search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/gssapi/krb5: implement GSS_C_CHANNEL_BOUND_FLAG for gss_init_sec_context()
[heimdal.git] / lib / gssapi / krb5 / inquire_sec_context_by_oid.c
blob49d86d11cd5dafb8db44f831a9430c8c2ae0dd9c
1 /*
2 * Copyright (c) 2004, PADL Software Pty Ltd.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 #include "gsskrb5_locl.h"
34
35 static int
36 oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
37 {
38 int ret;
39 heim_oid oid;
40 heim_oid prefix;
41
42 *suffix = 0;
43
44 ret = der_get_oid(oid_enc->elements, oid_enc->length,
45 &oid, NULL);
46 if (ret) {
47 return 0;
48 }
49
50 ret = der_get_oid(prefix_enc->elements, prefix_enc->length,
51 &prefix, NULL);
52 if (ret) {
53 der_free_oid(&oid);
54 return 0;
55 }
56
57 ret = 0;
58
59 if (oid.length - 1 == prefix.length) {
60 *suffix = oid.components[oid.length - 1];
61 oid.length--;
62 ret = (der_heim_oid_cmp(&oid, &prefix) == 0);
63 oid.length++;
64 }
65
66 der_free_oid(&oid);
67 der_free_oid(&prefix);
68
69 return ret;
70 }
71
72 static OM_uint32 inquire_sec_context_tkt_flags
73 (OM_uint32 *minor_status,
74 const gsskrb5_ctx context_handle,
75 gss_buffer_set_t *data_set)
76 {
77 OM_uint32 tkt_flags;
78 unsigned char buf[4];
79 gss_buffer_desc value;
80
81 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
82
83 if (context_handle->ticket == NULL) {
84 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
85 _gsskrb5_set_status(EINVAL, "No ticket from which to obtain flags");
86 *minor_status = EINVAL;
87 return GSS_S_BAD_MECH;
88 }
89
90 tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags);
91 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
92
93 _gss_mg_encode_le_uint32(tkt_flags, buf);
94 value.length = sizeof(buf);
95 value.value = buf;
96
97 return gss_add_buffer_set_member(minor_status,
98 &value,
99 data_set);
100 }
101
102 enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY };
103
104 static OM_uint32 inquire_sec_context_get_subkey
105 (OM_uint32 *minor_status,
106 const gsskrb5_ctx context_handle,
107 krb5_context context,
108 enum keytype keytype,
109 gss_buffer_set_t *data_set)
110 {
111 krb5_keyblock *key = NULL;
112 krb5_storage *sp = NULL;
113 krb5_data data;
114 OM_uint32 maj_stat = GSS_S_COMPLETE;
115 krb5_error_code ret;
116
117 krb5_data_zero(&data);
118
119 sp = krb5_storage_emem();
120 if (sp == NULL) {
121 _gsskrb5_clear_status();
122 ret = ENOMEM;
123 goto out;
124 }
125
126 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
127 switch(keytype) {
128 case ACCEPTOR_KEY:
129 ret = _gsskrb5i_get_acceptor_subkey(context_handle, context, &key);
130 break;
131 case INITIATOR_KEY:
132 ret = _gsskrb5i_get_initiator_subkey(context_handle, context, &key);
133 break;
134 case TOKEN_KEY:
135 ret = _gsskrb5i_get_token_key(context_handle, context, &key);
136 break;
137 default:
138 _gsskrb5_set_status(EINVAL, "%d is not a valid subkey type", keytype);
139 ret = EINVAL;
140 break;
141 }
142 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
143 if (ret)
144 goto out;
145 if (key == NULL) {
146 _gsskrb5_set_status(EINVAL, "have no subkey of type %d", keytype);
147 ret = EINVAL;
