/* * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "gssapi_locl.h" RCSID("$Id: accept_sec_context.c,v 1.33.2.2 2003/12/19 00:37:06 lha Exp $"); krb5_keytab gssapi_krb5_keytab; OM_uint32 gsskrb5_register_acceptor_identity (const char *identity) { krb5_error_code ret; char *p; ret = gssapi_krb5_init(); if(ret) return GSS_S_FAILURE; if(gssapi_krb5_keytab != NULL) { krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); gssapi_krb5_keytab = NULL; } asprintf(&p, "FILE:%s", identity); if(p == NULL) return GSS_S_FAILURE; ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); free(p); if(ret) return GSS_S_FAILURE; return GSS_S_COMPLETE; } OM_uint32 gss_accept_sec_context (OM_uint32 * minor_status, gss_ctx_id_t * context_handle, const gss_cred_id_t acceptor_cred_handle, const gss_buffer_t input_token_buffer, const gss_channel_bindings_t input_chan_bindings, gss_name_t * src_name, gss_OID * mech_type, gss_buffer_t output_token, OM_uint32 * ret_flags, OM_uint32 * time_rec, gss_cred_id_t * delegated_cred_handle ) { krb5_error_code kret; OM_uint32 ret = GSS_S_COMPLETE; krb5_data indata; krb5_flags ap_options; OM_uint32 flags; krb5_ticket *ticket = NULL; krb5_keytab keytab = NULL; krb5_data fwd_data; OM_uint32 minor; GSSAPI_KRB5_INIT(); krb5_data_zero (&fwd_data); output_token->length = 0; output_token->value = NULL; if (src_name != NULL) *src_name = NULL; if (mech_type) *mech_type = GSS_KRB5_MECHANISM; if (*context_handle == GSS_C_NO_CONTEXT) { *context_handle = malloc(sizeof(**context_handle)); if (*context_handle == GSS_C_NO_CONTEXT) { *minor_status = ENOMEM; return GSS_S_FAILURE; } } (*context_handle)->auth_context = NULL; (*context_handle)->source = NULL; (*context_handle)->target = NULL; (*context_handle)->flags = 0; (*context_handle)->more_flags = 0; (*context_handle)->ticket = NULL; (*context_handle)->lifetime = GSS_C_INDEFINITE; kret = krb5_auth_con_init (gssapi_krb5_context, &(*context_handle)->auth_context); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS && input_chan_bindings->application_data.length == 2 * sizeof((*context_handle)->auth_context->local_port) ) { /* Port numbers are expected to be in application_data.value, * initator's port first */ krb5_address initiator_addr, acceptor_addr; memset(&initiator_addr, 0, sizeof(initiator_addr)); memset(&acceptor_addr, 0, sizeof(acceptor_addr)); (*context_handle)->auth_context->remote_port = *(int16_t *) input_chan_bindings->application_data.value; (*context_handle)->auth_context->local_port = *((int16_t *) input_chan_bindings->application_data.value + 1); kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, &input_chan_bindings->acceptor_address, (*context_handle)->auth_context->local_port, &acceptor_addr); if (kret) { gssapi_krb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; *minor_status = kret; goto failure; } kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, &input_chan_bindings->initiator_address, (*context_handle)->auth_context->remote_port, &initiator_addr); if (kret) { krb5_free_address (gssapi_krb5_context, &acceptor_addr); gssapi_krb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; *minor_status = kret; goto failure; } kret = krb5_auth_con_setaddrs(gssapi_krb5_context, (*context_handle)->auth_context, &acceptor_addr, /* local address */ &initiator_addr); /* remote address */ krb5_free_address (gssapi_krb5_context, &initiator_addr); krb5_free_address (gssapi_krb5_context, &acceptor_addr); #if 0 free(input_chan_bindings->application_data.value); input_chan_bindings->application_data.value = NULL; input_chan_bindings->application_data.length = 0; #endif if (kret) { gssapi_krb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; *minor_status = kret; goto failure; } } { int32_t tmp; krb5_auth_con_getflags(gssapi_krb5_context, (*context_handle)->auth_context, &tmp); tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; krb5_auth_con_setflags(gssapi_krb5_context, (*context_handle)->auth_context, tmp); } ret = gssapi_krb5_decapsulate (minor_status, input_token_buffer, &indata, "\x01\x00"); if (ret) goto failure; if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { if (gssapi_krb5_keytab != NULL) { keytab = gssapi_krb5_keytab; } } else if (acceptor_cred_handle->keytab != NULL) { keytab = acceptor_cred_handle->keytab; } kret = krb5_rd_req (gssapi_krb5_context, &(*context_handle)->auth_context, &indata, (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred_handle->principal, keytab, &ap_options, &ticket); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } kret = krb5_copy_principal (gssapi_krb5_context, ticket->client, &(*context_handle)->source); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } kret = krb5_copy_principal (gssapi_krb5_context, ticket->server, &(*context_handle)->target); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); if (ret) goto failure; if (src_name != NULL) { kret = krb5_copy_principal (gssapi_krb5_context, ticket->client, src_name); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } } { krb5_authenticator authenticator; kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, (*context_handle)->auth_context, &authenticator); if(kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } ret = gssapi_krb5_verify_8003_checksum(minor_status, input_chan_bindings, authenticator->cksum, &flags, &fwd_data); krb5_free_authenticator(gssapi_krb5_context, &authenticator); if (ret) goto failure; } if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { krb5_ccache ccache; int32_t ac_flags; if (delegated_cred_handle == NULL) /* XXX Create a new delegated_cred_handle? */ kret = krb5_cc_default (gssapi_krb5_context, &ccache); else if (*delegated_cred_handle == NULL) { if ((*delegated_cred_handle = calloc(1, sizeof(**delegated_cred_handle))) == NULL) { ret = GSS_S_FAILURE; *minor_status = ENOMEM; krb5_set_error_string(gssapi_krb5_context, "out of memory"); gssapi_krb5_set_error_string(); goto failure; } if ((ret = gss_duplicate_name(minor_status, ticket->client, &(*delegated_cred_handle)->principal)) != 0) { flags &= ~GSS_C_DELEG_FLAG; free(*delegated_cred_handle); *delegated_cred_handle = NULL; goto end_fwd; } } if (delegated_cred_handle != NULL && (*delegated_cred_handle)->ccache == NULL) { kret = krb5_cc_gen_new (gssapi_krb5_context, &krb5_mcc_ops, &(*delegated_cred_handle)->ccache); ccache = (*delegated_cred_handle)->ccache; } if (delegated_cred_handle != NULL && (*delegated_cred_handle)->mechanisms == NULL) { ret = gss_create_empty_oid_set(minor_status, &(*delegated_cred_handle)->mechanisms); if (ret) goto failure; ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &(*delegated_cred_handle)->mechanisms); if (ret) goto failure; } if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto end_fwd; } kret = krb5_cc_initialize(gssapi_krb5_context, ccache, *src_name); if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto end_fwd; } krb5_auth_con_getflags(gssapi_krb5_context, (*context_handle)->auth_context, &ac_flags); krb5_auth_con_setflags(gssapi_krb5_context, (*context_handle)->auth_context, ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); kret = krb5_rd_cred2(gssapi_krb5_context, (*context_handle)->auth_context, ccache, &fwd_data); krb5_auth_con_setflags(gssapi_krb5_context, (*context_handle)->auth_context, ac_flags); if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto end_fwd; } end_fwd: free(fwd_data.data); } flags |= GSS_C_TRANS_FLAG; if (ret_flags) *ret_flags = flags; (*context_handle)->lifetime = ticket->ticket.endtime; (*context_handle)->flags = flags; (*context_handle)->more_flags |= OPEN; if (mech_type) *mech_type = GSS_KRB5_MECHANISM; if (time_rec) { ret = gssapi_lifetime_left(minor_status, (*context_handle)->lifetime, time_rec); if (ret) goto failure; } if(flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; kret = krb5_mk_rep (gssapi_krb5_context, (*context_handle)->auth_context, &outbuf); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; gssapi_krb5_set_error_string (); goto failure; } ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, "\x02\x00"); krb5_data_free (&outbuf); if (ret) goto failure; } else { output_token->length = 0; output_token->value = NULL; } (*context_handle)->ticket = ticket; ticket = NULL; #if 0 krb5_free_ticket (context, ticket); #endif *minor_status = 0; return GSS_S_COMPLETE; failure: if (fwd_data.length > 0) free(fwd_data.data); if (ticket != NULL) krb5_free_ticket (gssapi_krb5_context, ticket); krb5_auth_con_free (gssapi_krb5_context, (*context_handle)->auth_context); if((*context_handle)->source) krb5_free_principal (gssapi_krb5_context, (*context_handle)->source); if((*context_handle)->target) krb5_free_principal (gssapi_krb5_context, (*context_handle)->target); free (*context_handle); if (src_name != NULL) { gss_release_name (&minor, src_name); *src_name = NULL; } *context_handle = GSS_C_NO_CONTEXT; return ret; }