2 * Copyright (c) 2004, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gsskrb5_locl.h"
36 oid_prefix_equal(gss_OID oid_enc
, gss_OID prefix_enc
, unsigned *suffix
)
44 ret
= der_get_oid(oid_enc
->elements
, oid_enc
->length
,
50 ret
= der_get_oid(prefix_enc
->elements
, prefix_enc
->length
,
59 if (oid
.length
- 1 == prefix
.length
) {
60 *suffix
= oid
.components
[oid
.length
- 1];
62 ret
= (der_heim_oid_cmp(&oid
, &prefix
) == 0);
67 der_free_oid(&prefix
);
72 static OM_uint32 inquire_sec_context_tkt_flags
73 (OM_uint32
*minor_status
,
74 const gsskrb5_ctx context_handle
,
75 gss_buffer_set_t
*data_set
)
79 gss_buffer_desc value
;
81 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
83 if (context_handle
->ticket
== NULL
) {
84 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
85 _gsskrb5_set_status(EINVAL
, "No ticket from which to obtain flags");
86 *minor_status
= EINVAL
;
87 return GSS_S_BAD_MECH
;
90 tkt_flags
= TicketFlags2int(context_handle
->ticket
->ticket
.flags
);
91 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
93 _gsskrb5_encode_om_uint32(tkt_flags
, buf
);
94 value
.length
= sizeof(buf
);
97 return gss_add_buffer_set_member(minor_status
,
102 enum keytype
{ ACCEPTOR_KEY
, INITIATOR_KEY
, TOKEN_KEY
};
104 static OM_uint32 inquire_sec_context_get_subkey
105 (OM_uint32
*minor_status
,
106 const gsskrb5_ctx context_handle
,
107 krb5_context context
,
108 enum keytype keytype
,
109 gss_buffer_set_t
*data_set
)
111 krb5_keyblock
*key
= NULL
;
112 krb5_storage
*sp
= NULL
;
114 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
117 krb5_data_zero(&data
);
119 sp
= krb5_storage_emem();
121 _gsskrb5_clear_status();
126 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
129 ret
= _gsskrb5i_get_acceptor_subkey(context_handle
, context
, &key
);
132 ret
= _gsskrb5i_get_initiator_subkey(context_handle
, context
, &key
);
135 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
138 _gsskrb5_set_status(EINVAL
, "%d is not a valid subkey type", keytype
);
142 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
146 _gsskrb5_set_status(EINVAL
, "have no subkey of type %d", keytype
);
151 ret
= krb5_store_keyblock(sp
, *key
);
152 krb5_free_keyblock (context
, key
);
156 ret
= krb5_storage_to_data(sp
, &data
);
161 gss_buffer_desc value
;
163 value
.length
= data
.length
;
164 value
.value
= data
.data
;
166 maj_stat
= gss_add_buffer_set_member(minor_status
,
172 krb5_data_free(&data
);
174 krb5_storage_free(sp
);
177 maj_stat
= GSS_S_FAILURE
;
182 static OM_uint32 inquire_sec_context_get_sspi_session_key
183 (OM_uint32
*minor_status
,
184 const gsskrb5_ctx context_handle
,
185 krb5_context context
,
186 gss_buffer_set_t
*data_set
)
189 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
191 gss_buffer_desc value
;
193 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
194 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
195 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
204 value
.length
= key
->keyvalue
.length
;
205 value
.value
= key
->keyvalue
.data
;
207 maj_stat
= gss_add_buffer_set_member(minor_status
,
210 krb5_free_keyblock(context
, key
);
212 /* MIT also returns the enctype encoded as an OID in data_set[1] */
217 maj_stat
= GSS_S_FAILURE
;
222 static OM_uint32 inquire_sec_context_authz_data
223 (OM_uint32
*minor_status
,
224 const gsskrb5_ctx context_handle
,
225 krb5_context context
,
227 gss_buffer_set_t
*data_set
)
230 gss_buffer_desc ad_data
;
234 *data_set
= GSS_C_NO_BUFFER_SET
;
236 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
237 if (context_handle
->ticket
== NULL
) {
238 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
