1/*- 2 * Copyright (c) 2005 Doug Rabson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ 27 */ 28 29#include "mech_locl.h" 30 31static OM_uint32 32parse_header(const gss_buffer_t input_token, gss_OID *mech_oid) 33{ 34 gss_OID_desc mech; 35 unsigned char *p = input_token->value; 36 size_t len = input_token->length; 37 size_t a, b; 38 39 /* 40 * Token must start with [APPLICATION 0] SEQUENCE. 41 * But if it doesn't assume it is DCE-STYLE Kerberos! 42 */ 43 if (len == 0) 44 return (GSS_S_DEFECTIVE_TOKEN); 45 46 p++; 47 len--; 48 49 /* 50 * Decode the length and make sure it agrees with the 51 * token length. 52 */ 53 if (len == 0) 54 return (GSS_S_DEFECTIVE_TOKEN); 55 if ((*p & 0x80) == 0) { 56 a = *p; 57 p++; 58 len--; 59 } else { 60 b = *p & 0x7f; 61 p++; 62 len--; 63 if (len < b) 64 return (GSS_S_DEFECTIVE_TOKEN); 65 a = 0; 66 while (b) { 67 a = (a << 8) | *p; 68 p++; 69 len--; 70 b--; 71 } 72 } 73 if (a != len) 74 return (GSS_S_DEFECTIVE_TOKEN); 75 76 /* 77 * Decode the OID for the mechanism. Simplify life by 78 * assuming that the OID length is less than 128 bytes. 79 */ 80 if (len < 2 || *p != 0x06) 81 return (GSS_S_DEFECTIVE_TOKEN); 82 if ((p[1] & 0x80) || p[1] > (len - 2)) 83 return (GSS_S_DEFECTIVE_TOKEN); 84 mech.length = p[1]; 85 p += 2; 86 mech.elements = p; 87 88 *mech_oid = _gss_mg_support_mechanism(&mech); 89 if (*mech_oid == GSS_C_NO_OID) 90 return GSS_S_BAD_MECH; 91 92 return GSS_S_COMPLETE; 93} 94 95static OM_uint32 96choose_mech(const gss_buffer_t input, gss_OID *mech_oid) 97{ 98 OM_uint32 status; 99 100 /* 101 * First try to parse the gssapi token header and see if it's a 102 * correct header, use that in the first hand. 103 */ 104 105 status = parse_header(input, mech_oid); 106 if (status == GSS_S_COMPLETE) 107 return GSS_S_COMPLETE; 108 109 /* 110 * Lets guess what mech is really is, callback function to mech ?? 111 */ 112 113 if (input->length > 8 && 114 memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0) 115 { 116 *mech_oid = &__gss_ntlm_mechanism_oid_desc; 117 return GSS_S_COMPLETE; 118 } else if (input->length != 0 && 119 ((const char *)input->value)[0] == 0x6E) 120 { 121 /* Could be a raw AP-REQ (check for APPLICATION tag) */ 122 *mech_oid = &__gss_krb5_mechanism_oid_desc; 123 return GSS_S_COMPLETE; 124 } else if (input->length == 0) { 125 /* 126 * There is the a wierd mode of SPNEGO (in CIFS and 127 * SASL GSS-SPENGO where the first token is zero 128 * length and the acceptor returns a mech_list, lets 129 * hope that is what is happening now. 130 * 131 * http://msdn.microsoft.com/en-us/library/cc213114.aspx 132 * "NegTokenInit2 Variation for Server-Initiation" 133 */ 134 *mech_oid = &__gss_spnego_mechanism_oid_desc; 135 return GSS_S_COMPLETE; 136 } 137 138 _gss_mg_log(10, "Don't have client request mech"); 139 140 return status; 141} 142 143 144GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL 145gss_accept_sec_context(OM_uint32 *minor_status, 146 gss_ctx_id_t *context_handle, 147 const gss_cred_id_t acceptor_cred_handle, 148 const gss_buffer_t input_token, 149 const gss_channel_bindings_t input_chan_bindings, 150 gss_name_t *src_name, 151 gss_OID *mech_type, 152 gss_buffer_t output_token, 153 OM_uint32 *ret_flags, 154 OM_uint32 *time_rec, 155 gss_cred_id_t *delegated_cred_handle) 156{ 157 OM_uint32 major_status, mech_ret_flags, junk; 158 gssapi_mech_interface m; 159 struct _gss_context *ctx = (struct _gss_context *) *context_handle; 160 struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle; 161 struct _gss_mechanism_cred *mc; 162 gss_cred_id_t acceptor_mc, delegated_mc; 163 gss_name_t src_mn; 164 gss_OID mech_ret_type = NULL; 165 166 *minor_status = 0; 167 if (src_name) 168 *src_name = GSS_C_NO_NAME; 169 if (mech_type) 170 *mech_type = GSS_C_NO_OID; 171 if (ret_flags) 172 *ret_flags = 0; 173 if (time_rec) 174 *time_rec = 0; 175 if (delegated_cred_handle) 176 *delegated_cred_handle = GSS_C_NO_CREDENTIAL; 177 _mg_buffer_zero(output_token); 178 179 _gss_mg_check_credential(acceptor_cred_handle); 180 181 /* 182 * If this is the first call (*context_handle is NULL), we must 183 * parse the input token to figure out the mechanism to use. 184 */ 185 if (*context_handle == GSS_C_NO_CONTEXT) { 186 gss_OID mech_oid; 187 188 major_status = choose_mech(input_token, &mech_oid); 189 if (major_status != GSS_S_COMPLETE) 190 return major_status; 191 192 /* 193 * Now that we have a mechanism, we can find the 194 * implementation. 