2 * Copyright (c) 2004, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gsskrb5_locl.h"
36 oid_prefix_equal(gss_OID oid_enc
, gss_OID prefix_enc
, unsigned *suffix
)
44 ret
= der_get_oid(oid_enc
->elements
, oid_enc
->length
,
50 ret
= der_get_oid(prefix_enc
->elements
, prefix_enc
->length
,
59 if (oid
.length
- 1 == prefix
.length
) {
60 *suffix
= oid
.components
[oid
.length
- 1];
62 ret
= (der_heim_oid_cmp(&oid
, &prefix
) == 0);
67 der_free_oid(&prefix
);
72 static OM_uint32 inquire_sec_context_tkt_flags
73 (OM_uint32
*minor_status
,
74 const gsskrb5_ctx context_handle
,
75 gss_buffer_set_t
*data_set
)
79 gss_buffer_desc value
;
81 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
83 if (context_handle
->ticket
== NULL
) {
84 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
85 _gsskrb5_set_status(EINVAL
, "No ticket from which to obtain flags");
86 *minor_status
= EINVAL
;
87 return GSS_S_BAD_MECH
;
90 tkt_flags
= TicketFlags2int(context_handle
->ticket
->ticket
.flags
);
91 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
93 _gss_mg_encode_le_uint32(tkt_flags
, buf
);
94 value
.length
= sizeof(buf
);
97 return gss_add_buffer_set_member(minor_status
,
102 enum keytype
{ ACCEPTOR_KEY
, INITIATOR_KEY
, TOKEN_KEY
};
104 static OM_uint32 inquire_sec_context_get_subkey
105 (OM_uint32
*minor_status
,
106 const gsskrb5_ctx context_handle
,
107 krb5_context context
,
108 enum keytype keytype
,
109 gss_buffer_set_t
*data_set
)
111 krb5_keyblock
*key
= NULL
;
112 krb5_storage
*sp
= NULL
;
114 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
117 krb5_data_zero(&data
);
119 sp
= krb5_storage_emem();
121 _gsskrb5_clear_status();
126 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
129 ret
= _gsskrb5i_get_acceptor_subkey(context_handle
, context
, &key
);
132 ret
= _gsskrb5i_get_initiator_subkey(context_handle
, context
, &key
);
135 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
138 _gsskrb5_set_status(EINVAL
, "%d is not a valid subkey type", keytype
);
142 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
146 _gsskrb5_set_status(EINVAL
, "have no subkey of type %d", keytype
);
151 ret
= krb5_store_keyblock(sp
, *key
);
155 ret
= krb5_storage_to_data(sp
, &data
);
160 gss_buffer_desc value
;
162 value
.length
= data
.length
;
163 value
.value
= data
.data
;
165 maj_stat
= gss_add_buffer_set_member(minor_status
,
171 krb5_free_keyblock(context
, key
);
172 krb5_data_free(&data
);
174 krb5_storage_free(sp
);
177 maj_stat
= GSS_S_FAILURE
;
182 static OM_uint32 inquire_sec_context_get_sspi_session_key
183 (OM_uint32
*minor_status
,
184 const gsskrb5_ctx context_handle
,
185 krb5_context context
,
186 gss_buffer_set_t
*data_set
)
189 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
191 gss_buffer_desc value
;
193 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
194 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
195 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
204 value
.length
= key
->keyvalue
.length
;
205 value
.value
= key
->keyvalue
.data
;
207 maj_stat
= gss_add_buffer_set_member(minor_status
,
210 krb5_free_keyblock(context
, key
);
212 /* MIT also returns the enctype encoded as an OID in data_set[1] */
217 maj_stat
= GSS_S_FAILURE
;
222 static OM_uint32 inquire_sec_context_authz_data
223 (OM_uint32
*minor_status
,
224 const gsskrb5_ctx context_handle
,
225 krb5_context context
,
227 gss_buffer_set_t
*data_set
)
230 gss_buffer_desc ad_data
;
234 *data_set
= GSS_C_NO_BUFFER_SET
;
236 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
237 if (context_handle
->ticket
== NULL
) {
238 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
239 *minor_status
= EINVAL
;
240 _gsskrb5_set_status(EINVAL
, "No ticket to obtain authz data from");
241 return GSS_S_NO_CONTEXT
;
244 ret
= krb5_ticket_get_authorization_data_type(context
,
245 context_handle
->ticket
,
248 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
251 return GSS_S_FAILURE
;
254 ad_data
.value
= data
.data
;
255 ad_data
.length
= data
.length
;
257 ret
= gss_add_buffer_set_member(minor_status
,
261 krb5_data_free(&data
);
266 static OM_uint32 inquire_sec_context_has_buggy_spnego
267 (OM_uint32
*minor_status
,
268 const gsskrb5_ctx context_handle
,
269 gss_buffer_set_t
*data_set
)
272 gss_buffer_desc buffer
;
275 *data_set
= GSS_C_NO_BUFFER_SET
;
278 * For Windows SPNEGO implementations, the initiator or acceptor
279 * are presumed to be "buggy" (Windows 2003 or earlier) if an
280 * "older" (i.e. pre-AES per RFC 4121) encryption type was used.
