search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vendor/BIND: Update to 9.5.2-P3
[dragonfly.git] / contrib / bind / lib / dns / spnego.c
blob0233a2babdd3551fb01f5a5845d13abef140d2dd
1 /*
2 * Copyright (C) 2006-2009 Internet Systems Consortium, Inc. ("ISC")
3 *
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 /* $Id: spnego.c,v 1.5.128.7 2009/07/21 07:29:23 marka Exp $ */
18
19 /*! \file
20 * \brief
21 * Portable SPNEGO implementation.
22 *
23 * This is part of a portable implementation of the SPNEGO protocol
24 * (RFCs 2478 and 4178). This implementation uses the RFC 4178 ASN.1
25 * module but is not a full implementation of the RFC 4178 protocol;
26 * at the moment, we only support GSS-TSIG with Kerberos
27 * authentication, so we only need enough of the SPNEGO protocol to
28 * support that.
29 *
30 * The files that make up this portable SPNEGO implementation are:
31 * \li spnego.c (this file)
32 * \li spnego.h (API SPNEGO exports to the rest of lib/dns)
33 * \li spnego.asn1 (SPNEGO ASN.1 module)
34 * \li spnego_asn1.c (routines generated from spngo.asn1)
35 * \li spnego_asn1.pl (perl script to generate spnego_asn1.c)
36 *
37 * Everything but the functions exported in spnego.h is static, to
38 * avoid possible conflicts with other libraries (particularly Heimdal,
39 * since much of this code comes from Heimdal by way of mod_auth_kerb).
40 *
41 * spnego_asn1.c is shipped as part of lib/dns because generating it
42 * requires both Perl and the Heimdal ASN.1 compiler. See
43 * spnego_asn1.pl for further details. We've tried to eliminate all
44 * compiler warnings from the generated code, but you may see a few
45 * when using a compiler version we haven't tested yet.
46 */
47
48 /*
49 * Portions of this code were derived from mod_auth_kerb and Heimdal.
50 * These packages are available from:
51 *
52 * http://modauthkerb.sourceforge.net/
53 * http://www.pdc.kth.se/heimdal/
54 *
55 * and were released under the following licenses:
56 *
57 * ----------------------------------------------------------------
58 *
59 * Copyright (c) 2004 Masarykova universita
60 * (Masaryk University, Brno, Czech Republic)
61 * All rights reserved.
62 *
63 * Redistribution and use in source and binary forms, with or without
64 * modification, are permitted provided that the following conditions are met:
65 *
66 * 1. Redistributions of source code must retain the above copyright notice,
67 * this list of conditions and the following disclaimer.
68 *
69 * 2. Redistributions in binary form must reproduce the above copyright
70 * notice, this list of conditions and the following disclaimer in the
71 * documentation and/or other materials provided with the distribution.
72 *
73 * 3. Neither the name of the University nor the names of its contributors may
74 * be used to endorse or promote products derived from this software
75 * without specific prior written permission.
76 *
77 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
78 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
79 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
80 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
81 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
82 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
83 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
84 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
85 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
86 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
87 * POSSIBILITY OF SUCH DAMAGE.
88 *
89 * ----------------------------------------------------------------
90 *
91 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
92 * (Royal Institute of Technology, Stockholm, Sweden).
93 * All rights reserved.
94 *
95 * Redistribution and use in source and binary forms, with or without
96 * modification, are permitted provided that the following conditions
97 * are met:
98 *
99 * 1. Redistributions of source code must retain the above copyright
100 * notice, this list of conditions and the following disclaimer.
101 *
102 * 2. Redistributions in binary form must reproduce the above copyright
103 * notice, this list of conditions and the following disclaimer in the
104 * documentation and/or other materials provided with the distribution.
105 *
106 * 3. Neither the name of the Institute nor the names of its contributors
107 * may be used to endorse or promote products derived from this software
108 * without specific prior written permission.
109 *
110 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
111 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
112 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
113 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
114 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
115 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
116 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
117 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
118 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
119 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
120 * SUCH DAMAGE.
121 */
122
123 /*
124 * XXXSRA We should omit this file entirely in Makefile.in via autoconf,
125 * but this will keep it from generating errors until that's written.
126 */
127
128 #ifdef GSSAPI
129
130 /*
131 * XXXSRA Some of the following files are almost certainly unnecessary,
132 * but using this list (borrowed from gssapictx.c) gets rid of some
133 * whacky compilation errors when building with MSVC and should be
134 * harmless in any case.
135 */
136
137 #include <config.h>
138
139 #include <stdlib.h>
