2 * Copyright (c) 2004, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gsskrb5_locl.h"
36 oid_prefix_equal(gss_OID oid_enc
, gss_OID prefix_enc
, unsigned *suffix
)
44 ret
= der_get_oid(oid_enc
->elements
, oid_enc
->length
,
50 ret
= der_get_oid(prefix_enc
->elements
, prefix_enc
->length
,
59 if (oid
.length
- 1 == prefix
.length
) {
60 *suffix
= oid
.components
[oid
.length
- 1];
62 ret
= (der_heim_oid_cmp(&oid
, &prefix
) == 0);
67 der_free_oid(&prefix
);
72 static OM_uint32 inquire_sec_context_tkt_flags
73 (OM_uint32
*minor_status
,
74 const gsskrb5_ctx context_handle
,
75 gss_buffer_set_t
*data_set
)
79 gss_buffer_desc value
;
81 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
83 if (context_handle
->ticket
== NULL
) {
84 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
85 _gsskrb5_set_status(EINVAL
, "No ticket from which to obtain flags");
86 *minor_status
= EINVAL
;
87 return GSS_S_BAD_MECH
;
90 tkt_flags
= TicketFlags2int(context_handle
->ticket
->ticket
.flags
);
91 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
93 _gsskrb5_encode_om_uint32(tkt_flags
, buf
);
94 value
.length
= sizeof(buf
);
97 return gss_add_buffer_set_member(minor_status
,
102 enum keytype
{ ACCEPTOR_KEY
, INITIATOR_KEY
, TOKEN_KEY
};
104 static OM_uint32 inquire_sec_context_get_subkey
105 (OM_uint32
*minor_status
,
106 const gsskrb5_ctx context_handle
,
107 krb5_context context
,
108 enum keytype keytype
,
109 gss_buffer_set_t
*data_set
)
111 krb5_keyblock
*key
= NULL
;
112 krb5_storage
*sp
= NULL
;
114 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
117 krb5_data_zero(&data
);
119 sp
= krb5_storage_emem();
121 _gsskrb5_clear_status();
126 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
129 ret
= _gsskrb5i_get_acceptor_subkey(context_handle
, context
, &key
);
132 ret
= _gsskrb5i_get_initiator_subkey(context_handle
, context
, &key
);
135 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
138 _gsskrb5_set_status(EINVAL
, "%d is not a valid subkey type", keytype
);
142 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
146 _gsskrb5_set_status(EINVAL
, "have no subkey of type %d", keytype
);
151 ret
= krb5_store_keyblock(sp
, *key
);
152 krb5_free_keyblock (context
, key
);
156 ret
= krb5_storage_to_data(sp
, &data
);
161 gss_buffer_desc value
;
163 value
.length
= data
.length
;
164 value
.value
= data
.data
;
166 maj_stat
= gss_add_buffer_set_member(minor_status
,
172 krb5_data_free(&data
);
174 krb5_storage_free(sp
);
177 maj_stat
= GSS_S_FAILURE
;
182 static OM_uint32 inquire_sec_context_authz_data
183 (OM_uint32
*minor_status
,
184 const gsskrb5_ctx context_handle
,
185 krb5_context context
,
187 gss_buffer_set_t
*data_set
)
190 gss_buffer_desc ad_data
;
194 *data_set
= GSS_C_NO_BUFFER_SET
;
196 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
197 if (context_handle
->ticket
== NULL
) {
198 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
199 *minor_status
= EINVAL
;
200 _gsskrb5_set_status(EINVAL
, "No ticket to obtain authz data from");
201 return GSS_S_NO_CONTEXT
;
204 ret
= krb5_ticket_get_authorization_data_type(context
,
205 context_handle
->ticket
,
208 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
211 return GSS_S_FAILURE
;
214 ad_data
.value
= data
.data
;
215 ad_data
.length
= data
.length
;
217 ret
= gss_add_buffer_set_member(minor_status