283 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
284 old_enctype
= ((context_handle
->more_flags
& IS_CFX
) == 0);
285 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
287 buffer
.value
= &old_enctype
;
288 buffer
.length
= sizeof(old_enctype
);
290 return gss_add_buffer_set_member(minor_status
, &buffer
, data_set
);
298 export_lucid_sec_context_v1(OM_uint32
*minor_status
,
299 gsskrb5_ctx context_handle
,
300 krb5_context context
,
301 gss_buffer_set_t
*data_set
)
303 krb5_storage
*sp
= NULL
;
304 OM_uint32 major_status
= GSS_S_COMPLETE
;
306 krb5_keyblock
*key
= NULL
;
313 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
315 is_cfx
= (context_handle
->more_flags
& IS_CFX
);
317 sp
= krb5_storage_emem();
319 _gsskrb5_clear_status();
324 ret
= krb5_store_int32(sp
, 1);
326 ret
= krb5_store_int32(sp
, (context_handle
->more_flags
& LOCAL
) ? 1 : 0);
328 /* XXX need krb5_store_int64() */
329 ret
= krb5_store_int32(sp
, context_handle
->endtime
);
331 krb5_auth_con_getlocalseqnumber (context
,
332 context_handle
->auth_context
,
334 ret
= krb5_store_uint32(sp
, (uint32_t)0); /* store top half as zero */
336 ret
= krb5_store_uint32(sp
, (uint32_t)number
);
338 krb5_auth_con_getremoteseqnumber (context
,
339 context_handle
->auth_context
,
341 ret
= krb5_store_uint32(sp
, (uint32_t)0); /* store top half as zero */
343 ret
= krb5_store_uint32(sp
, (uint32_t)number
);
345 ret
= krb5_store_int32(sp
, (is_cfx
) ? 1 : 0);
348 ret
= _gsskrb5i_get_token_key(context_handle
, context
, &key
);
352 int sign_alg
, seal_alg
;
354 switch (key
->keytype
) {
355 case ETYPE_DES_CBC_CRC
:
356 case ETYPE_DES_CBC_MD4
:
357 case ETYPE_DES_CBC_MD5
:
361 case ETYPE_DES3_CBC_MD5
:
362 case ETYPE_DES3_CBC_SHA1
:
366 case ETYPE_ARCFOUR_HMAC_MD5
:
367 case ETYPE_ARCFOUR_HMAC_MD5_56
:
376 ret
= krb5_store_int32(sp
, sign_alg
);
378 ret
= krb5_store_int32(sp
, seal_alg
);
381 ret
= krb5_store_keyblock(sp
, *key
);
384 int subkey_p
= (context_handle
->more_flags
& ACCEPTOR_SUBKEY
) ? 1 : 0;
386 /* have_acceptor_subkey */
387 ret
= krb5_store_int32(sp
, subkey_p
);
390 ret
= krb5_store_keyblock(sp
, *key
);
392 /* acceptor_subkey */
394 ret
= krb5_store_keyblock(sp
, *key
);
398 ret
= krb5_storage_to_data(sp
, &data
);
402 gss_buffer_desc ad_data
;
404 ad_data
.value
= data
.data
;
405 ad_data
.length
= data
.length
;
407 ret
= gss_add_buffer_set_member(minor_status
, &ad_data
, data_set
);
408 krb5_data_free(&data
);
415 krb5_free_keyblock (context
, key
);
417 krb5_storage_free(sp
);
420 major_status
= GSS_S_FAILURE
;
422 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
427 get_authtime(OM_uint32
*minor_status
,
429 gss_buffer_set_t
*data_set
)
432 gss_buffer_desc value
;
433 unsigned char buf
[SIZEOF_TIME_T
];
436 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
437 if (ctx
->ticket
== NULL
) {
438 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
439 _gsskrb5_set_status(EINVAL
, "No ticket to obtain auth time from");
440 *minor_status
= EINVAL
;
441 return GSS_S_FAILURE
;
444 authtime
= ctx
->ticket
->ticket
.authtime
;
446 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
448 #if SIZEOF_TIME_T == 8