140 #include <errno.h>
141
142 #include <isc/buffer.h>
143 #include <isc/dir.h>
144 #include <isc/entropy.h>
145 #include <isc/lex.h>
146 #include <isc/mem.h>
147 #include <isc/once.h>
148 #include <isc/random.h>
149 #include <isc/string.h>
150 #include <isc/time.h>
151 #include <isc/util.h>
152
153 #include <dns/fixedname.h>
154 #include <dns/name.h>
155 #include <dns/rdata.h>
156 #include <dns/rdataclass.h>
157 #include <dns/result.h>
158 #include <dns/types.h>
159 #include <dns/keyvalues.h>
160 #include <dns/log.h>
161
162 #include <dst/gssapi.h>
163 #include <dst/result.h>
164
165 #include "dst_internal.h"
166
167 /*
168 * The API we export
169 */
170 #include "spnego.h"
171
172 /* asn1_err.h */
173 /* Generated from ../../../lib/asn1/asn1_err.et */
174
175 typedef enum asn1_error_number {
176 ASN1_BAD_TIMEFORMAT = 1859794432,
177 ASN1_MISSING_FIELD = 1859794433,
178 ASN1_MISPLACED_FIELD = 1859794434,
179 ASN1_TYPE_MISMATCH = 1859794435,
180 ASN1_OVERFLOW = 1859794436,
181 ASN1_OVERRUN = 1859794437,
182 ASN1_BAD_ID = 1859794438,
183 ASN1_BAD_LENGTH = 1859794439,
184 ASN1_BAD_FORMAT = 1859794440,
185 ASN1_PARSE_ERROR = 1859794441
186 } asn1_error_number;
187
188 #define ERROR_TABLE_BASE_asn1 1859794432
189
190 #define __asn1_common_definitions__
191
192 typedef struct octet_string {
193 size_t length;
194 void *data;
195 } octet_string;
196
197 typedef char *general_string;
198
199 typedef char *utf8_string;
200
201 typedef struct oid {
202 size_t length;
203 unsigned *components;
204 } oid;
205
206 /* der.h */
207
208 typedef enum {
209 ASN1_C_UNIV = 0, ASN1_C_APPL = 1,
210 ASN1_C_CONTEXT = 2, ASN1_C_PRIVATE = 3
211 } Der_class;
212
213 typedef enum {
214 PRIM = 0, CONS = 1
215 } Der_type;
216
217 /* Universal tags */
218
219 enum {
220 UT_Boolean = 1,
221 UT_Integer = 2,
222 UT_BitString = 3,
223 UT_OctetString = 4,
224 UT_Null = 5,
225 UT_OID = 6,
226 UT_Enumerated = 10,
227 UT_Sequence = 16,
228 UT_Set = 17,
229 UT_PrintableString = 19,
230 UT_IA5String = 22,
231 UT_UTCTime = 23,
232 UT_GeneralizedTime = 24,
233 UT_VisibleString = 26,
234 UT_GeneralString = 27
235 };
236
237 #define ASN1_INDEFINITE 0xdce0deed
238
239 static int
240 der_get_length(const unsigned char *p, size_t len,
241 size_t * val, size_t * size);
242
243 static int
244 der_get_octet_string(const unsigned char *p, size_t len,
245 octet_string * data, size_t * size);
246 static int
247 der_get_oid(const unsigned char *p, size_t len,
248 oid * data, size_t * size);
249 static int
250 der_get_tag(const unsigned char *p, size_t len,
251 Der_class * class, Der_type * type,
252 int *tag, size_t * size);
253
254 static int
255 der_match_tag(const unsigned char *p, size_t len,
256 Der_class class, Der_type type,
257 int tag, size_t * size);
258 static int
259 der_match_tag_and_length(const unsigned char *p, size_t len,
260 Der_class class, Der_type type, int tag,
261 size_t * length_ret, size_t * size);
262
263 static int
264 decode_oid(const unsigned char *p, size_t len,
265 oid * k, size_t * size);
266
267 static int
268 decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size);
269
270 static int
271 decode_octet_string(const unsigned char *, size_t, octet_string *, size_t *);
272
273 static int
274 der_put_int(unsigned char *p, size_t len, int val, size_t *);
275
276 static int
277 der_put_length(unsigned char *p, size_t len, size_t val, size_t *);
278
279 static int
280 der_put_octet_string(unsigned char *p, size_t len,
281 const octet_string * data, size_t *);
282 static int
283 der_put_oid(unsigned char *p, size_t len,
284 const oid * data, size_t * size);
285 static int
286 der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
287 int tag, size_t *);
288 static int
289 der_put_length_and_tag(unsigned char *, size_t, size_t,
290 Der_class, Der_type, int, size_t *);
291
292 static int
293 encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *);
294
295 static int
296 encode_octet_string(unsigned char *p, size_t len,
297 const octet_string * k, size_t *);
298 static int
299 encode_oid(unsigned char *p, size_t len,
300 const oid * k, size_t *);
301
302 static void
303 free_octet_string(octet_string * k);
304
305 static void
306 free_oid (oid * k);
307
308 static size_t
309 length_len(size_t len);
310
311 static int
312 fix_dce(size_t reallen, size_t * len);
313
314 /*
315 * Include stuff generated by the ASN.1 compiler.
316 */
317
318 #include "spnego_asn1.c"
319
320 static unsigned char gss_krb5_mech_oid_bytes[] = {
321 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
322 };
323
324 static gss_OID_desc gss_krb5_mech_oid_desc = {
325 sizeof(gss_krb5_mech_oid_bytes),
326 gss_krb5_mech_oid_bytes
327 };
328
329 static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
330
331 static unsigned char gss_mskrb5_mech_oid_bytes[] = {
332 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02
333 };
334
335 static gss_OID_desc gss_mskrb5_mech_oid_desc = {
336 sizeof(gss_mskrb5_mech_oid_bytes),
337 gss_mskrb5_mech_oid_bytes
338 };
339
340 static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
341
342 static unsigned char gss_spnego_mech_oid_bytes[] = {
343 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
344 };
345
346 static gss_OID_desc gss_spnego_mech_oid_desc = {
347 sizeof(gss_spnego_mech_oid_bytes),
348 gss_spnego_mech_oid_bytes
349 };
350
351 static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
352
353 /* spnegokrb5_locl.h */
354
355 static OM_uint32
356 gssapi_spnego_encapsulate(OM_uint32 *,
357 unsigned char *,
358 size_t,
359 gss_buffer_t,
360 const gss_OID);
361
362 static OM_uint32
