2 * Copyright (c) 2012, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
33 * This code was adapted from the MIT Kerberos Consortium's
34 * GSS example code, which was distributed under the following
37 * Copyright 2004-2006 Massachusetts Institute of Technology.
38 * All Rights Reserved.
40 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
41 * distribute this software and its documentation for any purpose and
42 * without fee is hereby granted, provided that the above copyright
43 * notice appear in all copies and that both that copyright notice and
44 * this permission notice appear in supporting documentation, and that
45 * the name of M.I.T. not be used in advertising or publicity pertaining
46 * to distribution of the software without specific, written prior
47 * permission. Furthermore if you modify this software you must label
48 * your software as modified software and not distribute it in such a
49 * fashion that it might be confused with the original M.I.T. software.
50 * M.I.T. makes no representations about the suitability of
51 * this software for any purpose. It is provided "as is" without express
52 * or implied warranty.
57 const char *gServiceName = NULL;
59 int gsscon_passive_authenticate (int inSocket,
60 gss_ctx_id_t *outGSSContext,
61 client_cb_fn clientCb,
65 OM_uint32 majorStatus;
66 OM_uint32 minorStatus = 0;
67 gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT;
68 gss_name_t clientName = GSS_C_NO_NAME, serviceName = GSS_C_NO_NAME;
69 gss_cred_id_t acceptorCredentials = NULL;
70 gss_buffer_desc clientDisplayName = {0, NULL};
71 gss_buffer_desc nameBuffer = {0, "trustidentity"};
73 char *inputTokenBuffer = NULL;
74 size_t inputTokenBufferLength = 0;
75 gss_buffer_desc inputToken; /* buffer received from the server */
78 nameBuffer.length = strlen(nameBuffer.value);
79 if (inSocket < 0 ) { err = EINVAL; }
80 if (!outGSSContext) { err = EINVAL; }
83 majorStatus = gss_import_name (&minorStatus, &nameBuffer, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &serviceName);
84 if (majorStatus != GSS_S_COMPLETE) {
85 gsscon_print_gss_errors ("gss_import_name(inServiceName)", majorStatus, minorStatus);
86 err = minorStatus ? minorStatus : majorStatus;
90 majorStatus = gss_acquire_cred ( &minorStatus, serviceName,
91 GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
92 GSS_C_ACCEPT, &acceptorCredentials,
93 NULL /*mechs out*/, NULL /*time out*/);
94 if (majorStatus != GSS_S_COMPLETE) {
95 gsscon_print_gss_errors ("gss_acquire_cred", majorStatus, minorStatus);
96 err = minorStatus ? minorStatus : majorStatus;
101 * The main authentication loop:
103 * GSS is a multimechanism API. The number of packet exchanges required to
104 * authenticatevaries between mechanisms. As a result, we need to loop reading
105 * input tokens from the client, calling gss_accept_sec_context on the input
106 * tokens and send the resulting output tokens back to the client until we
107 * get GSS_S_COMPLETE or an error.
109 * When we are done, save the client principal so we can make authorization
113 majorStatus = GSS_S_CONTINUE_NEEDED;
114 while (!err && (majorStatus != GSS_S_COMPLETE)) {
115 /* Clean up old input buffer */
116 if (inputTokenBuffer != NULL) {
117 free (inputTokenBuffer);
118 inputTokenBuffer = NULL; /* don't double-free */
121 err = gsscon_read_token (inSocket, &inputTokenBuffer, &inputTokenBufferLength);
124 /* Set up input buffers for the next run through the loop */
125 inputToken.value = inputTokenBuffer;
126 inputToken.length = inputTokenBufferLength;
130 /* buffer to send to the server */
131 gss_buffer_desc outputToken = { 0, NULL };
134 * accept_sec_context does the actual work of taking the client's
135 * request and generating an appropriate reply. */
136 majorStatus = gss_accept_sec_context (&minorStatus,
140 GSS_C_NO_CHANNEL_BINDINGS,
142 NULL /* actual_mech_type */,
144 NULL /* req_flags */,
146 NULL /* delegated_cred_handle */);
148 if ((outputToken.length > 0) && (outputToken.value != NULL)) {
149 /* Send the output token to the client (even on error) */
150 err = gsscon_write_token (inSocket, outputToken.value, outputToken.length);
152 /* free the output token */
153 gss_release_buffer (&minorStatus, &outputToken);
157 if ((majorStatus != GSS_S_COMPLETE) && (majorStatus != GSS_S_CONTINUE_NEEDED)) {
158 gsscon_print_gss_errors ("gss_accept_sec_context", majorStatus, minorStatus);
159 err = minorStatus ? minorStatus : majorStatus;
164 majorStatus = gss_display_name(&minorStatus, clientName, &clientDisplayName, NULL);
165 if (GSS_ERROR(majorStatus)) {
166 gsscon_print_gss_errors("gss_display_name", majorStatus, minorStatus);
170 err = clientCb(clientName, &clientDisplayName, clientCbData);
174 *outGSSContext = gssContext;
177 gsscon_print_error (err, "Authenticate failed");
180 if (inputTokenBuffer) { free (inputTokenBuffer); }
181 if (gssContext != GSS_C_NO_CONTEXT) {
182 gss_delete_sec_context (&minorStatus, &gssContext, GSS_C_NO_BUFFER); }
183 if (clientName != GSS_C_NO_NAME)
184 gss_release_name(&minorStatus, &clientName);
185 if (clientDisplayName.value != NULL)
186 gss_release_buffer(&minorStatus, &clientDisplayName);
187 gss_release_name( &minorStatus, &serviceName);
188 gss_release_cred( &minorStatus, &acceptorCredentials);
193 /* --------------------------------------------------------------------------- */
195 static int ServicePrincipalIsValidForService (const char *inServicePrincipal)
198 krb5_context context = NULL;
199 krb5_principal principal = NULL;
201 if (!inServicePrincipal) { err = EINVAL; }
204 err = krb5_init_context (&context);
208 err = krb5_parse_name (context, inServicePrincipal, &principal);
213 * Here is where we check to see if the service principal the client
214 * used is valid. Typically we would just check that the first component
215 * is the name of the service provided by the server. This check exists
216 * to make sure the server is using the correct key in its keytab since
217 * we passed GSS_C_NO_CREDENTIAL into gss_accept_sec_context().