,
221 krb5_data_free(&data
);
226 static OM_uint32 inquire_sec_context_has_updated_spnego
227 (OM_uint32
*minor_status
,
228 const gsskrb5_ctx context_handle
,
229 gss_buffer_set_t
*data_set
)
234 *data_set
= GSS_C_NO_BUFFER_SET
;
237 * For Windows SPNEGO implementations, both the initiator and the
238 * acceptor are assumed to have been updated if a "newer" [CLAR] or
239 * different enctype is negotiated for use by the Kerberos GSS-API
242 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
243 is_updated
= (context_handle
->more_flags
& IS_CFX
);
244 if (is_updated
== 0) {
245 krb5_keyblock
*acceptor_subkey
;
247 if (context_handle
->more_flags
& LOCAL
)
248 acceptor_subkey
= context_handle
->auth_context
->remote_subkey
;
250 acceptor_subkey
= context_handle
->auth_context
->local_subkey
;
252 if (acceptor_subkey
!= NULL
)
253 is_updated
= (acceptor_subkey
->keytype
!=
254 context_handle
->auth_context
->keyblock
->keytype
);
256 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
258 return is_updated
? GSS_S_COMPLETE
: GSS_S_FAILURE
;
266 export_lucid_sec_context_v1(OM_uint32
*minor_status
,
267 gsskrb5_ctx context_handle
,
268 krb5_context context
,
269 gss_buffer_set_t
*data_set
)
271 krb5_storage
*sp
= NULL
;
272 OM_uint32 major_status
= GSS_S_COMPLETE
;
274 krb5_keyblock
*key
= NULL
;
281 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
283 is_cfx
= (context_handle
->more_flags
& IS_CFX
);
285 sp
= krb5_storage_emem();
287 _gsskrb5_clear_status();
292 ret
= krb5_store_int32(sp
, 1);
294 ret
= krb5_store_int32(sp
, (context_handle
->more_flags
& LOCAL
) ? 1 : 0);
296 ret
= krb5_store_int32(sp
, context_handle
->lifetime
);
298 krb5_auth_con_getlocalseqnumber (context
,
299 context_handle
->auth_context
,
301 ret
= krb5_store_uint32(sp
, (uint32_t)0); /* store top half as zero */
303 ret
= krb5_store_uint32(sp
, (uint32_t)number
);
305 krb5_auth_getremoteseqnumber (context
,
306 context_handle
->auth_context
,
308 ret
= krb5_store_uint32(sp
, (uint32_t)0); /* store top half as zero */
310 ret
= krb5_store_uint32(sp
, (uint32_t)number
);
312 ret
= krb5_store_int32(sp
, (is_cfx
) ? 1 : 0);
315 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
319 int sign_alg
, seal_alg
;
321 switch (key
->keytype
) {
322 case ETYPE_DES_CBC_CRC
:
323 case ETYPE_DES_CBC_MD4
:
324 case ETYPE_DES_CBC_MD5
:
328 case ETYPE_DES3_CBC_MD5
:
329 case ETYPE_DES3_CBC_SHA1
:
333 case ETYPE_ARCFOUR_HMAC_MD5
:
334 case ETYPE_ARCFOUR_HMAC_MD5_56
:
343 ret
= krb5_store_int32(sp
, sign_alg
);
345 ret
= krb5_store_int32(sp
, seal_alg
);
348 ret
= krb5_store_keyblock(sp
, *key
);
351 int subkey_p
= (context_handle
->more_flags
& ACCEPTOR_SUBKEY
) ? 1 : 0;
353 /* have_acceptor_subkey */
354 ret
= krb5_store_int32(sp
, subkey_p
);
357 ret
= krb5_store_keyblock(sp
, *key
);
359 /* acceptor_subkey */
361 ret
= krb5_store_keyblock(sp
, *key
);
365 ret
= krb5_storage_to_data(sp
, &data
);
369 gss_buffer_desc ad_data
;
371 ad_data
.value
= data
.data
;
372 ad_data
.length
= data
.length
;
374 ret
= gss_add_buffer_set_member(minor_status
, &ad_data
, data_set
);
375 krb5_data_free(&data
);
382 krb5_free_keyblock (context
, key
);
384 krb5_storage_free(sp
);
387 major_status
= GSS_S_FAILURE
;
389 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
394 get_authtime(OM_uint32
*minor_status
