2 * Copyright (c) 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 #if defined(SASL) && defined(KRB5)
43 extern krb5_context gssapi_krb5_context
;
46 gss_ctx_id_t context_hdl
;
48 gss_name_t client_name
;
53 gss_set_error (struct gss_state
*gs
, int min_stat
)
56 OM_uint32 msg_ctx
= 0;
57 gss_buffer_desc status_string
;
61 ret
= gss_display_status (&new_stat
,
67 pop_auth_set_error(status_string
.value
);
68 gss_release_buffer (&new_stat
, &status_string
);
69 } while (!GSS_ERROR(ret
) && msg_ctx
!= 0);
73 gss_loop(POP
*p
, void *state
,
74 /* const */ void *input
, size_t input_length
,
75 void **output
, size_t *output_length
)
77 struct gss_state
*gs
= state
;
78 gss_buffer_desc real_input_token
, real_output_token
;
79 gss_buffer_t input_token
= &real_input_token
,
80 output_token
= &real_output_token
;
81 OM_uint32 maj_stat
, min_stat
;
82 gss_channel_bindings_t bindings
= GSS_C_NO_CHANNEL_BINDINGS
;
85 /* we require an initial response, so ask for one if not
88 if(input
== NULL
&& input_length
== 0) {
89 /* XXX this could be done better */
90 fputs("+ \r\n", p
->output
);
92 return POP_AUTH_CONTINUE
;
96 input_token
->value
= input
;
97 input_token
->length
= input_length
;
99 gss_accept_sec_context (&min_stat
,
110 if (GSS_ERROR(maj_stat
)) {
111 gss_set_error(gs
, min_stat
);
112 return POP_AUTH_FAILURE
;
114 if (output_token
->length
!= 0) {
115 *output
= output_token
->value
;
116 *output_length
= output_token
->length
;
118 if(maj_stat
== GSS_S_COMPLETE
)
121 return POP_AUTH_CONTINUE
;
125 /* send wanted protection levels */
126 unsigned char x
[4] = { 1, 0, 0, 0 };
128 input_token
->value
= x
;
129 input_token
->length
= 4;
131 maj_stat
= gss_wrap(&min_stat
,
138 if (GSS_ERROR(maj_stat
)) {
139 gss_set_error(gs
, min_stat
);
140 return POP_AUTH_FAILURE
;
142 *output
= output_token
->value
;
143 *output_length
= output_token
->length
;
145 return POP_AUTH_CONTINUE
;
148 /* receive protection levels and username */
150 krb5_principal principal
;
151 gss_buffer_desc export_name
;
155 input_token
->value
= input
;
156 input_token
->length
= input_length
;
158 maj_stat
= gss_unwrap (&min_stat
,
164 if (GSS_ERROR(maj_stat
)) {
165 gss_set_error(gs
, min_stat
);
166 return POP_AUTH_FAILURE
;
168 if(output_token
->length
< 5) {
169 pop_auth_set_error("response too short");
170 return POP_AUTH_FAILURE
;
172 ptr
= output_token
->value
;
174 pop_auth_set_error("must use clear text");
175 return POP_AUTH_FAILURE
;
177 memmove(output_token
->value
, ptr
+ 4, output_token
->length
- 4);
178 ptr
[output_token
->length
- 4] = '\0';
180 maj_stat
= gss_display_name(&min_stat
, gs
->client_name
,
182 if(maj_stat
!= GSS_S_COMPLETE
) {
183 gss_set_error(gs
, min_stat
);
184 return POP_AUTH_FAILURE
;
187 if(oid
!= GSS_KRB5_NT_PRINCIPAL_NAME
) {
188 pop_auth_set_error("unexpected gss name type");
189 gss_release_buffer(&min_stat
, &export_name
);
190 return POP_AUTH_FAILURE
;
192 name
= malloc(export_name
.length
+ 1);
194 pop_auth_set_error("out of memory");
195 gss_release_buffer(&min_stat
, &export_name
);
196 return POP_AUTH_FAILURE
;
198 memcpy(name
, export_name
.value
, export_name
.length
);
199 name
[export_name
.length
] = '\0';
200 gss_release_buffer(&min_stat
, &export_name
);
201 krb5_parse_name(gssapi_krb5_context
, name
, &principal
);
203 if(!krb5_kuserok(gssapi_krb5_context
, principal
, ptr
)) {
204 pop_auth_set_error("Permission denied");
205 return POP_AUTH_FAILURE
;
209 strlcpy(p
->user
, ptr
, sizeof(p
->user
));
210 return POP_AUTH_COMPLETE
;
212 return POP_AUTH_FAILURE
;
217 gss_init(POP
*p
, void **state
)
219 struct gss_state
*gs
= malloc(sizeof(*gs
));
221 pop_auth_set_error("out of memory");
222 return POP_AUTH_FAILURE
;
224 gs
->context_hdl
= GSS_C_NO_CONTEXT
;
227 return POP_AUTH_CONTINUE
;
231 gss_cleanup(POP
*p
, void *state
)
234 struct gss_state
*gs
= state
;
235 if(gs
->context_hdl
!= GSS_C_NO_CONTEXT
)
236 gss_delete_sec_context(&min_stat
, &gs
->context_hdl
, GSS_C_NO_BUFFER
);
238 return POP_AUTH_CONTINUE
;
241 struct auth_mech gssapi_mech
= {
242 "GSSAPI", gss_init
, gss_loop
, gss_cleanup