aboutsummaryrefslogtreecommitdiff
path: root/lib/libgssapi/gss_accept_sec_context.c
diff options
context:
space:
mode:
authorDoug Rabson <dfr@FreeBSD.org>2008-05-07 13:53:12 +0000
committerDoug Rabson <dfr@FreeBSD.org>2008-05-07 13:53:12 +0000
commit33f12199250a09b573f7a518b523fdac3f120b8f (patch)
tree1338a6c0e5d3e7c3b0da720ac15cd79fc72c6b5a /lib/libgssapi/gss_accept_sec_context.c
parent4fe54d7c6acb302aacc6ac18798804b26c882c13 (diff)
downloadsrc-33f12199250a09b573f7a518b523fdac3f120b8f.tar.gz
src-33f12199250a09b573f7a518b523fdac3f120b8f.zip
Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.
Notes
Notes: svn path=/head/; revision=178828
Diffstat (limited to 'lib/libgssapi/gss_accept_sec_context.c')
-rw-r--r--lib/libgssapi/gss_accept_sec_context.c222
1 files changed, 145 insertions, 77 deletions
diff --git a/lib/libgssapi/gss_accept_sec_context.c b/lib/libgssapi/gss_accept_sec_context.c
index 62a3bdadfa89..b4240920c59e 100644
--- a/lib/libgssapi/gss_accept_sec_context.c
+++ b/lib/libgssapi/gss_accept_sec_context.c
@@ -35,6 +35,116 @@
#include "context.h"
#include "cred.h"
#include "name.h"
+#include "utils.h"
+
+static OM_uint32
+parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
+{
+ unsigned char *p = input_token->value;
+ size_t len = input_token->length;
+ size_t a, b;
+
+ /*
+ * Token must start with [APPLICATION 0] SEQUENCE.
+ * But if it doesn't assume it is DCE-STYLE Kerberos!
+ */
+ if (len == 0)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ p++;
+ len--;
+
+ /*
+ * Decode the length and make sure it agrees with the
+ * token length.
+ */
+ if (len == 0)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if ((*p & 0x80) == 0) {
+ a = *p;
+ p++;
+ len--;
+ } else {
+ b = *p & 0x7f;
+ p++;
+ len--;
+ if (len < b)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ a = 0;
+ while (b) {
+ a = (a << 8) | *p;
+ p++;
+ len--;
+ b--;
+ }
+ }
+ if (a != len)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ /*
+ * Decode the OID for the mechanism. Simplify life by
+ * assuming that the OID length is less than 128 bytes.
+ */
+ if (len < 2 || *p != 0x06)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if ((p[1] & 0x80) || p[1] > (len - 2))
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid->length = p[1];
+ p += 2;
+ len -= 2;
+ mech_oid->elements = p;
+
+ return (GSS_S_COMPLETE);
+}
+
+static gss_OID_desc krb5_mechanism =
+{9, (void *)(uintptr_t) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+static gss_OID_desc ntlm_mechanism =
+{10, (void *)(uintptr_t) "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"};
+static gss_OID_desc spnego_mechanism =
+{6, (void *)(uintptr_t) "\x2b\x06\x01\x05\x05\x02"};
+
+static OM_uint32
+choose_mech(const gss_buffer_t input, gss_OID mech_oid)
+{
+ OM_uint32 status;
+
+ /*
+ * First try to parse the gssapi token header and see if it's a
+ * correct header, use that in the first hand.
+ */
+
+ status = parse_header(input, mech_oid);
+ if (status == GSS_S_COMPLETE)
+ return (GSS_S_COMPLETE);
+
+ /*
+ * Lets guess what mech is really is, callback function to mech ??
+ */
+
+ if (input->length > 8 &&
+ memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0)
+ {
+ *mech_oid = ntlm_mechanism;
+ return (GSS_S_COMPLETE);
+ } else if (input->length != 0 &&
+ ((const char *)input->value)[0] == 0x6E)
+ {
+ /* Could be a raw AP-REQ (check for APPLICATION tag) */
+ *mech_oid = krb5_mechanism;
+ return (GSS_S_COMPLETE);
+ } else if (input->length == 0) {
+ /*
+ * There is the a wierd mode of SPNEGO (in CIFS and
+ * SASL GSS-SPENGO where the first token is zero
+ * length and the acceptor returns a mech_list, lets
+ * hope that is what is happening now.
