search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
krb5_build_authenticator is private
[heimdal.git] / lib / gssapi / krb5 / init_sec_context.c
blob7f84efe35408a1ae169dad3af24411a24a952dea
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gsskrb5_locl.h"
35
36 /*
37 * copy the addresses from `input_chan_bindings' (if any) to
38 * the auth context `ac'
39 */
40
41 static OM_uint32
42 set_addresses (krb5_context context,
43 krb5_auth_context ac,
44 const gss_channel_bindings_t input_chan_bindings)
45 {
46 /* Port numbers are expected to be in application_data.value,
47 * initator's port first */
48
49 krb5_address initiator_addr, acceptor_addr;
50 krb5_error_code kret;
51
52 if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS
53 || input_chan_bindings->application_data.length !=
54 2 * sizeof(ac->local_port))
55 return 0;
56
57 memset(&initiator_addr, 0, sizeof(initiator_addr));
58 memset(&acceptor_addr, 0, sizeof(acceptor_addr));
59
60 ac->local_port =
61 *(int16_t *) input_chan_bindings->application_data.value;
62
63 ac->remote_port =
64 *((int16_t *) input_chan_bindings->application_data.value + 1);
65
66 kret = _gsskrb5i_address_to_krb5addr(context,
67 input_chan_bindings->acceptor_addrtype,
68 &input_chan_bindings->acceptor_address,
69 ac->remote_port,
70 &acceptor_addr);
71 if (kret)
72 return kret;
73
74 kret = _gsskrb5i_address_to_krb5addr(context,
75 input_chan_bindings->initiator_addrtype,
76 &input_chan_bindings->initiator_address,
77 ac->local_port,
78 &initiator_addr);
79 if (kret) {
80 krb5_free_address (context, &acceptor_addr);
81 return kret;
82 }
83
84 kret = krb5_auth_con_setaddrs(context,
85 ac,
86 &initiator_addr, /* local address */
87 &acceptor_addr); /* remote address */
88
89 krb5_free_address (context, &initiator_addr);
90 krb5_free_address (context, &acceptor_addr);
91
92 #if 0
93 free(input_chan_bindings->application_data.value);
94 input_chan_bindings->application_data.value = NULL;
95 input_chan_bindings->application_data.length = 0;
96 #endif
97
98 return kret;
99 }
100
101 OM_uint32
102 _gsskrb5_create_ctx(
103 OM_uint32 * minor_status,
104 gss_ctx_id_t * context_handle,
105 krb5_context context,
106 const gss_channel_bindings_t input_chan_bindings,
107 enum gss_ctx_id_t_state state)
108 {
109 krb5_error_code kret;
110 gsskrb5_ctx ctx;
111
112 *context_handle = NULL;
113
114 ctx = malloc(sizeof(*ctx));
115 if (ctx == NULL) {
116 *minor_status = ENOMEM;
117 return GSS_S_FAILURE;
118 }
119 ctx->auth_context = NULL;
120 ctx->source = NULL;
121 ctx->target = NULL;
122 ctx->kcred = NULL;
123 ctx->ccache = NULL;
124 ctx->state = state;
125 ctx->flags = 0;
126 ctx->more_flags = 0;
127 ctx->service_keyblock = NULL;
128 ctx->ticket = NULL;
129 krb5_data_zero(&ctx->fwd_data);
130 ctx->lifetime = GSS_C_INDEFINITE;
131 ctx->order = NULL;
132 ctx->crypto = NULL;
133 HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
134
135 kret = krb5_auth_con_init (context, &ctx->auth_context);
136 if (kret) {
137 *minor_status = kret;
138 HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
139 return GSS_S_FAILURE;
140 }
141
142 kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
143 if (kret) {
144 *minor_status = kret;
145
146 HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
