2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * Portions Copyright (c) 2004 PADL Software Pty Ltd.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "spnego/spnego_locl.h"
36 RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
39 send_reject (OM_uint32 *minor_status,
40 gss_buffer_t output_token)
45 nt.element = choice_NegotiationToken_negTokenResp;
47 ALLOC(nt.u.negTokenResp.negResult, 1);
48 if (nt.u.negTokenResp.negResult == NULL) {
49 *minor_status = ENOMEM;
52 *(nt.u.negTokenResp.negResult) = reject;
53 nt.u.negTokenResp.supportedMech = NULL;
54 nt.u.negTokenResp.responseToken = NULL;
55 nt.u.negTokenResp.mechListMIC = NULL;
57 ASN1_MALLOC_ENCODE(NegotiationToken,
58 output_token->value, output_token->length, &nt,
59 &size, *minor_status);
60 free_NegotiationToken(&nt);
61 if (*minor_status != 0)
64 return GSS_S_BAD_MECH;
68 acceptor_approved(gss_name_t target_name, gss_OID mech)
70 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
74 if (target_name == GSS_C_NO_NAME)
75 return GSS_S_COMPLETE;
77 gss_create_empty_oid_set(&junk, &oidset);
78 gss_add_oid_set_member(&junk, mech, &oidset);
80 ret = gss_acquire_cred(&junk, target_name, GSS_C_INDEFINITE, oidset,
81 GSS_C_ACCEPT, &cred, NULL, NULL);
82 gss_release_oid_set(&junk, &oidset);
83 if (ret != GSS_S_COMPLETE)
85 gss_release_cred(&junk, &cred);
87 return GSS_S_COMPLETE;
91 send_supported_mechs (OM_uint32 *minor_status,
92 gss_buffer_t output_token)
94 NegotiationTokenWin nt;
95 char hostname[MAXHOSTNAMELEN + 1], *p;
96 gss_buffer_desc name_buf;
98 gss_name_t target_princ;
99 gss_name_t canon_princ;
102 gss_buffer_desc data;
105 memset(&nt, 0, sizeof(nt));
107 nt.element = choice_NegotiationTokenWin_negTokenInit;
108 nt.u.negTokenInit.reqFlags = NULL;
109 nt.u.negTokenInit.mechToken = NULL;
110 nt.u.negTokenInit.negHints = NULL;
112 ret = _gss_spnego_indicate_mechtypelist(minor_status, GSS_C_NO_NAME,
113 acceptor_approved, 1, NULL,
114 &nt.u.negTokenInit.mechTypes, NULL);
115 if (ret != GSS_S_COMPLETE) {
119 memset(&target_princ, 0, sizeof(target_princ));
120 if (gethostname(hostname, sizeof(hostname) - 2) != 0) {
121 *minor_status = errno;
122 free_NegotiationTokenWin(&nt);
123 return GSS_S_FAILURE;
125 hostname[sizeof(hostname) - 1] = '\0';
127 /* Send the constructed SAM name for this host */
128 for (p = hostname; *p != '\0' && *p != '.'; p++) {
129 *p = toupper((unsigned char)*p);
134 name_buf.length = strlen(hostname);
135 name_buf.value = hostname;
137 ret = gss_import_name(minor_status, &name_buf,
140 if (ret != GSS_S_COMPLETE) {
141 free_NegotiationTokenWin(&nt);
146 name_buf.value = NULL;
148 /* Canonicalize the name using the preferred mechanism */
149 ret = gss_canonicalize_name(minor_status,
153 if (ret != GSS_S_COMPLETE) {
154 free_NegotiationTokenWin(&nt);
155 gss_release_name(&minor, &target_princ);
159 ret = gss_display_name(minor_status, canon_princ,
160 &name_buf, &name_type);
161 if (ret != GSS_S_COMPLETE) {
162 free_NegotiationTokenWin(&nt);
163 gss_release_name(&minor, &canon_princ);
164 gss_release_name(&minor, &target_princ);
168 gss_release_name(&minor, &canon_princ);
169 gss_release_name(&minor, &target_princ);
171 ALLOC(nt.u.negTokenInit.negHints, 1);
172 if (nt.u.negTokenInit.negHints == NULL) {
173 *minor_status = ENOMEM;
174 gss_release_buffer(&minor, &name_buf);
175 free_NegotiationTokenWin(&nt);
176 return GSS_S_FAILURE;
179 ALLOC(nt.u.negTokenInit.negHints->hintName, 1);
