2 * Copyright (c) 2005 Doug Rabson
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <gssapi/gssapi.h>
30 #include <gssapi/gssapi_krb5.h>
32 /* RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $"); */
38 gss_krb5_copy_ccache(OM_uint32 *minor_status,
42 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
49 ret = gss_inquire_cred_by_oid(minor_status,
51 GSS_KRB5_COPY_CCACHE_X,
56 if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
57 gss_release_buffer_set(minor_status, &data_set);
58 *minor_status = EINVAL;
62 kret = krb5_init_context(&context);
65 gss_release_buffer_set(minor_status, &data_set);
69 kret = asprintf(&str, "%.*s", (int)data_set->elements[0].length,
70 (char *)data_set->elements[0].value);
71 gss_release_buffer_set(minor_status, &data_set);
73 *minor_status = ENOMEM;
77 kret = krb5_cc_resolve(context, str, &id);
84 kret = krb5_cc_copy_cache(context, id, out);
85 krb5_cc_close(context, id);
86 krb5_free_context(context);
96 gss_krb5_import_cred(OM_uint32 *minor_status,
98 krb5_principal keytab_principal,
102 gss_buffer_desc buffer;
103 OM_uint32 major_status;
104 krb5_context context;
110 *cred = GSS_C_NO_CREDENTIAL;
112 ret = krb5_init_context(&context);
115 return GSS_S_FAILURE;
118 sp = krb5_storage_emem();
120 *minor_status = ENOMEM;
121 major_status = GSS_S_FAILURE;
126 ret = krb5_cc_get_full_name(context, id, &str);
128 ret = krb5_store_string(sp, str);
132 ret = krb5_store_string(sp, "");
135 major_status = GSS_S_FAILURE;
139 if (keytab_principal) {
140 ret = krb5_unparse_name(context, keytab_principal, &str);
142 ret = krb5_store_string(sp, str);
146 krb5_store_string(sp, "");
149 major_status = GSS_S_FAILURE;
155 ret = krb5_kt_get_full_name(context, keytab, &str);
157 ret = krb5_store_string(sp, str);
161 krb5_store_string(sp, "");
164 major_status = GSS_S_FAILURE;
168 ret = krb5_storage_to_data(sp, &data);
171 major_status = GSS_S_FAILURE;
175 buffer.value = data.data;
176 buffer.length = data.length;
178 major_status = gss_set_cred_option(minor_status,
180 GSS_KRB5_IMPORT_CRED_X,
182 krb5_data_free(&data);
185 krb5_storage_free(sp);
186 krb5_free_context(context);
191 gsskrb5_register_acceptor_identity(const char *identity)
193 gss_buffer_desc buffer;
196 buffer.value = rk_UNCONST(identity);
197 buffer.length = strlen(identity);
199 gss_set_sec_context_option(&junk, NULL,
200 GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
202 return (GSS_S_COMPLETE);
206 gsskrb5_set_dns_canonicalize(int flag)
208 gss_buffer_desc buffer;
210 char b = (flag != 0);
213 buffer.length = sizeof(b);
215 gss_set_sec_context_option(&junk, NULL,
216 GSS_KRB5_SET_DNS_CANONICALIZE_X, &buffer);
218 return (GSS_S_COMPLETE);
223 static krb5_error_code
224 set_key(krb5_keyblock *keyblock, gss_krb5_lucid_key_t *key)
226 key->type = keyblock->keytype;
227 key->length = keyblock->keyvalue.length;
228 key->data = malloc(key->length);
229 if (key->data == NULL && key->length != 0)
231 memcpy(key->data, keyblock->keyvalue.data, key->length);
236 free_key(gss_krb5_lucid_key_t *key)
238 memset(key->data, 0, key->length);
240 memset(key, 0, sizeof(*key));
244 gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
245 gss_ctx_id_t *context_handle,
249 krb5_context context = NULL;
251 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
252 OM_uint32 major_status;
253 gss_krb5_lucid_context_v1_t *ctx = NULL;
254 krb5_storage *sp = NULL;
257 if (context_handle == NULL
258 || *context_handle == GSS_C_NO_CONTEXT
262 return GSS_S_FAILURE;
266 gss_inquire_sec_context_by_oid (minor_status,
268 GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X,
273 if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
