410 lines
13 KiB
C
410 lines
13 KiB
C
/*-
|
|
* Copyright (c) 2005 Doug Rabson
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
|
|
*/
|
|
|
|
#include "mech_locl.h"
|
|
|
|
static OM_uint32
|
|
parse_header(const gss_buffer_t input_token, gss_OID *mech_oid)
|
|
{
|
|
gss_OID_desc mech;
|
|
unsigned char *p = input_token->value;
|
|
size_t len = input_token->length;
|
|
size_t a, b;
|
|
|
|
/*
|
|
* Token must start with [APPLICATION 0] SEQUENCE.
|
|
* But if it doesn't assume it is DCE-STYLE Kerberos!
|
|
*/
|
|
if (len == 0)
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
|
|
p++;
|
|
len--;
|
|
|
|
/*
|
|
* Decode the length and make sure it agrees with the
|
|
* token length.
|
|
*/
|
|
if (len == 0)
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
if ((*p & 0x80) == 0) {
|
|
a = *p;
|
|
p++;
|
|
len--;
|
|
} else {
|
|
b = *p & 0x7f;
|
|
p++;
|
|
len--;
|
|
if (len < b)
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
a = 0;
|
|
while (b) {
|
|
a = (a << 8) | *p;
|
|
p++;
|
|
len--;
|
|
b--;
|
|
}
|
|
}
|
|
if (a != len)
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
|
|
/*
|
|
* Decode the OID for the mechanism. Simplify life by
|
|
* assuming that the OID length is less than 128 bytes.
|
|
*/
|
|
if (len < 2 || *p != 0x06)
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
if ((p[1] & 0x80) || p[1] > (len - 2))
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
mech.length = p[1];
|
|
p += 2;
|
|
len -= 2;
|
|
mech.elements = p;
|
|
|
|
*mech_oid = _gss_mg_support_mechanism(&mech);
|
|
if (*mech_oid == GSS_C_NO_OID)
|
|
return GSS_S_BAD_MECH;
|
|
|
|
return GSS_S_COMPLETE;
|
|
}
|
|
|
|
static gss_OID
|
|
choose_mech(const gss_buffer_t input)
|
|
{
|
|
OM_uint32 status;
|
|
gss_OID mech_oid = GSS_C_NO_OID;
|
|
|
|
/*
|
|
* First try to parse the gssapi token header and see if it's a
|
|
* correct header, use that in the first hand.
|
|
*/
|
|
|
|
status = parse_header(input, &mech_oid);
|
|
if (status == GSS_S_COMPLETE && mech_oid != GSS_C_NO_OID)
|
|
return mech_oid;
|
|
|
|
if (input->length == 0) {
|
|
/*
|
|
* There is the a wierd mode of SPNEGO (in CIFS and
|
|
* SASL GSS-SPENGO where the first token is zero
|
|
* length and the acceptor returns a mech_list, lets
|
|
* hope that is what is happening now.
|
|
*
|
|
* http://msdn.microsoft.com/en-us/library/cc213114.aspx
|
|
* "NegTokenInit2 Variation for Server-Initiation"
|
|
*/
|
|
return &__gss_spnego_mechanism_oid_desc;
|
|
}
|
|
|
|
_gss_mg_log(10, "Don't have client request mech");
|
|
|
|
return mech_oid;
|
|
}
|
|
|
|
|
|
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
|
|
gss_accept_sec_context(OM_uint32 *minor_status,
|
|
gss_ctx_id_t *context_handle,
|
|
gss_const_cred_id_t acceptor_cred_handle,
|
|
const gss_buffer_t input_token,
|
|
const gss_channel_bindings_t input_chan_bindings,
|
|
gss_name_t *src_name,
|
|
gss_OID *mech_type,
|
|
gss_buffer_t output_token,
|
|
OM_uint32 *ret_flags,
|
|
OM_uint32 *time_rec,
|
|
gss_cred_id_t *delegated_cred_handle)
|
|
{
|
|
OM_uint32 major_status, mech_ret_flags, junk;
|
|
gssapi_mech_interface m = NULL;
|
|
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
|
|
struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle;
|
|
struct _gss_mechanism_cred *mc;
|
|
gss_buffer_desc defective_token_error;
|
|
gss_const_cred_id_t acceptor_mc;
|
|
gss_cred_id_t delegated_mc = GSS_C_NO_CREDENTIAL;
|
|
gss_name_t src_mn = GSS_C_NO_NAME;
|
|
gss_OID mech_ret_type = GSS_C_NO_OID;
|
|
int initial = !!(*context_handle == GSS_C_NO_CONTEXT);
|
|
|
|
defective_token_error.length = 0;
|
|
defective_token_error.value = NULL;
|
|
|
|
*minor_status = 0;
|
|
if (src_name)
|
|
*src_name = GSS_C_NO_NAME;
|
|
if (mech_type)
|
|
*mech_type = GSS_C_NO_OID;
|
|
if (ret_flags)
|
|
*ret_flags = 0;
|
|
if (time_rec)
|
|
*time_rec = 0;
|
|
if (delegated_cred_handle)
|
|
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
|
|
_mg_buffer_zero(output_token);
|
|
|
|
/*
|
|
* If this is the first call (*context_handle is NULL), we must
|
|
* parse the input token to figure out the mechanism to use.
