search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
x
[heimdal.git] / lib / gssapi / krb5 / accept_sec_context.c
blob2a4145b50cdc79d74a76cf7c134b27e3f6b34929
1 /*
2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gssapi_locl.h"
35
36 RCSID("$Id$");
37
38 static krb5_keytab gss_keytab;
39
40 OM_uint32
41 gsskrb5_register_acceptor_identity (char *identity)
42 {
43 char *p;
44 if(gss_keytab != NULL) {
45 krb5_kt_close(gssapi_krb5_context, gss_keytab);
46 gss_keytab = NULL;
47 }
48 asprintf(&p, "FILE:%s", identity);
49 if(p == NULL)
50 return GSS_S_FAILURE;
51 krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab);
52 free(p);
53 return GSS_S_COMPLETE;
54 }
55
56 OM_uint32
57 gss_accept_sec_context
58 (OM_uint32 * minor_status,
59 gss_ctx_id_t * context_handle,
60 const gss_cred_id_t acceptor_cred_handle,
61 const gss_buffer_t input_token_buffer,
62 const gss_channel_bindings_t input_chan_bindings,
63 gss_name_t * src_name,
64 gss_OID * mech_type,
65 gss_buffer_t output_token,
66 OM_uint32 * ret_flags,
67 OM_uint32 * time_rec,
68 gss_cred_id_t * delegated_cred_handle
69 )
70 {
71 krb5_error_code kret;
72 OM_uint32 ret;
73 krb5_data indata;
74 krb5_flags ap_options;
75 OM_uint32 flags;
76 krb5_ticket *ticket = NULL;
77 krb5_keytab keytab = NULL;
78 krb5_data fwd_data;
79 OM_uint32 minor;
80
81 gssapi_krb5_init ();
82
83 krb5_data_zero (&fwd_data);
84 output_token->length = 0;
85 output_token->value = NULL;
86
87 if (*context_handle == GSS_C_NO_CONTEXT) {
88 *context_handle = malloc(sizeof(**context_handle));
89 if (*context_handle == GSS_C_NO_CONTEXT) {
90 *minor_status = ENOMEM;
91 return GSS_S_FAILURE;
92 }
93 }
94
95 (*context_handle)->auth_context = NULL;
96 (*context_handle)->source = NULL;
97 (*context_handle)->target = NULL;
98 (*context_handle)->flags = 0;
99 (*context_handle)->more_flags = 0;
100 (*context_handle)->ticket = NULL;
101
102 if (src_name != NULL)
103 *src_name = NULL;
104
105 kret = krb5_auth_con_init (gssapi_krb5_context,
106 &(*context_handle)->auth_context);
107 if (kret) {
108 ret = GSS_S_FAILURE;
109 *minor_status = kret;
110 gssapi_krb5_set_error_string ();
111 goto failure;
112 }
113
114 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
115 && input_chan_bindings->application_data.length ==
116 2 * sizeof((*context_handle)->auth_context->local_port)
117 ) {
118
119 /* Port numbers are expected to be in application_data.value,
120 * initator's port first */
121
122 krb5_address initiator_addr, acceptor_addr;
123
124 memset(&initiator_addr, 0, sizeof(initiator_addr));
125 memset(&acceptor_addr, 0, sizeof(acceptor_addr));
126
127 (*context_handle)->auth_context->remote_port =
128 *(int16_t *) input_chan_bindings->application_data.value;
129
130 (*context_handle)->auth_context->local_port =
131 *((int16_t *) input_chan_bindings->application_data.value + 1);
132
133
134 kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
135 &input_chan_bindings->acceptor_address,
136 (*context_handle)->auth_context->local_port,
137 &acceptor_addr);
138 if (kret) {
139 *minor_status = kret;
140 gssapi_krb5_set_error_string ();
141 ret = GSS_S_BAD_BINDINGS;
142 goto failure;
143 }
144
145 kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
146 &input_chan_bindings->initiator_address,
147 (*context_handle)->auth_context->remote_port,
148 &initiator_addr);
149 if (kret) {
150 krb5_free_address (gssapi_krb5_context, &acceptor_addr);
151 *minor_status = kret;
152 gssapi_krb5_set_error_string ();
153 ret = GSS_S_BAD_BINDINGS;
154 goto failure;
155 }
156
157 kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
158 (*context_handle)->auth_context,
159 &acceptor_addr, /* local address */
160 &initiator_addr); /* remote address */
161
162 krb5_free_address (gssapi_krb5_context, &initiator_addr);
163 krb5_free_address (gssapi_krb5_context, &acceptor_addr);
164
165 #if 0
166 free(input_chan_bindings->application_data.value);
167 input_chan_bindings->application_data.value = NULL;
168 input_chan_bindings->application_data.length = 0;
169 #endif
170
171 if (kret) {
172 *minor_status = kret;
173 gssapi_krb5_set_error_string ();
174 ret = GSS_S_BAD_BINDINGS;
175 goto failure;
176 }
177 }
178
179
180
181 {
182 int32_t tmp;
183
184 krb5_auth_con_getflags(gssapi_krb5_context,
185 (*context_handle)->auth_context,
186 &tmp);
187 tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
188 krb5_auth_con_setflags(gssapi_krb5_context,
189 (*context_handle)->auth_context,
190 tmp);
191 }
192
193 ret = gssapi_krb5_decapsulate (input_token_buffer,
194 &indata,
195 "\x01\x00");
196 if (ret) {