363 gssapi_spnego_decapsulate(OM_uint32 *,
364 gss_buffer_t,
365 unsigned char **,
366 size_t *,
367 const gss_OID);
368
369 /* mod_auth_kerb.c */
370
371 static int
372 cmp_gss_type(gss_buffer_t token, gss_OID oid)
373 {
374 unsigned char *p;
375 size_t len;
376
377 if (token->length == 0)
378 return (GSS_S_DEFECTIVE_TOKEN);
379
380 p = token->value;
381 if (*p++ != 0x60)
382 return (GSS_S_DEFECTIVE_TOKEN);
383 len = *p++;
384 if (len & 0x80) {
385 if ((len & 0x7f) > 4)
386 return (GSS_S_DEFECTIVE_TOKEN);
387 p += len & 0x7f;
388 }
389 if (*p++ != 0x06)
390 return (GSS_S_DEFECTIVE_TOKEN);
391
392 if (((OM_uint32) *p++) != oid->length)
393 return (GSS_S_DEFECTIVE_TOKEN);
394
395 return (memcmp(p, oid->elements, oid->length));
396 }
397
398 /* accept_sec_context.c */
399 /*
400 * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
401 * based on Heimdal code)
402 */
403
404 static OM_uint32
405 code_NegTokenArg(OM_uint32 * minor_status,
406 const NegTokenResp * resp,
407 unsigned char **outbuf,
408 size_t * outbuf_size)
409 {
410 OM_uint32 ret;
411 u_char *buf;
412 size_t buf_size, buf_len;
413
414 buf_size = 1024;
415 buf = malloc(buf_size);
416 if (buf == NULL) {
417 *minor_status = ENOMEM;
418 return (GSS_S_FAILURE);
419 }
420 do {
421 ret = encode_NegTokenResp(buf + buf_size - 1,
422 buf_size,
423 resp, &buf_len);
424 if (ret == 0) {
425 size_t tmp;
426
427 ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
428 buf_size - buf_len,
429 buf_len,
430 ASN1_C_CONTEXT,
431 CONS,
432 1,
433 &tmp);
434 if (ret == 0)
435 buf_len += tmp;
436 }
437 if (ret) {
438 if (ret == ASN1_OVERFLOW) {
439 u_char *tmp;
440
441 buf_size *= 2;
442 tmp = realloc(buf, buf_size);
443 if (tmp == NULL) {
444 *minor_status = ENOMEM;
445 free(buf);
446 return (GSS_S_FAILURE);
447 }
448 buf = tmp;
449 } else {
450 *minor_status = ret;
451 free(buf);
452 return (GSS_S_FAILURE);
453 }
454 }
455 } while (ret == ASN1_OVERFLOW);
456
457 *outbuf = malloc(buf_len);
458 if (*outbuf == NULL) {
459 *minor_status = ENOMEM;
460 free(buf);
461 return (GSS_S_FAILURE);
462 }
463 memcpy(*outbuf, buf + buf_size - buf_len, buf_len);
464 *outbuf_size = buf_len;
465
466 free(buf);
467
468 return (GSS_S_COMPLETE);
469 }
470
471 static OM_uint32
472 send_reject(OM_uint32 * minor_status,
473 gss_buffer_t output_token)
474 {
475 NegTokenResp resp;
476 OM_uint32 ret;
477
478 resp.negState = malloc(sizeof(*resp.negState));
479 if (resp.negState == NULL) {
480 *minor_status = ENOMEM;
481 return (GSS_S_FAILURE);
482 }
483 *(resp.negState) = reject;
484
485 resp.supportedMech = NULL;
486 resp.responseToken = NULL;
487 resp.mechListMIC = NULL;
488
489 ret = code_NegTokenArg(minor_status, &resp,
490 (unsigned char **)&output_token->value,
491 &output_token->length);
492 free_NegTokenResp(&resp);
493 if (ret)
494 return (ret);
495
496 return (GSS_S_BAD_MECH);
497 }
498
499 static OM_uint32
500 send_accept(OM_uint32 * minor_status,
501 gss_buffer_t output_token,
502 gss_buffer_t mech_token,
503 const gss_OID pref)
504 {
505 NegTokenResp resp;
506 OM_uint32 ret;
507
508 memset(&resp, 0, sizeof(resp));
509 resp.negState = malloc(sizeof(*resp.negState));
510 if (resp.negState == NULL) {
511 *minor_status = ENOMEM;
512 return (GSS_S_FAILURE);
513 }
514 *(resp.negState) = accept_completed;
515
516 resp.supportedMech = malloc(sizeof(*resp.supportedMech));
517 if (resp.supportedMech == NULL) {
518 free_NegTokenResp(&resp);
519 *minor_status = ENOMEM;
520 return (GSS_S_FAILURE);
521 }
522 ret = der_get_oid(pref->elements,
523 pref->length,
524 resp.supportedMech,
525 NULL);
526 if (ret) {
527 free_NegTokenResp(&resp);
528 *minor_status = ENOMEM;
529 return (GSS_S_FAILURE);
530 }
531 if (mech_token != NULL && mech_token->length != 0) {
532 resp.responseToken = malloc(sizeof(*resp.responseToken));
533 if (resp.responseToken == NULL) {
534 free_NegTokenResp(&resp);
535 *minor_status = ENOMEM;
536 return (GSS_S_FAILURE);
537 }
538 resp.responseToken->length = mech_token->length;
539 resp.responseToken->data = mech_token->value;
540 }
541
542 ret = code_NegTokenArg(minor_status, &resp,
543 (unsigned char **)&output_token->value,
544 &output_token->length);
545 if (resp.responseToken != NULL) {
546 free(resp.responseToken);
547 resp.responseToken = NULL;
548 }
549 free_NegTokenResp(&resp);
550 if (ret)
551 return (ret);
552
553 return (GSS_S_COMPLETE);
554 }
555
556 OM_uint32
557 gss_accept_sec_context_spnego(OM_uint32 *minor_status,
558 gss_ctx_id_t *context_handle,
559 const gss_cred_id_t acceptor_cred_handle,
560 const gss_buffer_t input_token_buffer,
561 const gss_channel_bindings_t input_chan_bindings,
562 gss_name_t *src_name,
563 gss_OID *mech_type,
564 gss_buffer_t output_token,
565 OM_uint32 *ret_flags,
566 OM_uint32 *time_rec,
567 gss_cred_id_t *delegated_cred_handle)
568 {
569 NegTokenInit init_token;
570 OM_uint32 major_status;
571 OM_uint32 minor_status2;
572 gss_buffer_desc ibuf, obuf;
573 gss_buffer_t ot = NULL;
574 gss_OID pref = GSS_KRB5_MECH;
575 unsigned char *buf;
576 size_t buf_size;
577 size_t len, taglen, ni_len;
578 int found = 0;
579 int ret;
580 unsigned i;
581
582 /*
583 * Before doing anything else, see whether this is a SPNEGO
584 * PDU. If not, dispatch to the GSSAPI library and get out.
585 */
586
587 if (cmp_gss_type(input_token_buffer, GSS_SPNEGO_MECH))
588 return (gss_accept_sec_context(minor_status,
589 context_handle,
590 acceptor_cred_handle,
591 input_token_buffer,
592 input_chan_bindings,
593 src_name,
594 mech_type,
595 output_token,
596 ret_flags,
597 time_rec,
598 delegated_cred_handle));
599
600 /*
601 * If we get here, it's SPNEGO.
