Diffstat (limited to 'src/lib/gssapi/krb5/accept_sec_context.c')
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 264 |
1 files changed, 132 insertions, 132 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 52cf6fa..ce3075f 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /*
  * Copyright 2000, 2004, 2007, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
@@ -292,104 +292,104 @@ static OM_uint32 kg_accept_dce(minor_status, context_handle, verifier_cred_handle, input_token, input_chan_bindings, src_name, mech_type, output_token, ret_flags, time_rec, delegated_cred_handle) - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_cred_id_t verifier_cred_handle; - gss_buffer_t input_token; - gss_channel_bindings_t input_chan_bindings; - gss_name_t *src_name; - gss_OID *mech_type; - gss_buffer_t output_token; - OM_uint32 *ret_flags; - OM_uint32 *time_rec; - gss_cred_id_t *delegated_cred_handle; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_cred_id_t verifier_cred_handle; + gss_buffer_t input_token; + gss_channel_bindings_t input_chan_bindings; + gss_name_t *src_name; + gss_OID *mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; + gss_cred_id_t *delegated_cred_handle; { - krb5_error_code code; - krb5_gss_ctx_id_rec *ctx = 0; - krb5_timestamp now; - krb5_gss_name_t name = NULL; - krb5_ui_4 nonce = 0; - krb5_data ap_rep; - OM_uint32 major_status = GSS_S_FAILURE; - - output_token->length = 0; - output_token->value = NULL; - - if (mech_type) - *mech_type = GSS_C_NULL_OID; - /* return a bogus cred handle */ - if (delegated_cred_handle) - *delegated_cred_handle = GSS_C_NO_CREDENTIAL; - - ctx = (krb5_gss_ctx_id_rec *)*context_handle; - - code = krb5_timeofday(ctx->k5_context, &now); - if (code != 0) { - major_status = GSS_S_FAILURE; - goto fail; - } - - if (ctx->krb_times.endtime < now) { - code = 0; - major_status = GSS_S_CREDENTIALS_EXPIRED; - goto fail; - } - - ap_rep.data = input_token->value; - ap_rep.length = input_token->length; - - code = krb5_rd_rep_dce(ctx->k5_context, - ctx->auth_context, - &ap_rep, - &nonce); - if (code != 0) { - major_status = GSS_S_FAILURE; - goto fail; - } - - ctx->established = 1; - - if (src_name) { - if ((code = kg_duplicate_name(ctx->k5_context, ctx->there, - KG_INIT_NAME_INTERN, &name))) { - major_status = GSS_S_FAILURE; - goto 
fail; - } - *src_name = (gss_name_t) name; - } - - if (mech_type) - *mech_type = ctx->mech_used; - - if (time_rec) - *time_rec = ctx->krb_times.endtime - now; - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - /* XXX no support for delegated credentials yet */ - - *minor_status = 0; - - return GSS_S_COMPLETE; - - fail: - /* real failure code follows */ - - (void) krb5_gss_delete_sec_context(minor_status, (gss_ctx_id_t *) &ctx, - NULL); - *context_handle = GSS_C_NO_CONTEXT; - *minor_status = code; - - return major_status; + krb5_error_code code; + krb5_gss_ctx_id_rec *ctx = 0; + krb5_timestamp now; + krb5_gss_name_t name = NULL; + krb5_ui_4 nonce = 0; + krb5_data ap_rep; + OM_uint32 major_status = GSS_S_FAILURE; + + output_token->length = 0; + output_token->value = NULL; + + if (mech_type) + *mech_type = GSS_C_NULL_OID; + /* return a bogus cred handle */ + if (delegated_cred_handle) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + + ctx = (krb5_gss_ctx_id_rec *)*context_handle; + + code = krb5_timeofday(ctx->k5_context, &now); + if (code != 0) { + major_status = GSS_S_FAILURE; + goto fail; + } + + if (ctx->krb_times.endtime < now) { + code = 0; + major_status = GSS_S_CREDENTIALS_EXPIRED; + goto fail; + } + + ap_rep.data = input_token->value; + ap_rep.length = input_token->length; + + code = krb5_rd_rep_dce(ctx->k5_context, + ctx->auth_context, + &ap_rep, + &nonce); + if (code != 0) { + major_status = GSS_S_FAILURE; + goto fail; + } + + ctx->established = 1; + + if (src_name) { + if ((code = kg_duplicate_name(ctx->k5_context, ctx->there, + KG_INIT_NAME_INTERN, &name))) { + major_status = GSS_S_FAILURE; + goto fail; + } + *src_name = (gss_name_t) name; + } + + if (mech_type) + *mech_type = ctx->mech_used; + + if (time_rec) + *time_rec = ctx->krb_times.endtime - now; + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + /* XXX no support for delegated credentials yet */ + + *minor_status = 0; + + return GSS_S_COMPLETE; + +fail: + /* real failure code follows */ + + 