219 if (gServiceName && strcmp (gServiceName,
220 krb5_princ_name (context, principal)->data) != 0) {
221 err = KRB5KRB_AP_WRONG_PRINC;
225 if (principal) { krb5_free_principal (context, principal); }
226 if (context ) { krb5_free_context (context); }
232 /* --------------------------------------------------------------------------- */
234 static int ClientPrincipalIsAuthorizedForService (const char *inClientPrincipal)
238 * Here is where the server checks to see if the client principal should
239 * be allowed to use your service. Typically it should check both the name
240 * and the realm, since with cross-realm shared keys, a user at another
241 * realm may be trying to contact your service.
250 /* --------------------------------------------------------------------------- */
252 int gsscon_authorize (gss_ctx_id_t inContext,
254 int *outAuthorizationError)
257 OM_uint32 majorStatus;
258 OM_uint32 minorStatus = 0;
259 gss_name_t clientName = NULL;
260 gss_name_t serviceName = NULL;
261 char *clientPrincipal = NULL;
262 char *servicePrincipal = NULL;
264 if (!inContext ) { err = EINVAL; }
265 if (!outAuthorized ) { err = EINVAL; }
266 if (!outAuthorizationError) { err = EINVAL; }
269 /* Get the client and service principals used to authenticate */
270 majorStatus = gss_inquire_context (&minorStatus,
274 NULL, NULL, NULL, NULL, NULL);
275 if (majorStatus != GSS_S_COMPLETE) {
276 err = minorStatus ? minorStatus : majorStatus;
281 /* Pull the client principal string out of the gss name */
282 gss_buffer_desc nameToken;
284 majorStatus = gss_display_name (&minorStatus,
288 if (majorStatus != GSS_S_COMPLETE) {
289 err = minorStatus ? minorStatus : majorStatus;
293 clientPrincipal = malloc (nameToken.length + 1);
294 if (clientPrincipal == NULL) { err = ENOMEM; }
298 memcpy (clientPrincipal, nameToken.value, nameToken.length);
299 clientPrincipal[nameToken.length] = '\0';
302 if (nameToken.value) { gss_release_buffer (&minorStatus, &nameToken); }
306 // /* Pull the service principal string out of the gss name */
307 // gss_buffer_desc nameToken;
309 // majorStatus = gss_display_name (&minorStatus,
313 // if (majorStatus != GSS_S_COMPLETE) {
314 // err = minorStatus ? minorStatus : majorStatus;
318 // servic7ePrincipal = malloc (nameToken.length + 1);
319 // if (servicePrincipal == NULL) { err = ENOMEM; }
323 // memcpy (servicePrincipal, nameToken.value, nameToken.length);
324 // servicePrincipal[nameToken.length] = '\0';
327 // if (nameToken.value) { gss_release_buffer (&minorStatus, &nameToken); }
331 // int authorizationErr = ServicePrincipalIsValidForService (servicePr// incipal);
333 // if (!authorizationErr) {
335 int authorizationErr = 0;
336 authorizationErr = ClientPrincipalIsAuthorizedForService (clientPrincipal);
340 // printf ("'%s' is%s authorized for service '%s'\n",
341 // clientPrincipal, authorizationErr ? " NOT" : "", servicePrincipal);
343 *outAuthorized = !authorizationErr;
344 *outAuthorizationError = authorizationErr;
347 if (serviceName ) { gss_release_name (&minorStatus, &serviceName); }
348 if (clientName ) { gss_release_name (&minorStatus, &clientName); }
349 if (clientPrincipal ) { free (clientPrincipal); }
350 if (servicePrincipal) { free (servicePrincipal); }