2
* Copyright (c) 2005 Doug Rabson
5
* Redistribution and use in source and binary forms, with or without
6
* modification, are permitted provided that the following conditions
8
* 1. Redistributions of source code must retain the above copyright
9
* notice, this list of conditions and the following disclaimer.
10
* 2. Redistributions in binary form must reproduce the above copyright
11
* notice, this list of conditions and the following disclaimer in the
12
* documentation and/or other materials provided with the distribution.
14
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26
* $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
29
#include "mech_locl.h"
33
parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
35
unsigned char *p = input_token->value;
36
size_t len = input_token->length;
40
* Token must start with [APPLICATION 0] SEQUENCE.
41
* But if it doesn't assume it is DCE-STYLE Kerberos!
44
return (GSS_S_DEFECTIVE_TOKEN);
50
* Decode the length and make sure it agrees with the
54
return (GSS_S_DEFECTIVE_TOKEN);
55
if ((*p & 0x80) == 0) {
64
return (GSS_S_DEFECTIVE_TOKEN);
74
return (GSS_S_DEFECTIVE_TOKEN);
77
* Decode the OID for the mechanism. Simplify life by
78
* assuming that the OID length is less than 128 bytes.
80
if (len < 2 || *p != 0x06)
81
return (GSS_S_DEFECTIVE_TOKEN);
82
if ((p[1] & 0x80) || p[1] > (len - 2))
83
return (GSS_S_DEFECTIVE_TOKEN);
84
mech_oid->length = p[1];
87
mech_oid->elements = p;
89
return GSS_S_COMPLETE;
92
static gss_OID_desc krb5_mechanism =
93
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
94
static gss_OID_desc ntlm_mechanism =
95
{10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")};
96
static gss_OID_desc spnego_mechanism =
97
{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")};
100
choose_mech(const gss_buffer_t input, gss_OID mech_oid)
105
* First try to parse the gssapi token header and see if it's a
106
* correct header, use that in the first hand.
109
status = parse_header(input, mech_oid);
110
if (status == GSS_S_COMPLETE)
111
return GSS_S_COMPLETE;
114
* Lets guess what mech is really is, callback function to mech ??
117
if (input->length > 8 &&
118
memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0)
120
*mech_oid = ntlm_mechanism;
121
return GSS_S_COMPLETE;
122
} else if (input->length != 0 &&
123
((const char *)input->value)[0] == 0x6E)
125
/* Could be a raw AP-REQ (check for APPLICATION tag) */
126
*mech_oid = krb5_mechanism;
127
return GSS_S_COMPLETE;
128
} else if (input->length == 0) {
130
* There is the a wierd mode of SPNEGO (in CIFS and
131
* SASL GSS-SPENGO where the first token is zero
132
* length and the acceptor returns a mech_list, lets
133
* hope that is what is happening now.
135
* http://msdn.microsoft.com/en-us/library/cc213114.aspx
136
* "NegTokenInit2 Variation for Server-Initiation"
138
*mech_oid = spnego_mechanism;
139
return GSS_S_COMPLETE;
145
OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
146
gss_ctx_id_t *context_handle,
147
const gss_cred_id_t acceptor_cred_handle,
148
const gss_buffer_t input_token,
149
const gss_channel_bindings_t input_chan_bindings,
150
gss_name_t *src_name,
152
gss_buffer_t output_token,
153
OM_uint32 *ret_flags,
155
gss_cred_id_t *delegated_cred_handle)
157
OM_uint32 major_status, mech_ret_flags, junk;
158
gssapi_mech_interface m;
159
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
160
struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle;
161
struct _gss_mechanism_cred *mc;
162
gss_cred_id_t acceptor_mc, delegated_mc;
167
*src_name = GSS_C_NO_NAME;
169
*mech_type = GSS_C_NO_OID;
174
if (delegated_cred_handle)
175
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
176
_mg_buffer_zero(output_token);
180
* If this is the first call (*context_handle is NULL), we must
181
* parse the input token to figure out the mechanism to use.
183
if (*context_handle == GSS_C_NO_CONTEXT) {
184
gss_OID_desc mech_oid;
186
major_status = choose_mech(input_token, &mech_oid);
187
if (major_status != GSS_S_COMPLETE)
191
* Now that we have a mechanism, we can find the
194
ctx = malloc(sizeof(struct _gss_context));
196
*minor_status = ENOMEM;
197
return (GSS_S_DEFECTIVE_TOKEN);
199
memset(ctx, 0, sizeof(struct _gss_context));
200
m = ctx->gc_mech = __gss_get_mechanism(&mech_oid);
203
return (GSS_S_BAD_MECH);
205
*context_handle = (gss_ctx_id_t) ctx;
211
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link)
212
if (mc->gmc_mech == m)
215
gss_delete_sec_context(&junk, context_handle, NULL);
216
return (GSS_S_BAD_MECH);
218
acceptor_mc = mc->gmc_cred;
220
acceptor_mc = GSS_C_NO_CREDENTIAL;
222
delegated_mc = GSS_C_NO_CREDENTIAL;
225
major_status = m->gm_accept_sec_context(minor_status,
236
if (major_status != GSS_S_COMPLETE &&
237
major_status != GSS_S_CONTINUE_NEEDED)
239
_gss_mg_error(m, major_status, *minor_status);
240
gss_delete_sec_context(&junk, context_handle, NULL);
241
return (major_status);
244
if (src_name && src_mn) {
246
* Make a new name and mark it as an MN.
248
struct _gss_name *name = _gss_make_name(m, src_mn);
251
m->gm_release_name(minor_status, &src_mn);
252
gss_delete_sec_context(&junk, context_handle, NULL);
253
return (GSS_S_FAILURE);
255
*src_name = (gss_name_t) name;
257
m->gm_release_name(minor_status, &src_mn);
260
if (mech_ret_flags & GSS_C_DELEG_FLAG) {
261
if (!delegated_cred_handle) {
262
m->gm_release_cred(minor_status, &delegated_mc);
263
*ret_flags &= ~GSS_C_DELEG_FLAG;
264
} else if (delegated_mc) {
265
struct _gss_cred *dcred;
266
struct _gss_mechanism_cred *dmc;
268
dcred = malloc(sizeof(struct _gss_cred));
270
*minor_status = ENOMEM;
271
gss_delete_sec_context(&junk, context_handle, NULL);
272
return (GSS_S_FAILURE);
274
SLIST_INIT(&dcred->gc_mc);
275
dmc = malloc(sizeof(struct _gss_mechanism_cred));
278
*minor_status = ENOMEM;
279
gss_delete_sec_context(&junk, context_handle, NULL);
280
return (GSS_S_FAILURE);
283
dmc->gmc_mech_oid = &m->gm_mech_oid;
284
dmc->gmc_cred = delegated_mc;
285
SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link);
287
*delegated_cred_handle = (gss_cred_id_t) dcred;
292
*ret_flags = mech_ret_flags;
293
return (major_status);