search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
x
[heimdal.git] / lib / gssapi / krb5 / accept_sec_context.c
blob8f1f6fdbc1c688f4664e2390d9a6f2c1f4ab3682
1 /*
2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gssapi_locl.h"
35
36 RCSID("$Id$");
37
38 krb5_keytab gssapi_krb5_keytab;
39
40 OM_uint32
41 gsskrb5_register_acceptor_identity (char *identity)
42 {
43 krb5_error_code ret;
44 char *p;
45
46 ret = gssapi_krb5_init();
47 if(ret)
48 return GSS_S_FAILURE;
49
50 if(gssapi_krb5_keytab != NULL) {
51 krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab);
52 gssapi_krb5_keytab = NULL;
53 }
54 asprintf(&p, "FILE:%s", identity);
55 if(p == NULL)
56 return GSS_S_FAILURE;
57 ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab);
58 free(p);
59 if(ret)
60 return GSS_S_FAILURE;
61 return GSS_S_COMPLETE;
62 }
63
64 OM_uint32
65 gss_accept_sec_context
66 (OM_uint32 * minor_status,
67 gss_ctx_id_t * context_handle,
68 const gss_cred_id_t acceptor_cred_handle,
69 const gss_buffer_t input_token_buffer,
70 const gss_channel_bindings_t input_chan_bindings,
71 gss_name_t * src_name,
72 gss_OID * mech_type,
73 gss_buffer_t output_token,
74 OM_uint32 * ret_flags,
75 OM_uint32 * time_rec,
76 gss_cred_id_t * delegated_cred_handle
77 )
78 {
79 krb5_error_code kret;
80 OM_uint32 ret;
81 krb5_data indata;
82 krb5_flags ap_options;
83 OM_uint32 flags;
84 krb5_ticket *ticket = NULL;
85 krb5_keytab keytab = NULL;
86 krb5_data fwd_data;
87 OM_uint32 minor;
88
89 ret = 0;
90 gssapi_krb5_init ();
91
92 krb5_data_zero (&fwd_data);
93 output_token->length = 0;
94 output_token->value = NULL;
95
96 if (*context_handle == GSS_C_NO_CONTEXT) {
97 *context_handle = malloc(sizeof(**context_handle));
98 if (*context_handle == GSS_C_NO_CONTEXT) {
99 *minor_status = ENOMEM;
100 return GSS_S_FAILURE;
101 }
102 }
103
104 (*context_handle)->auth_context = NULL;
105 (*context_handle)->source = NULL;
106 (*context_handle)->target = NULL;
107 (*context_handle)->flags = 0;
108 (*context_handle)->more_flags = 0;
109 (*context_handle)->ticket = NULL;
110
111 if (src_name != NULL)
112 *src_name = NULL;
113
114 kret = krb5_auth_con_init (gssapi_krb5_context,
115 &(*context_handle)->auth_context);
116 if (kret) {
117 ret = GSS_S_FAILURE;
118 *minor_status = kret;
119 gssapi_krb5_set_error_string ();
120 goto failure;
121 }
122
123 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
124 && input_chan_bindings->application_data.length ==
125 2 * sizeof((*context_handle)->auth_context->local_port)
126 ) {
127
128 /* Port numbers are expected to be in application_data.value,
129 * initator's port first */
130
131 krb5_address initiator_addr, acceptor_addr;
132
133 memset(&initiator_addr, 0, sizeof(initiator_addr));
134 memset(&acceptor_addr, 0, sizeof(acceptor_addr));
135
136 (*context_handle)->auth_context->remote_port =
137 *(int16_t *) input_chan_bindings->application_data.value;
138
139 (*context_handle)->auth_context->local_port =
140 *((int16_t *) input_chan_bindings->application_data.value + 1);
141
142
143 kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
144 &input_chan_bindings->acceptor_address,
145 (*context_handle)->auth_context->local_port,
146 &acceptor_addr);
147 if (kret) {
148 gssapi_krb5_set_error_string ();
149 ret = GSS_S_BAD_BINDINGS;
150 *minor_status = kret;
151 goto failure;
152 }
153
154 kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
