2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gssapi_locl.h"
36 RCSID("$Id: accept_sec_context.c,v 1.30 2001/08/29 02:21:09 assar Exp $");
38 krb5_keytab gssapi_krb5_keytab;
41 gsskrb5_register_acceptor_identity (char *identity)
46 ret = gssapi_krb5_init();
50 if(gssapi_krb5_keytab != NULL) {
51 krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab);
52 gssapi_krb5_keytab = NULL;
54 asprintf(&p, "FILE:%s", identity);
57 ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab);
61 return GSS_S_COMPLETE;
65 gss_accept_sec_context
66 (OM_uint32 * minor_status,
67 gss_ctx_id_t * context_handle,
68 const gss_cred_id_t acceptor_cred_handle,
69 const gss_buffer_t input_token_buffer,
70 const gss_channel_bindings_t input_chan_bindings,
71 gss_name_t * src_name,
73 gss_buffer_t output_token,
74 OM_uint32 * ret_flags,
76 gss_cred_id_t * delegated_cred_handle
82 krb5_flags ap_options;
84 krb5_ticket *ticket = NULL;
85 krb5_keytab keytab = NULL;
92 krb5_data_zero (&fwd_data);
93 output_token->length = 0;
94 output_token->value = NULL;
96 if (*context_handle == GSS_C_NO_CONTEXT) {
97 *context_handle = malloc(sizeof(**context_handle));
98 if (*context_handle == GSS_C_NO_CONTEXT) {
99 *minor_status = ENOMEM;
100 return GSS_S_FAILURE;
104 (*context_handle)->auth_context = NULL;
105 (*context_handle)->source = NULL;
106 (*context_handle)->target = NULL;
107 (*context_handle)->flags = 0;
108 (*context_handle)->more_flags = 0;
109 (*context_handle)->ticket = NULL;
111 if (src_name != NULL)
114 kret = krb5_auth_con_init (gssapi_krb5_context,
115 &(*context_handle)->auth_context);
118 *minor_status = kret;
119 gssapi_krb5_set_error_string ();
123 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
124 && input_chan_bindings->application_data.length ==
125 2 * sizeof((*context_handle)->auth_context->local_port)
128 /* Port numbers are expected to be in application_data.value,
129 * initator's port first */
131 krb5_address initiator_addr, acceptor_addr;
133 memset(&initiator_addr, 0, sizeof(initiator_addr));
134 memset(&acceptor_addr, 0, sizeof(acceptor_addr));
136 (*context_handle)->auth_context->remote_port =
137 *(int16_t *) input_chan_bindings->application_data.value;
139 (*context_handle)->auth_context->local_port =
140 *((int16_t *) input_chan_bindings->application_data.value + 1);
143 kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
144 &input_chan_bindings->acceptor_address,
145 (*context_handle)->auth_context->local_port,
148 gssapi_krb5_set_error_string ();
149 ret = GSS_S_BAD_BINDINGS;
150 *minor_status = kret;
154 kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
155 &input_chan_bindings->initiator_address,
156 (*context_handle)->auth_context->remote_port,
159 krb5_free_address (gssapi_krb5_context, &acceptor_addr);
160 gssapi_krb5_set_error_string ();
161 ret = GSS_S_BAD_BINDINGS;
162 *minor_status = kret;
166 kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
167 (*context_handle)->auth_context,
168 &acceptor_addr, /* local address */
169 &initiator_addr); /* remote address */
171 krb5_free_address (gssapi_krb5_context, &initiator_addr);
172 krb5_free_address (gssapi_krb5_context, &acceptor_addr);
175 free(input_chan_bindings->application_data.value);
176 input_chan_bindings->application_data.value = NULL;
177 input_chan_bindings->application_data.length = 0;
181 gssapi_krb5_set_error_string ();
182 ret = GSS_S_BAD_BINDINGS;
183 *minor_status = kret;
193 krb5_auth_con_getflags(gssapi_krb5_context,
194 (*context_handle)->auth_context,
196 tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
197 krb5_auth_con_setflags(gssapi_krb5_context,
198 (*context_handle)->auth_context,
202 ret = gssapi_krb5_decapsulate (minor_status,
209 if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