147
148 krb5_auth_con_free(context, ctx->auth_context);
149
150 return GSS_S_BAD_BINDINGS;
151 }
152
153 /*
154 * We need a sequence number
155 */
156
157 krb5_auth_con_addflags(context,
158 ctx->auth_context,
159 KRB5_AUTH_CONTEXT_DO_SEQUENCE |
160 KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
161 NULL);
162
163 *context_handle = (gss_ctx_id_t)ctx;
164
165 return GSS_S_COMPLETE;
166 }
167
168
169 static OM_uint32
170 gsskrb5_get_creds(
171 OM_uint32 * minor_status,
172 krb5_context context,
173 krb5_ccache ccache,
174 gsskrb5_ctx ctx,
175 const gss_name_t target_name,
176 int use_dns,
177 OM_uint32 time_req,
178 OM_uint32 * time_rec)
179 {
180 OM_uint32 ret;
181 krb5_error_code kret;
182 krb5_creds this_cred;
183 OM_uint32 lifetime_rec;
184
185 if (ctx->target) {
186 krb5_free_principal(context, ctx->target);
187 ctx->target = NULL;
188 }
189 if (ctx->kcred) {
190 krb5_free_creds(context, ctx->kcred);
191 ctx->kcred = NULL;
192 }
193
194 ret = _gsskrb5_canon_name(minor_status, context, use_dns,
195 ctx->source, target_name, &ctx->target);
196 if (ret)
197 return ret;
198
199 memset(&this_cred, 0, sizeof(this_cred));
200 this_cred.client = ctx->source;
201 this_cred.server = ctx->target;
202
203 if (time_req && time_req != GSS_C_INDEFINITE) {
204 krb5_timestamp ts;
205
206 krb5_timeofday (context, &ts);
207 this_cred.times.endtime = ts + time_req;
208 } else {
209 this_cred.times.endtime = 0;
210 }
211
212 this_cred.session.keytype = KEYTYPE_NULL;
213
214 kret = krb5_get_credentials(context,
215 0,
216 ccache,
217 &this_cred,
218 &ctx->kcred);
219 if (kret) {
220 *minor_status = kret;
221 return GSS_S_FAILURE;
222 }
223
224 ctx->lifetime = ctx->kcred->times.endtime;
225
226 ret = _gsskrb5_lifetime_left(minor_status, context,
227 ctx->lifetime, &lifetime_rec);
228 if (ret) return ret;
229
230 if (lifetime_rec == 0) {
231 *minor_status = 0;
232 return GSS_S_CONTEXT_EXPIRED;
233 }
234
235 if (time_rec) *time_rec = lifetime_rec;
236
237 return GSS_S_COMPLETE;
238 }
239
240 static OM_uint32
241 gsskrb5_initiator_ready(
242 OM_uint32 * minor_status,
243 gsskrb5_ctx ctx,
244 krb5_context context)
245 {
246 OM_uint32 ret;
247 int32_t seq_number;
248 int is_cfx = 0;
249 OM_uint32 flags = ctx->flags;
250
251 krb5_free_creds(context, ctx->kcred);
252 ctx->kcred = NULL;
253
254 if (ctx->more_flags & CLOSE_CCACHE)
255 krb5_cc_close(context, ctx->ccache);
256 ctx->ccache = NULL;
257
258 krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
259
260 _gsskrb5i_is_cfx(context, ctx, 0);
261 is_cfx = (ctx->more_flags & IS_CFX);
262
263 ret = _gssapi_msg_order_create(minor_status,
264 &ctx->order,
265 _gssapi_msg_order_f(flags),
266 seq_number, 0, is_cfx);
267 if (ret) return ret;
268
269 ctx->state = INITIATOR_READY;
270 ctx->more_flags |= OPEN;
271
272 return GSS_S_COMPLETE;
273 }
274
275 /*
276 * handle delegated creds in init-sec-context
277 */
278
279 static void
280 do_delegation (krb5_context context,
281 krb5_auth_context ac,
282 krb5_ccache ccache,
283 krb5_creds *cred,
284 krb5_const_principal name,
285 krb5_data *fwd_data,
286 uint32_t flagmask,
287 uint32_t *flags)
288 {
289 krb5_creds creds;
290 KDCOptions fwd_flags;
291 krb5_error_code kret;
292
293 memset (&creds, 0, sizeof(creds));