155 &input_chan_bindings->initiator_address,
156 (*context_handle)->auth_context->remote_port,
157 &initiator_addr);
158 if (kret) {
159 krb5_free_address (gssapi_krb5_context, &acceptor_addr);
160 gssapi_krb5_set_error_string ();
161 ret = GSS_S_BAD_BINDINGS;
162 *minor_status = kret;
163 goto failure;
164 }
165
166 kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
167 (*context_handle)->auth_context,
168 &acceptor_addr, /* local address */
169 &initiator_addr); /* remote address */
170
171 krb5_free_address (gssapi_krb5_context, &initiator_addr);
172 krb5_free_address (gssapi_krb5_context, &acceptor_addr);
173
174 #if 0
175 free(input_chan_bindings->application_data.value);
176 input_chan_bindings->application_data.value = NULL;
177 input_chan_bindings->application_data.length = 0;
178 #endif
179
180 if (kret) {
181 gssapi_krb5_set_error_string ();
182 ret = GSS_S_BAD_BINDINGS;
183 *minor_status = kret;
184 goto failure;
185 }
186 }
187
188
189
190 {
191 int32_t tmp;
192
193 krb5_auth_con_getflags(gssapi_krb5_context,
194 (*context_handle)->auth_context,
195 &tmp);
196 tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
197 krb5_auth_con_setflags(gssapi_krb5_context,
198 (*context_handle)->auth_context,
199 tmp);
200 }
201
202 ret = gssapi_krb5_decapsulate (minor_status,
203 input_token_buffer,
204 &indata,
205 "\x01\x00");
206 if (ret)
207 goto failure;
208
209 if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
210 if (gssapi_krb5_keytab != NULL) {
211 keytab = gssapi_krb5_keytab;
212 }
213 } else if (acceptor_cred_handle->keytab != NULL) {
214 keytab = acceptor_cred_handle->keytab;
215 }
216
217 kret = krb5_rd_req (gssapi_krb5_context,
218 &(*context_handle)->auth_context,
219 &indata,
220 (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
221 : acceptor_cred_handle->principal,
222 keytab,
223 &ap_options,
224 &ticket);
225 if (kret) {
226 ret = GSS_S_FAILURE;
227 *minor_status = kret;
228 gssapi_krb5_set_error_string ();
229 goto failure;
230 }
231
232 kret = krb5_copy_principal (gssapi_krb5_context,
233 ticket->client,
234 &(*context_handle)->source);
235 if (kret) {
236 ret = GSS_S_FAILURE;
237 *minor_status = kret;
238 gssapi_krb5_set_error_string ();
239 goto failure;
240 }
241
242 kret = krb5_copy_principal (gssapi_krb5_context,
243 ticket->server,
244 &(*context_handle)->target);
245 if (kret) {
246 ret = GSS_S_FAILURE;
247 *minor_status = kret;
248 gssapi_krb5_set_error_string ();
249 goto failure;
250 }
251
252 if (src_name != NULL) {
253 kret = krb5_copy_principal (gssapi_krb5_context,
254 ticket->client,
255 src_name);
256 if (kret) {
257 ret = GSS_S_FAILURE;
258 *minor_status = kret;
259 gssapi_krb5_set_error_string ();
260 goto failure;
261 }
262 }
263
264 {
265 krb5_authenticator authenticator;
266
267 kret = krb5_auth_con_getauthenticator(gssapi_krb5_context,
268 (*context_handle)->auth_context,
269 &authenticator);
270 if(kret) {
271 ret = GSS_S_FAILURE;
272 *minor_status = kret;
273 gssapi_krb5_set_error_string ();
274 goto failure;
275 }
276
277 ret = gssapi_krb5_verify_8003_checksum(minor_status,
278 input_chan_bindings,
279 authenticator->cksum,
280 &flags,
281 &fwd_data);
282 krb5_free_authenticator(gssapi_krb5_context, &authenticator);
283 if (ret)
284 goto failure;
285 }
286
287 if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
288
289 krb5_ccache ccache;
