search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / appl / popper / auth_gssapi.c
blob09b5759eb2a04a72a84e7335a4f489e672bfe6c2
1 /*
2 * Copyright (c) 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <popper.h>
35 #include <base64.h>
36 #include <pop_auth.h>
37 __RCSID("$Heimdal: auth_gssapi.c 13932 2004-06-15 11:24:21Z joda $"
38 "$NetBSD$");
39
40
41 #if defined(SASL) && defined(KRB5)
42 #include <gssapi.h>
43
44 extern krb5_context gssapi_krb5_context;
45
46 struct gss_state {
47 gss_ctx_id_t context_hdl;
48 gss_OID mech_oid;
49 gss_name_t client_name;
50 int stage;
51 };
52
53 static void
54 gss_set_error (struct gss_state *gs, int min_stat)
55 {
56 OM_uint32 new_stat;
57 OM_uint32 msg_ctx = 0;
58 gss_buffer_desc status_string;
59 OM_uint32 ret;
60
61 do {
62 ret = gss_display_status (&new_stat,
63 min_stat,
64 GSS_C_MECH_CODE,
65 gs->mech_oid,
66 &msg_ctx,
67 &status_string);
68 pop_auth_set_error(status_string.value);
69 gss_release_buffer (&new_stat, &status_string);
70 } while (!GSS_ERROR(ret) && msg_ctx != 0);
71 }
72
73 static int
74 gss_loop(POP *p, void *state,
75 /* const */ void *input, size_t input_length,
76 void **output, size_t *output_length)
77 {
78 struct gss_state *gs = state;
79 gss_buffer_desc real_input_token, real_output_token;
80 gss_buffer_t input_token = &real_input_token,
81 output_token = &real_output_token;
82 OM_uint32 maj_stat, min_stat;
83 gss_channel_bindings_t bindings = GSS_C_NO_CHANNEL_BINDINGS;
84
85 if(gs->stage == 0) {
86 /* we require an initial response, so ask for one if not
87 present */
88 gs->stage++;
89 if(input == NULL && input_length == 0) {
90 /* XXX this could be done better */
91 fputs("+ \r\n", p->output);
92 fflush(p->output);
93 return POP_AUTH_CONTINUE;
94 }
95 }
96 if(gs->stage == 1) {
97 input_token->value = input;
98 input_token->length = input_length;
99 maj_stat =
100 gss_accept_sec_context (&min_stat,
101 &gs->context_hdl,
102 GSS_C_NO_CREDENTIAL,
103 input_token,
104 bindings,
105 &gs->client_name,
106 &gs->mech_oid,
107 output_token,
108 NULL,
109 NULL,
110 NULL);
111 if (GSS_ERROR(maj_stat)) {
112 gss_set_error(gs, min_stat);
113 return POP_AUTH_FAILURE;
114 }
115 if (output_token->length != 0) {
116 *output = output_token->value;
117 *output_length = output_token->length;
118 }
119 if(maj_stat == GSS_S_COMPLETE)
120 gs->stage++;
121
122 return POP_AUTH_CONTINUE;
123 }
124
125 if(gs->stage == 2) {
126 /* send wanted protection levels */
127 unsigned char x[4] = { 1, 0, 0, 0 };
128
129 input_token->value = x;
130 input_token->length = 4;
131
132 maj_stat = gss_wrap(&min_stat,
133 gs->context_hdl,
134 FALSE,
135 GSS_C_QOP_DEFAULT,
136 input_token,
137 NULL,
138 output_token);
139 if (GSS_ERROR(maj_stat)) {
140 gss_set_error(gs, min_stat);
141 return POP_AUTH_FAILURE;
142 }
143 *output = output_token->value;
144 *output_length = output_token->length;
145 gs->stage++;
146 return POP_AUTH_CONTINUE;
147 }
148 if(gs->stage == 3) {
149 /* receive protection levels and username */
150 char *name;
151 krb5_principal principal;
152 gss_buffer_desc export_name;
153 gss_OID oid;
154 unsigned char *ptr;
155
156 input_token->value = input;
157 input_token->length = input_length;
158
159 maj_stat = gss_unwrap (&min_stat,
160 gs->context_hdl,
161 input_token,
162 output_token,
163 NULL,
164 NULL);
165 if (GSS_ERROR(maj_stat)) {
166 gss_set_error(gs, min_stat);
167 return POP_AUTH_FAILURE;
168 }
169 if(output_token->length < 5) {
170 pop_auth_set_error("response too short");
171 return POP_AUTH_FAILURE;
172 }
173 ptr = output_token->value;
174 if(ptr[0] != 1) {
175 pop_auth_set_error("must use clear text");
176 return POP_AUTH_FAILURE;
177 }
178 memmove(output_token->value, ptr + 4, output_token->length - 4);
179 ptr[output_token->length - 4] = '\0';
180
181 maj_stat = gss_display_name(&min_stat, gs->client_name,
182 &export_name, &oid);
183 if(maj_stat != GSS_S_COMPLETE) {
184 gss_set_error(gs, min_stat);
185 return POP_AUTH_FAILURE;
186 }
187 /* XXX kerberos */
188 if(oid != GSS_KRB5_NT_PRINCIPAL_NAME) {
189 pop_auth_set_error("unexpected gss name type");
190 gss_release_buffer(&min_stat, &export_name);
191 return POP_AUTH_FAILURE;
192 }
193 name = malloc(export_name.length + 1);
194 if(name == NULL) {
195 pop_auth_set_error("out of memory");
196 gss_release_buffer(&min_stat, &export_name);
197 return POP_AUTH_FAILURE;
198 }
199 memcpy(name, export_name.value, export_name.length);
200 name[export_name.length] = '\0';
201 gss_release_buffer(&min_stat, &export_name);
202 krb5_parse_name(gssapi_krb5_context, name, &principal);
203
204 if(!krb5_kuserok(gssapi_krb5_context, principal, ptr)) {
205 pop_auth_set_error("Permission denied");
206 return POP_AUTH_FAILURE;
207 }
208
209
210 strlcpy(p->user, ptr, sizeof(p->user));
211 return POP_AUTH_COMPLETE;
212 }
213 return POP_AUTH_FAILURE;
214 }
215
216
217 static int
218 gss_init(POP *p, void **state)
219 {
220 struct gss_state *gs = malloc(sizeof(*gs));
221 if(gs == NULL) {
222 pop_auth_set_error("out of memory");
223 return POP_AUTH_FAILURE;
224 }
225 gs->context_hdl = GSS_C_NO_CONTEXT;
226 gs->stage = 0;
227 *state = gs;
228 return POP_AUTH_CONTINUE;
229 }
230
231 static int
232 gss_cleanup(POP *p, void *state)
233 {
234 OM_uint32 min_stat;
235 struct gss_state *gs = state;
236 if(gs->context_hdl != GSS_C_NO_CONTEXT)
237 gss_delete_sec_context(&min_stat, &gs->context_hdl, GSS_C_NO_BUFFER);
238 free(state);
239 return POP_AUTH_CONTINUE;
240 }
241
242 struct auth_mech gssapi_mech = {
243 "GSSAPI", gss_init, gss_loop, gss_cleanup
244 };
245
246 #endif /* KRB5 */
NetBSD on the FriendlyARM MINI2440