602 */
603
604 memset(&init_token, 0, sizeof(init_token));
605
606 ret = gssapi_spnego_decapsulate(minor_status, input_token_buffer,
607 &buf, &buf_size, GSS_SPNEGO_MECH);
608 if (ret)
609 return (ret);
610
611 ret = der_match_tag_and_length(buf, buf_size, ASN1_C_CONTEXT, CONS,
612 0, &len, &taglen);
613 if (ret)
614 return (ret);
615
616 ret = decode_NegTokenInit(buf + taglen, len, &init_token, &ni_len);
617 if (ret) {
618 *minor_status = EINVAL; /* XXX */
619 return (GSS_S_DEFECTIVE_TOKEN);
620 }
621
622 for (i = 0; !found && i < init_token.mechTypes.len; ++i) {
623 unsigned char mechbuf[17];
624 size_t mech_len;
625
626 ret = der_put_oid(mechbuf + sizeof(mechbuf) - 1,
627 sizeof(mechbuf),
628 &init_token.mechTypes.val[i],
629 &mech_len);
630 if (ret)
631 return (GSS_S_DEFECTIVE_TOKEN);
632 if (mech_len == GSS_KRB5_MECH->length &&
633 memcmp(GSS_KRB5_MECH->elements,
634 mechbuf + sizeof(mechbuf) - mech_len,
635 mech_len) == 0) {
636 found = 1;
637 break;
638 }
639 if (mech_len == GSS_MSKRB5_MECH->length &&
640 memcmp(GSS_MSKRB5_MECH->elements,
641 mechbuf + sizeof(mechbuf) - mech_len,
642 mech_len) == 0) {
643 found = 1;
644 if (i == 0)
645 pref = GSS_MSKRB5_MECH;
646 break;
647 }
648 }
649
650 if (!found)
651 return (send_reject(minor_status, output_token));
652
653 if (i == 0 && init_token.mechToken != NULL) {
654 ibuf.length = init_token.mechToken->length;
655 ibuf.value = init_token.mechToken->data;
656
657 major_status = gss_accept_sec_context(minor_status,
658 context_handle,
659 acceptor_cred_handle,
660 &ibuf,
661 input_chan_bindings,
662 src_name,
663 mech_type,
664 &obuf,
665 ret_flags,
666 time_rec,
667 delegated_cred_handle);
668 if (GSS_ERROR(major_status)) {
669 send_reject(&minor_status2, output_token);
670 return (major_status);
671 }
672 ot = &obuf;
673 }
674 ret = send_accept(&minor_status2, output_token, ot, pref);
675 if (ot != NULL && ot->length != 0)
676 gss_release_buffer(&minor_status2, ot);
677
678 return (ret);
679 }
680
681 /* decapsulate.c */
682
683 static OM_uint32
684 gssapi_verify_mech_header(u_char ** str,
685 size_t total_len,
686 const gss_OID mech)
687 {
688 size_t len, len_len, mech_len, foo;
689 int e;
690 u_char *p = *str;
691
692 if (total_len < 1)
693 return (GSS_S_DEFECTIVE_TOKEN);
694 if (*p++ != 0x60)
695 return (GSS_S_DEFECTIVE_TOKEN);
696 e = der_get_length(p, total_len - 1, &len, &len_len);
697 if (e || 1 + len_len + len != total_len)
698 return (GSS_S_DEFECTIVE_TOKEN);
699 p += len_len;
700 if (*p++ != 0x06)
701 return (GSS_S_DEFECTIVE_TOKEN);
702 e = der_get_length(p, total_len - 1 - len_len - 1,
703 &mech_len, &foo);
704 if (e)
705 return (GSS_S_DEFECTIVE_TOKEN);
706 p += foo;
707 if (mech_len != mech->length)
708 return (GSS_S_BAD_MECH);
709 if (memcmp(p, mech->elements, mech->length) != 0)
710 return (GSS_S_BAD_MECH);
711 p += mech_len;
712 *str = p;
713 return (GSS_S_COMPLETE);
714 }
715
716 /*
717 * Remove the GSS-API wrapping from `in_token' giving `buf and buf_size' Does
718 * not copy data, so just free `in_token'.
719 */
720
721 static OM_uint32
722 gssapi_spnego_decapsulate(OM_uint32 *minor_status,
723 gss_buffer_t input_token_buffer,
724 unsigned char **buf,
725 size_t *buf_len,
726 const gss_OID mech)
727 {
728 u_char *p;
729 OM_uint32 ret;
730
731 p = input_token_buffer->value;
732 ret = gssapi_verify_mech_header(&p,
733 input_token_buffer->length,
734 mech);
735 if (ret) {
736 *minor_status = ret;
737 return (GSS_S_FAILURE);
738 }
739 *buf_len = input_token_buffer->length -
740 (p - (u_char *) input_token_buffer->value);
741 *buf = p;
742 return (GSS_S_COMPLETE);
743 }
744
745 /* der_free.c */
746
747 static void
748 free_octet_string(octet_string *k)
749 {
750 free(k->data);
751 k->data = NULL;
752 }
753
754 static void
755 free_oid(oid *k)
756 {
757 free(k->components);
758 k->components = NULL;
759 }
760
761 /* der_get.c */
762
763 /*
764 * All decoding functions take a pointer `p' to first position in which to
765 * read, from the left, `len' which means the maximum number of characters we
766 * are able to read, `ret' were the value will be returned and `size' where
767 * the number of used bytes is stored. Either 0 or an error code is returned.
768 */
769
770 static int
771 der_get_unsigned(const unsigned char *p, size_t len,
772 unsigned *ret, size_t *size)
773 {
774 unsigned val = 0;
775 size_t oldlen = len;
776
777 while (len--)
778 val = val * 256 + *p++;
779 *ret = val;
780 if (size)
781 *size = oldlen;
782 return (0);
783 }
784
785 static int
786 der_get_int(const unsigned char *p, size_t len,
787 int *ret, size_t *size)
788 {
789 int val = 0;
790 size_t oldlen = len;
791
792 if (len > 0) {
793 val = (signed char)*p++;
794 while (--len)
795 val = val * 256 + *p++;
796 }
797 *ret = val;
798 if (size)
799 *size = oldlen;
800 return (0);
801 }
802
803 static int
804 der_get_length(const unsigned char *p, size_t len,
805 size_t *val, size_t *size)
806 {
807 size_t v;
808
809 if (len <= 0)
810 return (ASN1_OVERRUN);
811 --len;
812 v = *p++;
813 if (v < 128) {
814 *val = v;
815 if (size)
816 *size = 1;
817 } else {
818 int e;
819 size_t l;
820 unsigned tmp;
821
822 if (v == 0x80) {
823 *val = ASN1_INDEFINITE;
824 if (size)
825 *size = 1;
826 return (0);
827 }
828 v &= 0x7F;
829 if (len < v)
830 return (ASN1_OVERRUN);
831 e = der_get_unsigned(p, v, &tmp, &l);
832 if (e)
833 return (e);