180 if (nt.u.negTokenInit.negHints->hintName == NULL) {
181 *minor_status = ENOMEM;
182 gss_release_buffer(&minor, &name_buf);
183 free_NegotiationTokenWin(&nt);
184 return GSS_S_FAILURE;
187 *(nt.u.negTokenInit.negHints->hintName) = name_buf.value;
188 name_buf.value = NULL;
189 nt.u.negTokenInit.negHints->hintAddress = NULL;
191 ASN1_MALLOC_ENCODE(NegotiationTokenWin,
192 data.value, data.length, &nt, &buf_len, ret);
193 free_NegotiationTokenWin(&nt);
197 if (data.length != buf_len)
200 ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
204 if (ret != GSS_S_COMPLETE)
209 return GSS_S_CONTINUE_NEEDED;
213 send_accept (OM_uint32 *minor_status,
214 gssspnego_ctx context_handle,
215 gss_buffer_t mech_token,
216 int initial_response,
217 gss_buffer_t mech_buf,
218 gss_buffer_t output_token)
222 gss_buffer_desc mech_mic_buf;
225 memset(&nt, 0, sizeof(nt));
227 nt.element = choice_NegotiationToken_negTokenResp;
229 ALLOC(nt.u.negTokenResp.negResult, 1);
230 if (nt.u.negTokenResp.negResult == NULL) {
231 *minor_status = ENOMEM;
232 return GSS_S_FAILURE;
235 if (context_handle->open) {
236 if (mech_token != GSS_C_NO_BUFFER
237 && mech_token->length != 0
238 && mech_buf != GSS_C_NO_BUFFER)
239 *(nt.u.negTokenResp.negResult) = accept_incomplete;
241 *(nt.u.negTokenResp.negResult) = accept_completed;
243 if (initial_response && context_handle->require_mic)
244 *(nt.u.negTokenResp.negResult) = request_mic;
246 *(nt.u.negTokenResp.negResult) = accept_incomplete;
249 if (initial_response) {
250 ALLOC(nt.u.negTokenResp.supportedMech, 1);
251 if (nt.u.negTokenResp.supportedMech == NULL) {
252 free_NegotiationToken(&nt);
253 *minor_status = ENOMEM;
254 return GSS_S_FAILURE;
257 ret = der_get_oid(context_handle->preferred_mech_type->elements,
258 context_handle->preferred_mech_type->length,
259 nt.u.negTokenResp.supportedMech,
262 free_NegotiationToken(&nt);
263 *minor_status = ENOMEM;
264 return GSS_S_FAILURE;
267 nt.u.negTokenResp.supportedMech = NULL;
270 if (mech_token != GSS_C_NO_BUFFER && mech_token->length != 0) {
271 ALLOC(nt.u.negTokenResp.responseToken, 1);
272 if (nt.u.negTokenResp.responseToken == NULL) {
273 free_NegotiationToken(&nt);
274 *minor_status = ENOMEM;
275 return GSS_S_FAILURE;
277 nt.u.negTokenResp.responseToken->length = mech_token->length;
278 nt.u.negTokenResp.responseToken->data = mech_token->value;
279 mech_token->length = 0;
280 mech_token->value = NULL;
282 nt.u.negTokenResp.responseToken = NULL;
285 if (mech_buf != GSS_C_NO_BUFFER) {
286 ret = gss_get_mic(minor_status,
287 context_handle->negotiated_ctx_id,
291 if (ret == GSS_S_COMPLETE) {
292 ALLOC(nt.u.negTokenResp.mechListMIC, 1);
293 if (nt.u.negTokenResp.mechListMIC == NULL) {
294 gss_release_buffer(minor_status, &mech_mic_buf);
295 free_NegotiationToken(&nt);
296 *minor_status = ENOMEM;
297 return GSS_S_FAILURE;
299 nt.u.negTokenResp.mechListMIC->length = mech_mic_buf.length;
300 nt.u.negTokenResp.mechListMIC->data = mech_mic_buf.value;
301 } else if (ret == GSS_S_UNAVAILABLE) {
302 nt.u.negTokenResp.mechListMIC = NULL;
304 free_NegotiationToken(&nt);
309 nt.u.negTokenResp.mechListMIC = NULL;
311 ASN1_MALLOC_ENCODE(NegotiationToken,
312 output_token->value, output_token->length,
315 free_NegotiationToken(&nt);
317 return GSS_S_FAILURE;
321 * The response should not be encapsulated, because
322 * it is a SubsequentContextToken (note though RFC 1964
323 * specifies encapsulation for all _Kerberos_ tokens).
