1/*- 2 * Copyright (c) 2005 Doug Rabson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ 27 */ 28 29#include "mech_locl.h" 30 31static OM_uint32 32parse_header(const gss_buffer_t input_token, gss_OID mech_oid) 33{ 34 unsigned char *p = input_token->value; 35 size_t len = input_token->length; 36 size_t a, b; 37 38 /* 39 * Token must start with [APPLICATION 0] SEQUENCE. 40 * But if it doesn't assume it is DCE-STYLE Kerberos! 41 */ 42 if (len == 0) 43 return (GSS_S_DEFECTIVE_TOKEN); 44 45 p++; 46 len--; 47 48 /* 49 * Decode the length and make sure it agrees with the 50 * token length. 51 */ 52 if (len == 0) 53 return (GSS_S_DEFECTIVE_TOKEN); 54 if ((*p & 0x80) == 0) { 55 a = *p; 56 p++; 57 len--; 58 } else { 59 b = *p & 0x7f; 60 p++; 61 len--; 62 if (len < b) 63 return (GSS_S_DEFECTIVE_TOKEN); 64 a = 0; 65 while (b) { 66 a = (a << 8) | *p; 67 p++; 68 len--; 69 b--; 70 } 71 } 72 if (a != len) 73 return (GSS_S_DEFECTIVE_TOKEN); 74 75 /* 76 * Decode the OID for the mechanism. Simplify life by 77 * assuming that the OID length is less than 128 bytes. 78 */ 79 if (len < 2 || *p != 0x06) 80 return (GSS_S_DEFECTIVE_TOKEN); 81 if ((p[1] & 0x80) || p[1] > (len - 2)) 82 return (GSS_S_DEFECTIVE_TOKEN); 83 mech_oid->length = p[1]; 84 p += 2; 85 mech_oid->elements = p; 86 87 return GSS_S_COMPLETE; 88} 89 90static gss_OID_desc krb5_mechanism = 91 {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; 92static gss_OID_desc ntlm_mechanism = 93 {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")}; 94static gss_OID_desc spnego_mechanism = 95 {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")}; 96 97static OM_uint32 98choose_mech(const gss_buffer_t input, gss_OID mech_oid) 99{ 100 OM_uint32 status; 101 102 /* 103 * First try to parse the gssapi token header and see if it's a 104 * correct header, use that in the first hand. 105 */ 106 107 status = parse_header(input, mech_oid); 108 if (status == GSS_S_COMPLETE) 109 return GSS_S_COMPLETE; 110 111 /* 112 * Lets guess what mech is really is, callback function to mech ?? 113 */ 114 115 if (input->length > 8 && 116 memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0) 117 { 118 *mech_oid = ntlm_mechanism; 119 return GSS_S_COMPLETE; 120 } else if (input->length != 0 && 121 ((const char *)input->value)[0] == 0x6E) 122 { 123 /* Could be a raw AP-REQ (check for APPLICATION tag) */ 124 *mech_oid = krb5_mechanism; 125 return GSS_S_COMPLETE; 126 } else if (input->length == 0) { 127 /* 128 * There is the a wierd mode of SPNEGO (in CIFS and 129 * SASL GSS-SPENGO where the first token is zero 130 * length and the acceptor returns a mech_list, lets 131 * hope that is what is happening now. 132 * 133 * http://msdn.microsoft.com/en-us/library/cc213114.aspx 134 * "NegTokenInit2 Variation for Server-Initiation" 135 */ 136 *mech_oid = spnego_mechanism; 137 return GSS_S_COMPLETE; 138 } 139 140 _gss_mg_log(10, "Don't have client request mech"); 141 142 return status; 143} 144 145 146GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL 147gss_accept_sec_context(OM_uint32 *minor_status, 148 gss_ctx_id_t *context_handle, 149 const gss_cred_id_t acceptor_cred_handle, 150 const gss_buffer_t input_token, 151 const gss_channel_bindings_t input_chan_bindings, 152 gss_name_t *src_name, 153 gss_OID *mech_type, 154 gss_buffer_t output_token, 155 OM_uint32 *ret_flags, 156 OM_uint32 *time_rec, 157 gss_cred_id_t *delegated_cred_handle) 158{ 159 OM_uint32 major_status, mech_ret_flags, junk; 160 gssapi_mech_interface m; 161 struct _gss_context *ctx = (struct _gss_context *) *context_handle; 162 struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle; 163 struct _gss_mechanism_cred *mc; 164 gss_cred_id_t acceptor_mc, delegated_mc; 165 gss_name_t src_mn; 166 gss_OID mech_ret_type = NULL; 167 168 *minor_status = 0; 169 if (src_name) 170 *src_name = GSS_C_NO_NAME; 171 if (mech_type) 172 *mech_type = GSS_C_NO_OID; 173 if (ret_flags) 174 *ret_flags = 0; 175 if (time_rec) 176 *time_rec = 0; 177 if (delegated_cred_handle) 178 *delegated_cred_handle = GSS_C_NO_CREDENTIAL; 179 _mg_buffer_zero(output_token); 180 181 _gss_mg_check_credential(acceptor_cred_handle); 182 183 /* 184 * If this is the first call (*context_handle is NULL), we must 185 * parse the input token to figure out the mechanism to use. 186 */ 187 if (*context_handle == GSS_C_NO_CONTEXT) { 188 gss_OID_desc mech_oid; 189 190 major_status = choose_mech(input_token, &mech_oid); 191 if (major_status != GSS_S_COMPLETE) 192 return major_status; 193 194 /* 195 * Now that we have a mechanism, we can find the 196 * implementation. 