834 *val = tmp;
835 if (size)
836 *size = l + 1;
837 }
838 return (0);
839 }
840
841 static int
842 der_get_octet_string(const unsigned char *p, size_t len,
843 octet_string *data, size_t *size)
844 {
845 data->length = len;
846 data->data = malloc(len);
847 if (data->data == NULL && data->length != 0)
848 return (ENOMEM);
849 memcpy(data->data, p, len);
850 if (size)
851 *size = len;
852 return (0);
853 }
854
855 static int
856 der_get_oid(const unsigned char *p, size_t len,
857 oid *data, size_t *size)
858 {
859 int n;
860 size_t oldlen = len;
861
862 if (len < 1)
863 return (ASN1_OVERRUN);
864
865 data->components = malloc(len * sizeof(*data->components));
866 if (data->components == NULL && len != 0)
867 return (ENOMEM);
868 data->components[0] = (*p) / 40;
869 data->components[1] = (*p) % 40;
870 --len;
871 ++p;
872 for (n = 2; len > 0; ++n) {
873 unsigned u = 0;
874
875 do {
876 --len;
877 u = u * 128 + (*p++ % 128);
878 } while (len > 0 && p[-1] & 0x80);
879 data->components[n] = u;
880 }
881 if (p[-1] & 0x80) {
882 free_oid(data);
883 return (ASN1_OVERRUN);
884 }
885 data->length = n;
886 if (size)
887 *size = oldlen;
888 return (0);
889 }
890
891 static int
892 der_get_tag(const unsigned char *p, size_t len,
893 Der_class *class, Der_type *type,
894 int *tag, size_t *size)
895 {
896 if (len < 1)
897 return (ASN1_OVERRUN);
898 *class = (Der_class) (((*p) >> 6) & 0x03);
899 *type = (Der_type) (((*p) >> 5) & 0x01);
900 *tag = (*p) & 0x1F;
901 if (size)
902 *size = 1;
903 return (0);
904 }
905
906 static int
907 der_match_tag(const unsigned char *p, size_t len,
908 Der_class class, Der_type type,
909 int tag, size_t *size)
910 {
911 size_t l;
912 Der_class thisclass;
913 Der_type thistype;
914 int thistag;
915 int e;
916
917 e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
918 if (e)
919 return (e);
920 if (class != thisclass || type != thistype)
921 return (ASN1_BAD_ID);
922 if (tag > thistag)
923 return (ASN1_MISPLACED_FIELD);
924 if (tag < thistag)
925 return (ASN1_MISSING_FIELD);
926 if (size)
927 *size = l;
928 return (0);
929 }
930
931 static int
932 der_match_tag_and_length(const unsigned char *p, size_t len,
933 Der_class class, Der_type type, int tag,
934 size_t *length_ret, size_t *size)
935 {
936 size_t l, ret = 0;
937 int e;
938
939 e = der_match_tag(p, len, class, type, tag, &l);
940 if (e)
941 return (e);
942 p += l;
943 len -= l;
944 ret += l;
945 e = der_get_length(p, len, length_ret, &l);
946 if (e)
947 return (e);
948 p += l;
949 len -= l;
950 ret += l;
951 if (size)
952 *size = ret;
953 return (0);
954 }
955
956 static int
957 decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size)
958 {
959 size_t ret = 0;
960 size_t l, reallen;
961 int e;
962
963 e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
964 if (e)
965 return (e);
966 p += l;
967 len -= l;
968 ret += l;
969 e = der_get_length(p, len, &reallen, &l);
970 if (e)
971 return (e);
972 p += l;
973 len -= l;
974 ret += l;
975 e = der_get_int(p, reallen, num, &l);
976 if (e)
977 return (e);
978 p += l;
979 len -= l;
980 ret += l;
981 if (size)
982 *size = ret;
983 return (0);
984 }
985
986 static int
987 decode_octet_string(const unsigned char *p, size_t len,
988 octet_string *k, size_t *size)
989 {
990 size_t ret = 0;
991 size_t l;
992 int e;
993 size_t slen;
994
995 e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
996 if (e)
997 return (e);
998 p += l;
999 len -= l;
1000 ret += l;
1001
1002 e = der_get_length(p, len, &slen, &l);
1003 if (e)
1004 return (e);
1005 p += l;
1006 len -= l;
1007 ret += l;
1008 if (len < slen)
1009 return (ASN1_OVERRUN);
1010
1011 e = der_get_octet_string(p, slen, k, &l);
1012 if (e)
1013 return (e);
1014 p += l;
1015 len -= l;
1016 ret += l;
1017 if (size)
1018 *size = ret;
1019 return (0);
1020 }
1021
1022 static int
1023 decode_oid(const unsigned char *p, size_t len,
1024 oid *k, size_t *size)
1025 {
1026 size_t ret = 0;
1027 size_t l;
1028 int e;
1029 size_t slen;
1030
1031 e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
1032 if (e)
1033 return (e);
1034 p += l;
1035 len -= l;
1036 ret += l;
1037
1038 e = der_get_length(p, len, &slen, &l);
1039 if (e)
1040 return (e);
1041 p += l;
1042 len -= l;
1043 ret += l;
1044 if (len < slen)
1045 return (ASN1_OVERRUN);
1046
1047 e = der_get_oid(p, slen, k, &l);
1048 if (e)
1049 return (e);
1050 p += l;
1051 len -= l;
1052 ret += l;
1053 if (size)
1054 *size = ret;
1055 return (0);
1056 }
1057
1058 static int
1059 fix_dce(size_t reallen, size_t *len)
1060 {
1061 if (reallen == ASN1_INDEFINITE)
1062 return (1);
1063 if (*len < reallen)
1064 return (-1);
1065 *len = reallen;
1066 return (0);
1067 }
1068
1069 /* der_length.c */
1070
1071 static size_t
1072 len_unsigned(unsigned val)
1073 {
1074 size_t ret = 0;
1075
1076 do {
1077 ++ret;
1078 val /= 256;
1079 } while (val);
1080 return (ret);
1081 }
1082
1083 static size_t
1084 length_len(size_t len)
1085 {
1086 if (len < 128)
1087 return (1);
1088 else
1089 return (len_unsigned(len) + 1);
1090 }
1091
1092
1093 /* der_put.c */
1094
1095 /*
1096 * All encoding functions take a pointer `p' to first position in which to
1097 * write, from the right, `len' which means the maximum number of characters
1098 * we are able to write. The function returns the number of characters
1099 * written in `size' (if non-NULL). The return value is 0 or an error.