239 *minor_status
= EINVAL
;
240 _gsskrb5_set_status(EINVAL
, "No ticket to obtain authz data from");
241 return GSS_S_NO_CONTEXT
;
244 ret
= krb5_ticket_get_authorization_data_type(context
,
245 context_handle
->ticket
,
248 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
251 return GSS_S_FAILURE
;
254 ad_data
.value
= data
.data
;
255 ad_data
.length
= data
.length
;
257 ret
= gss_add_buffer_set_member(minor_status
,
261 krb5_data_free(&data
);
266 static OM_uint32 inquire_sec_context_has_updated_spnego
267 (OM_uint32
*minor_status
,
268 const gsskrb5_ctx context_handle
,
269 gss_buffer_set_t
*data_set
)
274 *data_set
= GSS_C_NO_BUFFER_SET
;
277 * For Windows SPNEGO implementations, both the initiator and the
278 * acceptor are assumed to have been updated if a "newer" [CLAR] or
279 * different enctype is negotiated for use by the Kerberos GSS-API
282 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
283 is_updated
= (context_handle
->more_flags
& IS_CFX
);
284 if (is_updated
== 0) {
285 krb5_keyblock
*acceptor_subkey
;
287 if (context_handle
->more_flags
& LOCAL
)
288 acceptor_subkey
= context_handle
->auth_context
->remote_subkey
;
290 acceptor_subkey
= context_handle
->auth_context
->local_subkey
;
292 if (acceptor_subkey
!= NULL
)
293 is_updated
= (acceptor_subkey
->keytype
!=
294 context_handle
->auth_context
->keyblock
->keytype
);
296 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
298 return is_updated
? GSS_S_COMPLETE
: GSS_S_FAILURE
;
306 export_lucid_sec_context_v1(OM_uint32
*minor_status
,
307 gsskrb5_ctx context_handle
,
308 krb5_context context
,
309 gss_buffer_set_t
*data_set
)
311 krb5_storage
*sp
= NULL
;
312 OM_uint32 major_status
= GSS_S_COMPLETE
;
314 krb5_keyblock
*key
= NULL
;
321 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
323 is_cfx
= (context_handle
->more_flags
& IS_CFX
);
325 sp
= krb5_storage_emem();
327 _gsskrb5_clear_status();
332 ret
= krb5_store_int32(sp
, 1);
334 ret
= krb5_store_int32(sp
, (context_handle
->more_flags
& LOCAL
) ? 1 : 0);
336 ret
= krb5_store_int32(sp
, context_handle
->lifetime
);
338 krb5_auth_con_getlocalseqnumber (context
,
339 context_handle
->auth_context
,
341 ret
= krb5_store_uint32(sp
, (uint32_t)0); /* store top half as zero */
343 ret
= krb5_store_uint32(sp
, (uint32_t)number
);
345 krb5_auth_con_getremoteseqnumber (context
,
346 context_handle
->auth_context
,
348 ret
= krb5_store_uint32(sp
, (uint32_t)0); /* store top half as zero */
350 ret
= krb5_store_uint32(sp
, (uint32_t)number
);
352 ret
= krb5_store_int32(sp
, (is_cfx
) ? 1 : 0);
355 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
359 int sign_alg
, seal_alg
;
361 switch (key
->keytype
) {
362 case ETYPE_DES_CBC_CRC
:
363 case ETYPE_DES_CBC_MD4
:
364 case ETYPE_DES_CBC_MD5
:
368 case ETYPE_DES3_CBC_MD5
:
369 case ETYPE_DES3_CBC_SHA1
:
373 case ETYPE_ARCFOUR_HMAC_MD5
:
374 case ETYPE_ARCFOUR_HMAC_MD5_56
:
383 ret
= krb5_store_int32(sp
, sign_alg
);
385 ret
= krb5_store_int32(sp
, seal_alg
);
388 ret
= krb5_store_keyblock(sp
, *key
);
391 int subkey_p
= (context_handle
->more_flags
& ACCEPTOR_SUBKEY
) ? 1 : 0;
393 /* have_acceptor_subkey */
394 ret
= krb5_store_int32(sp
, subkey_p
);
397 ret
= krb5_store_keyblock(sp
, *key
);
399 /* acceptor_subkey */
401 ret
= krb5_store_keyblock(sp
, *key
);
405 ret
= krb5_storage_to_data(sp
, &data
);
409 gss_buffer_desc ad_data
;
411 ad_data
.value
= data
.data
;
412 ad_data
.length
= data
.length
;
414 ret
= gss_add_buffer_set_member(minor_status
, &ad_data
, data_set
);
415 krb5_data_free(&data
);
422 krb5_free_keyblock (context
, key
);
424 krb5_storage_free(sp
