2 * Copyright (c) 2004, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gsskrb5_locl.h"
36 oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
44 ret = der_get_oid(oid_enc->elements, oid_enc->length,
50 ret = der_get_oid(prefix_enc->elements, prefix_enc->length,
59 if (oid.length - 1 == prefix.length) {
60 *suffix = oid.components[oid.length - 1];
62 ret = (der_heim_oid_cmp(&oid, &prefix) == 0);
67 der_free_oid(&prefix);
72 static OM_uint32 inquire_sec_context_tkt_flags
73 (OM_uint32 *minor_status,
74 const gsskrb5_ctx context_handle,
75 gss_buffer_set_t *data_set)
79 gss_buffer_desc value;
81 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
83 if (context_handle->ticket == NULL) {
84 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
85 _gsskrb5_set_status(EINVAL, "No ticket from which to obtain flags");
86 *minor_status = EINVAL;
87 return GSS_S_BAD_MECH;
90 tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags);
91 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
93 _gsskrb5_encode_om_uint32(tkt_flags, buf);
94 value.length = sizeof(buf);
97 return gss_add_buffer_set_member(minor_status,
102 enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY };
104 static OM_uint32 inquire_sec_context_get_subkey
105 (OM_uint32 *minor_status,
106 const gsskrb5_ctx context_handle,
107 krb5_context context,
108 enum keytype keytype,
109 gss_buffer_set_t *data_set)
111 krb5_keyblock *key = NULL;
112 krb5_storage *sp = NULL;
114 OM_uint32 maj_stat = GSS_S_COMPLETE;
117 krb5_data_zero(&data);
119 sp = krb5_storage_emem();
121 _gsskrb5_clear_status();
126 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
129 ret = _gsskrb5i_get_acceptor_subkey(context_handle, context, &key);
132 ret = _gsskrb5i_get_initiator_subkey(context_handle, context, &key);
135 ret = _gsskrb5i_get_token_key(context_handle, context, &key);
138 _gsskrb5_set_status(EINVAL, "%d is not a valid subkey type", keytype);
142 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
146 _gsskrb5_set_status(EINVAL, "have no subkey of type %d", keytype);
151 ret = krb5_store_keyblock(sp, *key);
152 krb5_free_keyblock (context, key);
156 ret = krb5_storage_to_data(sp, &data);
161 gss_buffer_desc value;
163 value.length = data.length;
164 value.value = data.data;
166 maj_stat = gss_add_buffer_set_member(minor_status,
172 krb5_data_free(&data);
174 krb5_storage_free(sp);
177 maj_stat = GSS_S_FAILURE;
182 static OM_uint32 inquire_sec_context_get_sspi_session_key
183 (OM_uint32 *minor_status,
184 const gsskrb5_ctx context_handle,
185 krb5_context context,
186 gss_buffer_set_t *data_set)
189 OM_uint32 maj_stat = GSS_S_COMPLETE;
191 gss_buffer_desc value;
193 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
194 ret = _gsskrb5i_get_token_key(context_handle, context, &key);
195 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
204 value.length = key->keyvalue.length;
205 value.value = key->keyvalue.data;
207 maj_stat = gss_add_buffer_set_member(minor_status,
210 krb5_free_keyblock(context, key);
212 /* MIT also returns the enctype encoded as an OID in data_set[1] */
217 maj_stat = GSS_S_FAILURE;
222 static OM_uint32 inquire_sec_context_authz_data
223 (OM_uint32 *minor_status,
224 const gsskrb5_ctx context_handle,
225 krb5_context context,
227 gss_buffer_set_t *data_set)
230 gss_buffer_desc ad_data;
234 *data_set = GSS_C_NO_BUFFER_SET;
236 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
237 if (context_handle->ticket == NULL) {
238 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
239 *minor_status = EINVAL;
240 _gsskrb5_set_status(EINVAL, "No ticket to obtain authz data from");
241 return GSS_S_NO_CONTEXT;
244 ret = krb5_ticket_get_authorization_data_type(context,
245 context_handle->ticket,
248 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
251 return GSS_S_FAILURE;
254 ad_data.value = data.data;
255 ad_data.length = data.length;
257 ret = gss_add_buffer_set_member(minor_status,
261 krb5_data_free(&data);
266 static OM_uint32 inquire_sec_context_has_updated_spnego
267 (OM_uint32 *minor_status,
268 const gsskrb5_ctx context_handle,
269 gss_buffer_set_t *data_set)
274 *data_set = GSS_C_NO_BUFFER_SET;
277 * For Windows SPNEGO implementations, both the initiator and the
278 * acceptor are assumed to have been updated if a "newer" [CLAR] or
279 * different enctype is negotiated for use by the Kerberos GSS-API
282 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
283 is_updated = (context_handle->more_flags & IS_CFX);
284 if (is_updated == 0) {
285 krb5_keyblock *acceptor_subkey;
287 if (context_handle->more_flags & LOCAL)
288 acceptor_subkey = context_handle->auth_context->remote_subkey;
290 acceptor_subkey = context_handle->auth_context->local_subkey;
292 if (acceptor_subkey != NULL)
293 is_updated = (acceptor_subkey->keytype !=
294 context_handle->auth_context->keyblock->keytype);
296 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
298 return is_updated ? GSS_S_COMPLETE : GSS_S_FAILURE;
306 export_lucid_sec_context_v1(OM_uint32 *minor_status,
307 gsskrb5_ctx context_handle,
308 krb5_context context,
309 gss_buffer_set_t *data_set)
311 krb5_storage *sp = NULL;
312 OM_uint32 major_status = GSS_S_COMPLETE;
314 krb5_keyblock *key = NULL;
