LCOV - code coverage report
Current view: top level - third_party/heimdal/lib/gss_preauth - pa_client.c (source / functions) Hit Total Coverage
Test: coverage report for v4-17-test 1498b464 Lines: 0 88 0.0 %
Date: 2024-06-13 04:01:37 Functions: 0 6 0.0 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 2021, PADL Software Pty Ltd.
       3             :  * All rights reserved.
       4             :  *
       5             :  * Redistribution and use in source and binary forms, with or without
       6             :  * modification, are permitted provided that the following conditions
       7             :  * are met:
       8             :  *
       9             :  * 1. Redistributions of source code must retain the above copyright
      10             :  *    notice, this list of conditions and the following disclaimer.
      11             :  *
      12             :  * 2. Redistributions in binary form must reproduce the above copyright
      13             :  *    notice, this list of conditions and the following disclaimer in the
      14             :  *    documentation and/or other materials provided with the distribution.
      15             :  *
      16             :  * 3. Neither the name of PADL Software nor the names of its contributors
      17             :  *    may be used to endorse or promote products derived from this software
      18             :  *    without specific prior written permission.
      19             :  *
      20             :  * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
      21             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      22             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      23             :  * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
      24             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      25             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      26             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      27             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      28             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      29             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      30             :  * SUCH DAMAGE.
      31             :  */
      32             : 
      33             : #include <krb5_locl.h>
      34             : #include <mech_locl.h>
      35             : 
      36             : #include "gss-preauth-protos.h"
      37             : #include "gss-preauth-private.h"
      38             : 
      39             : static krb5_error_code
      40           0 : pa_gss_acquire_initiator_cred(krb5_context context,
      41             :                               krb5_gss_init_ctx gssic,
      42             :                               const krb5_creds *kcred,
      43             :                               gss_cred_id_t *cred)
      44             : {
      45             :     krb5_error_code ret;
      46             : 
      47             :     OM_uint32 major, minor;
      48             :     gss_const_OID mech;
      49             :     gss_OID_set_desc mechs;
      50           0 :     gss_name_t initiator_name = GSS_C_NO_NAME;
      51             :     OM_uint32 time_req;
      52             :     krb5_timestamp now;
      53             : 
      54           0 :     *cred = GSS_C_NO_CREDENTIAL;
      55             : 
      56           0 :     mech = _krb5_init_creds_get_gss_mechanism(context, gssic);
      57             : 
      58           0 :     mechs.count = 1;
      59           0 :     mechs.elements = (gss_OID)mech;
      60             : 
      61           0 :     ret = _krb5_gss_pa_unparse_name(context, kcred->client, &initiator_name);
      62           0 :     if (ret)
      63           0 :         return ret;
      64             : 
      65           0 :     krb5_timeofday(context, &now);
      66           0 :     if (kcred->times.endtime && kcred->times.endtime > now)
      67           0 :         time_req = kcred->times.endtime - now;
      68             :     else
      69           0 :         time_req = GSS_C_INDEFINITE;
      70             : 
      71           0 :     major = gss_acquire_cred(&minor, initiator_name, time_req, &mechs,
      72             :                              GSS_C_INITIATE, cred, NULL, NULL);
      73           0 :     ret = _krb5_gss_map_error(major, minor);
      74             : 
      75           0 :     gss_release_name(&major, &initiator_name);
      76             : 
      77           0 :     return ret;
      78             : }
      79             : 
      80             : static krb5_error_code KRB5_LIB_CALL
      81           0 : pa_gss_step(krb5_context context,
      82             :             krb5_gss_init_ctx gssic,
      83             :             const krb5_creds *kcred,
      84             :             gss_ctx_id_t *ctx,
      85             :             KDCOptions flags,
      86             :             krb5_data *enc_as_req,
      87             :             krb5_data *in,
      88             :             krb5_data *out)
      89             : {
      90             :     krb5_error_code ret;
      91           0 :     krb5_principal tgs_name = NULL;
      92             : 
      93             :     OM_uint32 major, minor;
      94             :     gss_cred_id_t cred;
      95           0 :     gss_name_t target_name = GSS_C_NO_NAME;
      96           0 :     OM_uint32 req_flags = GSS_C_MUTUAL_FLAG;
      97             :     OM_uint32 ret_flags;
      98             :     struct gss_channel_bindings_struct cb;
      99           0 :     gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER;
     100             : 
     101           0 :     memset(&cb, 0, sizeof(cb));
     102           0 :     krb5_data_zero(out);
     103             : 
     104           0 :     if (flags.request_anonymous)
     105           0 :         req_flags |= GSS_C_ANON_FLAG;
     106             : 
     107           0 :     cred = (gss_cred_id_t)_krb5_init_creds_get_gss_cred(context, gssic);
     108             : 
     109           0 :     if (cred == GSS_C_NO_CREDENTIAL) {
     110           0 :         ret = pa_gss_acquire_initiator_cred(context, gssic, kcred, &cred);
     111           0 :         if (ret)
     112           0 :             goto out;
     113             : 
     114           0 :         _krb5_init_creds_set_gss_cred(context, gssic, cred);
     115             :     }
     116             : 
     117           0 :     ret = krb5_make_principal(context, &tgs_name, kcred->server->realm,
     118           0 :                               KRB5_TGS_NAME, kcred->server->realm, NULL);
     119           0 :     if (ret)
     120           0 :         goto out;
     121             : 
     122           0 :     ret = _krb5_gss_pa_unparse_name(context, tgs_name, &target_name);
