lib/gssapi/accept_sec_context.c

   1 /*
   2  * Copyright (c) 1997 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. All advertising materials mentioning features or use of this software
  18  *    must display the following acknowledgement:
  19  *      This product includes software developed by Kungliga Tekniska
  20  *      Högskolan and its contributors.
  21  *
  22  * 4. Neither the name of the Institute nor the names of its contributors
  23  *    may be used to endorse or promote products derived from this software
  24  *    without specific prior written permission.
  25  *
  26  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  36  * SUCH DAMAGE.
  37  */
  38
  39 #include "gssapi_locl.h"
  40
  41 RCSID("$Id$");
  42
  43 static krb5_keytab_data gss_keytab = { NULL };
  44
  45 OM_uint32 gsskrb5_register_acceptor_identity
  46         (char *identity)
  47 {
  48   if (gss_keytab.filename != NULL)
  49     free(gss_keytab.filename);
  50   gss_keytab.filename = strdup(identity);
  51   return GSS_S_COMPLETE;
  52 }
  53
  54 OM_uint32 gss_accept_sec_context
  55            (OM_uint32 * minor_status,
  56             gss_ctx_id_t * context_handle,
  57             const gss_cred_id_t acceptor_cred_handle,
  58             const gss_buffer_t input_token_buffer,
  59             const gss_channel_bindings_t input_chan_bindings,
  60             gss_name_t * src_name,
  61             gss_OID * mech_type,
  62             gss_buffer_t output_token,
  63             OM_uint32 * ret_flags,
  64             OM_uint32 * time_rec,
  65             gss_cred_id_t * delegated_cred_handle
  66            )
  67 {
  68   krb5_error_code kret;
  69   OM_uint32 ret;
  70   krb5_data indata;
  71   krb5_flags ap_options;
  72   OM_uint32 flags;
  73   krb5_ticket *ticket;
  74   Checksum cksum;
  75   krb5_keytab_data *keytab = NULL;
  76
  77   gssapi_krb5_init ();
  78
  79   if (*context_handle != GSS_C_NO_CONTEXT) {
  80     *context_handle = malloc(sizeof(**context_handle));
  81     if (*context_handle == GSS_C_NO_CONTEXT)
  82       return GSS_S_FAILURE;
  83   }
  84
  85   (*context_handle)->auth_context =  NULL;
  86   (*context_handle)->source = NULL;
  87   (*context_handle)->target = NULL;
  88   (*context_handle)->flags = 0;
  89   (*context_handle)->more_flags = 0;
  90
  91   kret = krb5_auth_con_init (gssapi_krb5_context,
  92                              &(*context_handle)->auth_context);
  93   if (kret) {
  94     ret = GSS_S_FAILURE;
  95     goto failure;
  96   }
  97
  98   {
  99     int32_t tmp;
 100
 101     krb5_auth_con_getflags(gssapi_krb5_context,
 102                            (*context_handle)->auth_context,
 103                            &tmp);
 104     tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
 105     krb5_auth_con_setflags(gssapi_krb5_context,
 106                            (*context_handle)->auth_context,
 107                            tmp);
 108   }
 109
 110   ret = gssapi_krb5_decapsulate (input_token_buffer,
 111                                  &indata,
 112                                  "\x01\x00");
 113   if (ret)
 114     goto failure;
 115
 116   if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
 117      if (gss_keytab.filename != NULL) {
 118         keytab = &gss_keytab;
 119      }
 120   } else if (acceptor_cred_handle->keytab != NULL) {
 121      keytab = acceptor_cred_handle->keytab;
 122   }
 123
 124   kret = krb5_rd_req (gssapi_krb5_context,
 125                       &(*context_handle)->auth_context,
 126                       &indata,
 127                       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
 128                         : acceptor_cred_handle->principal,
 129                       keytab,
 130                       &ap_options,
 131                       &ticket);
 132   if (kret) {
 133     ret = GSS_S_FAILURE;
 134     goto failure;
 135   }
 136
 137   kret = krb5_copy_principal (gssapi_krb5_context,
 138                               ticket->client,
 139                               &(*context_handle)->source);
 140   if (kret) {
 141     ret = GSS_S_FAILURE;
 142     goto failure;
 143   }
 144
 145   if (src_name) {
 146     kret = krb5_copy_principal (gssapi_krb5_context,
 147                                 ticket->client,
 148                                 src_name);
 149     if (kret) {
 150       ret = GSS_S_FAILURE;
 151       goto failure;
 152     }
 153   }
 154
 155   flags = 0;
 156   if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
 157     flags |= GSS_C_MUTUAL_FLAG;
 158   flags |= GSS_C_CONF_FLAG;
 159   flags |= GSS_C_INTEG_FLAG;
 160   flags |= GSS_C_SEQUENCE_FLAG;
 161
 162   kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
 163                                            flags,
 164                                            &cksum);
 165
 166   if (kret) {
 167     ret = GSS_S_FAILURE;
 168     goto failure;
 169   }
 170
 171   {
 172     Checksum *c2 = (*context_handle)->auth_context->authenticator->cksum;
 173     if (cksum.cksumtype != c2->cksumtype ||
 174         cksum.checksum.length != c2->checksum.length ||
 175         memcmp(cksum.checksum.data,
 176                c2->checksum.data,
 177                cksum.checksum.length)) {
 178       ret = GSS_S_FAILURE;
 179       goto failure;
 180     }
 181   }
 182
 183   if (ret_flags)
 184     *ret_flags = flags;
 185   (*context_handle)->flags = flags;
 186   (*context_handle)->more_flags |= OPEN;
 187
 188   if (mech_type)
 189     *mech_type = GSS_KRB5_MECHANISM;
 190
 191   if (time_rec)
 192     *time_rec = GSS_C_INDEFINITE;
 193
 194   if(flags & GSS_C_MUTUAL_FLAG) {
 195     krb5_data outbuf;
 196
 197     kret = krb5_mk_rep (gssapi_krb5_context,
 198                         &(*context_handle)->auth_context,
 199                         &outbuf);
 200     if (kret) {
 201       krb5_data_free (&outbuf);
 202       ret = GSS_S_FAILURE;
 203       goto failure;
 204     }
 205     ret = gssapi_krb5_encapsulate (&outbuf,
 206                                    output_token,
 207                                    "\x02\x00");
 208     if (ret)
 209       goto failure;
 210   } else {
 211     output_token->length = 0;
 212   }
 213
 214   return GSS_S_COMPLETE;
 215
 216 failure:
 217   krb5_auth_con_free (gssapi_krb5_context,
 218                       (*context_handle)->auth_context);
 219   if((*context_handle)->source)
 220     krb5_free_principal (gssapi_krb5_context,
 221                          (*context_handle)->source);
 222   if((*context_handle)->target)
 223     krb5_free_principal (gssapi_krb5_context,
 224                          (*context_handle)->target);
 225   free (*context_handle);
 226   *context_handle = GSS_C_NO_CONTEXT;
 227   return GSS_S_FAILURE;
 228 }