mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs

   1 //
   2 // Novell.Directory.Ldap.Security.Krb5Helper.cs
   3 //
   4 // Authors:
   5 //  Boris Kirzner <borsk@mainsoft.com>
   6 //      Konstantin Triger <kostat@mainsoft.com>
   7 //
   8 // (C) 2005 Mainsoft Corporation (http://www.mainsoft.com)
   9 //
  10
  11 //
  12 // Permission is hereby granted, free of charge, to any person obtaining
  13 // a copy of this software and associated documentation files (the
  14 // "Software"), to deal in the Software without restriction, including
  15 // without limitation the rights to use, copy, modify, merge, publish,
  16 // distribute, sublicense, and/or sell copies of the Software, and to
  17 // permit persons to whom the Software is furnished to do so, subject to
  18 // the following conditions:
  19 //
  20 // The above copyright notice and this permission notice shall be
  21 // included in all copies or substantial portions of the Software.
  22 //
  23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
  27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
  28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  30 //
  31
  32 using System;
  33 using vmw.common;
  34
  35 using java.security;
  36 using javax.security.auth;
  37 using org.ietf.jgss;
  38
  39
  40 namespace Novell.Directory.Ldap.Security
  41 {
  42         internal class Krb5Helper : IDisposable
  43         {
  44                 enum QOP {
  45                         NO_PROTECTION = 1,
  46                         INTEGRITY_ONLY_PROTECTION = 2,
  47                         PRIVACY_PROTECTION = 4
  48                 }
  49
  50                 #region Fields
  51
  52                 internal static readonly sbyte [] EmptyToken = new sbyte [0];
  53
  54                 private readonly bool _encryption;
  55                 private readonly bool _signing;
  56                 private readonly bool _delegation;
  57
  58                 private readonly GSSContext _context;
  59
  60                 #endregion // Fields
  61
  62                 #region Constructors
  63
  64                 public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
  65                 {
  66                         _encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;
  67                         _signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
  68                         _delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
  69
  70                         CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (name, clientName, mech,_encryption,_signing,_delegation);
  71                         try {
  72                                 _context = (GSSContext) Subject.doAs (subject,action);
  73                         }
  74                         catch (PrivilegedActionException e) {
  75                                 throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e.getCause());
  76                         }
  77                 }
  78
  79                 #endregion // Constructors
  80
  81                 #region Properties
  82
  83                 internal GSSContext Context
  84                 {
  85                         get { return _context; }
  86                 }
  87
  88                 #endregion // Properties
  89
  90                 #region Methods
  91
  92                 public sbyte [] ExchangeTokens(sbyte [] clientToken)
  93                 {
  94                         if (Context.isEstablished ()) {
  95                                 if (clientToken == null || clientToken.Length == 0)
  96                                         return Krb5Helper.EmptyToken;
  97
  98                                 //final handshake
  99                                 byte [] challengeData = (byte []) TypeUtils.ToByteArray (clientToken);
 100                                 byte [] gssOutToken = Unwrap (challengeData, 0, challengeData.Length, new MessageProp (false));
 101
 102                                 QOP myCop = QOP.NO_PROTECTION;
 103
 104                                 if (_encryption)
 105                                         myCop = QOP.PRIVACY_PROTECTION;
 106                                 else if (_signing || (((QOP)gssOutToken [0] & QOP.INTEGRITY_ONLY_PROTECTION) != 0))
 107                                         myCop = QOP.INTEGRITY_ONLY_PROTECTION;
 108
 109                                 if ((myCop & (QOP)gssOutToken [0]) == 0)
 110                                         throw new LdapException ("Server does not support the requested security level", 80, "");
 111
 112                                 int srvMaxBufSize = SecureStream.NetworkByteOrderToInt (gssOutToken, 1, 3);
 113
 114                                 //int rawSendSize = Context.getWrapSizeLimit(0, _encryption, srvMaxBufSize);
 115
 116                                 byte [] gssInToken = new byte [4];
 117                                 gssInToken [0] = (byte) myCop;
 118
 119                                 SecureStream.IntToNetworkByteOrder (srvMaxBufSize, gssInToken, 1, 3);
 120
 121                                 gssOutToken = Wrap (gssInToken, 0, gssInToken.Length, new MessageProp (true));
 122
 123                                 return TypeUtils.ToSByteArray (gssOutToken);
 124                         }
 125
 126                         sbyte [] token = Context.initSecContext (clientToken, 0, clientToken.Length);
 127
 128                         if (Context.isEstablished ()) {
 129
 130                                 if (Context.getConfState () != _encryption)
 131                                         throw new LdapException ("Encryption protocol was not established layer between client and server", 80, "");
 132
 133                                 if (Context.getCredDelegState () != _delegation)
 134                                         throw new LdapException ("Credential delegation was not established layer between client and server", 80, "");
 135
 136                                 if (_signing && (Context.getIntegState () != _signing))
 137                                         throw new LdapException ("Signing protocol was not established layer between client and server", 80, "");
 138
 139                                 if (token == null)
 140                                         return EmptyToken;
 141                         }
 142                         return token;
 143                 }
 144
 145                 public byte [] Wrap(byte [] outgoing, int start, int len)
 146                 {
 147                         return Wrap (outgoing, start, len, new MessageProp(true));
 148                 }
 149
 150                 public byte [] Wrap(byte [] outgoing, int start, int len, MessageProp messageProp)
 151                 {
 152                         if (!Context.isEstablished ())
 153                                 throw new LdapException ("GSSAPI authentication not completed",LdapException.OTHER,"");
 154
 155                         if (!(Context.getConfState () || Context.getIntegState ())) {
 156                                 // in the case no encryption and no integrity required - return the original data
 157                                 byte [] buff = new byte [len];
 158                                 Array.Copy (outgoing, start, buff, 0, len);
 159                                 return buff;
 160                         }
 161
 162                         sbyte [] result = Context.wrap (TypeUtils.ToSByteArray (outgoing), start, len, messageProp);
 163                         return (byte []) TypeUtils.ToByteArray (result);
 164                 }
 165
 166                 public byte [] Unwrap(byte [] incoming, int start, int len)
 167                 {
 168                         return Unwrap (incoming, start, len, new MessageProp(true));
 169                 }
 170
 171                 public byte [] Unwrap(byte [] incoming, int start, int len, MessageProp messageProp)
 172                 {
 173                         if (!Context.isEstablished ())
 174                                 throw new LdapException ("GSSAPI authentication not completed",LdapException.OTHER,"");
 175
 176                         if (!(Context.getConfState () || Context.getIntegState ())) {
 177                                 // in the case no encryption and no integrity required - return the original data
 178                                 byte [] buff = new byte [len];
 179                                 Array.Copy (incoming, start, buff, 0, len);
 180                                 return buff;
 181                         }
 182
 183                         sbyte [] result = Context.unwrap (TypeUtils.ToSByteArray (incoming), start, len, messageProp);
 184                         return (byte []) TypeUtils.ToByteArray (result);
 185                 }
 186
 187                 #endregion // Methods
 188
 189                 #region IDisposable Members
 190
 191                 public void Dispose() {
 192                         Context.dispose();
 193                 }
 194
 195                 #endregion
 196         }
 197 }