|
|
*/
|
|
if (initial) {
|
|
gss_OID mech_oid;
|
|
|
|
mech_oid = choose_mech(input_token);
|
|
|
|
/*
|
|
* If mech_oid == GSS_C_NO_OID then the mech is non-standard
|
|
* and we have to try all mechs (that we have a cred element
|
|
* for, if we have a cred).
|
|
*/
|
|
ctx = malloc(sizeof(struct _gss_context));
|
|
if (!ctx) {
|
|
*minor_status = ENOMEM;
|
|
return (GSS_S_DEFECTIVE_TOKEN);
|
|
}
|
|
memset(ctx, 0, sizeof(struct _gss_context));
|
|
if (mech_oid != GSS_C_NO_OID) {
|
|
m = ctx->gc_mech = __gss_get_mechanism(mech_oid);
|
|
if (!m) {
|
|
free(ctx);
|
|
_gss_mg_log(10, "mechanism client used is unknown");
|
|
return (GSS_S_BAD_MECH);
|
|
}
|
|
}
|
|
*context_handle = (gss_ctx_id_t) ctx;
|
|
} else {
|
|
m = ctx->gc_mech;
|
|
}
|
|
|
|
if (initial && !m && acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
|
|
/*
|
|
* No header, not a standard mechanism. Try all the mechanisms
|
|
* (because default credential).
|
|
*/
|
|
struct _gss_mech_switch *ms;
|
|
|
|
_gss_load_mech();
|
|
acceptor_mc = GSS_C_NO_CREDENTIAL;
|
|
HEIM_TAILQ_FOREACH(ms, &_gss_mechs, gm_link) {
|
|
m = &ms->gm_mech;
|
|
mech_ret_flags = 0;
|
|
major_status = m->gm_accept_sec_context(minor_status,
|
|
&ctx->gc_ctx,
|
|
acceptor_mc,
|
|
input_token,
|
|
input_chan_bindings,
|
|
&src_mn,
|
|
&mech_ret_type,
|
|
output_token,
|
|
&mech_ret_flags,
|
|
time_rec,
|
|
&delegated_mc);
|
|
if (major_status == GSS_S_DEFECTIVE_TOKEN) {
|
|
/*
|
|
* Try to retain and output one error token for
|
|
* GSS_S_DEFECTIVE_TOKEN. The first one.
|
|
*/
|
|
if (output_token->length &&
|
|
defective_token_error.length == 0) {
|
|
defective_token_error = *output_token;
|
|
output_token->length = 0;
|
|
output_token->value = NULL;
|
|
}
|
|
gss_release_buffer(&junk, output_token);
|
|
continue;
|
|
}
|
|
gss_release_buffer(&junk, &defective_token_error);
|
|
ctx->gc_mech = m;
|
|
goto got_one;
|
|
}
|
|
m = NULL;
|
|
acceptor_mc = GSS_C_NO_CREDENTIAL;
|
|
} else if (initial && !m) {
|
|
/*
|
|
* No header, not a standard mechanism. Try all the mechanisms
|
|
* that we have a credential element for if we have a
|
|
* non-default credential.
|
|
*/
|
|
HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link) {
|
|
m = mc->gmc_mech;
|
|
acceptor_mc = (m->gm_flags & GM_USE_MG_CRED) ?