195 */ 196 ctx = malloc(sizeof(struct _gss_context)); 197 if (!ctx) { 198 *minor_status = ENOMEM; 199 return (GSS_S_DEFECTIVE_TOKEN); 200 } 201 memset(ctx, 0, sizeof(struct _gss_context)); 202 m = ctx->gc_mech = __gss_get_mechanism(mech_oid); 203 if (!m) { 204 free(ctx); 205 _gss_mg_log(10, "mechanism client used is unknown"); 206 return (GSS_S_BAD_MECH); 207 } 208 *context_handle = (gss_ctx_id_t) ctx; 209 } else { 210 m = ctx->gc_mech; 211 } 212 213 if (m->gm_flags & GM_USE_MG_CRED) { 214 acceptor_mc = acceptor_cred_handle; 215 } else if (cred) { 216 HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) 217 if (mc->gmc_mech == m) 218 break; 219 if (!mc) { 220 gss_delete_sec_context(&junk, context_handle, NULL); 221 _gss_mg_log(10, "gss-asc: client sent mech %s " 222 "but no credential was matching", 223 m->gm_name); 224 HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) 225 _gss_mg_log(10, "gss-asc: available creds where %s", mc->gmc_mech->gm_name); 226 return (GSS_S_BAD_MECH); 227 } 228 acceptor_mc = mc->gmc_cred; 229 } else { 230 acceptor_mc = GSS_C_NO_CREDENTIAL; 231 } 232 delegated_mc = GSS_C_NO_CREDENTIAL; 233 234 mech_ret_flags = 0; 235 major_status = m->gm_accept_sec_context(minor_status, 236 &ctx->gc_ctx, 237 acceptor_mc, 238 input_token, 239 input_chan_bindings, 240 &src_mn, 241 &mech_ret_type, 242 output_token, 243 &mech_ret_flags, 244 time_rec, 245 &delegated_mc); 246 if (major_status != GSS_S_COMPLETE && 247 major_status != GSS_S_CONTINUE_NEEDED) 248 { 249 _gss_mg_error(m, *minor_status); 250 gss_delete_sec_context(&junk, context_handle, NULL); 251 return (major_status); 252 } 253 254 if (mech_type) 255 *mech_type = mech_ret_type; 256 257 if (src_name && src_mn) { 258 /* 259 * Make a new name and mark it as an MN. 260 */ 261 struct _gss_name *name = _gss_create_name(src_mn, m); 262 263 if (!name) { 264 m->gm_release_name(minor_status, &src_mn); 265 gss_delete_sec_context(&junk, context_handle, NULL); 266 return (GSS_S_FAILURE); 267 } 268 *src_name = (gss_name_t) name; 269 } else if (src_mn) { 270 m->gm_release_name(minor_status, &src_mn); 271 } 272 273 if (mech_ret_flags & GSS_C_DELEG_FLAG) { 274 if (!delegated_cred_handle) { 275 if (m->gm_flags & GM_USE_MG_CRED) 276 gss_release_cred(minor_status, &delegated_mc); 277 else 278 m->gm_release_cred(minor_status, &delegated_mc); 279 280 mech_ret_flags &= 281 ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); 282 } else if ((m->gm_flags & GM_USE_MG_CRED) != 0) { 283 /* 284 * If credential is uses mechglue cred, assume it 285 * returns one too. 286 */ 287 *delegated_cred_handle = delegated_mc; 288 289 } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) { 290 /* 291 * If the returned mech_type is not the same 292 * as the mech, assume its pseudo mech type 293 * and the returned type is already a 294 * mech-glue object 295 */ 296 *delegated_cred_handle = delegated_mc; 297 298 } else if (delegated_mc) { 299 struct _gss_cred *dcred; 300 struct _gss_mechanism_cred *dmc; 301 302 dcred = _gss_mg_alloc_cred(); 303 if (!dcred) { 304 *minor_status = ENOMEM; 305 gss_delete_sec_context(&junk, context_handle, NULL); 306 return (GSS_S_FAILURE); 307 } 308 dmc = malloc(sizeof(struct _gss_mechanism_cred)); 309 if (!dmc) { 310 free(dcred); 311 *minor_status = ENOMEM; 312 gss_delete_sec_context(&junk, context_handle, NULL); 313 return (GSS_S_FAILURE); 314 } 315 dmc->gmc_mech = m; 316 dmc->gmc_mech_oid = &m->gm_mech_oid; 317 dmc->gmc_cred = delegated_mc; 318 HEIM_SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link); 319 320 *delegated_cred_handle = (gss_cred_id_t) dcred; 321 } 322 } 323 324 _gss_mg_log(10, "gss-asc: return %d/%d", (int)major_status, (int)*minor_status); 325 326 if (ret_flags) 327 *ret_flags = mech_ret_flags; 328 return (major_status); 329} 330