lib/gssapi/accept_sec_context.c

   1 /*
   2  * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "gssapi_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 static krb5_keytab gss_keytab;
  39
  40 OM_uint32
  41 gsskrb5_register_acceptor_identity (char *identity)
  42 {
  43     char *p;
  44     if(gss_keytab != NULL) {
  45         krb5_kt_close(gssapi_krb5_context, gss_keytab);
  46         gss_keytab = NULL;
  47     }
  48     asprintf(&p, "FILE:%s", identity);
  49     if(p == NULL)
  50         return GSS_S_FAILURE;
  51     krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab);
  52     free(p);
  53     return GSS_S_COMPLETE;
  54 }
  55
  56 OM_uint32
  57 gss_accept_sec_context
  58            (OM_uint32 * minor_status,
  59             gss_ctx_id_t * context_handle,
  60             const gss_cred_id_t acceptor_cred_handle,
  61             const gss_buffer_t input_token_buffer,
  62             const gss_channel_bindings_t input_chan_bindings,
  63             gss_name_t * src_name,
  64             gss_OID * mech_type,
  65             gss_buffer_t output_token,
  66             OM_uint32 * ret_flags,
  67             OM_uint32 * time_rec,
  68             gss_cred_id_t * delegated_cred_handle
  69            )
  70 {
  71   krb5_error_code kret;
  72   OM_uint32 ret;
  73   krb5_data indata;
  74   krb5_flags ap_options;
  75   OM_uint32 flags;
  76   krb5_ticket *ticket = NULL;
  77   krb5_keytab keytab = NULL;
  78
  79   gssapi_krb5_init ();
  80
  81   output_token->length = 0;
  82   output_token->value   = NULL;
  83
  84   if (*context_handle == GSS_C_NO_CONTEXT) {
  85       *context_handle = malloc(sizeof(**context_handle));
  86     if (*context_handle == GSS_C_NO_CONTEXT) {
  87         *minor_status = ENOMEM;
  88         return GSS_S_FAILURE;
  89     }
  90   }
  91
  92   (*context_handle)->auth_context =  NULL;
  93   (*context_handle)->source = NULL;
  94   (*context_handle)->target = NULL;
  95   (*context_handle)->flags = 0;
  96   (*context_handle)->more_flags = 0;
  97   (*context_handle)->ticket = NULL;
  98
  99   kret = krb5_auth_con_init (gssapi_krb5_context,
 100                              &(*context_handle)->auth_context);
 101   if (kret) {
 102     ret = GSS_S_FAILURE;
 103     goto failure;
 104   }
 105
 106   {
 107     int32_t tmp;
 108
 109     krb5_auth_con_getflags(gssapi_krb5_context,
 110                            (*context_handle)->auth_context,
 111                            &tmp);
 112     tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
 113     krb5_auth_con_setflags(gssapi_krb5_context,
 114                            (*context_handle)->auth_context,
 115                            tmp);
 116   }
 117
 118   ret = gssapi_krb5_decapsulate (input_token_buffer,
 119                                  &indata,
 120                                  "\x01\x00");
 121   if (ret) {
 122       kret = 0;
 123       goto failure;
 124   }
 125
 126   if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
 127       if (gss_keytab != NULL) {
 128           keytab = gss_keytab;
 129      }
 130   } else if (acceptor_cred_handle->keytab != NULL) {
 131      keytab = acceptor_cred_handle->keytab;
 132   }
 133
 134   kret = krb5_rd_req (gssapi_krb5_context,
 135                       &(*context_handle)->auth_context,
 136                       &indata,
 137                       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
 138                         : acceptor_cred_handle->principal,
 139                       keytab,
 140                       &ap_options,
 141                       &ticket);
 142   if (kret) {
 143     ret = GSS_S_FAILURE;
 144     goto failure;
 145   }
 146
 147   kret = krb5_copy_principal (gssapi_krb5_context,
 148                               ticket->client,
 149                               &(*context_handle)->source);
 150   if (kret) {
 151     ret = GSS_S_FAILURE;
 152     goto failure;
 153   }
 154
 155   kret = krb5_copy_principal (gssapi_krb5_context,
 156                               ticket->server,
 157                               &(*context_handle)->target);
 158   if (kret) {
 159     ret = GSS_S_FAILURE;
 160     goto failure;
 161   }
 162
 163   if (src_name) {
 164     kret = krb5_copy_principal (gssapi_krb5_context,
 165                                 ticket->client,
 166                                 src_name);
 167     if (kret) {
 168       ret = GSS_S_FAILURE;
 169       goto failure;
 170     }
 171   }
 172
 173   {
 174       krb5_authenticator authenticator;
 175
 176       kret = krb5_auth_getauthenticator(gssapi_krb5_context,
 177                                         (*context_handle)->auth_context,
 178                                         &authenticator);
 179       if(kret) {
 180           ret = GSS_S_FAILURE;
 181           goto failure;
 182       }
 183
 184       kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
 185                                               authenticator->cksum,
 186                                               &flags);
 187       krb5_free_authenticator(gssapi_krb5_context, &authenticator);
 188       if (kret) {
 189           ret = GSS_S_FAILURE;
 190           goto failure;
 191       }
 192   }
 193
 194   flags |= GSS_C_TRANS_FLAG;
 195
 196   if (ret_flags)
 197     *ret_flags = flags;
 198   (*context_handle)->flags = flags;
 199   (*context_handle)->more_flags |= OPEN;
 200
 201   if (mech_type)
 202     *mech_type = GSS_KRB5_MECHANISM;
 203
 204   if (time_rec)
 205     *time_rec = GSS_C_INDEFINITE;
 206
 207   if(flags & GSS_C_MUTUAL_FLAG) {
 208     krb5_data outbuf;
 209
 210     kret = krb5_mk_rep (gssapi_krb5_context,
 211                         &(*context_handle)->auth_context,
 212                         &outbuf);
 213     if (kret) {
 214       krb5_data_free (&outbuf);
 215       ret = GSS_S_FAILURE;
 216       goto failure;
 217     }
 218     ret = gssapi_krb5_encapsulate (&outbuf,
 219                                    output_token,
 220                                    "\x02\x00");
 221     if (ret) {
 222         kret = 0;
 223       goto failure;
 224     }
 225   } else {
 226     output_token->length = 0;
 227   }
 228
 229   (*context_handle)->ticket = ticket;
 230   ticket = NULL;
 231
 232 #if 0
 233   krb5_free_ticket (context, ticket);
 234 #endif
 235
 236   return GSS_S_COMPLETE;
 237
 238 failure:
 239   if (ticket != NULL)
 240     krb5_free_ticket (gssapi_krb5_context, ticket);
 241   krb5_auth_con_free (gssapi_krb5_context,
 242                       (*context_handle)->auth_context);
 243   if((*context_handle)->source)
 244     krb5_free_principal (gssapi_krb5_context,
 245                          (*context_handle)->source);
 246   if((*context_handle)->target)
 247     krb5_free_principal (gssapi_krb5_context,
 248                          (*context_handle)->target);
 249   free (*context_handle);
 250   *context_handle = GSS_C_NO_CONTEXT;
 251   *minor_status = kret;
 252   return GSS_S_FAILURE;
 253 }