diff options
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5/accept_sec_context.c')
-rw-r--r-- | source4/heimdal/lib/gssapi/krb5/accept_sec_context.c | 142 |
1 files changed, 71 insertions, 71 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index 84110b7a82..626afa9384 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -1,34 +1,34 @@ /* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb5/gsskrb5_locl.h" @@ -47,7 +47,7 @@ _gsskrb5_register_acceptor_identity (const char *identity) ret = _gsskrb5_init(&context); if(ret) return GSS_S_FAILURE; - + HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); if(_gsskrb5_keytab != NULL) { @@ -97,7 +97,7 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) if (key == NULL) return; - + switch (key->keytype) { case ETYPE_DES_CBC_CRC: case ETYPE_DES_CBC_MD4: @@ -128,7 +128,7 @@ gsskrb5_accept_delegated_token krb5_ccache ccache = NULL; krb5_error_code kret; int32_t ac_flags, ret = GSS_S_COMPLETE; - + *minor_status = 0; /* XXX Create a new delegated_cred_handle? */ @@ -148,7 +148,7 @@ gsskrb5_accept_delegated_token ctx->flags &= ~GSS_C_DELEG_FLAG; goto out; } - + krb5_auth_con_removeflags(context, ctx->auth_context, KRB5_AUTH_CONTEXT_DO_TIME, @@ -179,7 +179,7 @@ gsskrb5_accept_delegated_token goto out; handle = (gsskrb5_cred) *delegated_cred_handle; - + handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; krb5_cc_close(context, ccache); ccache = NULL; @@ -219,7 +219,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status, if (ret) return ret; - /* + /* * If requested, set local sequence num to remote sequence if this * isn't a mutual authentication context */ @@ -282,7 +282,7 @@ send_error_token(OM_uint32 *minor_status, } server = ap_req_server; } - + ret = krb5_mk_error(context, kret, NULL, NULL, NULL, server, NULL, NULL, &outbuf); if (ap_req_server) @@ -291,7 +291,7 @@ send_error_token(OM_uint32 *minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = _gsskrb5_encapsulate(minor_status, &outbuf, output_token, @@ -352,7 +352,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, } else if (acceptor_cred->keytab != NULL) { keytab = acceptor_cred->keytab; } - + /* * We need to check the ticket and create the AP-REP packet */ @@ -382,7 +382,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, in, &out); krb5_rd_req_in_ctx_free(context, in); if (kret == KRB5KRB_AP_ERR_SKEW) { - /* + /* * No reply in non-MUTUAL mode, but we don't know that its * non-MUTUAL mode yet, thats inside the 8003 checksum, so * lets only send the error token on clock skew, that @@ -401,7 +401,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, kret = krb5_rd_req_out_get_ap_req_options(context, out, &ap_options); if (kret == 0) - kret = krb5_rd_req_out_get_ticket(context, out, + kret = krb5_rd_req_out_get_ticket(context, out, &ctx->ticket); if (kret == 0) kret = krb5_rd_req_out_get_keyblock(context, out, @@ -415,8 +415,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, return ret; } } - - + + /* * We need to copy the principal names to the context and the * calling layer. @@ -429,7 +429,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, *minor_status = kret; } - kret = krb5_copy_principal(context, + kret = krb5_copy_principal(context, ctx->ticket->server, &ctx->target); if (kret) { @@ -437,7 +437,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, *minor_status = kret; return ret; } - + /* * We need to setup some compat stuff, this assumes that * context_handle->target is already set. @@ -462,7 +462,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, */ { krb5_authenticator authenticator; - + kret = krb5_auth_con_getauthenticator(context, ctx->auth_context, &authenticator); @@ -486,8 +486,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, } else { krb5_crypto crypto; - kret = krb5_crypto_init(context, - ctx->auth_context->keyblock, + kret = krb5_crypto_init(context, + ctx->auth_context->keyblock, 0, &crypto); if(kret) { krb5_free_authenticator(context, &authenticator); @@ -497,9 +497,9 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, return ret; } - /* + /* * Windows accepts Samba3's use of a kerberos, rather than - * GSSAPI checksum here + * GSSAPI checksum here */ kret = krb5_verify_checksum(context, @@ -514,26 +514,26 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, return ret; } - /* + /* * Samba style get some flags (but not DCE-STYLE) */ - ctx->flags = + ctx->flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; } } - + if(ctx->flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; int use_subkey = 0; - + _gsskrb5i_is_cfx(ctx, &is_cfx); - + if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { use_subkey = 1; } else { krb5_keyblock *rkey; - /* + /* * If there is a initiator subkey, copy that to acceptor * subkey to match Windows behavior */ @@ -541,7 +541,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, ctx->auth_context, &rkey); if (kret == 0) { - kret = krb5_auth_con_setlocalsubkey(context, + kret = krb5_auth_con_setlocalsubkey(context, ctx->auth_context, rkey); if (kret == 0) @@ -555,7 +555,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL); } - + kret = krb5_mk_rep(context, ctx->auth_context, &outbuf); @@ -563,7 +563,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (IS_DCE_STYLE(ctx)) { output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -578,17 +578,17 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, return ret; } } - + ctx->flags |= GSS_C_TRANS_FLAG; /* Remember the flags */ - + ctx->lifetime = ctx->ticket->ticket.endtime; ctx->more_flags |= OPEN; - + if (mech_type) *mech_type = GSS_KRB5_MECHANISM; - + if (time_rec) { ret = _gsskrb5_lifetime_left(minor_status, context, @@ -615,7 +615,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, return GSS_S_CONTINUE_NEEDED; } - ret = gsskrb5_acceptor_ready(minor_status, ctx, context, + ret = gsskrb5_acceptor_ready(minor_status, ctx, context, delegated_cred_handle); if (ret_flags) @@ -643,14 +643,14 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, krb5_data inbuf; int32_t r_seq_number, l_seq_number; - /* + /* * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ inbuf.length = input_token_buffer->length; inbuf.data = input_token_buffer->value; - /* + /* * We need to remeber the old remote seq_number, then check if the * client has replied with our local seq_number, and then reset * the remote seq_number to the old value @@ -681,11 +681,11 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, } } - /* + /* * We need to verify the AP_REP, but we need to flag that this is * DCE_STYLE, so don't check the timestamps this time, but put the * flag DO_TIME back afterward. - */ + */ { krb5_ap_rep_enc_part *repl; int32_t auth_flags; @@ -783,7 +783,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, } } - return gsskrb5_acceptor_ready(minor_status, ctx, context, + return gsskrb5_acceptor_ready(minor_status, ctx, context, delegated_cred_handle); } @@ -824,17 +824,17 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status, if (ret) return ret; } - + ctx = (gsskrb5_ctx)*context_handle; - + /* - * TODO: check the channel_bindings + * TODO: check the channel_bindings * (above just sets them to krb5 layer) */ HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - + switch (ctx->state) { case ACCEPTOR_START: ret = gsskrb5_acceptor_start(minor_status, @@ -865,7 +865,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status, delegated_cred_handle); break; case ACCEPTOR_READY: - /* + /* * If we get there, the caller have called * gss_accept_sec_context() one time too many. */ @@ -876,9 +876,9 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status, ret = GSS_S_BAD_STATUS; break; } - + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - + if (GSS_ERROR(ret)) { OM_uint32 min2; _gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER); |