197 kret = 0;
198 goto failure;
199 }
200
201 if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
202 if (gss_keytab != NULL) {
203 keytab = gss_keytab;
204 }
205 } else if (acceptor_cred_handle->keytab != NULL) {
206 keytab = acceptor_cred_handle->keytab;
207 }
208
209 kret = krb5_rd_req (gssapi_krb5_context,
210 &(*context_handle)->auth_context,
211 &indata,
212 (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
213 : acceptor_cred_handle->principal,
214 keytab,
215 &ap_options,
216 &ticket);
217 if (kret) {
218 ret = GSS_S_FAILURE;
219 *minor_status = kret;
220 gssapi_krb5_set_error_string ();
221 goto failure;
222 }
223
224 kret = krb5_copy_principal (gssapi_krb5_context,
225 ticket->client,
226 &(*context_handle)->source);
227 if (kret) {
228 ret = GSS_S_FAILURE;
229 *minor_status = kret;
230 gssapi_krb5_set_error_string ();
231 goto failure;
232 }
233
234 kret = krb5_copy_principal (gssapi_krb5_context,
235 ticket->server,
236 &(*context_handle)->target);
237 if (kret) {
238 ret = GSS_S_FAILURE;
239 *minor_status = kret;
240 gssapi_krb5_set_error_string ();
241 goto failure;
242 }
243
244 if (src_name != NULL) {
245 kret = krb5_copy_principal (gssapi_krb5_context,
246 ticket->client,
247 src_name);
248 if (kret) {
249 ret = GSS_S_FAILURE;
250 *minor_status = kret;
251 gssapi_krb5_set_error_string ();
252 goto failure;
253 }
254 }
255
256 {
257 krb5_authenticator authenticator;
258
259 kret = krb5_auth_con_getauthenticator(gssapi_krb5_context,
260 (*context_handle)->auth_context,
261 &authenticator);
262 if(kret) {
263 ret = GSS_S_FAILURE;
264 *minor_status = kret;
265 gssapi_krb5_set_error_string ();
266 goto failure;
267 }
268
269 kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
270 authenticator->cksum,
271 &flags,
272 &fwd_data);
273 krb5_free_authenticator(gssapi_krb5_context, &authenticator);
274 if (kret) {
275 ret = GSS_S_FAILURE;
276 *minor_status = kret;
277 gssapi_krb5_set_error_string ();
278 goto failure;
279 }
280 }
281
282 if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
283
284 krb5_ccache ccache;
285
286 if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
287 /* XXX Create a new delegated_cred_handle? */
288 kret = krb5_cc_default (gssapi_krb5_context, &ccache);
289
290 else {
291 if ((*delegated_cred_handle)->ccache == NULL)
292 kret = krb5_cc_gen_new (gssapi_krb5_context,
293 &krb5_mcc_ops,
294 &(*delegated_cred_handle)->ccache);
295 ccache = (*delegated_cred_handle)->ccache;
296 }
297
298 if (kret) {
299 flags &= ~GSS_C_DELEG_FLAG;
300 goto end_fwd;
301 }
302
303 kret = krb5_cc_initialize(gssapi_krb5_context,
304 ccache,
305 *src_name);
306 if (kret) {
307 flags &= ~GSS_C_DELEG_FLAG;
308 goto end_fwd;
309 }
310
311 kret = krb5_rd_cred2(gssapi_krb5_context,
312 (*context_handle)->auth_context,
313 ccache,
314 &fwd_data);
315 if (kret) {
316 flags &= ~GSS_C_DELEG_FLAG;
317 goto end_fwd;
318 }
319
320 end_fwd:
321 free(fwd_data.data);
322 }
323
324
325 flags |= GSS_C_TRANS_FLAG;
326
327 if (ret_flags)
328 *ret_flags = flags;
329 (*context_handle)->flags = flags;
330 (*context_handle)->more_flags |= OPEN;
331
332 if (mech_type)
333 *mech_type = GSS_KRB5_MECHANISM;
334
335 if (time_rec)
336 *time_rec = GSS_C_INDEFINITE;
337
338 if(flags & GSS_C_MUTUAL_FLAG) {
339 krb5_data outbuf;
340
341 kret = krb5_mk_rep (gssapi_krb5_context,
342 (*context_handle)->auth_context,
343 &outbuf);
344 if (kret) {
345 ret = GSS_S_FAILURE;
346 *minor_status = kret;
347 gssapi_krb5_set_error_string ();
348 goto failure;
349 }
350 ret = gssapi_krb5_encapsulate (&outbuf,
351 output_token,
352 "\x02\x00");
353 krb5_data_free (&outbuf);
354 if (ret) {
355 kret = 0;
356 goto failure;
357 }
358 } else {
359 output_token->length = 0;
360 }
361
362 (*context_handle)->ticket = ticket;
363 ticket = NULL;
364
365 #if 0
366 krb5_free_ticket (context, ticket);
367 #endif
368
369 return GSS_S_COMPLETE;
370
371 failure:
372 if (fwd_data.length > 0)
373 free(fwd_data.data);
374 if (ticket != NULL)
375 krb5_free_ticket (gssapi_krb5_context, ticket);
376 krb5_auth_con_free (gssapi_krb5_context,
377 (*context_handle)->auth_context);
378 if((*context_handle)->source)
379 krb5_free_principal (gssapi_krb5_context,
380 (*context_handle)->source);
381 if((*context_handle)->target)
382 krb5_free_principal (gssapi_krb5_context,
383 (*context_handle)->target);
384 free (*context_handle);
385 if (src_name != NULL) {
386 gss_release_name (&minor, src_name);
387 *src_name = NULL;
388 }
389 *context_handle = GSS_C_NO_CONTEXT;
390 *minor_status = kret;
391 return GSS_S_FAILURE;
392 }
Heimdal