274 gss_release_buffer_set(minor_status, &data_set);
275 *minor_status = EINVAL;
276 return GSS_S_FAILURE;
279 ret = krb5_init_context(&context);
283 ctx = calloc(1, sizeof(*ctx));
289 sp = krb5_storage_from_mem(data_set->elements[0].value,
290 data_set->elements[0].length);
296 ret = krb5_ret_uint32(sp, &num);
304 ret = krb5_ret_uint32(sp, &ctx->initiate);
307 ret = krb5_ret_uint32(sp, &ctx->endtime);
310 ret = krb5_ret_uint32(sp, &num);
312 ctx->send_seq = ((uint64_t)num) << 32;
313 ret = krb5_ret_uint32(sp, &num);
315 ctx->send_seq |= num;
317 ret = krb5_ret_uint32(sp, &num);
319 ctx->recv_seq = ((uint64_t)num) << 32;
320 ret = krb5_ret_uint32(sp, &num);
322 ctx->recv_seq |= num;
324 ret = krb5_ret_uint32(sp, &ctx->protocol);
326 if (ctx->protocol == 0) {
330 ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.sign_alg);
333 ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.seal_alg);
336 ret = krb5_ret_keyblock(sp, &key);
338 ret = set_key(&key, &ctx->rfc1964_kd.ctx_key);
339 krb5_free_keyblock_contents(context, &key);
341 } else if (ctx->protocol == 1) {
344 /* acceptor_subkey */
345 ret = krb5_ret_uint32(sp, &ctx->cfx_kd.have_acceptor_subkey);
348 ret = krb5_ret_keyblock(sp, &key);
350 ret = set_key(&key, &ctx->cfx_kd.ctx_key);
351 krb5_free_keyblock_contents(context, &key);
353 /* acceptor_subkey */
354 if (ctx->cfx_kd.have_acceptor_subkey) {
355 ret = krb5_ret_keyblock(sp, &key);
357 ret = set_key(&key, &ctx->cfx_kd.acceptor_subkey);
358 krb5_free_keyblock_contents(context, &key);
369 gss_release_buffer_set(minor_status, &data_set);
371 krb5_storage_free(sp);
373 krb5_free_context(context);
377 gss_krb5_free_lucid_sec_context(NULL, ctx);
380 return GSS_S_FAILURE;
383 return GSS_S_COMPLETE;
387 gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
389 gss_krb5_lucid_context_v1_t *ctx = c;
391 if (ctx->version != 1) {
394 return GSS_S_FAILURE;
397 if (ctx->protocol == 0) {
398 free_key(&ctx->rfc1964_kd.ctx_key);
399 } else if (ctx->protocol == 1) {
400 free_key(&ctx->cfx_kd.ctx_key);
401 if (ctx->cfx_kd.have_acceptor_subkey)
402 free_key(&ctx->cfx_kd.acceptor_subkey);
407 return GSS_S_COMPLETE;
415 gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
417 OM_uint32 num_enctypes,
421 OM_uint32 maj_status;
422 gss_buffer_desc buffer;
427 sp = krb5_storage_emem();
429 *minor_status = ENOMEM;
430 maj_status = GSS_S_FAILURE;
434 for (i = 0; i < num_enctypes; i++) {
435 ret = krb5_store_int32(sp, enctypes[i]);
438 maj_status = GSS_S_FAILURE;
443 ret = krb5_storage_to_data(sp, &data);
446 maj_status = GSS_S_FAILURE;
450 buffer.value = data.data;
451 buffer.length = data.length;
453 maj_status = gss_set_cred_option(minor_status,
455 GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X,
457 krb5_data_free(&data);
460 krb5_storage_free(sp);
469 gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
471 gss_buffer_desc buffer;
476 buffer.length = sizeof(*c);
482 gss_set_sec_context_option(&junk, NULL,
483 GSS_KRB5_SEND_TO_KDC_X, &buffer);
485 return (GSS_S_COMPLETE);
493 gss_krb5_ccache_name(OM_uint32 *minor_status,
495 const char **out_name)
497 gss_buffer_desc buffer;
503 buffer.value = rk_UNCONST(name);
504 buffer.length = strlen(name);
506 gss_set_sec_context_option(&junk, NULL,
507 GSS_KRB5_CCACHE_NAME_X, &buffer);
509 return (GSS_S_COMPLETE);
518 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
519 gss_ctx_id_t context_handle,
522 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
525 if (context_handle == GSS_C_NO_CONTEXT) {
526 *minor_status = EINVAL;
527 return GSS_S_FAILURE;
531 gss_inquire_sec_context_by_oid (minor_status,
533 GSS_KRB5_GET_AUTHTIME_X,
