search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dcesrv_core: better fault codes dcesrv_auth_prepare_auth3()
[Samba.git] / third_party / heimdal / lib / gssapi / netlogon / acquire_cred.c
blobd790d08e1d659602a55a70013ca651b9e85148cb
1 /*
2 * Copyright (c) 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "netlogon.h"
37 #include <gssapi_spi.h>
38
39 OM_uint32
40 _netlogon_acquire_cred(OM_uint32 * min_stat,
41 gss_const_name_t desired_name,
42 OM_uint32 time_req,
43 const gss_OID_set desired_mechs,
44 gss_cred_usage_t cred_usage,
45 gss_cred_id_t * output_cred_handle,
46 gss_OID_set * actual_mechs,
47 OM_uint32 * time_rec)
48 {
49 OM_uint32 ret;
50 gssnetlogon_cred cred;
51
52 /* only initiator support so far */
53 if (cred_usage != GSS_C_INITIATE)
54 return GSS_S_FAILURE;
55
56 if (desired_name == GSS_C_NO_NAME)
57 return GSS_S_BAD_NAME;
58
59 cred = (gssnetlogon_cred)calloc(1, sizeof(*cred));
60 if (cred == NULL) {
61 *min_stat = ENOMEM;
62 return GSS_S_FAILURE;
63 }
64 cred->SignatureAlgorithm = NL_SIGN_ALG_HMAC_MD5;
65 cred->SealAlgorithm = NL_SEAL_ALG_RC4;
66
67 ret = _netlogon_duplicate_name(min_stat, desired_name,
68 (gss_name_t *)&cred->Name);
69 if (GSS_ERROR(ret)) {
70 free(cred);
71 return ret;
72 }
73
74 *output_cred_handle = (gss_cred_id_t)cred;
75 if (actual_mechs != NULL)
76 *actual_mechs = GSS_C_NO_OID_SET;
77 if (time_rec != NULL)
78 *time_rec = GSS_C_INDEFINITE;
79
80 return GSS_S_COMPLETE;
81 }
82
83 OM_uint32
84 _netlogon_acquire_cred_ex(gss_status_id_t status,
85 gss_const_name_t desired_name,
86 OM_uint32 flags,
87 OM_uint32 time_req,
88 gss_cred_usage_t cred_usage,
89 gss_auth_identity_t identity,
90 void *ctx,
91 void (*complete)(void *, OM_uint32, gss_status_id_t, gss_cred_id_t, OM_uint32))
92 {
93 return GSS_S_UNAVAILABLE;
94 }
95
96 /*
97 * value contains 16 byte session key
98 */
99 static OM_uint32
100 _netlogon_set_session_key(OM_uint32 *minor_status,
101 gss_cred_id_t *cred_handle,
102 const gss_buffer_t value)
103 {
104 gssnetlogon_cred cred;
105
106 if (*cred_handle == GSS_C_NO_CREDENTIAL) {
107 *minor_status = EINVAL;
108 return GSS_S_FAILURE;
109 }
110
111 cred = (gssnetlogon_cred)*cred_handle;
112
113 if (value->length != sizeof(cred->SessionKey)) {
114 *minor_status = ERANGE;
115 return GSS_S_FAILURE;
116 }
117
118 memcpy(cred->SessionKey, value->value, value->length);
119
120 *minor_status = 0;
121 return GSS_S_COMPLETE;
122 }
123
124 /*
125 * value contains 16 bit little endian encoded seal algorithm
126 */
127 static OM_uint32
128 _netlogon_set_sign_algorithm(OM_uint32 *minor_status,
129 gss_cred_id_t *cred_handle,
130 const gss_buffer_t value)
131 {
132 gssnetlogon_cred cred;
133 uint16_t alg;
134 const uint8_t *p;
135
136 if (*cred_handle == GSS_C_NO_CREDENTIAL) {
137 *minor_status = EINVAL;
138 return GSS_S_FAILURE;
139 }
140
141 cred = (gssnetlogon_cred)*cred_handle;
142
143 if (value->length != 2) {
144 *minor_status = ERANGE;
145 return GSS_S_FAILURE;
146 }
147
148 p = (const uint8_t *)value->value;
149 alg = (p[0] << 0) | (p[1] << 8);
150
151 if (alg != NL_SIGN_ALG_HMAC_MD5 && alg != NL_SIGN_ALG_SHA256) {
152 *minor_status = EINVAL;
153 return GSS_S_FAILURE;
154 }
155
156 cred->SignatureAlgorithm = alg;
157 if (alg == NL_SIGN_ALG_SHA256)
158 cred->SealAlgorithm = NL_SEAL_ALG_AES128;
159 else
160 cred->SealAlgorithm = NL_SEAL_ALG_RC4;
161
162 *minor_status = 0;
163 return GSS_S_COMPLETE;
164 }
165
166 OM_uint32
167 _netlogon_set_cred_option
168 (OM_uint32 *minor_status,
169 gss_cred_id_t *cred_handle,
170 const gss_OID desired_object,
171 const gss_buffer_t value)
172 {
173 if (value == GSS_C_NO_BUFFER) {
174 *minor_status = EINVAL;
175 return GSS_S_FAILURE;
176 }
177
178 if (gss_oid_equal(desired_object, GSS_NETLOGON_SET_SESSION_KEY_X))
179 return _netlogon_set_session_key(minor_status, cred_handle, value);
180 else if (gss_oid_equal(desired_object, GSS_NETLOGON_SET_SIGN_ALGORITHM_X))
181 return _netlogon_set_sign_algorithm(minor_status, cred_handle, value);
182
183 *minor_status = EINVAL;
184 return GSS_S_FAILURE;
185 }
186
Samba GIT mirror