static int do_gss_auth(void *obj,
char *ibuf, size_t ibuflen,
char *rbuf, int *rbuflen,
char *username, size_t ulen,
struct session_info *sinfo )
{
OM_uint32 status = 0;
gss_name_t client_name;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_buffer_desc ticket_buffer, authenticator_buff;
int ret = 0;
/*
* Try to accept the secondary context, using the ticket/token the
* client sent us. Ticket is stored at current ibuf position.
* Don't try to release ticket_buffer later, it points into ibuf!
*/
ticket_buffer.length = ibuflen;
ticket_buffer.value = ibuf;
if ((ret = accept_sec_context(&context,
&ticket_buffer,
&client_name,
&authenticator_buff)))
return ret;
log_service_name(context);
/* We succesfully acquired the secondary context, now get the
username for afpd and gss_wrap the sessionkey */
if ((ret = get_client_username(username, ulen, &client_name)))
goto cleanup_client_name;
if ((ret = wrap_sessionkey(context, sinfo)))
goto cleanup_client_name;
/* Authenticated, construct the reply using:
* authenticator length (uint16_t)
* authenticator
*/
/* copy the authenticator length into the reply buffer */
uint16_t auth_len = htons(authenticator_buff.length);
memcpy(rbuf, &auth_len, sizeof(auth_len));
*rbuflen += sizeof(auth_len);
rbuf += sizeof(auth_len);
/* copy the authenticator value into the reply buffer */
memcpy(rbuf, authenticator_buff.value, authenticator_buff.length);
*rbuflen += authenticator_buff.length;
cleanup_client_name:
gss_release_name(&status, &client_name);
cleanup_context:
gss_release_buffer(&status, &authenticator_buff);
gss_delete_sec_context(&status, &context, NULL);
return ret;
}
/* return 0 on success */
static int do_gss_auth(void *obj, char *ibuf, int ticket_len,
char *rbuf, int *rbuflen, char *username, int ulen,
struct session_info *sinfo )
{
OM_uint32 status = 0;
gss_name_t server_name, client_name;
gss_cred_id_t server_creds;
gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
gss_buffer_desc ticket_buffer, authenticator_buff;
int ret = 0;
/* import our principal name from afpd */
if (get_afpd_principal(obj, &server_name) != 0) {
return 1;
}
log_principal(server_name);
/* Now we have to acquire our credentials */
if ((ret = acquire_credentials (&server_name, &server_creds)))
goto cleanup_vars;
/*
* Try to accept the secondary context, using the ticket/token the
* client sent us. Ticket is stored at current ibuf position.
* Don't try to release ticket_buffer later, it points into ibuf!
*/
ticket_buffer.length = ticket_len;
ticket_buffer.value = ibuf;
ret = accept_sec_context (&context_handle, server_creds, &ticket_buffer,
&client_name, &authenticator_buff);
if (!ret) {
/* We succesfully acquired the secondary context, now get the
username for afpd and gss_wrap the sessionkey */
if ( 0 == (ret = get_client_username(username, ulen, &client_name)) ) {
ret = wrap_sessionkey(context_handle, sinfo);
}
if (!ret) {
/* FIXME: Is copying the authenticator really necessary?
Where is this documented? */
u_int16_t auth_len = htons( authenticator_buff.length );
/* copy the authenticator length into the reply buffer */
memcpy( rbuf, &auth_len, sizeof(auth_len) );
*rbuflen += sizeof(auth_len);
rbuf += sizeof(auth_len);
/* copy the authenticator value into the reply buffer */
memcpy( rbuf, authenticator_buff.value, authenticator_buff.length );
*rbuflen += authenticator_buff.length;
}
/* Clean up after ourselves */
gss_release_name( &status, &client_name );
if ( authenticator_buff.value)
gss_release_buffer( &status, &authenticator_buff );
gss_delete_sec_context( &status, &context_handle, NULL );
}
gss_release_cred( &status, &server_creds );
cleanup_vars:
gss_release_name( &status, &server_name );
return ret;
}