326 if (*(nt.u.negTokenResp.negResult) == accept_completed)
327 ret = GSS_S_COMPLETE;
329 ret = GSS_S_CONTINUE_NEEDED;
330 free_NegotiationToken(&nt);
337 (OM_uint32 *minor_status,
338 gssspnego_ctx context_handle,
339 gss_buffer_t mech_buf,
340 heim_octet_string *mechListMIC
344 gss_buffer_desc mic_buf;
346 if (context_handle->verified_mic) {
347 /* This doesn't make sense, we've already verified it? */
349 return GSS_S_DUPLICATE_TOKEN;
352 if (mechListMIC == NULL) {
354 return GSS_S_DEFECTIVE_TOKEN;
357 mic_buf.length = mechListMIC->length;
358 mic_buf.value = mechListMIC->data;
360 ret = gss_verify_mic(minor_status,
361 context_handle->negotiated_ctx_id,
366 if (ret != GSS_S_COMPLETE)
367 ret = GSS_S_DEFECTIVE_TOKEN;
373 select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
381 ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
386 return GSS_S_DEFECTIVE_TOKEN;
389 oid.length = mech_len;
390 oid.elements = mechbuf + sizeof(mechbuf) - mech_len;
392 if (gss_oid_equal(&oid, GSS_SPNEGO_MECHANISM)) {
393 return GSS_S_BAD_MECH;
398 /* Translate broken MS Kebreros OID */
399 if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) {
400 gssapi_mech_interface mech;
402 mech = __gss_get_mechanism(&_gss_spnego_krb5_mechanism_oid_desc);
404 return GSS_S_BAD_MECH;
406 ret = gss_duplicate_oid(minor_status,
407 &_gss_spnego_mskrb_mechanism_oid_desc,
410 gssapi_mech_interface mech;
412 mech = __gss_get_mechanism(&oid);
414 return GSS_S_BAD_MECH;
416 ret = gss_duplicate_oid(minor_status,
422 gss_name_t name = GSS_C_NO_NAME;
423 gss_buffer_desc namebuf;
424 char *str = NULL, *host, hostname[MAXHOSTNAMELEN];
426 host = getenv("GSSAPI_SPNEGO_NAME");
427 if (host == NULL || issuid()) {
428 if (gethostname(hostname, sizeof(hostname)) != 0) {
429 *minor_status = errno;
430 return GSS_S_FAILURE;
432 asprintf(&str, "host@%s", hostname);
436 namebuf.length = strlen(host);
437 namebuf.value = host;
439 ret = gss_import_name(minor_status, &namebuf,
440 GSS_C_NT_HOSTBASED_SERVICE, &name);
443 if (ret != GSS_S_COMPLETE)
446 ret = acceptor_approved(name, *mech_p);
447 gss_release_name(&junk, &name);
455 acceptor_complete(OM_uint32 * minor_status,
458 gss_buffer_t mech_buf,
459 gss_buffer_t mech_input_token,
460 gss_buffer_t mech_output_token,
461 heim_octet_string *mic,
462 gss_buffer_t output_token)
465 int require_mic, verify_mic;
471 ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
475 ctx->require_mic = require_mic;
480 if (ctx->open && require_mic) {
481 if (mech_input_token == GSS_C_NO_BUFFER) { /* Even/One */
484 } else if (mech_output_token != GSS_C_NO_BUFFER &&
485 mech_output_token->length == 0) { /* Odd */
486 *get_mic = verify_mic = 1;
487 } else { /* Even/One */
492 if (verify_mic || get_mic) {
496 ASN1_MALLOC_ENCODE(MechTypeList,
497 mech_buf->value, mech_buf->length,
498 &ctx->initiator_mech_types, &buf_len, eret);
500 *minor_status = eret;
501 return GSS_S_FAILURE;
503 if (buf.length != buf_len)
508 ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
511 send_reject (minor_status, output_token);
516 ctx->verified_mic = 1;
522 *get_mic = verify_mic = 0;
524 return GSS_S_COMPLETE;
530 (OM_uint32 * minor_status,
531 gss_ctx_id_t * context_handle,