(void) krb5_gss_delete_sec_context(minor_status, (gss_ctx_id_t *) &ctx, + NULL); + *context_handle = GSS_C_NO_CONTEXT; + *minor_status = code; + + return major_status; } static OM_uint32 kg_accept_krb5(minor_status, context_handle, - verifier_cred_handle, input_token, - input_chan_bindings, src_name, mech_type, - output_token, ret_flags, time_rec, - delegated_cred_handle) + verifier_cred_handle, input_token, + input_chan_bindings, src_name, mech_type, + output_token, ret_flags, time_rec, + delegated_cred_handle) OM_uint32 *minor_status; gss_ctx_id_t *context_handle; gss_cred_id_t verifier_cred_handle; 
@@ -607,37 +607,37 @@ kg_accept_krb5(minor_status, context_handle, } #endif - if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) { - /* Samba does not send 0x8003 GSS-API checksums */ - krb5_boolean valid; - krb5_key subkey; - krb5_data zero; - - code = krb5_auth_con_getkey_k(context, auth_context, &subkey); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } - - zero.length = 0; - zero.data = ""; - - code = krb5_k_verify_checksum(context, - subkey, - KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, - &zero, - authdat->checksum, - &valid); - krb5_k_free_key(context, subkey); - if (code || !valid) { - major_status = GSS_S_BAD_SIG; - goto fail; - } - - gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - bigend = 0; - decode_req_message = 0; - } else { + if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) { + /* Samba does not send 0x8003 GSS-API checksums */ + krb5_boolean valid; + krb5_key subkey; + krb5_data zero; + + code = krb5_auth_con_getkey_k(context, auth_context, &subkey); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } + + zero.length = 0; + zero.data = ""; + + code = krb5_k_verify_checksum(context, + subkey, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &zero, + authdat->checksum, + &valid); + krb5_k_free_key(context, subkey); + if (code || !valid) { + major_status = GSS_S_BAD_SIG; + goto fail; + } + + gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; + bigend = 0; + decode_req_message = 0; + } else { /* gss krb5 v1 */ /* stash this now, for later. */ @@ -856,9 +856,9 @@ kg_accept_krb5(minor_status, context_handle, /* XXX move this into gss_name_t */ if ( (code = krb5_merge_authdata(context, - ticket->enc_part2->authorization_data, + ticket->enc_part2->authorization_data, authdat->authorization_data, - &ctx->authdata))) { + &ctx->authdata))) { major_status = GSS_S_FAILURE; goto fail; } 
@@ -1120,7 +1120,7 @@ kg_accept_krb5(minor_status, context_handle, *src_name = (gss_name_t) name; if (delegated_cred_handle) { - if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) { + if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) { major_status = GSS_S_FAILURE; code = G_VALIDATE_FAILED; goto fail; @@ -1288,8 +1288,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, } return kg_accept_krb5(minor_status, context_handle, - verifier_cred_handle, input_token, - input_chan_bindings, src_name, mech_type, - output_token, ret_flags, time_rec, - delegated_cred_handle); + verifier_cred_handle, input_token, + input_chan_bindings, src_name, mech_type, + output_token, ret_flags, time_rec, + delegated_cred_handle); } |