294 krb5_data_zero (fwd_data);
295
296 kret = krb5_cc_get_principal(context, ccache, &creds.client);
297 if (kret)
298 goto out;
299
300 kret = krb5_make_principal(context,
301 &creds.server,
302 creds.client->realm,
303 KRB5_TGS_NAME,
304 creds.client->realm,
305 NULL);
306 if (kret)
307 goto out;
308
309 creds.times.endtime = 0;
310
311 memset(&fwd_flags, 0, sizeof(fwd_flags));
312 fwd_flags.forwarded = 1;
313 fwd_flags.forwardable = 1;
314
315 if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
316 name->name.name_string.len < 2)
317 goto out;
318
319 kret = krb5_get_forwarded_creds(context,
320 ac,
321 ccache,
322 KDCOptions2int(fwd_flags),
323 name->name.name_string.val[1],
324 &creds,
325 fwd_data);
326
327 out:
328 if (kret)
329 *flags &= ~flagmask;
330 else
331 *flags |= flagmask;
332
333 if (creds.client)
334 krb5_free_principal(context, creds.client);
335 if (creds.server)
336 krb5_free_principal(context, creds.server);
337 }
338
339 /*
340 * first stage of init-sec-context
341 */
342
343 static OM_uint32
344 init_auth
345 (OM_uint32 * minor_status,
346 gsskrb5_cred cred,
347 gsskrb5_ctx ctx,
348 krb5_context context,
349 gss_name_t name,
350 const gss_OID mech_type,
351 OM_uint32 req_flags,
352 OM_uint32 time_req,
353 const gss_buffer_t input_token,
354 gss_OID * actual_mech_type,
355 gss_buffer_t output_token,
356 OM_uint32 * ret_flags,
357 OM_uint32 * time_rec
358 )
359 {
360 OM_uint32 ret = GSS_S_FAILURE;
361 krb5_error_code kret;
362 krb5_data outbuf;
363 krb5_data fwd_data;
364 OM_uint32 lifetime_rec;
365 int allow_dns = 1;
366
367 krb5_data_zero(&outbuf);
368 krb5_data_zero(&fwd_data);
369
370 *minor_status = 0;
371
372 if (actual_mech_type)
373 *actual_mech_type = GSS_KRB5_MECHANISM;
374
375 if (cred == NULL) {
376 kret = krb5_cc_default (context, &ctx->ccache);
377 if (kret) {
378 *minor_status = kret;
379 ret = GSS_S_FAILURE;
380 goto failure;
381 }
382 ctx->more_flags |= CLOSE_CCACHE;
383 } else
384 ctx->ccache = cred->ccache;
385
386 kret = krb5_cc_get_principal (context, ctx->ccache, &ctx->source);
387 if (kret) {
388 *minor_status = kret;
389 ret = GSS_S_FAILURE;
390 goto failure;
391 }
392
393 ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
394 if (ret)
395 goto failure;
396
397
398 /*
399 * This is hideous glue for (NFS) clients that wants to limit the
400 * available enctypes to what it can support (encryption in
401 * kernel). If there is no enctypes selected for this credential,
402 * reset it to the default set of enctypes.
403 */
404 {
405 krb5_enctype *enctypes = NULL;
406
407 if (cred && cred->enctypes)
408 enctypes = cred->enctypes;
409 krb5_set_default_in_tkt_etypes(context, enctypes);
410 }
411
412 /* canon name if needed for client + target realm */
413 kret = krb5_cc_get_config(context, ctx->ccache, NULL,
414 "realm-config", &outbuf);
415 if (kret == 0) {
416 /* XXX 2 is no server canon */
417 if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
418 allow_dns = 0;
419 krb5_data_free(&outbuf);
420 }
421
422 /*
423 * First we try w/o dns, hope that the KDC have register alias
424 * (and referrals if cross realm) for this principal. If that
425 * fails and if we are allowed to using this realm try again with
426 * DNS canonicalizion.