532 const gss_cred_id_t acceptor_cred_handle,
533 const gss_buffer_t input_token_buffer,
534 const gss_channel_bindings_t input_chan_bindings,
535 gss_name_t * src_name,
537 gss_buffer_t output_token,
538 OM_uint32 * ret_flags,
539 OM_uint32 * time_rec,
540 gss_cred_id_t *delegated_cred_handle
543 OM_uint32 ret, junk, minor;
548 gss_buffer_desc data;
549 gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
550 gss_buffer_desc mech_output_token;
551 gss_buffer_desc mech_buf;
552 gss_OID preferred_mech_type = GSS_C_NO_OID;
554 gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
558 mech_output_token.value = NULL;
559 mech_output_token.length = 0;
560 mech_buf.value = NULL;
562 if (input_token_buffer->length == 0)
563 return send_supported_mechs (minor_status, output_token);
565 ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
566 if (ret != GSS_S_COMPLETE)
569 ctx = (gssspnego_ctx)*context_handle;
572 * The GSS-API encapsulation is only present on the initial
573 * context token (negTokenInit).
575 ret = gss_decapsulate_token (input_token_buffer,
576 GSS_SPNEGO_MECHANISM,
581 ret = decode_NegotiationToken(data.value, data.length, &nt, &nt_len);
582 gss_release_buffer(minor_status, &data);
585 return GSS_S_DEFECTIVE_TOKEN;
587 if (nt.element != choice_NegotiationToken_negTokenInit) {
589 return GSS_S_DEFECTIVE_TOKEN;
591 ni = &nt.u.negTokenInit;
593 if (ni->mechTypes.len < 1) {
594 free_NegotiationToken(&nt);
596 return GSS_S_DEFECTIVE_TOKEN;
599 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
601 ret = copy_MechTypeList(&ni->mechTypes, &ctx->initiator_mech_types);
603 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
604 free_NegotiationToken(&nt);
606 return GSS_S_FAILURE;
610 * First we try the opportunistic token if we have support for it,
611 * don't try to verify we have credential for the token,
612 * gss_accept_sec_context will (hopefully) tell us that.
616 ret = select_mech(minor_status,
617 &ni->mechTypes.val[0],
619 &preferred_mech_type);
621 if (ret == 0 && ni->mechToken != NULL) {
622 gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
623 gss_cred_id_t mech_cred;
624 gss_buffer_desc ibuf;
626 ibuf.length = ni->mechToken->length;
627 ibuf.value = ni->mechToken->data;
628 mech_input_token = &ibuf;
630 if (acceptor_cred != NULL)
631 mech_cred = acceptor_cred->negotiated_cred_id;
633 mech_cred = GSS_C_NO_CREDENTIAL;
635 if (ctx->mech_src_name != GSS_C_NO_NAME)
636 gss_release_name(&minor, &ctx->mech_src_name);
638 if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
639 _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
641 ret = gss_accept_sec_context(&minor,
642 &ctx->negotiated_ctx_id,
647 &ctx->negotiated_mech_type,
651 &mech_delegated_cred);
652 if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
653 ctx->preferred_mech_type = preferred_mech_type;
654 ctx->negotiated_mech_type = preferred_mech_type;
655 if (ret == GSS_S_COMPLETE)
658 if (mech_delegated_cred && delegated_cred_handle)
659 ret = _gss_spnego_alloc_cred(minor_status,
661 delegated_cred_handle);
663 gss_release_cred(&junk, &mech_delegated_cred);
665 ret = acceptor_complete(minor_status,
673 if (ret != GSS_S_COMPLETE)
681 * If opportunistic token failed, lets try the other mechs.
