search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
22575: Remove extra ;, From Dennis Davis.
[heimdal.git] / appl / popper / auth_gssapi.c
blob68de4ebe5fef74f02458f252ac085a7cb64f1b3a
1 /*
2 * Copyright (c) 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <popper.h>
35 #include <base64.h>
36 #include <pop_auth.h>
37 RCSID("$Id$");
38
39
40 #if defined(SASL) && defined(KRB5)
41 #include <gssapi.h>
42
43 extern krb5_context gssapi_krb5_context;
44
45 struct gss_state {
46 gss_ctx_id_t context_hdl;
47 gss_OID mech_oid;
48 gss_name_t client_name;
49 int stage;
50 };
51
52 static void
53 gss_set_error (struct gss_state *gs, int min_stat)
54 {
55 OM_uint32 new_stat;
56 OM_uint32 msg_ctx = 0;
57 gss_buffer_desc status_string;
58 OM_uint32 ret;
59
60 do {
61 ret = gss_display_status (&new_stat,
62 min_stat,
63 GSS_C_MECH_CODE,
64 gs->mech_oid,
65 &msg_ctx,
66 &status_string);
67 pop_auth_set_error(status_string.value);
68 gss_release_buffer (&new_stat, &status_string);
69 } while (!GSS_ERROR(ret) && msg_ctx != 0);
70 }
71
72 static int
73 gss_loop(POP *p, void *state,
74 /* const */ void *input, size_t input_length,
75 void **output, size_t *output_length)
76 {
77 struct gss_state *gs = state;
78 gss_buffer_desc real_input_token, real_output_token;
79 gss_buffer_t input_token = &real_input_token,
80 output_token = &real_output_token;
81 OM_uint32 maj_stat, min_stat;
82 gss_channel_bindings_t bindings = GSS_C_NO_CHANNEL_BINDINGS;
83
84 if(gs->stage == 0) {
85 /* we require an initial response, so ask for one if not
86 present */
87 gs->stage++;
88 if(input == NULL && input_length == 0) {
89 /* XXX this could be done better */
90 fputs("+ \r\n", p->output);
91 fflush(p->output);
92 return POP_AUTH_CONTINUE;
93 }
94 }
95 if(gs->stage == 1) {
96 input_token->value = input;
97 input_token->length = input_length;
98 maj_stat =
99 gss_accept_sec_context (&min_stat,
100 &gs->context_hdl,
101 GSS_C_NO_CREDENTIAL,
102 input_token,
103 bindings,
104 &gs->client_name,
105 &gs->mech_oid,
106 output_token,
107 NULL,
108 NULL,
109 NULL);
110 if (GSS_ERROR(maj_stat)) {
111 gss_set_error(gs, min_stat);
112 return POP_AUTH_FAILURE;
113 }
114 if (output_token->length != 0) {
115 *output = output_token->value;
116 *output_length = output_token->length;
117 }
118 if(maj_stat == GSS_S_COMPLETE)
119 gs->stage++;
120
121 return POP_AUTH_CONTINUE;
122 }
123
124 if(gs->stage == 2) {
125 /* send wanted protection levels */
126 unsigned char x[4] = { 1, 0, 0, 0 };
127
128 input_token->value = x;
129 input_token->length = 4;
130
131 maj_stat = gss_wrap(&min_stat,
132 gs->context_hdl,
133 FALSE,
134 GSS_C_QOP_DEFAULT,
135 input_token,
136 NULL,
137 output_token);
138 if (GSS_ERROR(maj_stat)) {
139 gss_set_error(gs, min_stat);
140 return POP_AUTH_FAILURE;
141 }
142 *output = output_token->value;
143 *output_length = output_token->length;
144 gs->stage++;
145 return POP_AUTH_CONTINUE;
146 }
147 if(gs->stage == 3) {
148 /* receive protection levels and username */
149 char *name;
150 krb5_principal principal;
151 gss_buffer_desc export_name;
152 gss_OID oid;
153 unsigned char *ptr;
154
155 input_token->value = input;
156 input_token->length = input_length;
157
158 maj_stat = gss_unwrap (&min_stat,
159 gs->context_hdl,
160 input_token,
161 output_token,
162 NULL,
163 NULL);
164 if (GSS_ERROR(maj_stat)) {
165 gss_set_error(gs, min_stat);
166 return POP_AUTH_FAILURE;
167 }
168 if(output_token->length < 5) {
169 pop_auth_set_error("response too short");
170 return POP_AUTH_FAILURE;
171 }
172 ptr = output_token->value;
173 if(ptr[0] != 1) {
174 pop_auth_set_error("must use clear text");
175 return POP_AUTH_FAILURE;
176 }
177 memmove(output_token->value, ptr + 4, output_token->length - 4);
178 ptr[output_token->length - 4] = '\0';
179
180 maj_stat = gss_display_name(&min_stat, gs->client_name,
181 &export_name, &oid);
182 if(maj_stat != GSS_S_COMPLETE) {
183 gss_set_error(gs, min_stat);
184 return POP_AUTH_FAILURE;
185 }
186 /* XXX kerberos */
187 if(oid != GSS_KRB5_NT_PRINCIPAL_NAME) {
188 pop_auth_set_error("unexpected gss name type");
189 gss_release_buffer(&min_stat, &export_name);
190 return POP_AUTH_FAILURE;
191 }
192 name = malloc(export_name.length + 1);
193 if(name == NULL) {
194 pop_auth_set_error("out of memory");
195 gss_release_buffer(&min_stat, &export_name);
196 return POP_AUTH_FAILURE;
197 }
198 memcpy(name, export_name.value, export_name.length);
199 name[export_name.length] = '\0';
200 gss_release_buffer(&min_stat, &export_name);
201 krb5_parse_name(gssapi_krb5_context, name, &principal);
202
203 if(!krb5_kuserok(gssapi_krb5_context, principal, ptr)) {
204 pop_auth_set_error("Permission denied");
205 return POP_AUTH_FAILURE;
206 }
207
208
209 strlcpy(p->user, ptr, sizeof(p->user));
210 return POP_AUTH_COMPLETE;
211 }
212 return POP_AUTH_FAILURE;
213 }
214
215
216 static int
217 gss_init(POP *p, void **state)
218 {
219 struct gss_state *gs = malloc(sizeof(*gs));
220 if(gs == NULL) {
221 pop_auth_set_error("out of memory");
222 return POP_AUTH_FAILURE;
223 }
224 gs->context_hdl = GSS_C_NO_CONTEXT;
225 gs->stage = 0;
226 *state = gs;
227 return POP_AUTH_CONTINUE;
228 }
229
230 static int
231 gss_cleanup(POP *p, void *state)
232 {
233 OM_uint32 min_stat;
234 struct gss_state *gs = state;
235 if(gs->context_hdl != GSS_C_NO_CONTEXT)
236 gss_delete_sec_context(&min_stat, &gs->context_hdl, GSS_C_NO_BUFFER);
237 free(state);
238 return POP_AUTH_CONTINUE;
239 }
240
241 struct auth_mech gssapi_mech = {
242 "GSSAPI", gss_init, gss_loop, gss_cleanup
243 };
244
245 #endif /* KRB5 */
Heimdal