427 */
428 ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
429 ctx, name, 0, time_req,
430 time_rec);
431 if (ret && allow_dns)
432 ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
433 ctx, name, 1, time_req,
434 time_rec);
435 if (ret)
436 goto failure;
437
438 ctx->lifetime = ctx->kcred->times.endtime;
439
440 ret = _gsskrb5_lifetime_left(minor_status,
441 context,
442 ctx->lifetime,
443 &lifetime_rec);
444 if (ret)
445 goto failure;
446
447 if (lifetime_rec == 0) {
448 *minor_status = 0;
449 ret = GSS_S_CONTEXT_EXPIRED;
450 goto failure;
451 }
452
453 krb5_auth_con_setkey(context,
454 ctx->auth_context,
455 &ctx->kcred->session);
456
457 kret = krb5_auth_con_generatelocalsubkey(context,
458 ctx->auth_context,
459 &ctx->kcred->session);
460 if(kret) {
461 *minor_status = kret;
462 ret = GSS_S_FAILURE;
463 goto failure;
464 }
465
466 return GSS_S_COMPLETE;
467
468 failure:
469 if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
470 krb5_cc_close(context, ctx->ccache);
471 ctx->ccache = NULL;
472
473 return ret;
474
475 }
476
477 static OM_uint32
478 init_auth_restart
479 (OM_uint32 * minor_status,
480 gsskrb5_cred cred,
481 gsskrb5_ctx ctx,
482 krb5_context context,
483 OM_uint32 req_flags,
484 const gss_channel_bindings_t input_chan_bindings,
485 const gss_buffer_t input_token,
486 gss_OID * actual_mech_type,
487 gss_buffer_t output_token,
488 OM_uint32 * ret_flags,
489 OM_uint32 * time_rec
490 )
491 {
492 OM_uint32 ret = GSS_S_FAILURE;
493 krb5_error_code kret;
494 krb5_flags ap_options;
495 krb5_data outbuf;
496 uint32_t flags;
497 krb5_data authenticator;
498 Checksum cksum;
499 krb5_enctype enctype;
500 krb5_data fwd_data, timedata;
501 int32_t offset = 0, oldoffset;
502 uint32_t flagmask;
503
504 krb5_data_zero(&outbuf);
505 krb5_data_zero(&fwd_data);
506
507 *minor_status = 0;
508
509 /*
510 * If the credential doesn't have ok-as-delegate, check if there
511 * is a realm setting and use that.
512 */
513 if (!ctx->kcred->flags.b.ok_as_delegate) {
514 krb5_data data;
515
516 ret = krb5_cc_get_config(context, ctx->ccache, NULL,
517 "realm-config", &data);
518 if (ret == 0) {
519 /* XXX 1 is use ok-as-delegate */
520 if (data.length < 1 || ((((unsigned char *)data.data)[0]) & 1) == 0)
521 req_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
522 krb5_data_free(&data);
523 }
524 }
525
526 flagmask = 0;
527
528 /* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */
529 if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
530 && ctx->kcred->flags.b.ok_as_delegate)
531 flagmask |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
532 /* if there still is a GSS_C_DELEG_FLAG, use that */
533 if (req_flags & GSS_C_DELEG_FLAG)
534 flagmask |= GSS_C_DELEG_FLAG;
535
536
537 flags = 0;
538 ap_options = 0;
539 if (flagmask & GSS_C_DELEG_FLAG) {
540 do_delegation (context,
541 ctx->auth_context,
542 ctx->ccache, ctx->kcred, ctx->target,
543 &fwd_data, flagmask, &flags);
544 }
545