);
427 major_status
= GSS_S_FAILURE
;
429 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
434 get_authtime(OM_uint32
*minor_status
,
436 gss_buffer_set_t
*data_set
)
439 gss_buffer_desc value
;
440 unsigned char buf
[4];
443 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
444 if (ctx
->ticket
== NULL
) {
445 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
446 _gsskrb5_set_status(EINVAL
, "No ticket to obtain auth time from");
447 *minor_status
= EINVAL
;
448 return GSS_S_FAILURE
;
451 authtime
= ctx
->ticket
->ticket
.authtime
;
453 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
455 _gsskrb5_encode_om_uint32(authtime
, buf
);
456 value
.length
= sizeof(buf
);
459 return gss_add_buffer_set_member(minor_status
,
467 (OM_uint32
*minor_status
,
469 gss_buffer_set_t
*data_set
)
471 krb5_storage
*sp
= NULL
;
473 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
474 krb5_error_code ret
= EINVAL
;
476 sp
= krb5_storage_emem();
478 _gsskrb5_clear_status();
479 *minor_status
= ENOMEM
;
480 return GSS_S_FAILURE
;
483 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
484 if (ctx
->service_keyblock
== NULL
) {
485 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
486 krb5_storage_free(sp
);
487 _gsskrb5_set_status(EINVAL
, "No service keyblock on gssapi context");
488 *minor_status
= EINVAL
;
489 return GSS_S_FAILURE
;
492 krb5_data_zero(&data
);
494 ret
= krb5_store_keyblock(sp
, *ctx
->service_keyblock
);
496 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
501 ret
= krb5_storage_to_data(sp
, &data
);
506 gss_buffer_desc value
;
508 value
.length
= data
.length
;
509 value
.value
= data
.data
;
511 maj_stat
= gss_add_buffer_set_member(minor_status
,
517 krb5_data_free(&data
);
519 krb5_storage_free(sp
);
522 maj_stat
= GSS_S_FAILURE
;
530 OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
531 (OM_uint32
*minor_status
,
532 const gss_ctx_id_t context_handle
,
533 const gss_OID desired_object
,
534 gss_buffer_set_t
*data_set
)
536 krb5_context context
;
537 const gsskrb5_ctx ctx
= (const gsskrb5_ctx
) context_handle
;
541 *minor_status
= EINVAL
;
542 return GSS_S_NO_CONTEXT
;
545 GSSAPI_KRB5_INIT (&context
);
547 if (gss_oid_equal(desired_object
, GSS_KRB5_GET_TKT_FLAGS_X
)) {
548 return inquire_sec_context_tkt_flags(minor_status
,
551 } else if (gss_oid_equal(desired_object
, GSS_C_PEER_HAS_UPDATED_SPNEGO
)) {
552 return inquire_sec_context_has_updated_spnego(minor_status
,
555 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_SUBKEY_X
)) {
556 return inquire_sec_context_get_subkey(minor_status
,
561 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_INITIATOR_SUBKEY_X
)) {
562 return inquire_sec_context_get_subkey(minor_status
,
567 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X
)) {
568 return inquire_sec_context_get_subkey(minor_status
,
573 } else if (gss_oid_equal(desired_object
, GSS_C_INQ_SSPI_SESSION_KEY
)) {
574 return inquire_sec_context_get_sspi_session_key(minor_status
,
578 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_AUTHTIME_X
)) {
579 return get_authtime(minor_status
, ctx
, data_set
);
580 } else if (oid_prefix_equal(desired_object
,
581 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X
,
583 return inquire_sec_context_authz_data(minor_status
,
588 } else if (oid_prefix_equal(desired_object
,
589 GSS_KRB5_EXPORT_LUCID_CONTEXT_X
,
592 return export_lucid_sec_context_v1(minor_status
,
597 return GSS_S_FAILURE
;
598 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_SERVICE_KEYBLOCK_X
)) {
599 return get_service_keyblock(minor_status
, ctx
, data_set
);
602 return GSS_S_FAILURE
;