|
|
acceptor_cred_handle : mc->gmc_cred;
|
|
mech_ret_flags = 0;
|
|
major_status = m->gm_accept_sec_context(minor_status,
|
|
&ctx->gc_ctx,
|
|
acceptor_mc,
|
|
input_token,
|
|
input_chan_bindings,
|
|
&src_mn,
|
|
&mech_ret_type,
|
|
output_token,
|
|
&mech_ret_flags,
|
|
time_rec,
|
|
&delegated_mc);
|
|
if (major_status == GSS_S_DEFECTIVE_TOKEN) {
|
|
if (output_token->length &&
|
|
defective_token_error.length == 0) {
|
|
defective_token_error = *output_token;
|
|
output_token->length = 0;
|
|
output_token->value = NULL;
|
|
}
|
|
gss_release_buffer(&junk, output_token);
|
|
continue;
|
|
}
|
|
gss_release_buffer(&junk, &defective_token_error);
|
|
ctx->gc_mech = m;
|
|
goto got_one;
|
|
}
|
|
m = NULL;
|
|
acceptor_mc = GSS_C_NO_CREDENTIAL;
|
|
}
|
|
|
|
if (m == NULL) {
|
|
gss_delete_sec_context(&junk, context_handle, NULL);
|
|
_gss_mg_log(10, "No mechanism accepted the non-standard initial security context token");
|
|
*output_token = defective_token_error;
|
|
return GSS_S_BAD_MECH;
|
|
}
|
|
|
|
if (m->gm_flags & GM_USE_MG_CRED) {
|
|
acceptor_mc = acceptor_cred_handle;
|
|
} else if (cred) {
|
|
HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link)
|
|
if (mc->gmc_mech == m)
|
|
break;
|
|
if (!mc) {
|
|
gss_delete_sec_context(&junk, context_handle, NULL);
|
|
_gss_mg_log(10, "gss-asc: client sent mech %s "
|
|
"but no credential was matching",
|
|
m->gm_name);
|
|
HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link)
|
|
_gss_mg_log(10, "gss-asc: available creds were %s", mc->gmc_mech->gm_name);
|
|
return (GSS_S_BAD_MECH);
|
|
}
|
|
acceptor_mc = mc->gmc_cred;
|
|
} else {
|
|
acceptor_mc = GSS_C_NO_CREDENTIAL;
|
|
}
|
|
|
|
mech_ret_flags = 0;
|
|
major_status = m->gm_accept_sec_context(minor_status,
|
|
&ctx->gc_ctx,
|
|
acceptor_mc,
|
|
input_token,
|
|
input_chan_bindings,
|
|
&src_mn,
|
|
&mech_ret_type,
|
|
output_token,
|
|
&mech_ret_flags,
|
|
time_rec,
|
|
&delegated_mc);
|
|
|
|
got_one:
|
|
if (major_status != GSS_S_COMPLETE &&
|
|
major_status != GSS_S_CONTINUE_NEEDED)
|
|
{
|
|
_gss_mg_error(m, *minor_status);
|
|
gss_delete_sec_context(&junk, context_handle, NULL);
|
|
return (major_status);
|
|
}
|
|
|
|
if (mech_type)
|
|
*mech_type = mech_ret_type;
|
|
|
|
if (src_name && src_mn) {
|
|
/*
|
|
* Make a new name and mark it as an MN.
|
|
*/
|
|
struct _gss_name *name = _gss_create_name(src_mn, m);
|
|
|
|
if (!name) {
|
|
m->gm_release_name(minor_status, &src_mn);
|
|
gss_delete_sec_context(&junk, context_handle, NULL);
|
|
return (GSS_S_FAILURE);
|
|
}
|
|
*src_name = (gss_name_t) name;
|
|
} else if (src_mn) {
|
|
m->gm_release_name(minor_status, &src_mn);
|
|
}
|
|
|
|
if (mech_ret_flags & GSS_C_DELEG_FLAG) {
|
|
if (!delegated_cred_handle) {
|
|
if (m->gm_flags & GM_USE_MG_CRED)
|
|
gss_release_cred(minor_status, &delegated_mc);
|
|
else
|
|
m->gm_release_cred(minor_status, &delegated_mc);
|
|
mech_ret_flags &=
|
|
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
|
|
} else if ((m->gm_flags & GM_USE_MG_CRED) != 0) {
|
|
/*
|
|
* If credential is uses mechglue cred, assume it
|
|
* returns one too.
|
|
*/
|
|
*delegated_cred_handle = delegated_mc;
|
|
} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
|
|
/*
|
|
* If the returned mech_type is not the same
|
|
* as the mech, assume its pseudo mech type
|
|
* and the returned type is already a
|
|
* mech-glue object
|
|
*/
|
|
*delegated_cred_handle = delegated_mc;
|
|
|
|
} else if (delegated_mc) {
|
|
struct _gss_cred *dcred;
|
|
struct _gss_mechanism_cred *dmc;
|
|
|
|
dcred = _gss_mg_alloc_cred();
|
|
if (!dcred) {
|
|
*minor_status = ENOMEM;
|
|
gss_delete_sec_context(&junk, context_handle, NULL);
|
|
return (GSS_S_FAILURE);
|
|
}
|
|
dmc = malloc(sizeof(struct _gss_mechanism_cred));
|
|
if (!dmc) {
|
|
free(dcred);
|
|
*minor_status = ENOMEM;
|
|
gss_delete_sec_context(&junk, context_handle, NULL);
|
|
return (GSS_S_FAILURE);
|
|
}
|
|
dmc->gmc_mech = m;
|
|
dmc->gmc_mech_oid = &m->gm_mech_oid;
|
|
dmc->gmc_cred = delegated_mc;
|
|
HEIM_TAILQ_INSERT_TAIL(&dcred->gc_mc, dmc, gmc_link);
|
|
|
|
*delegated_cred_handle = (gss_cred_id_t) dcred;
|
|
}
|
|
}
|
|
|
|
_gss_mg_log(10, "gss-asc: return %d/%d", (int)major_status, (int)*minor_status);
|
|
|
|
if (ret_flags)
|
|
*ret_flags = mech_ret_flags;
|
|
return (major_status);
|
|
}
|