+ */
+ *mech_oid = spnego_mechanism;
+ return (GSS_S_COMPLETE);
+ }
+ return (status);
+}
OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
@@ -58,71 +168,28 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
int allocated_ctx;
*minor_status = 0;
- if (src_name) *src_name = 0;
- if (mech_type) *mech_type = 0;
- if (ret_flags) *ret_flags = 0;
- if (time_rec) *time_rec = 0;
- if (delegated_cred_handle) *delegated_cred_handle = 0;
- output_token->length = 0;
- output_token->value = 0;
+ if (src_name)
+ *src_name = GSS_C_NO_NAME;
+ if (mech_type)
+ *mech_type = GSS_C_NO_OID;
+ if (ret_flags)
+ *ret_flags = 0;
+ if (time_rec)
+ *time_rec = 0;
+ if (delegated_cred_handle)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ _gss_buffer_zero(output_token);
/*
* If this is the first call (*context_handle is NULL), we must
* parse the input token to figure out the mechanism to use.
*/
if (*context_handle == GSS_C_NO_CONTEXT) {
- unsigned char *p = input_token->value;
- size_t len = input_token->length;
- size_t a, b;
gss_OID_desc mech_oid;
- /*
- * Token must start with [APPLICATION 0] SEQUENCE.
- */
- if (len == 0 || *p != 0x60)
- return (GSS_S_DEFECTIVE_TOKEN);
- p++;
- len--;
-
- /*
- * Decode the length and make sure it agrees with the
- * token length.
- */
- if (len == 0)
- return (GSS_S_DEFECTIVE_TOKEN);
- if ((*p & 0x80) == 0) {
- a = *p;
- p++;
- len--;
- } else {
- b = *p & 0x7f;
- p++;
- len--;
- if (len < b)
- return (GSS_S_DEFECTIVE_TOKEN);
- a = 0;
- while (b) {
- a = (a << 8) | *p;
- p++;
- len--;
- b--;
- }
- }
- if (a != len)
- return (GSS_S_DEFECTIVE_TOKEN);
-
- /*
- * Decode the OID for the mechanism. Simplify life by
- * assuming that the OID length is less than 128 bytes.
- */
- if (len < 2 || *p != 0x06)
- return (GSS_S_DEFECTIVE_TOKEN);
- if ((p[1] & 0x80) || p[1] > (len - 2))
- return (GSS_S_DEFECTIVE_TOKEN);
- mech_oid.length = p[1];
- p += 2;
- len -= 2;
- mech_oid.elements = p;
+ major_status = choose_mech(input_token, &mech_oid);
+ if (major_status != GSS_S_COMPLETE)
+ return (major_status);
/*
* Now that we have a mechanism, we can find the
@@ -157,6 +224,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
}
delegated_mc = GSS_C_NO_CREDENTIAL;
+ mech_ret_flags = 0;
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
acceptor_mc,
@@ -169,12 +237,12 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
time_rec,
&delegated_mc);
if (major_status != GSS_S_COMPLETE &&
- major_status != GSS_S_CONTINUE_NEEDED)
+ major_status != GSS_S_CONTINUE_NEEDED) {
+ _gss_mg_error(m, major_status, *minor_status);
return (major_status);
+ }
- if (!src_name) {
- m->gm_release_name(minor_status, &src_mn);
- } else {
+ if (src_name && src_mn) {
/*
* Make a new name and mark it as an MN.
*/
@@ -185,6 +253,8 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
return (GSS_S_FAILURE);
}
*src_name = (gss_name_t) name;
+ } else if (src_mn) {
+ m->gm_release_name(minor_status, &src_mn);
}
if (delegated_mc == GSS_C_NO_CREDENTIAL)
@@ -195,29 +265,27 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
m->gm_release_cred(minor_status, &delegated_mc);
mech_ret_flags &= ~GSS_C_DELEG_FLAG;
} else {
- struct _gss_cred *cred;
- struct _gss_mechanism_cred *mc;
+ struct _gss_cred *dcred;
+ struct _gss_mechanism_cred *dmc;
- cred = malloc(sizeof(struct _gss_cred));
- if (!cred) {
+ dcred = malloc(sizeof(struct _gss_cred));
+ if (!dcred) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
- SLIST_INIT(&cred->gc_mc);
- mc = malloc(sizeof(struct _gss_mechanism_cred));
- if (!mc) {
- free(cred);
+ SLIST_INIT(&dcred->gc_mc);
+ dmc = malloc(sizeof(struct _gss_mechanism_cred));
+ if (!dmc) {
+ free(dcred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
- m->gm_inquire_cred(minor_status, delegated_mc,
- 0, 0, &cred->gc_usage, 0);
- mc->gmc_mech = m;
- mc->gmc_mech_oid = &m->gm_mech_oid;
- mc->gmc_cred = delegated_mc;
- SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
-
- *delegated_cred_handle = (gss_cred_id_t) cred;
+ dmc->gmc_mech = m;
+ dmc->gmc_mech_oid = &m->gm_mech_oid;
+ dmc->gmc_cred = delegated_mc;
+ SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link);
+
+ *delegated_cred_handle = (gss_cred_id_t) dcred;
}
}