2 * Copyright (c) 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 #if defined(SASL) && defined(KRB5)
43 extern krb5_context gssapi_krb5_context
;
46 gss_ctx_id_t context_hdl
;
48 gss_name_t client_name
;
53 gss_set_error (struct gss_state
*gs
, int min_stat
)
56 OM_uint32 msg_ctx
= 0;
57 gss_buffer_desc status_string
;
63 ret
= gss_display_status (&new_stat
,
69 if (asprintf(&cstr
, "%.*s", (int)status_string
.length
,
70 (const char *)status_string
.value
) >= 0) {
71 pop_auth_set_error(cstr
);
74 pop_auth_set_error("unknown error");
76 gss_release_buffer (&new_stat
, &status_string
);
77 } while (!GSS_ERROR(ret
) && msg_ctx
!= 0);
81 gss_loop(POP
*p
, void *state
,
82 /* const */ void *input
, size_t input_length
,
83 void **output
, size_t *output_length
)
85 struct gss_state
*gs
= state
;
86 gss_buffer_desc real_input_token
, real_output_token
;
87 gss_buffer_t input_token
= &real_input_token
,
88 output_token
= &real_output_token
;
89 OM_uint32 maj_stat
, min_stat
;
90 gss_channel_bindings_t bindings
= GSS_C_NO_CHANNEL_BINDINGS
;
93 /* we require an initial response, so ask for one if not
96 if(input
== NULL
&& input_length
== 0) {
97 /* XXX this could be done better */
98 fputs("+ \r\n", p
->output
);
100 return POP_AUTH_CONTINUE
;
104 input_token
->value
= input
;
105 input_token
->length
= input_length
;
107 gss_accept_sec_context (&min_stat
,
118 if (GSS_ERROR(maj_stat
)) {
119 gss_set_error(gs
, min_stat
);
120 return POP_AUTH_FAILURE
;
122 if (output_token
->length
!= 0) {
123 *output
= output_token
->value
;
124 *output_length
= output_token
->length
;
126 if(maj_stat
== GSS_S_COMPLETE
)
129 return POP_AUTH_CONTINUE
;
133 /* send wanted protection levels */
134 unsigned char x
[4] = { 1, 0, 0, 0 };
136 input_token
->value
= x
;
137 input_token
->length
= 4;
139 maj_stat
= gss_wrap(&min_stat
,
146 if (GSS_ERROR(maj_stat
)) {
147 gss_set_error(gs
, min_stat
);
148 return POP_AUTH_FAILURE
;
150 *output
= output_token
->value
;
151 *output_length
= output_token
->length
;
153 return POP_AUTH_CONTINUE
;
156 /* receive protection levels and username */
158 krb5_principal principal
;
159 gss_buffer_desc export_name
;
163 input_token
->value
= input
;
164 input_token
->length
= input_length
;
166 maj_stat
= gss_unwrap (&min_stat
,
172 if (GSS_ERROR(maj_stat
)) {
173 gss_set_error(gs
, min_stat
);
174 return POP_AUTH_FAILURE
;
176 if(output_token
->length
< 5) {
177 pop_auth_set_error("response too short");
178 return POP_AUTH_FAILURE
;
180 ptr
= output_token
->value
;
182 pop_auth_set_error("must use clear text");
183 return POP_AUTH_FAILURE
;
185 memmove(output_token
->value
, ptr
+ 4, output_token
->length
- 4);
186 ptr
[output_token
->length
- 4] = '\0';
188 maj_stat
= gss_display_name(&min_stat
, gs
->client_name
,
190 if(maj_stat
!= GSS_S_COMPLETE
) {
191 gss_set_error(gs
, min_stat
);
192 return POP_AUTH_FAILURE
;
195 if(oid
!= GSS_KRB5_NT_PRINCIPAL_NAME
) {
196 pop_auth_set_error("unexpected gss name type");
197 gss_release_buffer(&min_stat
, &export_name
);
198 return POP_AUTH_FAILURE
;
200 name
= malloc(export_name
.length
+ 1);
202 pop_auth_set_error("out of memory");
203 gss_release_buffer(&min_stat
, &export_name
);
204 return POP_AUTH_FAILURE
;
206 memcpy(name
, export_name
.value
, export_name
.length
);
207 name
[export_name
.length
] = '\0';
208 gss_release_buffer(&min_stat
, &export_name
);
209 krb5_parse_name(gssapi_krb5_context
, name
, &principal
);
211 if(!krb5_kuserok(gssapi_krb5_context
, principal
, ptr
)) {
212 pop_auth_set_error("Permission denied");
213 return POP_AUTH_FAILURE
;
217 strlcpy(p
->user
, ptr
, sizeof(p
->user
));
218 return POP_AUTH_COMPLETE
;
220 return POP_AUTH_FAILURE
;
225 gss_init(POP
*p
, void **state
)
227 struct gss_state
*gs
= malloc(sizeof(*gs
));
229 pop_auth_set_error("out of memory");
230 return POP_AUTH_FAILURE
;
232 gs
->context_hdl
= GSS_C_NO_CONTEXT
;
235 return POP_AUTH_CONTINUE
;
239 gss_cleanup(POP
*p
, void *state
)
242 struct gss_state
*gs
= state
;
243 if(gs
->context_hdl
!= GSS_C_NO_CONTEXT
)
244 gss_delete_sec_context(&min_stat
, &gs
->context_hdl
, GSS_C_NO_BUFFER
);
246 return POP_AUTH_CONTINUE
;
249 struct auth_mech gssapi_mech
= {
250 "GSSAPI", gss_init
, gss_loop
, gss_cleanup