290
291 if (delegated_cred_handle == NULL)
292 /* XXX Create a new delegated_cred_handle? */
293 kret = krb5_cc_default (gssapi_krb5_context, &ccache);
294 else if (*delegated_cred_handle == NULL) {
295 if ((*delegated_cred_handle =
296 calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
297 ret = GSS_S_FAILURE;
298 *minor_status = ENOMEM;
299 krb5_set_error_string(gssapi_krb5_context, "out of memory");
300 gssapi_krb5_set_error_string();
301 goto failure;
302 }
303 if ((ret = gss_duplicate_name(minor_status, ticket->client,
304 &(*delegated_cred_handle)->principal)) != 0) {
305 flags &= ~GSS_C_DELEG_FLAG;
306 free(*delegated_cred_handle);
307 *delegated_cred_handle = NULL;
308 goto end_fwd;
309 }
310 }
311 if (delegated_cred_handle != NULL &&
312 (*delegated_cred_handle)->ccache == NULL) {
313 kret = krb5_cc_gen_new (gssapi_krb5_context,
314 &krb5_mcc_ops,
315 &(*delegated_cred_handle)->ccache);
316 ccache = (*delegated_cred_handle)->ccache;
317 }
318 if (delegated_cred_handle != NULL &&
319 (*delegated_cred_handle)->mechanisms == NULL) {
320 ret = gss_create_empty_oid_set(minor_status,
321 &(*delegated_cred_handle)->mechanisms);
322 if (ret)
323 goto failure;
324 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
325 &(*delegated_cred_handle)->mechanisms);
326 if (ret)
327 goto failure;
328 }
329
330 if (kret) {
331 flags &= ~GSS_C_DELEG_FLAG;
332 goto end_fwd;
333 }
334
335 kret = krb5_cc_initialize(gssapi_krb5_context,
336 ccache,
337 *src_name);
338 if (kret) {
339 flags &= ~GSS_C_DELEG_FLAG;
340 goto end_fwd;
341 }
342
343 kret = krb5_rd_cred2(gssapi_krb5_context,
344 (*context_handle)->auth_context,
345 ccache,
346 &fwd_data);
347 if (kret) {
348 flags &= ~GSS_C_DELEG_FLAG;
349 goto end_fwd;
350 }
351
352 end_fwd:
353 free(fwd_data.data);
354 }
355
356
357 flags |= GSS_C_TRANS_FLAG;
358
359 if (ret_flags)
360 *ret_flags = flags;
361 (*context_handle)->flags = flags;
362 (*context_handle)->more_flags |= OPEN;
363
364 if (mech_type)
365 *mech_type = GSS_KRB5_MECHANISM;
366
367 if (time_rec)
368 *time_rec = GSS_C_INDEFINITE;
369
370 if(flags & GSS_C_MUTUAL_FLAG) {
371 krb5_data outbuf;
372
373 kret = krb5_mk_rep (gssapi_krb5_context,
374 (*context_handle)->auth_context,
375 &outbuf);
376 if (kret) {
377 ret = GSS_S_FAILURE;
378 *minor_status = kret;
379 gssapi_krb5_set_error_string ();
380 goto failure;
381 }
382 ret = gssapi_krb5_encapsulate (minor_status,
383 &outbuf,
384 output_token,
385 "\x02\x00");
386 krb5_data_free (&outbuf);
387 if (ret)
388 goto failure;
389 } else {
390 output_token->length = 0;
391 }
392
393 (*context_handle)->ticket = ticket;
394 ticket = NULL;
395
396 #if 0
397 krb5_free_ticket (context, ticket);
398 #endif
399
400 return GSS_S_COMPLETE;
401
402 failure:
403 if (fwd_data.length > 0)
404 free(fwd_data.data);
405 if (ticket != NULL)
406 krb5_free_ticket (gssapi_krb5_context, ticket);
407 krb5_auth_con_free (gssapi_krb5_context,
408 (*context_handle)->auth_context);
409 if((*context_handle)->source)
410 krb5_free_principal (gssapi_krb5_context,
411 (*context_handle)->source);
412 if((*context_handle)->target)
413 krb5_free_principal (gssapi_krb5_context,
414 (*context_handle)->target);
415 free (*context_handle);
416 if (src_name != NULL) {
417 gss_release_name (&minor, src_name);
418 *src_name = NULL;
419 }
420 *context_handle = GSS_C_NO_CONTEXT;
421 return ret;
422 }
Heimdal