1100 */
1101
1102 static int
1103 der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size)
1104 {
1105 unsigned char *base = p;
1106
1107 if (val) {
1108 while (len > 0 && val) {
1109 *p-- = val % 256;
1110 val /= 256;
1111 --len;
1112 }
1113 if (val != 0)
1114 return (ASN1_OVERFLOW);
1115 else {
1116 *size = base - p;
1117 return (0);
1118 }
1119 } else if (len < 1)
1120 return (ASN1_OVERFLOW);
1121 else {
1122 *p = 0;
1123 *size = 1;
1124 return (0);
1125 }
1126 }
1127
1128 static int
1129 der_put_int(unsigned char *p, size_t len, int val, size_t *size)
1130 {
1131 unsigned char *base = p;
1132
1133 if (val >= 0) {
1134 do {
1135 if (len < 1)
1136 return (ASN1_OVERFLOW);
1137 *p-- = val % 256;
1138 len--;
1139 val /= 256;
1140 } while (val);
1141 if (p[1] >= 128) {
1142 if (len < 1)
1143 return (ASN1_OVERFLOW);
1144 *p-- = 0;
1145 len--;
1146 }
1147 } else {
1148 val = ~val;
1149 do {
1150 if (len < 1)
1151 return (ASN1_OVERFLOW);
1152 *p-- = ~(val % 256);
1153 len--;
1154 val /= 256;
1155 } while (val);
1156 if (p[1] < 128) {
1157 if (len < 1)
1158 return (ASN1_OVERFLOW);
1159 *p-- = 0xff;
1160 len--;
1161 }
1162 }
1163 *size = base - p;
1164 return (0);
1165 }
1166
1167 static int
1168 der_put_length(unsigned char *p, size_t len, size_t val, size_t *size)
1169 {
1170 if (len < 1)
1171 return (ASN1_OVERFLOW);
1172 if (val < 128) {
1173 *p = val;
1174 *size = 1;
1175 return (0);
1176 } else {
1177 size_t l;
1178 int e;
1179
1180 e = der_put_unsigned(p, len - 1, val, &l);
1181 if (e)
1182 return (e);
1183 p -= l;
1184 *p = 0x80 | l;
1185 *size = l + 1;
1186 return (0);
1187 }
1188 }
1189
1190 static int
1191 der_put_octet_string(unsigned char *p, size_t len,
1192 const octet_string *data, size_t *size)
1193 {
1194 if (len < data->length)
1195 return (ASN1_OVERFLOW);
1196 p -= data->length;
1197 len -= data->length;
1198 memcpy(p + 1, data->data, data->length);
1199 *size = data->length;
1200 return (0);
1201 }
1202
1203 static int
1204 der_put_oid(unsigned char *p, size_t len,
1205 const oid *data, size_t *size)
1206 {
1207 unsigned char *base = p;
1208 int n;
1209
1210 for (n = data->length - 1; n >= 2; --n) {
1211 unsigned u = data->components[n];
1212
1213 if (len < 1)
1214 return (ASN1_OVERFLOW);
1215 *p-- = u % 128;
1216 u /= 128;
1217 --len;
1218 while (u > 0) {
1219 if (len < 1)
1220 return (ASN1_OVERFLOW);
1221 *p-- = 128 + u % 128;
1222 u /= 128;
1223 --len;
1224 }
1225 }
1226 if (len < 1)
1227 return (ASN1_OVERFLOW);
1228 *p-- = 40 * data->components[0] + data->components[1];
1229 *size = base - p;
1230 return (0);
1231 }
1232
1233 static int
1234 der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
1235 int tag, size_t *size)
1236 {
1237 if (len < 1)
1238 return (ASN1_OVERFLOW);
1239 *p = (class << 6) | (type << 5) | tag; /* XXX */
1240 *size = 1;
1241 return (0);
1242 }
1243
1244 static int
1245 der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
1246 Der_class class, Der_type type, int tag, size_t *size)
1247 {
1248 size_t ret = 0;
1249 size_t l;
1250 int e;
1251
1252 e = der_put_length(p, len, len_val, &l);
1253 if (e)
1254 return (e);
1255 p -= l;
1256 len -= l;
1257 ret += l;
1258 e = der_put_tag(p, len, class, type, tag, &l);
1259 if (e)
1260 return (e);
1261 p -= l;
1262 len -= l;
1263 ret += l;
1264 *size = ret;
1265 return (0);
1266 }
1267
1268 static int
1269 encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *size)
1270 {
1271 unsigned num = *(const unsigned *)data;
1272 size_t ret = 0;
1273 size_t l;
1274 int e;
1275
1276 e = der_put_int(p, len, num, &l);
1277 if (e)
1278 return (e);
1279 p -= l;
1280 len -= l;
1281 ret += l;
1282 e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
1283 if (e)
1284 return (e);
1285 p -= l;
1286 len -= l;
1287 ret += l;
1288 *size = ret;
1289 return (0);
1290 }
1291
1292 static int
1293 encode_octet_string(unsigned char *p, size_t len,
1294 const octet_string *k, size_t *size)
1295 {
1296 size_t ret = 0;
1297 size_t l;
1298 int e;
1299
1300 e = der_put_octet_string(p, len, k, &l);
1301 if (e)
1302 return (e);
1303 p -= l;
1304 len -= l;
1305 ret += l;
1306 e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
1307 if (e)
1308 return (e);
1309 p -= l;
1310 len -= l;
1311 ret += l;
1312 *size = ret;
1313 return (0);
1314 }
1315
1316 static int
1317 encode_oid(unsigned char *p, size_t len,
1318 const oid *k, size_t *size)
1319 {
1320 size_t ret = 0;
1321 size_t l;
1322 int e;
1323
1324 e = der_put_oid(p, len, k, &l);
1325 if (e)
1326 return (e);
1327 p -= l;
1328 len -= l;
1329 ret += l;
1330 e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
1331 if (e)
1332 return (e);
1333 p -= l;
1334 len -= l;
1335 ret += l;
1336 *size = ret;
1337 return (0);
1338 }
1339
1340
1341 /* encapsulate.c */
1342
1343 static void
1344 gssapi_encap_length(size_t data_len,
1345 size_t *len,
1346 size_t *total_len,
1347 const gss_OID mech)
1348 {
1349 size_t len_len;
1350
1351 *len = 1 + 1 + mech->length + data_len;
1352
1353 len_len = length_len(*len);
1354
1355 *total_len = 1 + len_len + *len;
1356 }
1357
1358 static u_char *
1359 gssapi_mech_make_header(u_char *p,
1360 size_t len,
1361 const gss_OID mech)
1362 {
1363 int e;
1364 size_t len_len, foo;
1365
1366 *p++ = 0x60;
1367 len_len = length_len(len);
1368 e = der_put_length(p + len_len - 1, len_len, len, &foo);
1369 if (e || foo != len_len)
1370 return (NULL);
1371 p += len_len;
1372 *p++ = 0x06;
1373 *p++ = mech->length;
1374 memcpy(p, mech->elements, mech->length);
1375 p += mech->length;
1376 return (p);
1377 }
1378
1379 /*
1380 * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
1381 */
1382
1383 static OM_uint32
1384 gssapi_spnego_encapsulate(OM_uint32 * minor_status,
1385 unsigned char *buf,
1386 size_t buf_size,
1387 gss_buffer_t output_token,
1388 const gss_OID mech)
1389 {
1390 size_t len, outer_len;
1391 u_char *p;
1392
1393 gssapi_encap_length(buf_size, &len, &outer_len, mech);
1394