449 _gss_mg_encode_le_uint64(authtime
, buf
);
450 #elif SIZEOF_TIME_T == 4
451 _gss_mg_encode_le_uint32(authtime
, buf
);
453 #error set SIZEOF_TIME_T for your platform
455 value
.length
= sizeof(buf
);
458 return gss_add_buffer_set_member(minor_status
,
466 (OM_uint32
*minor_status
,
468 gss_buffer_set_t
*data_set
)
470 krb5_storage
*sp
= NULL
;
472 OM_uint32 maj_stat
= GSS_S_COMPLETE
;
473 krb5_error_code ret
= EINVAL
;
475 sp
= krb5_storage_emem();
477 _gsskrb5_clear_status();
478 *minor_status
= ENOMEM
;
479 return GSS_S_FAILURE
;
482 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
483 if (ctx
->service_keyblock
== NULL
) {
484 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
485 krb5_storage_free(sp
);
486 _gsskrb5_set_status(EINVAL
, "No service keyblock on gssapi context");
487 *minor_status
= EINVAL
;
488 return GSS_S_FAILURE
;
491 krb5_data_zero(&data
);
493 ret
= krb5_store_keyblock(sp
, *ctx
->service_keyblock
);
495 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
500 ret
= krb5_storage_to_data(sp
, &data
);
505 gss_buffer_desc value
;
507 value
.length
= data
.length
;
508 value
.value
= data
.data
;
510 maj_stat
= gss_add_buffer_set_member(minor_status
,
516 krb5_data_free(&data
);
518 krb5_storage_free(sp
);
521 maj_stat
= GSS_S_FAILURE
;
529 OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
530 (OM_uint32
*minor_status
,
531 gss_const_ctx_id_t context_handle
,
532 const gss_OID desired_object
,
533 gss_buffer_set_t
*data_set
)
535 krb5_context context
;
536 const gsskrb5_ctx ctx
= (const gsskrb5_ctx
) context_handle
;
540 *minor_status
= EINVAL
;
541 return GSS_S_NO_CONTEXT
;
544 GSSAPI_KRB5_INIT (&context
);
546 if (gss_oid_equal(desired_object
, GSS_KRB5_GET_TKT_FLAGS_X
)) {
547 return inquire_sec_context_tkt_flags(minor_status
,
550 } else if (gss_oid_equal(desired_object
, GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO
)) {
551 return inquire_sec_context_has_buggy_spnego(minor_status
,
554 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_SUBKEY_X
)) {
555 return inquire_sec_context_get_subkey(minor_status
,
560 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_INITIATOR_SUBKEY_X
)) {
561 return inquire_sec_context_get_subkey(minor_status
,
566 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X
)) {
567 return inquire_sec_context_get_subkey(minor_status
,
572 } else if (gss_oid_equal(desired_object
, GSS_C_INQ_SSPI_SESSION_KEY
)) {
573 return inquire_sec_context_get_sspi_session_key(minor_status
,
577 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_AUTHTIME_X
)) {
578 return get_authtime(minor_status
, ctx
, data_set
);
579 } else if (oid_prefix_equal(desired_object
,
580 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X
,
582 return inquire_sec_context_authz_data(minor_status
,
587 } else if (oid_prefix_equal(desired_object
,
588 GSS_KRB5_EXPORT_LUCID_CONTEXT_X
,
591 return export_lucid_sec_context_v1(minor_status
,
596 return GSS_S_FAILURE
;
597 } else if (gss_oid_equal(desired_object
, GSS_KRB5_GET_SERVICE_KEYBLOCK_X
)) {
598 return get_service_keyblock(minor_status
, ctx
, data_set
);
601 return GSS_S_FAILURE
;