2 // Novell.Directory.Ldap.Security.Krb5Helper.cs
5 // Boris Kirzner <borsk@mainsoft.com>
6 // Konstantin Triger <kostat@mainsoft.com>
8 // (C) 2005 Mainsoft Corporation (http://www.mainsoft.com)
12 // Permission is hereby granted, free of charge, to any person obtaining
13 // a copy of this software and associated documentation files (the
14 // "Software"), to deal in the Software without restriction, including
15 // without limitation the rights to use, copy, modify, merge, publish,
16 // distribute, sublicense, and/or sell copies of the Software, and to
17 // permit persons to whom the Software is furnished to do so, subject to
18 // the following conditions:
20 // The above copyright notice and this permission notice shall be
21 // included in all copies or substantial portions of the Software.
23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
36 using javax
.security
.auth
;
40 namespace Novell
.Directory
.Ldap
.Security
42 internal class Krb5Helper
: IDisposable
46 INTEGRITY_ONLY_PROTECTION
= 2,
47 PRIVACY_PROTECTION
= 4
52 internal static readonly sbyte [] EmptyToken
= new sbyte [0];
54 private readonly bool _encryption
;
55 private readonly bool _signing
;
56 private readonly bool _delegation
;
58 private readonly GSSContext _context
;
64 public Krb5Helper(string name
, string clientName
, Subject subject
, AuthenticationTypes authenticationTypes
, string mech
)
66 _encryption
= (authenticationTypes
& AuthenticationTypes
.Sealing
) != 0;
67 _signing
= (authenticationTypes
& AuthenticationTypes
.Signing
) != 0;
68 _delegation
= (authenticationTypes
& AuthenticationTypes
.Delegation
) != 0;
70 CreateContextPrivilegedAction action
= new CreateContextPrivilegedAction (name
, clientName
, mech
,_encryption
,_signing
,_delegation
);
72 _context
= (GSSContext
) Subject
.doAs (subject
,action
);
74 catch (PrivilegedActionException e
) {
75 throw new LdapException ("Problem performing token exchange with the server",LdapException
.OTHER
,"",e
.getCause());
79 #endregion // Constructors
83 internal GSSContext Context
85 get { return _context; }
88 #endregion // Properties
92 public sbyte [] ExchangeTokens(sbyte [] clientToken
)
94 if (Context
.isEstablished ()) {
95 if (clientToken
== null || clientToken
.Length
== 0)
96 return Krb5Helper
.EmptyToken
;
99 byte [] challengeData
= (byte []) TypeUtils
.ToByteArray (clientToken
);
100 byte [] gssOutToken
= Unwrap (challengeData
, 0, challengeData
.Length
, new MessageProp (false));
102 QOP myCop
= QOP
.NO_PROTECTION
;
105 myCop
= QOP
.PRIVACY_PROTECTION
;
106 else if (_signing
|| (((QOP
)gssOutToken
[0] & QOP
.INTEGRITY_ONLY_PROTECTION
) != 0))
107 myCop
= QOP
.INTEGRITY_ONLY_PROTECTION
;
109 if ((myCop
& (QOP
)gssOutToken
[0]) == 0)
110 throw new LdapException ("Server does not support the requested security level", 80, "");
112 int srvMaxBufSize
= SecureStream
.NetworkByteOrderToInt (gssOutToken
, 1, 3);
114 //int rawSendSize = Context.getWrapSizeLimit(0, _encryption, srvMaxBufSize);
116 byte [] gssInToken
= new byte [4];
117 gssInToken
[0] = (byte) myCop
;
119 SecureStream
.IntToNetworkByteOrder (srvMaxBufSize
, gssInToken
, 1, 3);
121 gssOutToken
= Wrap (gssInToken
, 0, gssInToken
.Length
, new MessageProp (true));
123 return TypeUtils
.ToSByteArray (gssOutToken
);
126 sbyte [] token
= Context
.initSecContext (clientToken
, 0, clientToken
.Length
);
128 if (Context
.isEstablished ()) {
130 if (Context
.getConfState () != _encryption
)
131 throw new LdapException ("Encryption protocol was not established layer between client and server", 80, "");
133 if (Context
.getCredDelegState () != _delegation
)
134 throw new LdapException ("Credential delegation was not established layer between client and server", 80, "");
136 if (_signing
&& (Context
.getIntegState () != _signing
))
137 throw new LdapException ("Signing protocol was not established layer between client and server", 80, "");
145 public byte [] Wrap(byte [] outgoing
, int start
, int len
)
147 return Wrap (outgoing
, start
, len
, new MessageProp(true));
150 public byte [] Wrap(byte [] outgoing
, int start
, int len
, MessageProp messageProp
)
152 if (!Context
.isEstablished ())
153 throw new LdapException ("GSSAPI authentication not completed",LdapException
.OTHER
,"");
155 if (!(Context
.getConfState () || Context
.getIntegState ())) {
156 // in the case no encryption and no integrity required - return the original data
157 byte [] buff
= new byte [len
];
158 Array
.Copy (outgoing
, start
, buff
, 0, len
);
162 sbyte [] result
= Context
.wrap (TypeUtils
.ToSByteArray (outgoing
), start
, len
, messageProp
);
163 return (byte []) TypeUtils
.ToByteArray (result
);
166 public byte [] Unwrap(byte [] incoming
, int start
, int len
)
168 return Unwrap (incoming
, start
, len
, new MessageProp(true));
171 public byte [] Unwrap(byte [] incoming
, int start
, int len
, MessageProp messageProp
)
173 if (!Context
.isEstablished ())
174 throw new LdapException ("GSSAPI authentication not completed",LdapException
.OTHER
,"");
176 if (!(Context
.getConfState () || Context
.getIntegState ())) {
177 // in the case no encryption and no integrity required - return the original data
178 byte [] buff
= new byte [len
];
179 Array
.Copy (incoming
, start
, buff
, 0, len
);
183 sbyte [] result
= Context
.unwrap (TypeUtils
.ToSByteArray (incoming
), start
, len
, messageProp
);
184 return (byte []) TypeUtils
.ToByteArray (result
);
187 #endregion // Methods
189 #region IDisposable Members
191 public void Dispose() {