1395 output_token->length = outer_len;
1396 output_token->value = malloc(outer_len);
1397 if (output_token->value == NULL) {
1398 *minor_status = ENOMEM;
1399 return (GSS_S_FAILURE);
1400 }
1401 p = gssapi_mech_make_header(output_token->value, len, mech);
1402 if (p == NULL) {
1403 if (output_token->length != 0)
1404 gss_release_buffer(minor_status, output_token);
1405 return (GSS_S_FAILURE);
1406 }
1407 memcpy(p, buf, buf_size);
1408 return (GSS_S_COMPLETE);
1409 }
1410
1411 /* init_sec_context.c */
1412 /*
1413 * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
1414 * based on Heimdal code)
1415 */
1416
1417 static int
1418 add_mech(MechTypeList * mech_list, gss_OID mech)
1419 {
1420 MechType *tmp;
1421 int ret;
1422
1423 tmp = realloc(mech_list->val, (mech_list->len + 1) * sizeof(*tmp));
1424 if (tmp == NULL)
1425 return (ENOMEM);
1426 mech_list->val = tmp;
1427
1428 ret = der_get_oid(mech->elements, mech->length,
1429 &mech_list->val[mech_list->len], NULL);
1430 if (ret)
1431 return (ret);
1432
1433 mech_list->len++;
1434 return (0);
1435 }
1436
1437 /*
1438 * return the length of the mechanism in token or -1
1439 * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
1440 */
1441
1442 static ssize_t
1443 gssapi_krb5_get_mech(const u_char *ptr,
1444 size_t total_len,
1445 const u_char **mech_ret)
1446 {
1447 size_t len, len_len, mech_len, foo;
1448 const u_char *p = ptr;
1449 int e;
1450
1451 if (total_len < 1)
1452 return (-1);
1453 if (*p++ != 0x60)
1454 return (-1);
1455 e = der_get_length (p, total_len - 1, &len, &len_len);
1456 if (e || 1 + len_len + len != total_len)
1457 return (-1);
1458 p += len_len;
1459 if (*p++ != 0x06)
1460 return (-1);
1461 e = der_get_length (p, total_len - 1 - len_len - 1,
1462 &mech_len, &foo);
1463 if (e)
1464 return (-1);
1465 p += foo;
1466 *mech_ret = p;
1467 return (mech_len);
1468 }
1469
1470 static OM_uint32
1471 spnego_initial(OM_uint32 *minor_status,
1472 const gss_cred_id_t initiator_cred_handle,
1473 gss_ctx_id_t *context_handle,
1474 const gss_name_t target_name,
1475 const gss_OID mech_type,
1476 OM_uint32 req_flags,
1477 OM_uint32 time_req,
1478 const gss_channel_bindings_t input_chan_bindings,
1479 const gss_buffer_t input_token,
1480 gss_OID *actual_mech_type,
1481 gss_buffer_t output_token,
1482 OM_uint32 *ret_flags,
1483 OM_uint32 *time_rec)
1484 {
1485 NegTokenInit token_init;
1486 OM_uint32 major_status, minor_status2;
1487 gss_buffer_desc krb5_output_token = GSS_C_EMPTY_BUFFER;
1488 unsigned char *buf = NULL;
1489 size_t buf_size;
1490 size_t len;
1491 int ret;
1492
1493 (void)mech_type;
1494
1495 memset(&token_init, 0, sizeof(token_init));
1496
1497 ret = add_mech(&token_init.mechTypes, GSS_KRB5_MECH);
1498 if (ret) {
1499 *minor_status = ret;
1500 ret = GSS_S_FAILURE;
1501 goto end;
1502 }
1503
1504 major_status = gss_init_sec_context(minor_status,
1505 initiator_cred_handle,
1506 context_handle,
1507 target_name,
1508 GSS_KRB5_MECH,
1509 req_flags,
1510 time_req,
1511 input_chan_bindings,
1512 input_token,
1513 actual_mech_type,
1514 &krb5_output_token,
1515 ret_flags,
1516 time_rec);
1517 if (GSS_ERROR(major_status)) {
1518 ret = major_status;
1519 goto end;
1520 }
1521 if (krb5_output_token.length > 0) {
1522 token_init.mechToken = malloc(sizeof(*token_init.mechToken));
1523 if (token_init.mechToken == NULL) {
1524 *minor_status = ENOMEM;
1525 ret = GSS_S_FAILURE;
1526 goto end;
1527 }
1528 token_init.mechToken->data = krb5_output_token.value;
1529 token_init.mechToken->length = krb5_output_token.length;
1530 }
1531 /*
1532 * The MS implementation of SPNEGO seems to not like the mechListMIC
1533 * field, so we omit it (it's optional anyway)
1534 */
1535
1536 buf_size = 1024;
1537 buf = malloc(buf_size);
1538
1539 do {
1540 ret = encode_NegTokenInit(buf + buf_size - 1,
1541 buf_size,
1542 &token_init, &len);
1543 if (ret == 0) {
1544 size_t tmp;
1545
1546 ret = der_put_length_and_tag(buf + buf_size - len - 1,
1547 buf_size - len,
1548 len,
1549 ASN1_C_CONTEXT,
1550 CONS,
1551 0,
1552 &tmp);
1553 if (ret == 0)
1554 len += tmp;
1555 }
1556 if (ret) {
1557 if (ret == ASN1_OVERFLOW) {
1558 u_char *tmp;
1559
1560 buf_size *= 2;
1561 tmp = realloc(buf, buf_size);
1562 if (tmp == NULL) {
1563 *minor_status = ENOMEM;
1564 ret = GSS_S_FAILURE;
1565 goto end;
1566 }
1567 buf = tmp;
1568 } else {
1569 *minor_status = ret;
1570 ret = GSS_S_FAILURE;
1571 goto end;
1572 }
1573 }
1574 } while (ret == ASN1_OVERFLOW);
1575
1576 ret = gssapi_spnego_encapsulate(minor_status,
1577 buf + buf_size - len, len,
1578 output_token, GSS_SPNEGO_MECH);
1579 if (ret == GSS_S_COMPLETE)
1580 ret = major_status;
1581
1582 end:
1583 if (token_init.mechToken != NULL) {
1584 free(token_init.mechToken);
1585 token_init.mechToken = NULL;
1586 }
1587 free_NegTokenInit(&token_init);
1588 if (krb5_output_token.length != 0)
1589 gss_release_buffer(&minor_status2, &krb5_output_token);
1590 if (buf)
1591 free(buf);
1592
1593 return (ret);
1594 }
1595
1596 static OM_uint32
1597 spnego_reply(OM_uint32 *minor_status,
1598 const gss_cred_id_t initiator_cred_handle,
1599 gss_ctx_id_t *context_handle,
1600 const gss_name_t target_name,
1601 const gss_OID mech_type,
1602 OM_uint32 req_flags,
1603 OM_uint32 time_req,
1604 const gss_channel_bindings_t input_chan_bindings,
1605 const gss_buffer_t input_token,
1606 gss_OID *actual_mech_type,
1607 gss_buffer_t output_token,
1608 OM_uint32 *ret_flags,
1609 OM_uint32 *time_rec)
1610 {
1611 OM_uint32 ret;
1612 NegTokenResp resp;
1613 unsigned char *buf;
1614 size_t buf_size;
1615 u_char oidbuf[17];
1616 size_t oidlen;
1617 gss_buffer_desc sub_token;
1618 ssize_t mech_len;
1619 const u_char *p;
1620 size_t len, taglen;
1621
1622 (void)mech_type;
1623
1624 output_token->length = 0;
1625 output_token->value = NULL;
1626
1627 /*
1628 * SPNEGO doesn't include gss wrapping on SubsequentContextToken
1629 * like the Kerberos 5 mech does. But lets check for it anyway.