686 /* Call glue layer to find first mech we support */
687 for (i = 1; i < ni->mechTypes.len; ++i) {
688 ret = select_mech(minor_status,
689 &ni->mechTypes.val[i],
691 &preferred_mech_type);
695 if (preferred_mech_type == GSS_C_NO_OID) {
696 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
697 free_NegotiationToken(&nt);
698 return GSS_S_BAD_MECH;
701 ctx->preferred_mech_type = preferred_mech_type;
702 ctx->negotiated_mech_type = preferred_mech_type;
706 * The initial token always have a response
709 ret = send_accept (minor_status,
713 get_mic ? &mech_buf : NULL,
719 if (mech_output_token.value != NULL)
720 gss_release_buffer(&minor, &mech_output_token);
721 if (mech_buf.value != NULL) {
722 free(mech_buf.value);
723 mech_buf.value = NULL;
725 free_NegotiationToken(&nt);
728 if (ret == GSS_S_COMPLETE) {
729 if (src_name != NULL && ctx->mech_src_name != NULL) {
732 name = calloc(1, sizeof(*name));
734 name->mech = ctx->mech_src_name;
735 ctx->mech_src_name = NULL;
736 *src_name = (gss_name_t)name;
739 if (delegated_cred_handle != NULL) {
740 *delegated_cred_handle = ctx->delegated_cred_id;
741 ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
745 if (mech_type != NULL)
746 *mech_type = ctx->negotiated_mech_type;
747 if (ret_flags != NULL)
748 *ret_flags = ctx->mech_flags;
749 if (time_rec != NULL)
750 *time_rec = ctx->mech_time_rec;
752 if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
753 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
757 _gss_spnego_internal_delete_sec_context(&minor, context_handle,
766 (OM_uint32 * minor_status,
767 gss_ctx_id_t * context_handle,
768 const gss_cred_id_t acceptor_cred_handle,
769 const gss_buffer_t input_token_buffer,
770 const gss_channel_bindings_t input_chan_bindings,
771 gss_name_t * src_name,
773 gss_buffer_t output_token,
774 OM_uint32 * ret_flags,
775 OM_uint32 * time_rec,
776 gss_cred_id_t *delegated_cred_handle
779 OM_uint32 ret, ret2, minor;
783 unsigned int negResult = accept_incomplete;
784 gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
785 gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
786 gss_buffer_desc mech_buf;
788 gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
790 mech_buf.value = NULL;
792 ctx = (gssspnego_ctx)*context_handle;
795 * The GSS-API encapsulation is only present on the initial
796 * context token (negTokenInit).
799 ret = decode_NegotiationToken(input_token_buffer->value,
800 input_token_buffer->length,
804 return GSS_S_DEFECTIVE_TOKEN;
806 if (nt.element != choice_NegotiationToken_negTokenResp) {
808 return GSS_S_DEFECTIVE_TOKEN;
810 na = &nt.u.negTokenResp;
812 if (na->negResult != NULL) {
813 negResult = *(na->negResult);
816 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
819 gss_buffer_desc ibuf, obuf;
820 int require_mic, get_mic = 0;
821 int require_response;
822 heim_octet_string *mic;
824 if (na->responseToken != NULL) {
825 ibuf.length = na->responseToken->length;
826 ibuf.value = na->responseToken->data;
827 mech_input_token = &ibuf;
833 if (mech_input_token != GSS_C_NO_BUFFER) {
834 gss_cred_id_t mech_cred;
835 gss_cred_id_t mech_delegated_cred;
836 gss_cred_id_t *mech_delegated_cred_p;
838 if (acceptor_cred != NULL)
839 mech_cred = acceptor_cred->negotiated_cred_id;
841 mech_cred = GSS_C_NO_CREDENTIAL;
843 if (delegated_cred_handle != NULL) {
844 mech_delegated_cred = GSS_C_NO_CREDENTIAL;
845 mech_delegated_cred_p = &mech_delegated_cred;
847 mech_delegated_cred_p = NULL;
850 if (ctx->mech_src_name != GSS_C_NO_NAME)