148 goto out;
149 }
150
151 ret = krb5_store_keyblock(sp, *key);
152 if (ret)
153 goto out;
154
155 ret = krb5_storage_to_data(sp, &data);
156 if (ret)
157 goto out;
158
159 {
160 gss_buffer_desc value;
161
162 value.length = data.length;
163 value.value = data.data;
164
165 maj_stat = gss_add_buffer_set_member(minor_status,
166 &value,
167 data_set);
168 }
169
170 out:
171 krb5_free_keyblock(context, key);
172 krb5_data_free(&data);
173 if (sp)
174 krb5_storage_free(sp);
175 if (ret) {
176 *minor_status = ret;
177 maj_stat = GSS_S_FAILURE;
178 }
179 return maj_stat;
180 }
181
182 static OM_uint32 inquire_sec_context_get_sspi_session_key
183 (OM_uint32 *minor_status,
184 const gsskrb5_ctx context_handle,
185 krb5_context context,
186 gss_buffer_set_t *data_set)
187 {
188 krb5_keyblock *key;
189 OM_uint32 maj_stat = GSS_S_COMPLETE;
190 krb5_error_code ret;
191 gss_buffer_desc value;
192
193 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
194 ret = _gsskrb5i_get_token_key(context_handle, context, &key);
195 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
196
197 if (ret)
198 goto out;
199 if (key == NULL) {
200 ret = EINVAL;
201 goto out;
202 }
203
204 value.length = key->keyvalue.length;
205 value.value = key->keyvalue.data;
206
207 maj_stat = gss_add_buffer_set_member(minor_status,
208 &value,
209 data_set);
210 krb5_free_keyblock(context, key);
211
212 /* MIT also returns the enctype encoded as an OID in data_set[1] */
213
214 out:
215 if (ret) {
216 *minor_status = ret;
217 maj_stat = GSS_S_FAILURE;
218 }
219 return maj_stat;
220 }
221
222 static OM_uint32 inquire_sec_context_authz_data
223 (OM_uint32 *minor_status,
224 const gsskrb5_ctx context_handle,
225 krb5_context context,
226 unsigned ad_type,
227 gss_buffer_set_t *data_set)
228 {
229 krb5_data data;
230 gss_buffer_desc ad_data;
231 OM_uint32 ret;
232
233 *minor_status = 0;
234 *data_set = GSS_C_NO_BUFFER_SET;
235
236 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
237 if (context_handle->ticket == NULL) {
238 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
239 *minor_status = EINVAL;
240 _gsskrb5_set_status(EINVAL, "No ticket to obtain authz data from");
241 return GSS_S_NO_CONTEXT;
242 }
243
244 ret = krb5_ticket_get_authorization_data_type(context,
245 context_handle->ticket,
246 ad_type,
247 &data);
248 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
249 if (ret) {
250 *minor_status = ret;
251 return GSS_S_FAILURE;
252 }
253
254 ad_data.value = data.data;
255 ad_data.length = data.length;
256
257 ret = gss_add_buffer_set_member(minor_status,
258 &ad_data,
259 data_set);
260
261 krb5_data_free(&data);
262
263 return ret;
264 }
265
266 static OM_uint32 inquire_sec_context_has_buggy_spnego
267 (OM_uint32 *minor_status,
268 const gsskrb5_ctx context_handle,
269 gss_buffer_set_t *data_set)
270 {
271 uint8_t old_enctype;
272 gss_buffer_desc buffer;
273
274 *minor_status = 0;
275 *data_set = GSS_C_NO_BUFFER_SET;
276
277 /*
278 * For Windows SPNEGO implementations, the initiator or acceptor
279 * are presumed to be "buggy" (Windows 2003 or earlier) if an
280 * "older" (i.e. pre-AES per RFC 4121) encryption type was used.