546 if (req_flags & GSS_C_MUTUAL_FLAG) {
547 flags |= GSS_C_MUTUAL_FLAG;
548 ap_options |= AP_OPTS_MUTUAL_REQUIRED;
549 }
550
551 if (req_flags & GSS_C_REPLAY_FLAG)
552 flags |= GSS_C_REPLAY_FLAG;
553 if (req_flags & GSS_C_SEQUENCE_FLAG)
554 flags |= GSS_C_SEQUENCE_FLAG;
555 #if 0
556 if (req_flags & GSS_C_ANON_FLAG)
557 ; /* XXX */
558 #endif
559 if (req_flags & GSS_C_DCE_STYLE) {
560 /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
561 flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG;
562 ap_options |= AP_OPTS_MUTUAL_REQUIRED;
563 }
564 if (req_flags & GSS_C_IDENTIFY_FLAG)
565 flags |= GSS_C_IDENTIFY_FLAG;
566 if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
567 flags |= GSS_C_EXTENDED_ERROR_FLAG;
568
569 if (req_flags & GSS_C_CONF_FLAG) {
570 flags |= GSS_C_CONF_FLAG;
571 }
572 if (req_flags & GSS_C_INTEG_FLAG) {
573 flags |= GSS_C_INTEG_FLAG;
574 }
575 if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) {
576 flags |= GSS_C_CONF_FLAG;
577 flags |= GSS_C_INTEG_FLAG;
578 }
579 flags |= GSS_C_TRANS_FLAG;
580
581 if (ret_flags)
582 *ret_flags = flags;
583 ctx->flags = flags;
584 ctx->more_flags |= LOCAL;
585
586 ret = _gsskrb5_create_8003_checksum (minor_status,
587 input_chan_bindings,
588 flags,
589 &fwd_data,
590 &cksum);
591 krb5_data_free (&fwd_data);
592 if (ret)
593 goto failure;
594
595 enctype = ctx->auth_context->keyblock->keytype;
596
597 ret = krb5_cc_get_config(context, ctx->ccache, ctx->target,
598 "time-offset", &timedata);
599 if (ret == 0) {
600 if (timedata.length == 4) {
601 const u_char *p = timedata.data;
602 offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
603 }
604 krb5_data_free(&timedata);
605 }
606
607 if (offset) {
608 krb5_get_kdc_sec_offset (context, &oldoffset, NULL);
609 krb5_set_kdc_sec_offset (context, offset, -1);
610 }
611
612 kret = _krb5_build_authenticator(context,
613 ctx->auth_context,
614 enctype,
615 ctx->kcred,
616 &cksum,
617 &authenticator,
618 KRB5_KU_AP_REQ_AUTH);
619
620 if (kret) {
621 if (offset)
622 krb5_set_kdc_sec_offset (context, oldoffset, -1);
623 *minor_status = kret;
624 ret = GSS_S_FAILURE;
625 goto failure;
626 }
627
628 kret = krb5_build_ap_req (context,
629 enctype,
630 ctx->kcred,
631 ap_options,
632 authenticator,
633 &outbuf);
634 if (offset)
635 krb5_set_kdc_sec_offset (context, oldoffset, -1);
636 if (kret) {
637 *minor_status = kret;
638 ret = GSS_S_FAILURE;
639 goto failure;
640 }
641
642 if (flags & GSS_C_DCE_STYLE) {
643 output_token->value = outbuf.data;
644 output_token->length = outbuf.length;
645 } else {
646 ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
647 (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
648 krb5_data_free (&outbuf);
649 if (ret)
650 goto failure;
651 }
652
653 free_Checksum(&cksum);
654
655 if (flags & GSS_C_MUTUAL_FLAG) {
656 ctx->state = INITIATOR_WAIT_FOR_MUTAL;
657 return GSS_S_CONTINUE_NEEDED;
658 }
659
660 return gsskrb5_initiator_ready(minor_status, ctx, context);