197 */ 198 ctx = malloc(sizeof(struct _gss_context)); 199 if (!ctx) { 200 *minor_status = ENOMEM; 201 return (GSS_S_DEFECTIVE_TOKEN); 202 } 203 memset(ctx, 0, sizeof(struct _gss_context)); 204 m = ctx->gc_mech = __gss_get_mechanism(&mech_oid); 205 if (!m) { 206 free(ctx); 207 _gss_mg_log(10, "mechanism client used is unknown"); 208 return (GSS_S_BAD_MECH); 209 } 210 *context_handle = (gss_ctx_id_t) ctx; 211 } else { 212 m = ctx->gc_mech; 213 } 214 215 if (m->gm_flags & GM_USE_MG_CRED) { 216 acceptor_mc = acceptor_cred_handle; 217 } else if (cred) { 218 HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) 219 if (mc->gmc_mech == m) 220 break; 221 if (!mc) { 222 gss_delete_sec_context(&junk, context_handle, NULL); 223 _gss_mg_log(10, "gss-asc: client sent mech %s " 224 "but no credential was matching", 225 m->gm_name); 226 HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) 227 _gss_mg_log(10, "gss-asc: available creds where %s", mc->gmc_mech->gm_name); 228 return (GSS_S_BAD_MECH); 229 } 230 acceptor_mc = mc->gmc_cred; 231 } else { 232 acceptor_mc = GSS_C_NO_CREDENTIAL; 233 } 234 delegated_mc = GSS_C_NO_CREDENTIAL; 235 236 mech_ret_flags = 0; 237 major_status = m->gm_accept_sec_context(minor_status, 238 &ctx->gc_ctx, 239 acceptor_mc, 240 input_token, 241 input_chan_bindings, 242 &src_mn, 243 &mech_ret_type, 244 output_token, 245 &mech_ret_flags, 246 time_rec, 247 &delegated_mc); 248 if (major_status != GSS_S_COMPLETE && 249 major_status != GSS_S_CONTINUE_NEEDED) 250 { 251 _gss_mg_error(m, *minor_status); 252 gss_delete_sec_context(&junk, context_handle, NULL); 253 return (major_status); 254 } 255 256 if (mech_type) 257 *mech_type = mech_ret_type; 258 259 if (src_name && src_mn) { 260 /* 261 * Make a new name and mark it as an MN. 262 */ 263 struct _gss_name *name = _gss_create_name(src_mn, m); 264 265 if (!name) { 266 m->gm_release_name(minor_status, &src_mn); 267 gss_delete_sec_context(&junk, context_handle, NULL); 268 return (GSS_S_FAILURE); 269 } 270 *src_name = (gss_name_t) name; 271 } else if (src_mn) { 272 m->gm_release_name(minor_status, &src_mn); 273 } 274 275 if (mech_ret_flags & GSS_C_DELEG_FLAG) { 276 if (!delegated_cred_handle) { 277 if (m->gm_flags & GM_USE_MG_CRED) 278 gss_release_cred(minor_status, &delegated_mc); 279 else 280 m->gm_release_cred(minor_status, &delegated_mc); 281 282 mech_ret_flags &= 283 ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); 284 } else if ((m->gm_flags & GM_USE_MG_CRED) != 0) { 285 /* 286 * If credential is uses mechglue cred, assume it 287 * returns one too. 288 */ 289 *delegated_cred_handle = delegated_mc; 290 291 } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) { 292 /* 293 * If the returned mech_type is not the same 294 * as the mech, assume its pseudo mech type 295 * and the returned type is already a 296 * mech-glue object 297 */ 298 *delegated_cred_handle = delegated_mc; 299 300 } else if (delegated_mc) { 301 struct _gss_cred *dcred; 302 struct _gss_mechanism_cred *dmc; 303 304 dcred = _gss_mg_alloc_cred(); 305 if (!dcred) { 306 *minor_status = ENOMEM; 307 gss_delete_sec_context(&junk, context_handle, NULL); 308 return (GSS_S_FAILURE); 309 } 310 dmc = malloc(sizeof(struct _gss_mechanism_cred)); 311 if (!dmc) { 312 free(dcred); 313 *minor_status = ENOMEM; 314 gss_delete_sec_context(&junk, context_handle, NULL); 315 return (GSS_S_FAILURE); 316 } 317 dmc->gmc_mech = m; 318 dmc->gmc_mech_oid = &m->gm_mech_oid; 319 dmc->gmc_cred = delegated_mc; 320 HEIM_SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link); 321 322 *delegated_cred_handle = (gss_cred_id_t) dcred; 323 } 324 } 325 326 _gss_mg_log(10, "gss-asc: return %d/%d", (int)major_status, (int)*minor_status); 327 328 if (ret_flags) 329 *ret_flags = mech_ret_flags; 330 return (major_status); 331} 332