281 */
282
283 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
284 old_enctype = ((context_handle->more_flags & IS_CFX) == 0);
285 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
286
287 buffer.value = &old_enctype;
288 buffer.length = sizeof(old_enctype);
289
290 return gss_add_buffer_set_member(minor_status, &buffer, data_set);
291 }
292
293 /*
294 *
295 */
296
297 static OM_uint32
298 export_lucid_sec_context_v1(OM_uint32 *minor_status,
299 gsskrb5_ctx context_handle,
300 krb5_context context,
301 gss_buffer_set_t *data_set)
302 {
303 krb5_storage *sp = NULL;
304 OM_uint32 major_status = GSS_S_COMPLETE;
305 krb5_error_code ret;
306 krb5_keyblock *key = NULL;
307 int32_t number;
308 int is_cfx;
309 krb5_data data;
310
311 *minor_status = 0;
312
313 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
314
315 is_cfx = (context_handle->more_flags & IS_CFX);
316
317 sp = krb5_storage_emem();
318 if (sp == NULL) {
319 _gsskrb5_clear_status();
320 ret = ENOMEM;
321 goto out;
322 }
323
324 ret = krb5_store_int32(sp, 1);
325 if (ret) goto out;
326 ret = krb5_store_int32(sp, (context_handle->more_flags & LOCAL) ? 1 : 0);
327 if (ret) goto out;
328 /* XXX need krb5_store_int64() */
329 ret = krb5_store_int32(sp, context_handle->endtime);
330 if (ret) goto out;
331 krb5_auth_con_getlocalseqnumber (context,
332 context_handle->auth_context,
333 &number);
334 ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
335 if (ret) goto out;
336 ret = krb5_store_uint32(sp, (uint32_t)number);
337 if (ret) goto out;
338 krb5_auth_con_getremoteseqnumber (context,
339 context_handle->auth_context,
340 &number);
341 ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
342 if (ret) goto out;
343 ret = krb5_store_uint32(sp, (uint32_t)number);
344 if (ret) goto out;
345 ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
346 if (ret) goto out;
347
348 ret = _gsskrb5i_get_token_key(context_handle, context, &key);
349 if (ret) goto out;
350
351 if (is_cfx == 0) {
352 int sign_alg, seal_alg;
353
354 switch (key->keytype) {
355 case ETYPE_DES_CBC_CRC:
356 case ETYPE_DES_CBC_MD4:
357 case ETYPE_DES_CBC_MD5:
358 sign_alg = 0;
359 seal_alg = 0;
360 break;
361 case ETYPE_DES3_CBC_MD5:
362 case ETYPE_DES3_CBC_SHA1:
363 sign_alg = 4;
364 seal_alg = 2;
365 break;
366 case ETYPE_ARCFOUR_HMAC_MD5:
367 case ETYPE_ARCFOUR_HMAC_MD5_56:
368 sign_alg = 17;
369 seal_alg = 16;
370 break;
371 default:
372 sign_alg = -1;
373 seal_alg = -1;
374 break;
375 }
376 ret = krb5_store_int32(sp, sign_alg);
377 if (ret) goto out;
378 ret = krb5_store_int32(sp, seal_alg);
379 if (ret) goto out;
380 /* ctx_key */
381 ret = krb5_store_keyblock(sp, *key);
382 if (ret) goto out;
383 } else {
384 int subkey_p = (context_handle->more_flags & ACCEPTOR_SUBKEY) ? 1 : 0;
385
386 /* have_acceptor_subkey */
387 ret = krb5_store_int32(sp, subkey_p);
388 if (ret) goto out;
389 /* ctx_key */
390 ret = krb5_store_keyblock(sp, *key);
391 if (ret) goto out;
392 /* acceptor_subkey */
393 if (subkey_p) {
394 ret = krb5_store_keyblock(sp, *key);
395 if (ret) goto out;
396 }
397 }
398 ret = krb5_storage_to_data(sp, &data);
399 if (ret) goto out;
400
401 {
402 gss_buffer_desc ad_data;
403
404 ad_data.value = data.data;
405 ad_data.length = data.length;
406
407 ret = gss_add_buffer_set_member(minor_status, &ad_data, data_set);
408 krb5_data_free(&data);
409 if (ret)
410 goto out;
411 }
412
413 out:
414 if (key)
415 krb5_free_keyblock (context, key);
416 if (sp)
417 krb5_storage_free(sp);
418 if (ret) {
419 *minor_status = ret;
420 major_status = GSS_S_FAILURE;
421 }
422 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
423 return major_status;
424 }
425
426 static OM_uint32
427 get_authtime(OM_uint32 *minor_status,
428 gsskrb5_ctx ctx,
429 gss_buffer_set_t *data_set)
430
431 {
432 gss_buffer_desc value;
433 unsigned char buf[SIZEOF_TIME_T];
434 time_t authtime;
435
436 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
437 if (ctx->ticket == NULL) {
438 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
439 _gsskrb5_set_status(EINVAL, "No ticket to obtain auth time from");
440 *minor_status = EINVAL;
441 return GSS_S_FAILURE;