661 failure:
662 if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
663 krb5_cc_close(context, ctx->ccache);
664 ctx->ccache = NULL;
665
666 return ret;
667 }
668
669
670 static OM_uint32
671 repl_mutual
672 (OM_uint32 * minor_status,
673 gsskrb5_ctx ctx,
674 krb5_context context,
675 const gss_OID mech_type,
676 OM_uint32 req_flags,
677 OM_uint32 time_req,
678 const gss_channel_bindings_t input_chan_bindings,
679 const gss_buffer_t input_token,
680 gss_OID * actual_mech_type,
681 gss_buffer_t output_token,
682 OM_uint32 * ret_flags,
683 OM_uint32 * time_rec
684 )
685 {
686 OM_uint32 ret;
687 krb5_error_code kret;
688 krb5_data indata;
689 krb5_ap_rep_enc_part *repl;
690
691 output_token->length = 0;
692 output_token->value = NULL;
693
694 if (actual_mech_type)
695 *actual_mech_type = GSS_KRB5_MECHANISM;
696
697 if (IS_DCE_STYLE(ctx)) {
698 /* There is no OID wrapping. */
699 indata.length = input_token->length;
700 indata.data = input_token->value;
701 } else {
702 ret = _gsskrb5_decapsulate (minor_status,
703 input_token,
704 &indata,
705 "\x02\x00",
706 GSS_KRB5_MECHANISM);
707 if (ret == GSS_S_DEFECTIVE_TOKEN) {
708 /* check if there is an error token sent instead */
709 ret = _gsskrb5_decapsulate (minor_status,
710 input_token,
711 &indata,
712 "\x03\x00",
713 GSS_KRB5_MECHANISM);
714 if (ret == GSS_S_COMPLETE) {
715 KRB_ERROR error;
716
717 kret = krb5_rd_error(context, &indata, &error);
718 if (kret == 0) {
719 kret = krb5_error_from_rd_error(context, &error, NULL);
720
721 /* save the time skrew for this host */
722 if (kret == KRB5KRB_AP_ERR_SKEW) {
723 krb5_data timedata;
724 unsigned char p[4];
725 int32_t t = error.stime - time(NULL);
726
727 p[0] = (t >> 24) & 0xFF;
728 p[1] = (t >> 16) & 0xFF;
729 p[2] = (t >> 8) & 0xFF;
730 p[3] = (t >> 0) & 0xFF;
731
732 timedata.data = p;
733 timedata.length = sizeof(p);
734
735 krb5_cc_set_config(context, ctx->ccache, ctx->target,
736 "time-offset", &timedata);
737
738 if ((ctx->more_flags & RETRIED) == 0)
739 ctx->state = INITIATOR_RESTART;
740 ctx->more_flags |= RETRIED;
741 }
742 free_KRB_ERROR (&error);
743 }
744 *minor_status = kret;
745 return GSS_S_FAILURE;
746 }
747 return ret;
748 }
749 }
750
751 kret = krb5_rd_rep (context,
752 ctx->auth_context,
753 &indata,
754 &repl);
755 if (kret) {
756 *minor_status = kret;
757 return GSS_S_FAILURE;
758 }
759 krb5_free_ap_rep_enc_part (context,
760 repl);
761
762 *minor_status = 0;
763 if (time_rec) {
764 ret = _gsskrb5_lifetime_left(minor_status,
765 context,
766 ctx->lifetime,
767 time_rec);
768 } else {
769 ret = GSS_S_COMPLETE;
770 }
771 if (ret_flags)
772 *ret_flags = ctx->flags;
773
774 if (req_flags & GSS_C_DCE_STYLE) {
775 int32_t local_seq, remote_seq;
776 krb5_data outbuf;
777
778 /*
779 * So DCE_STYLE is strange. The client echos the seq number
780 * that the server used in the server's mk_rep in its own
781 * mk_rep(). After when done, it resets to it's own seq number
782 * for the gss_wrap calls.
