Diffstat (limited to 'src/lib/gssapi/acc_sec.c')
-rw-r--r--src/lib/gssapi/acc_sec.c285
1 files changed, 0 insertions, 285 deletions
diff --git a/src/lib/gssapi/acc_sec.c b/src/lib/gssapi/acc_sec.c
deleted file mode 100644
index d0cc43c196..0000000000
--- a/src/lib/gssapi/acc_sec.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/*
- * acc_sec.c --- accept security context
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-extern krb5_flags krb5_kdc_default_options;
-
-/*
- * To do in the future:
- *
- * * Support replay cache
- *
- * * Support delegation of credentials
- *
- * * Do something with time_rec
- *
- * * Should handle Kerberos error packets being sent back and
- * forth.
- */
-
-static krb5_error_code gss_krb5_keyproc(DECLARG(krb5_pointer, cred_handle),
- DECLARG(krb5_principal, principal),
- DECLARG(krb5_kvno, vno),
- DECLARG(krb5_keyblock **, key))
-OLDDECLARG(krb5_pointer, cred_handle)
-OLDDECLARG(krb5_principal, principal)
-OLDDECLARG(krb5_kvno, vno)
-OLDDECLARG(krb5_keyblock **, key)
-{
- gss_cred_id_t *creds;
-
- creds = (gss_cred_id_t *) cred_handle;
-
- if (krb5_principal_compare(creds->principal, principal)) {
- if (creds->cred_flags & GSS_KRB_HAS_SRVTAB) {
- *key = &creds->srvtab;
- return(0);
- } else
- return(KRB5_KT_NOTFOUND);
- } else
- return(KRB5_KT_NOTFOUND);
-}
-
-
-OM_uint32 gss_accept_sec_context(minor_status, context_handle,
- verifier_cred_handle, input_token,
- channel, src_name,
- mech_type, output_token,
- ret_flags, time_rec,
- delegated_cred_handle)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_cred_id_t verifier_cred_handle;
- gss_buffer_t input_token;
- gss_channel_bindings channel;
- gss_name_t *src_name;
- gss_OID *mech_type;
- gss_buffer_t output_token;
- int *ret_flags;
- OM_uint32 *time_rec;
- gss_cred_id_t *delegated_cred_handle;
-{
- krb5_rcache rcache;
- krb5_address sender_addr;
- krb5_data inbuf, outbuf;
- krb5_principal server;
- krb5_tkt_authent *authdat;
- OM_uint32 retval;
- gss_ctx_id_t context;
-
- *minor_status = 0;
-
- if (!context_handle) {
- /*
- * This is first call to accept_sec_context
- *
- * Make sure the input token is sane.
- */
- if (retval = gss_check_token(minor_status, input_token,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_REQ))
- return(retval);
- inbuf.length = input_token->length-5;
- inbuf.data = ( (char *) input_token->value)+5;
- sender_addr.addrtype = channel->initiator_addrtype;
- sender_addr.length = channel->initiator_address.length;
- sender_addr.contents = (krb5_octet *)
- channel->initiator_address.value;
- server = verifier_cred_handle.principal;
- /*
- * Setup the replay cache.
- */
- if (*minor_status =
- krb5_get_server_rcache(krb5_princ_component(server, 1),
- &rcache))
- return(GSS_S_FAILURE);
- /*
- * Now let's rip apart the packet
- */
- if (*minor_status = krb5_rd_req(&inbuf, server, &sender_addr,
- 0, gss_krb5_keyproc,
- (krb5_pointer)&verifier_cred_handle,
- rcache, &authdat))
- return(GSS_S_FAILURE);
- if (*minor_status = krb5_rc_close(rcache))
- return(GSS_S_FAILURE);
-
- /*
- * Allocate the context handle structure
- */
- if (!(context = (gss_ctx_id_t)
- malloc(sizeof(struct gss_ctx_id_desc)))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- context->mech_type = &gss_OID_krb5;
- context->flags = 0;
- context->state = GSS_KRB_STATE_DOWN;
- context->am_client = 0;
- context->rcache = NULL;
-
- context->my_address.addrtype = channel->initiator_addrtype;
- context->my_address.length = channel->initiator_address.length;
- if (!(context->my_address.contents = (krb5_octet *)
- malloc(context->my_address.length))) {
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- memcpy((char *) context->my_address.contents,
- (char *) channel->initiator_address.value,
- context->my_address.length);
- context->his_address.addrtype = channel->acceptor_addrtype;
- context->his_address.length = channel->acceptor_address.length;
- if (!(context->his_address.contents = (krb5_octet *)
- malloc(context->my_address.length))) {
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- memcpy((char *) context->his_address.contents,
- (char *) channel->acceptor_address.value,
- context->his_address.length);
-
- /*
- * Do mutual authentication if requested.
- */
- output_token->length = 0;
- if ((authdat->ap_options & AP_OPTS_MUTUAL_REQUIRED)) {
- krb5_ap_rep_enc_part repl;
- /*
- * Generate a random sequence number
- */
- if (*minor_status =
- krb5_generate_seq_number(authdat->ticket->enc_part2->session,
- &context->my_seq_num)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- krb5_free_tkt_authent(authdat);
- return(GSS_S_FAILURE);
- }
-
- repl.ctime = authdat->authenticator->ctime;
- repl.cusec = authdat->authenticator->cusec;
- repl.subkey = authdat->authenticator->subkey;
- repl.seq_number = context->my_seq_num;
-
- if (*minor_status =
- krb5_mk_rep(&repl,
- authdat->ticket->enc_part2->session,
- &outbuf)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- krb5_free_tkt_authent(authdat);
- return(GSS_S_FAILURE);
- }
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_REQ,
- outbuf.length,
- outbuf.data,
- output_token)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- krb5_xfree(outbuf.data);
- krb5_free_tkt_authent(authdat);
- return(GSS_S_FAILURE);
- }
- }
-
- /*
- * Fill in context handle structure
- */
- if (*minor_status =
- krb5_copy_principal(verifier_cred_handle.principal,
- &context->me)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- if (*minor_status =
- krb5_copy_principal(authdat->authenticator->client,
- &context->him)) {
- krb5_free_principal(context->me);
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- if (*minor_status =
- krb5_copy_keyblock(authdat->ticket->enc_part2->session,
- &context->session_key)) {
- krb5_free_principal(context->me);
- krb5_free_principal(context->him);
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- context->his_seq_num = authdat->authenticator->seq_number;
- context->cusec = authdat->authenticator->cusec;
- context->ctime = authdat->authenticator->ctime;
- context->flags = ((char *) input_token->value)[4];
- /*
- * Strip out flags we don't support (yet) XXX
- */
- context->flags &= ~(GSS_C_DELEG_FLAG | GSS_C_REPLAY_FLAG);
- /*
- * Deliver output parameters
- */
- if (src_name) {
- if (*minor_status = krb5_copy_principal(context->him,
- src_name)) {
- krb5_xfree(context->session_key->contents);
- krb5_free_principal(context->me);
- krb5_free_principal(context->him);
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- }
- if (mech_type)
- *mech_type = &gss_OID_krb5;
- *ret_flags = context->flags;
- if (time_rec)
- *time_rec = GSS_TIME_REC_INDEFINITE;
- return(GSS_S_COMPLETE);
- } else {
- /*
- * Context is non-null, this is the second time through....
- */
- return(GSS_S_FAILURE);
- }
-}
-