2 * Copyright (c) 2005 Doug Rabson
5 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * $FreeBSD: src/lib/libgssapi/gss_init_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
31 #include "mech_locl.h"
34 _gss_mg_find_mech_cred(
35 gss_const_cred_id_t cred_handle,
36 gss_const_OID mech_type)
38 struct _gss_cred *cred = (struct _gss_cred *)cred_handle;
39 struct _gss_mechanism_cred *mc;
42 return GSS_C_NO_CREDENTIAL;
44 HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link) {
45 if (gss_oid_equal(mech_type, mc->gmc_mech_oid))
48 return GSS_C_NO_CREDENTIAL;
52 log_init_sec_context(struct _gss_context *ctx,
53 struct _gss_name *target,
55 struct _gss_cred *cred,
57 gss_buffer_t input_token)
59 gssapi_mech_interface m;
64 m = __gss_get_mechanism(mech_type);
68 mech_type = &m->gm_mech_oid;
70 _gss_mg_log(1, "gss_isc: %s %sfirst flags %08x, %s cred, %stoken",
72 (ctx == NULL) ? "" : "not ",
74 (cred != NULL) ? "specific" : "default",
75 (input_token != NULL && input_token->length) ? "" : "no ");
77 _gss_mg_log_cred(1, cred, "gss_isc cred");
79 /* print target name */
80 _gss_mg_log_name(1, target, mech_type, "gss_isc: target");
84 * As the initiator build a context with an acceptor.
86 * Returns in the major
87 * - GSS_S_COMPLETE - if the context if build
88 * - GSS_S_CONTINUE_NEEDED - if the caller needs to continue another
89 * round of gss_i nit_sec_context
90 * - error code - any other error code
92 * @param minor_status minor status code.
94 * @param initiator_cred_handle the credential to use when building
95 * the context, if GSS_C_NO_CREDENTIAL is passed, the default
96 * credential for the mechanism will be used.
98 * @param context_handle a pointer to a context handle, will be
99 * returned as long as there is not an error.
101 * @param target_name the target name of acceptor, created using
102 * gss_import_name(). The name is can be of any name types the
103 * mechanism supports, check supported name types with
104 * gss_inquire_names_for_mech().
106 * @param input_mech_type mechanism type to use, if GSS_C_NO_OID is
107 * used, Kerberos (GSS_KRB5_MECHANISM) will be tried. Other
108 * available mechanism are listed in the @ref gssapi_mechs_intro
111 * @param req_flags flags using when building the context, see @ref
112 * gssapi_context_flags
114 * @param time_req time requested this context should be valid in
115 * seconds, common used value is GSS_C_INDEFINITE
117 * @param input_chan_bindings Channel bindings used, if not exepected
118 * otherwise, used GSS_C_NO_CHANNEL_BINDINGS
120 * @param input_token input token sent from the acceptor, for the
121 * initial packet the buffer of { NULL, 0 } should be used.
123 * @param actual_mech_type the actual mech used, MUST NOT be freed
124 * since it pointing to static memory.
126 * @param output_token if there is an output token, regardless of
127 * complete, continue_needed, or error it should be sent to the
130 * @param ret_flags return what flags was negotitated, caller should
131 * check if they are accetable. For example, if
132 * GSS_C_MUTUAL_FLAG was negotiated with the acceptor or not.
134 * @param time_rec amount of time this context is valid for
136 * @returns a gss_error code, see gss_display_status() about printing
144 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
145 gss_init_sec_context(OM_uint32 * minor_status,
146 gss_const_cred_id_t initiator_cred_handle,
147 gss_ctx_id_t * context_handle,
148 gss_const_name_t target_name,
149 const gss_OID input_mech_type,
152 const gss_channel_bindings_t input_chan_bindings,
153 const gss_buffer_t input_token,
154 gss_OID * actual_mech_type,
155 gss_buffer_t output_token,
156 OM_uint32 * ret_flags,
157 OM_uint32 * time_rec)
159 OM_uint32 major_status;
160 gssapi_mech_interface m;
161 gss_const_name_t mn_inner = GSS_C_NO_NAME;
162 struct _gss_name *name = (struct _gss_name *) target_name;
163 struct _gss_mechanism_name *mn;
164 struct _gss_context *ctx = (struct _gss_context *) *context_handle;
165 gss_const_cred_id_t cred_handle;
167 gss_OID mech_type = input_mech_type;
171 _mg_buffer_zero(output_token);
172 if (actual_mech_type)
173 *actual_mech_type = GSS_C_NO_OID;
179 if (mech_type == GSS_C_NO_OID)
180 mech_type = GSS_KRB5_MECHANISM;
182 _gss_mg_check_name(target_name);
184 if (_gss_mg_log_level(1))
185 log_init_sec_context(ctx, name, req_flags,
186 (struct _gss_cred *)initiator_cred_handle,
187 input_mech_type, input_token);
190 * If we haven't allocated a context yet, do so now and lookup
191 * the mechanism switch table. If we have one already, make
192 * sure we use the same mechanism switch as before.
195 ctx = malloc(sizeof(struct _gss_context));
197 *minor_status = ENOMEM;
198 return (GSS_S_FAILURE);
200 memset(ctx, 0, sizeof(struct _gss_context));
201 m = ctx->gc_mech = __gss_get_mechanism(mech_type);
205 gss_mg_set_error_string(mech_type, GSS_S_BAD_MECH,
207 "Unsupported mechanism requested");
208 return (GSS_S_BAD_MECH);
213 mech_type = &ctx->gc_mech->gm_mech_oid;
218 * Find the MN for this mechanism.
220 if ((m->gm_flags & GM_USE_MG_NAME)) {
221 mn_inner = target_name;
223 major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
224 if (major_status != GSS_S_COMPLETE) {
230 mn_inner = mn->gmn_name;
234 * If we have a cred, find the cred for this mechanism.
236 if (m->gm_flags & GM_USE_MG_CRED)
237 cred_handle = initiator_cred_handle;
239 cred_handle = _gss_mg_find_mech_cred(initiator_cred_handle, mech_type);
241 if (initiator_cred_handle != GSS_C_NO_CREDENTIAL &&
242 cred_handle == NULL) {
246 gss_mg_set_error_string(mech_type, GSS_S_UNAVAILABLE,
248 "Credential for the requested mechanism "
249 "not found in credential handle");
250 return GSS_S_UNAVAILABLE;
253 major_status = m->gm_init_sec_context(minor_status,
267 if (major_status != GSS_S_COMPLETE
268 && major_status != GSS_S_CONTINUE_NEEDED) {
271 _mg_buffer_zero(output_token);
272 _gss_mg_error(m, *minor_status);
274 *context_handle = (gss_ctx_id_t) ctx;
277 _gss_mg_log(1, "gss_isc: %s maj_stat: %d/%d",
278 m->gm_name, (int)major_status, (int)*minor_status);
280 return (major_status);