783 */
784
785 krb5_auth_getremoteseqnumber(context, ctx->auth_context, &remote_seq);
786 krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq);
787 krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq);
788
789 kret = krb5_mk_rep(context, ctx->auth_context, &outbuf);
790 if (kret) {
791 *minor_status = kret;
792 return GSS_S_FAILURE;
793 }
794
795 /* reset local seq number */
796 krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
797
798 output_token->length = outbuf.length;
799 output_token->value = outbuf.data;
800 }
801
802 return gsskrb5_initiator_ready(minor_status, ctx, context);
803 }
804
805 /*
806 * gss_init_sec_context
807 */
808
809 OM_uint32 _gsskrb5_init_sec_context
810 (OM_uint32 * minor_status,
811 const gss_cred_id_t cred_handle,
812 gss_ctx_id_t * context_handle,
813 const gss_name_t target_name,
814 const gss_OID mech_type,
815 OM_uint32 req_flags,
816 OM_uint32 time_req,
817 const gss_channel_bindings_t input_chan_bindings,
818 const gss_buffer_t input_token,
819 gss_OID * actual_mech_type,
820 gss_buffer_t output_token,
821 OM_uint32 * ret_flags,
822 OM_uint32 * time_rec
823 )
824 {
825 krb5_context context;
826 gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
827 gsskrb5_ctx ctx;
828 OM_uint32 ret;
829
830 GSSAPI_KRB5_INIT (&context);
831
832 output_token->length = 0;
833 output_token->value = NULL;
834
835 if (context_handle == NULL) {
836 *minor_status = 0;
837 return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
838 }
839
840 if (ret_flags)
841 *ret_flags = 0;
842 if (time_rec)
843 *time_rec = 0;
844
845 if (target_name == GSS_C_NO_NAME) {
846 if (actual_mech_type)
847 *actual_mech_type = GSS_C_NO_OID;
848 *minor_status = 0;
849 return GSS_S_BAD_NAME;
850 }
851
852 if (mech_type != GSS_C_NO_OID &&
853 !gss_oid_equal(mech_type, GSS_KRB5_MECHANISM))
854 return GSS_S_BAD_MECH;
855
856 if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
857 OM_uint32 ret;
858
859 if (*context_handle != GSS_C_NO_CONTEXT) {
860 *minor_status = 0;
861 return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
862 }
863
864 ret = _gsskrb5_create_ctx(minor_status,
865 context_handle,
866 context,
867 input_chan_bindings,
868 INITIATOR_START);
869 if (ret)
870 return ret;
871 }
872
873 if (*context_handle == GSS_C_NO_CONTEXT) {
874 *minor_status = 0;
875 return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
876 }
877
878 ctx = (gsskrb5_ctx) *context_handle;
879
880 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
881
882 again:
883 switch (ctx->state) {
884 case INITIATOR_START:
885 ret = init_auth(minor_status,
886 cred,
887 ctx,
888 context,
889 target_name,
890 mech_type,
891 req_flags,
892 time_req,
893 input_token,
894 actual_mech_type,
895 output_token,
896 ret_flags,
897 time_rec);
898 if (ret != GSS_S_COMPLETE)
899 break;
900 /* FALL THOUGH */
901 case INITIATOR_RESTART:
902 ret = init_auth_restart(minor_status,
903 cred,
904 ctx,
905 context,
906 req_flags,
907 input_chan_bindings,
908 input_token,
909 actual_mech_type,
910 output_token,
911 ret_flags,
912 time_rec);
913 break;
914 case INITIATOR_WAIT_FOR_MUTAL:
915 ret = repl_mutual(minor_status,
916 ctx,
917 context,
918 mech_type,
919 req_flags,
920 time_req,
921 input_chan_bindings,
922 input_token,
923 actual_mech_type,
924 output_token,
925 ret_flags,
926 time_rec);
927 if (ctx->state == INITIATOR_RESTART)
928 goto again;
929 break;
930 case INITIATOR_READY:
931 /*
932 * If we get there, the caller have called
933 * gss_init_sec_context() one time too many.
934 */
935 _gsskrb5_set_status(EINVAL, "init_sec_context "
936 "called one time too many");
937 *minor_status = EINVAL;
938 ret = GSS_S_BAD_STATUS;
939 break;
940 default:
941 _gsskrb5_set_status(EINVAL, "init_sec_context "
942 "invalid state %d for client",
943 (int)ctx->state);
944 *minor_status = EINVAL;
945 ret = GSS_S_BAD_STATUS;
946 break;
947 }
948 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
949
950 /* destroy context in case of error */
951 if (GSS_ERROR(ret)) {
952 OM_uint32 min2;
953 _gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER);
954 }
955
956 return ret;
957
958 }
Heimdal