1630 */
1631
1632 mech_len = gssapi_krb5_get_mech(input_token->value,
1633 input_token->length,
1634 &p);
1635
1636 if (mech_len < 0) {
1637 buf = input_token->value;
1638 buf_size = input_token->length;
1639 } else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
1640 memcmp(GSS_KRB5_MECH->elements, p, mech_len) == 0)
1641 return (gss_init_sec_context(minor_status,
1642 initiator_cred_handle,
1643 context_handle,
1644 target_name,
1645 GSS_KRB5_MECH,
1646 req_flags,
1647 time_req,
1648 input_chan_bindings,
1649 input_token,
1650 actual_mech_type,
1651 output_token,
1652 ret_flags,
1653 time_rec));
1654 else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
1655 memcmp(GSS_SPNEGO_MECH->elements, p, mech_len) == 0) {
1656 ret = gssapi_spnego_decapsulate(minor_status,
1657 input_token,
1658 &buf,
1659 &buf_size,
1660 GSS_SPNEGO_MECH);
1661 if (ret)
1662 return (ret);
1663 } else
1664 return (GSS_S_BAD_MECH);
1665
1666 ret = der_match_tag_and_length(buf, buf_size,
1667 ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
1668 if (ret)
1669 return (ret);
1670
1671 if(len > buf_size - taglen)
1672 return (ASN1_OVERRUN);
1673
1674 ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
1675 if (ret) {
1676 *minor_status = ENOMEM;
1677 return (GSS_S_FAILURE);
1678 }
1679
1680 if (resp.negState == NULL ||
1681 *(resp.negState) == reject ||
1682 resp.supportedMech == NULL) {
1683 free_NegTokenResp(&resp);
1684 return (GSS_S_BAD_MECH);
1685 }
1686
1687 ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
1688 sizeof(oidbuf),
1689 resp.supportedMech,
1690 &oidlen);
1691 if (ret || oidlen != GSS_KRB5_MECH->length ||
1692 memcmp(oidbuf + sizeof(oidbuf) - oidlen,
1693 GSS_KRB5_MECH->elements,
1694 oidlen) != 0) {
1695 free_NegTokenResp(&resp);
1696 return GSS_S_BAD_MECH;
1697 }
1698
1699 if (resp.responseToken != NULL) {
1700 sub_token.length = resp.responseToken->length;
1701 sub_token.value = resp.responseToken->data;
1702 } else {
1703 sub_token.length = 0;
1704 sub_token.value = NULL;
1705 }
1706
1707 ret = gss_init_sec_context(minor_status,
1708 initiator_cred_handle,
1709 context_handle,
1710 target_name,
1711 GSS_KRB5_MECH,
1712 req_flags,
1713 time_req,
1714 input_chan_bindings,
1715 &sub_token,
1716 actual_mech_type,
1717 output_token,
1718 ret_flags,
1719 time_rec);
1720 if (ret) {
1721 free_NegTokenResp(&resp);
1722 return (ret);
1723 }
1724
1725 /*
1726 * XXXSRA I don't think this limited implementation ever needs
1727 * to check the MIC -- our preferred mechanism (Kerberos)
1728 * authenticates its own messages and is the only mechanism
1729 * we'll accept, so if the mechanism negotiation completes
1730 * successfully, we don't need the MIC. See RFC 4178.
1731 */
1732
1733 free_NegTokenResp(&resp);
1734 return (ret);
1735 }
1736
1737
1738
1739 OM_uint32
1740 gss_init_sec_context_spnego(OM_uint32 *minor_status,
1741 const gss_cred_id_t initiator_cred_handle,
1742 gss_ctx_id_t *context_handle,
1743 const gss_name_t target_name,
1744 const gss_OID mech_type,
1745 OM_uint32 req_flags,
1746 OM_uint32 time_req,
1747 const gss_channel_bindings_t input_chan_bindings,
1748 const gss_buffer_t input_token,
1749 gss_OID *actual_mech_type,
1750 gss_buffer_t output_token,
1751 OM_uint32 *ret_flags,
1752 OM_uint32 *time_rec)
1753 {
1754 /* Dirty trick to suppress compiler warnings */
1755
1756 /* Figure out whether we're starting over or processing a reply */
1757
1758 if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
1759 return (spnego_initial(minor_status,
1760 initiator_cred_handle,
1761 context_handle,
1762 target_name,
1763 mech_type,
1764 req_flags,
1765 time_req,
1766 input_chan_bindings,
1767 input_token,
1768 actual_mech_type,
1769 output_token,
1770 ret_flags,
1771 time_rec));
1772 else
1773 return (spnego_reply(minor_status,
1774 initiator_cred_handle,
1775 context_handle,
1776 target_name,
1777 mech_type,
1778 req_flags,
1779 time_req,
1780 input_chan_bindings,
1781 input_token,
1782 actual_mech_type,
1783 output_token,
1784 ret_flags,
1785 time_rec));
1786 }
1787
1788 #endif /* GSSAPI */
DragonFly BSD