     123           0 :     if (ret)
     124           0 :         goto out;
     125             : 
     126           0 :     _krb5_gss_data_to_buffer(enc_as_req, &cb.application_data);
     127           0 :     _krb5_gss_data_to_buffer(in, &input_token);
     128             : 
     129           0 :     major = gss_init_sec_context(&minor,
     130             :                                  cred,
     131             :                                  ctx,
     132             :                                  target_name,
     133           0 :                                  (gss_OID)_krb5_init_creds_get_gss_mechanism(context, gssic),
     134             :                                  req_flags,
     135             :                                  GSS_C_INDEFINITE,
     136             :                                  &cb,
     137             :                                  &input_token,
     138             :                                  NULL,
     139             :                                  &output_token,
     140             :                                  &ret_flags,
     141             :                                  NULL);
     142             : 
     143           0 :     _krb5_gss_buffer_to_data(&output_token, out);
     144             : 
     145           0 :     if (major == GSS_S_COMPLETE) {
     146           0 :         if ((ret_flags & GSS_C_MUTUAL_FLAG) == 0)
     147           0 :             ret = KRB5_MUTUAL_FAILED;
     148           0 :         else if ((ret_flags & req_flags) != req_flags)
     149           0 :             ret = KRB5KDC_ERR_BADOPTION;
     150             :         else
     151           0 :             ret = 0;
     152             :     } else
     153           0 :         ret = _krb5_gss_map_error(major, minor);
     154             : 
     155           0 : out:
     156           0 :     gss_release_name(&minor, &target_name);
     157           0 :     krb5_free_principal(context, tgs_name);
     158             : 
     159           0 :     return ret;
     160             : }
     161             : 
     162             : static krb5_error_code KRB5_LIB_CALL
     163           0 : pa_gss_finish(krb5_context context,
     164             :               krb5_gss_init_ctx gssic,
     165             :               const krb5_creds *kcred,
     166             :               gss_ctx_id_t ctx,
     167             :               krb5int32 nonce,
     168             :               krb5_enctype enctype,
     169             :               krb5_principal *client_p,
     170             :               krb5_keyblock **reply_key_p)
     171             : {
     172             :     krb5_error_code ret;
     173           0 :     krb5_principal client = NULL;
     174           0 :     krb5_keyblock *reply_key = NULL;
     175             : 
     176             :     OM_uint32 major, minor;
     177           0 :     gss_name_t initiator_name = GSS_C_NO_NAME;
     178             : 
     179           0 :     *client_p = NULL;
     180           0 :     *reply_key_p = NULL;
     181             : 
     182           0 :     major = gss_inquire_context(&minor,
     183             :                                 ctx,
     184             :                                 &initiator_name,
     185             :                                 NULL, /* target_name */
     186             :                                 NULL, /* lifetime_req */
     187             :                                 NULL, /* mech_type */
     188             :                                 NULL, /* ctx_flags */
     189             :                                 NULL, /* locally_initiated */
     190             :                                 NULL); /* open */
     191             : 
     192           0 :     if (GSS_ERROR(major))
     193           0 :         return _krb5_gss_map_error(major, minor);
     194             : 
     195           0 :     ret = _krb5_gss_pa_parse_name(context, initiator_name, 0, &client);
     196           0 :     if (ret)
     197           0 :         goto out;
     198             : 
     199           0 :     ret = _krb5_gss_pa_derive_key(context, ctx, nonce, enctype, &reply_key);
     200           0 :     if (ret)
     201           0 :         goto out;
     202             : 
     203           0 :     *client_p = client;
     204           0 :     client = NULL;
     205             : 
     206           0 :     *reply_key_p = reply_key;
     207           0 :     reply_key = NULL;
     208             : 
     209           0 : out:
     210           0 :     krb5_free_principal(context, client);
     211           0 :     if (reply_key)
     212           0 :         krb5_free_keyblock(context, reply_key);
     213           0 :     gss_release_name(&minor, &initiator_name);
     214             : 
     215           0 :     return ret;
     216             : }
     217             : 
     218             : static void KRB5_LIB_CALL
     219           0 : pa_gss_delete_sec_context(krb5_context context,
     220             :                           krb5_gss_init_ctx gssic,
     221             :                           gss_ctx_id_t ctx)
     222             : {
     223             :     OM_uint32 minor;
     224             : 
     225           0 :     gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
     226           0 : }
     227             : 
     228             : static void KRB5_LIB_CALL
     229           0 : pa_gss_release_cred(krb5_context context,
     230             :                     krb5_gss_init_ctx gssic,
     231             :                     gss_cred_id_t cred)
     232             : {
     233             :     OM_uint32 minor;
     234             : 
     235           0 :     gss_release_cred(&minor, &cred);
     236           0 : }
     237             : 
     238             : krb5_error_code
     239           0 : krb5_gss_set_init_creds(krb5_context context,
     240             :                         krb5_init_creds_context ctx,
     241             :                         gss_const_cred_id_t gss_cred,
     242             :                         gss_const_OID gss_mech)
     243             : {
     244           0 :     return _krb5_init_creds_init_gss(context,ctx,
     245             :                                      pa_gss_step,
     246             :                                      pa_gss_finish,
     247             :                                      pa_gss_release_cred,
     248             :                                      pa_gss_delete_sec_context,
     249             :                                      gss_cred,
     250             :                                      gss_mech,
     251             :                                      0);
     252             : }

Generated by: LCOV version 1.13