321 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
323 is_cfx = (context_handle->more_flags & IS_CFX);
325 sp = krb5_storage_emem();
327 _gsskrb5_clear_status();
332 ret = krb5_store_int32(sp, 1);
334 ret = krb5_store_int32(sp, (context_handle->more_flags & LOCAL) ? 1 : 0);
336 ret = krb5_store_int32(sp, context_handle->lifetime);
338 krb5_auth_con_getlocalseqnumber (context,
339 context_handle->auth_context,
341 ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
343 ret = krb5_store_uint32(sp, (uint32_t)number);
345 krb5_auth_con_getremoteseqnumber (context,
346 context_handle->auth_context,
348 ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
350 ret = krb5_store_uint32(sp, (uint32_t)number);
352 ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
355 ret = _gsskrb5i_get_token_key(context_handle, context, &key);
359 int sign_alg, seal_alg;
361 switch (key->keytype) {
362 case ETYPE_DES_CBC_CRC:
363 case ETYPE_DES_CBC_MD4:
364 case ETYPE_DES_CBC_MD5:
368 case ETYPE_DES3_CBC_MD5:
369 case ETYPE_DES3_CBC_SHA1:
373 case ETYPE_ARCFOUR_HMAC_MD5:
374 case ETYPE_ARCFOUR_HMAC_MD5_56:
383 ret = krb5_store_int32(sp, sign_alg);
385 ret = krb5_store_int32(sp, seal_alg);
388 ret = krb5_store_keyblock(sp, *key);
391 int subkey_p = (context_handle->more_flags & ACCEPTOR_SUBKEY) ? 1 : 0;
393 /* have_acceptor_subkey */
394 ret = krb5_store_int32(sp, subkey_p);
397 ret = krb5_store_keyblock(sp, *key);
399 /* acceptor_subkey */
401 ret = krb5_store_keyblock(sp, *key);
405 ret = krb5_storage_to_data(sp, &data);
409 gss_buffer_desc ad_data;
411 ad_data.value = data.data;
412 ad_data.length = data.length;
414 ret = gss_add_buffer_set_member(minor_status, &ad_data, data_set);
415 krb5_data_free(&data);
422 krb5_free_keyblock (context, key);
424 krb5_storage_free(sp);
427 major_status = GSS_S_FAILURE;
429 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
434 get_authtime(OM_uint32 *minor_status,
436 gss_buffer_set_t *data_set)
439 gss_buffer_desc value;
440 unsigned char buf[4];
443 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
444 if (ctx->ticket == NULL) {
445 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
446 _gsskrb5_set_status(EINVAL, "No ticket to obtain auth time from");
447 *minor_status = EINVAL;
448 return GSS_S_FAILURE;
451 authtime = ctx->ticket->ticket.authtime;
453 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
455 _gsskrb5_encode_om_uint32(authtime, buf);
456 value.length = sizeof(buf);
459 return gss_add_buffer_set_member(minor_status,
467 (OM_uint32 *minor_status,
469 gss_buffer_set_t *data_set)
471 krb5_storage *sp = NULL;
473 OM_uint32 maj_stat = GSS_S_COMPLETE;
474 krb5_error_code ret = EINVAL;
476 sp = krb5_storage_emem();
478 _gsskrb5_clear_status();
479 *minor_status = ENOMEM;
480 return GSS_S_FAILURE;
483 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
484 if (ctx->service_keyblock == NULL) {
485 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
486 krb5_storage_free(sp);
487 _gsskrb5_set_status(EINVAL, "No service keyblock on gssapi context");
488 *minor_status = EINVAL;
489 return GSS_S_FAILURE;
492 krb5_data_zero(&data);
494 ret = krb5_store_keyblock(sp, *ctx->service_keyblock);
496 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
501 ret = krb5_storage_to_data(sp, &data);
506 gss_buffer_desc value;
508 value.length = data.length;
509 value.value = data.data;
511 maj_stat = gss_add_buffer_set_member(minor_status,
517 krb5_data_free(&data);
519 krb5_storage_free(sp);
522 maj_stat = GSS_S_FAILURE;
530 OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
531 (OM_uint32 *minor_status,
532 const gss_ctx_id_t context_handle,
533 const gss_OID desired_object,
534 gss_buffer_set_t *data_set)
536 krb5_context context;
537 const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
541 *minor_status = EINVAL;
542 return GSS_S_NO_CONTEXT;
545 GSSAPI_KRB5_INIT (&context);
547 if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) {
548 return inquire_sec_context_tkt_flags(minor_status,
551 } else if (gss_oid_equal(desired_object, GSS_C_PEER_HAS_UPDATED_SPNEGO)) {
552 return inquire_sec_context_has_updated_spnego(minor_status,
555 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) {
556 return inquire_sec_context_get_subkey(minor_status,
561 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) {
562 return inquire_sec_context_get_subkey(minor_status,
567 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) {
568 return inquire_sec_context_get_subkey(minor_status,
573 } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
574 return inquire_sec_context_get_sspi_session_key(minor_status,
578 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
579 return get_authtime(minor_status, ctx, data_set);
580 } else if (oid_prefix_equal(desired_object,
581 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X,
583 return inquire_sec_context_authz_data(minor_status,
588 } else if (oid_prefix_equal(desired_object,
589 GSS_KRB5_EXPORT_LUCID_CONTEXT_X,
592 return export_lucid_sec_context_v1(minor_status,
597 return GSS_S_FAILURE;
598 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SERVICE_KEYBLOCK_X)) {
599 return get_service_keyblock(minor_status, ctx, data_set);
602 return GSS_S_FAILURE;