851 gss_release_name(&minor, &ctx->mech_src_name);
853 if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
854 _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
856 ret = gss_accept_sec_context(&minor,
857 &ctx->negotiated_ctx_id,
862 &ctx->negotiated_mech_type,
866 mech_delegated_cred_p);
867 if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
868 if (mech_delegated_cred_p != NULL &&
869 mech_delegated_cred != GSS_C_NO_CREDENTIAL) {
870 ret2 = _gss_spnego_alloc_cred(minor_status,
872 &ctx->delegated_cred_id);
873 if (ret2 != GSS_S_COMPLETE)
876 mech_output_token = &obuf;
878 if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
879 free_NegotiationToken(&nt);
880 send_reject (minor_status, output_token);
881 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
884 if (ret == GSS_S_COMPLETE)
887 ret = GSS_S_COMPLETE;
889 ret2 = _gss_spnego_require_mechlist_mic(minor_status,
895 ctx->require_mic = require_mic;
897 mic = na->mechListMIC;
901 if (ret == GSS_S_COMPLETE)
902 ret = acceptor_complete(minor_status,
911 if (ctx->mech_flags & GSS_C_DCE_STYLE)
912 require_response = (negResult != accept_completed);
914 require_response = 0;
917 * Check whether we need to send a result: there should be only
918 * one accept_completed response sent in the entire negotiation
920 if ((mech_output_token != GSS_C_NO_BUFFER &&
921 mech_output_token->length != 0)
922 || (ctx->open && negResult == accept_incomplete)
925 ret2 = send_accept (minor_status,
929 get_mic ? &mech_buf : NULL,
936 if (ret2 != GSS_S_COMPLETE)
938 if (mech_output_token != NULL)
939 gss_release_buffer(&minor, mech_output_token);
940 if (mech_buf.value != NULL)
941 free(mech_buf.value);
942 free_NegotiationToken(&nt);
945 if (ret == GSS_S_COMPLETE) {
946 if (src_name != NULL && ctx->mech_src_name != NULL) {
949 name = calloc(1, sizeof(*name));
951 name->mech = ctx->mech_src_name;
952 ctx->mech_src_name = NULL;
953 *src_name = (gss_name_t)name;
956 if (delegated_cred_handle != NULL) {
957 *delegated_cred_handle = ctx->delegated_cred_id;
958 ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
962 if (mech_type != NULL)
963 *mech_type = ctx->negotiated_mech_type;
964 if (ret_flags != NULL)
965 *ret_flags = ctx->mech_flags;
966 if (time_rec != NULL)
967 *time_rec = ctx->mech_time_rec;
969 if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
970 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
974 _gss_spnego_internal_delete_sec_context(&minor, context_handle,
981 _gss_spnego_accept_sec_context
982 (OM_uint32 * minor_status,
983 gss_ctx_id_t * context_handle,
984 const gss_cred_id_t acceptor_cred_handle,
985 const gss_buffer_t input_token_buffer,
986 const gss_channel_bindings_t input_chan_bindings,
987 gss_name_t * src_name,
989 gss_buffer_t output_token,
990 OM_uint32 * ret_flags,
991 OM_uint32 * time_rec,
992 gss_cred_id_t *delegated_cred_handle
995 _gss_accept_sec_context_t *func;
999 output_token->length = 0;
1000 output_token->value = NULL;
1002 if (src_name != NULL)
1003 *src_name = GSS_C_NO_NAME;
1004 if (mech_type != NULL)
1005 *mech_type = GSS_C_NO_OID;
1006 if (ret_flags != NULL)
1008 if (time_rec != NULL)
1010 if (delegated_cred_handle != NULL)
1011 *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1014 if (*context_handle == GSS_C_NO_CONTEXT)
1015 func = acceptor_start;
1017 func = acceptor_continue;
1020 return (*func)(minor_status, context_handle, acceptor_cred_handle,
1021 input_token_buffer, input_chan_bindings,
1022 src_name, mech_type, output_token, ret_flags,
1023 time_rec, delegated_cred_handle);