442 }
443
444 authtime = ctx->ticket->ticket.authtime;
445
446 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
447
448 #if SIZEOF_TIME_T == 8
449 _gss_mg_encode_le_uint64(authtime, buf);
450 #elif SIZEOF_TIME_T == 4
451 _gss_mg_encode_le_uint32(authtime, buf);
452 #else
453 #error set SIZEOF_TIME_T for your platform
454 #endif
455 value.length = sizeof(buf);
456 value.value = buf;
457
458 return gss_add_buffer_set_member(minor_status,
459 &value,
460 data_set);
461 }
462
463
464 static OM_uint32
465 get_service_keyblock
466 (OM_uint32 *minor_status,
467 gsskrb5_ctx ctx,
468 gss_buffer_set_t *data_set)
469 {
470 krb5_storage *sp = NULL;
471 krb5_data data;
472 OM_uint32 maj_stat = GSS_S_COMPLETE;
473 krb5_error_code ret = EINVAL;
474
475 sp = krb5_storage_emem();
476 if (sp == NULL) {
477 _gsskrb5_clear_status();
478 *minor_status = ENOMEM;
479 return GSS_S_FAILURE;
480 }
481
482 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
483 if (ctx->service_keyblock == NULL) {
484 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
485 krb5_storage_free(sp);
486 _gsskrb5_set_status(EINVAL, "No service keyblock on gssapi context");
487 *minor_status = EINVAL;
488 return GSS_S_FAILURE;
489 }
490
491 krb5_data_zero(&data);
492
493 ret = krb5_store_keyblock(sp, *ctx->service_keyblock);
494
495 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
496
497 if (ret)
498 goto out;
499
500 ret = krb5_storage_to_data(sp, &data);
501 if (ret)
502 goto out;
503
504 {
505 gss_buffer_desc value;
506
507 value.length = data.length;
508 value.value = data.data;
509
510 maj_stat = gss_add_buffer_set_member(minor_status,
511 &value,
512 data_set);
513 }
514
515 out:
516 krb5_data_free(&data);
517 if (sp)
518 krb5_storage_free(sp);
519 if (ret) {
520 *minor_status = ret;
521 maj_stat = GSS_S_FAILURE;
522 }
523 return maj_stat;
524 }
525 /*
526 *
527 */
528
529 OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
530 (OM_uint32 *minor_status,
531 gss_const_ctx_id_t context_handle,
532 const gss_OID desired_object,
533 gss_buffer_set_t *data_set)
534 {
535 krb5_context context;
536 const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
537 unsigned suffix;
538
539 if (ctx == NULL) {
540 *minor_status = EINVAL;
541 return GSS_S_NO_CONTEXT;
542 }
543
544 GSSAPI_KRB5_INIT (&context);
545
546 if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) {
547 return inquire_sec_context_tkt_flags(minor_status,
548 ctx,
549 data_set);
550 } else if (gss_oid_equal(desired_object, GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO)) {
551 return inquire_sec_context_has_buggy_spnego(minor_status,
552 ctx,
553 data_set);
554 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) {
555 return inquire_sec_context_get_subkey(minor_status,
556 ctx,
557 context,
558 TOKEN_KEY,
559 data_set);
560 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) {
561 return inquire_sec_context_get_subkey(minor_status,
562 ctx,
563 context,
564 INITIATOR_KEY,
565 data_set);
566 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) {
567 return inquire_sec_context_get_subkey(minor_status,
568 ctx,
569 context,
570 ACCEPTOR_KEY,
571 data_set);
572 } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
573 return inquire_sec_context_get_sspi_session_key(minor_status,
574 ctx,
575 context,
576 data_set);
577 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
578 return get_authtime(minor_status, ctx, data_set);
579 } else if (oid_prefix_equal(desired_object,
580 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X,
581 &suffix)) {
582 return inquire_sec_context_authz_data(minor_status,
583 ctx,
584 context,
585 suffix,
586 data_set);
587 } else if (oid_prefix_equal(desired_object,
588 GSS_KRB5_EXPORT_LUCID_CONTEXT_X,
589 &suffix)) {
590 if (suffix == 1)
591 return export_lucid_sec_context_v1(minor_status,
592 ctx,
593 context,
594 data_set);
595 *minor_status = 0;
596 return GSS_S_FAILURE;
597 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SERVICE_KEYBLOCK_X)) {
598 return get_service_keyblock(minor_status, ctx, data_set);
599 } else {
600 *minor_status = 0;
601 return GSS_S_FAILURE;
602 }
603 }
604
Heimdal