaced to the caller */
291 return GSS_S_FAILURE
;
294 kret
= krb5_rd_rep (gssapi_krb5_context
,
295 (*context_handle
)->auth_context
,
299 return GSS_S_FAILURE
;
300 krb5_free_ap_rep_enc_part (gssapi_krb5_context
,
303 output_token
->length
= 0;
305 (*context_handle
)->more_flags
|= OPEN
;
307 return GSS_S_COMPLETE
;
311 * gss_init_sec_context
314 OM_uint32 gss_init_sec_context
315 (OM_uint32
* minor_status
,
316 const gss_cred_id_t initiator_cred_handle
,
317 gss_ctx_id_t
* context_handle
,
318 const gss_name_t target_name
,
319 const gss_OID mech_type
,
322 const gss_channel_bindings_t input_chan_bindings
,
323 const gss_buffer_t input_token
,
324 gss_OID
* actual_mech_type
,
325 gss_buffer_t output_token
,
326 OM_uint32
* ret_flags
,
332 if (input_token
== GSS_C_NO_BUFFER
|| input_token
->length
== 0)
333 return init_auth (minor_status
,
334 initiator_cred_handle
,
347 return repl_mutual(minor_status
,
348 initiator_cred_handle
,