,
396 gss_buffer_set_t
*data_set
)
399 gss_buffer_desc value
;
400 unsigned char buf
[4];
403 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
404 if (ctx
->ticket
== NULL
) {
405 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
406 _gsskrb5_set_status(EINVAL
, "No ticket to obtain auth time from");
407 *minor_status
= EINVAL
;
408 return GSS_S_FAILURE
;
411 authtime
= ctx
->ticket
->ticket
.authtime
;
413 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
415 _gsskrb5_encode_om_uint32(authtime
, buf
);
416 value
.length
= sizeof(buf
);
419 return gss_add_buffer_set_member(minor_status
,
427 (OM_uint32
*minor_status
,
429 gss_buffer_set_t
*data_set
)
431 krb5_storage
*sp
= NULL
;
433 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
434 krb5_error_code ret
= EINVAL
;
436 sp
= krb5_storage_emem();
438 _gsskrb5_clear_status();
439 *minor_status
= ENOMEM
;
440 return GSS_S_FAILURE
;
443 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
444 if (ctx
->service_keyblock
== NULL
) {
445 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
446 krb5_storage_free(sp
);
447 _gsskrb5_set_status(EINVAL
, "No service keyblock on gssapi context");
448 *minor_status
= EINVAL
;
449 return GSS_S_FAILURE
;
452 krb5_data_zero(&data
);
454 ret
= krb5_store_keyblock(sp
, *ctx
->service_keyblock
);
456 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
461 ret
= krb5_storage_to_data(sp
, &data
);
466 gss_buffer_desc value
;
468 value
.length
= data
.length
;
469 value
.value
= data
.data
;
471 maj_stat
= gss_add_buffer_set_member(minor_status
,
477 krb5_data_free(&data
);
479 krb5_storage_free(sp
);
482 maj_stat
= GSS_S_FAILURE
;
490 OM_uint32 _gsskrb5_inquire_sec_context_by_oid
491 (OM_uint32
*minor_status
,
492 const gss_ctx_id_t context_handle
,
493 const gss_OID desired_object
,
494 gss_buffer_set_t
*data_set
)
496 krb5_context context
;
497 const gsskrb5_ctx ctx
= (const gsskrb5_ctx
) context_handle
;
501 *minor_status
= EINVAL
;
502 return GSS_S_NO_CONTEXT
;
505 GSSAPI_KRB5_INIT (&context
);
507 if (gss_oid_equal(desired_object
, GSS_KRB5_GET_TKT_FLAGS_X
)) {
508 return inquire_sec_context_tkt_flags(minor_status
,
511 } else if (gss_oid_equal(desired_object
, GSS_C_PEER_HAS_UPDATED_SPNEGO
)) {
512 return inquire_sec_context_has_updated_spnego(minor_status
,
515 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_SUBKEY_X
)) {
516 return inquire_sec_context_get_subkey(minor_status
,
521 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_INITIATOR_SUBKEY_X
)) {
522 return inquire_sec_context_get_subkey(minor_status
,
527 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X
)) {
528 return inquire_sec_context_get_subkey(minor_status
,
533 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_AUTHTIME_X
)) {
534 return get_authtime(minor_status
, ctx
, data_set
);
535 } else if (oid_prefix_equal(desired_object
,
536 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X
,
538 return inquire_sec_context_authz_data(minor_status
,
543 } else if (oid_prefix_equal(desired_object
,
544 GSS_KRB5_EXPORT_LUCID_CONTEXT_X
,
547 return export_lucid_sec_context_v1(minor_status
,
552 return GSS_S_FAILURE
;
553 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_SERVICE_KEYBLOCK_X
)) {
554 return get_service_keyblock(minor_status
, ctx
, data_set
);
557 return GSS_S_FAILURE
;