210 if (gssapi_krb5_keytab != NULL) {
211 keytab = gssapi_krb5_keytab;
213 } else if (acceptor_cred_handle->keytab != NULL) {
214 keytab = acceptor_cred_handle->keytab;
217 kret = krb5_rd_req (gssapi_krb5_context,
218 &(*context_handle)->auth_context,
220 (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
221 : acceptor_cred_handle->principal,
227 *minor_status = kret;
228 gssapi_krb5_set_error_string ();
232 kret = krb5_copy_principal (gssapi_krb5_context,
234 &(*context_handle)->source);
237 *minor_status = kret;
238 gssapi_krb5_set_error_string ();
242 kret = krb5_copy_principal (gssapi_krb5_context,
244 &(*context_handle)->target);
247 *minor_status = kret;
248 gssapi_krb5_set_error_string ();
252 if (src_name != NULL) {
253 kret = krb5_copy_principal (gssapi_krb5_context,
258 *minor_status = kret;
259 gssapi_krb5_set_error_string ();
265 krb5_authenticator authenticator;
267 kret = krb5_auth_con_getauthenticator(gssapi_krb5_context,
268 (*context_handle)->auth_context,
272 *minor_status = kret;
273 gssapi_krb5_set_error_string ();
277 ret = gssapi_krb5_verify_8003_checksum(minor_status,
279 authenticator->cksum,
282 krb5_free_authenticator(gssapi_krb5_context, &authenticator);
287 if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
291 if (delegated_cred_handle == NULL)
292 /* XXX Create a new delegated_cred_handle? */
293 kret = krb5_cc_default (gssapi_krb5_context, &ccache);
294 else if (*delegated_cred_handle == NULL) {
295 if ((*delegated_cred_handle =
296 calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
298 *minor_status = ENOMEM;
299 krb5_set_error_string(gssapi_krb5_context, "out of memory");
300 gssapi_krb5_set_error_string();
303 if ((ret = gss_duplicate_name(minor_status, ticket->client,
304 &(*delegated_cred_handle)->principal)) != 0) {
305 flags &= ~GSS_C_DELEG_FLAG;
306 free(*delegated_cred_handle);
307 *delegated_cred_handle = NULL;
311 if (delegated_cred_handle != NULL &&
312 (*delegated_cred_handle)->ccache == NULL) {
313 kret = krb5_cc_gen_new (gssapi_krb5_context,
315 &(*delegated_cred_handle)->ccache);
316 ccache = (*delegated_cred_handle)->ccache;
318 if (delegated_cred_handle != NULL &&
319 (*delegated_cred_handle)->mechanisms == NULL) {
320 ret = gss_create_empty_oid_set(minor_status,
321 &(*delegated_cred_handle)->mechanisms);
324 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
325 &(*delegated_cred_handle)->mechanisms);
331 flags &= ~GSS_C_DELEG_FLAG;
335 kret = krb5_cc_initialize(gssapi_krb5_context,
339 flags &= ~GSS_C_DELEG_FLAG;
343 kret = krb5_rd_cred2(gssapi_krb5_context,
344 (*context_handle)->auth_context,
348 flags &= ~GSS_C_DELEG_FLAG;
357 flags |= GSS_C_TRANS_FLAG;
361 (*context_handle)->flags = flags;
362 (*context_handle)->more_flags |= OPEN;
365 *mech_type = GSS_KRB5_MECHANISM;
368 *time_rec = GSS_C_INDEFINITE;
370 if(flags & GSS_C_MUTUAL_FLAG) {
373 kret = krb5_mk_rep (gssapi_krb5_context,
374 (*context_handle)->auth_context,
378 *minor_status = kret;
379 gssapi_krb5_set_error_string ();
382 ret = gssapi_krb5_encapsulate (minor_status,
386 krb5_data_free (&outbuf);
390 output_token->length = 0;
393 (*context_handle)->ticket = ticket;
397 krb5_free_ticket (context, ticket);
400 return GSS_S_COMPLETE;
403 if (fwd_data.length > 0)
406 krb5_free_ticket (gssapi_krb5_context, ticket);
407 krb5_auth_con_free (gssapi_krb5_context,
408 (*context_handle)->auth_context);
409 if((*context_handle)->source)
410 krb5_free_principal (gssapi_krb5_context,
411 (*context_handle)->source);
412 if((*context_handle)->target)
413 krb5_free_principal (gssapi_krb5_context,
414 (*context_handle)->target);
415 free (*context_handle);
416 if (src_name != NULL) {
417 gss_release_name (&minor, src_name);
420 *context_handle = GSS_C_NO_CONTEXT;