538 if (data_set == GSS_C_NO_BUFFER_SET) {
539 gss_release_buffer_set(minor_status, &data_set);
540 *minor_status = EINVAL;
541 return GSS_S_FAILURE;
544 if (data_set->count != 1) {
545 gss_release_buffer_set(minor_status, &data_set);
546 *minor_status = EINVAL;
547 return GSS_S_FAILURE;
550 if (data_set->elements[0].length != 4) {
551 gss_release_buffer_set(minor_status, &data_set);
552 *minor_status = EINVAL;
553 return GSS_S_FAILURE;
557 unsigned char *buf = data_set->elements[0].value;
558 *authtime = (buf[3] <<24) | (buf[2] << 16) |
559 (buf[1] << 8) | (buf[0] << 0);
562 gss_release_buffer_set(minor_status, &data_set);
565 return GSS_S_COMPLETE;
573 gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
574 gss_ctx_id_t context_handle,
576 gss_buffer_t ad_data)
578 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
580 gss_OID_desc oid_flat;
581 heim_oid baseoid, oid;
584 if (context_handle == GSS_C_NO_CONTEXT) {
585 *minor_status = EINVAL;
586 return GSS_S_FAILURE;
589 /* All this to append an integer to an oid... */
591 if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements,
592 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length,
593 &baseoid, NULL) != 0) {
594 *minor_status = EINVAL;
595 return GSS_S_FAILURE;
598 oid.length = baseoid.length + 1;
599 oid.components = calloc(oid.length, sizeof(*oid.components));
600 if (oid.components == NULL) {
601 der_free_oid(&baseoid);
603 *minor_status = ENOMEM;
604 return GSS_S_FAILURE;
607 memcpy(oid.components, baseoid.components,
608 baseoid.length * sizeof(*baseoid.components));
610 der_free_oid(&baseoid);
612 oid.components[oid.length - 1] = ad_type;
614 oid_flat.length = der_length_oid(&oid);
615 oid_flat.elements = malloc(oid_flat.length);
616 if (oid_flat.elements == NULL) {
617 free(oid.components);
618 *minor_status = ENOMEM;
619 return GSS_S_FAILURE;
622 if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1,
623 oid_flat.length, &oid, &size) != 0) {
624 free(oid.components);
625 free(oid_flat.elements);
626 *minor_status = EINVAL;
627 return GSS_S_FAILURE;
629 if (oid_flat.length != size)
632 free(oid.components);
634 /* FINALLY, we have the OID */
636 maj_stat = gss_inquire_sec_context_by_oid (minor_status,
641 free(oid_flat.elements);
646 if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
647 gss_release_buffer_set(minor_status, &data_set);
648 *minor_status = EINVAL;
649 return GSS_S_FAILURE;
652 ad_data->value = malloc(data_set->elements[0].length);
653 if (ad_data->value == NULL) {
654 gss_release_buffer_set(minor_status, &data_set);
655 *minor_status = ENOMEM;
656 return GSS_S_FAILURE;
659 ad_data->length = data_set->elements[0].length;
660 memcpy(ad_data->value, data_set->elements[0].value, ad_data->length);
661 gss_release_buffer_set(minor_status, &data_set);
664 return GSS_S_COMPLETE;
672 gsskrb5_extract_key(OM_uint32 *minor_status,
673 gss_ctx_id_t context_handle,
675 krb5_keyblock **keyblock)
678 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
679 OM_uint32 major_status;
680 krb5_context context = NULL;
681 krb5_storage *sp = NULL;
683 if (context_handle == GSS_C_NO_CONTEXT) {
685 return GSS_S_FAILURE;
688 ret = krb5_init_context(&context);
691 return GSS_S_FAILURE;
695 gss_inquire_sec_context_by_oid (minor_status,
702 if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
703 gss_release_buffer_set(minor_status, &data_set);
704 *minor_status = EINVAL;
705 return GSS_S_FAILURE;
708 sp = krb5_storage_from_mem(data_set->elements[0].value,
709 data_set->elements[0].length);
715 *keyblock = calloc(1, sizeof(**keyblock));
716 if (keyblock == NULL) {
721 ret = krb5_ret_keyblock(sp, *keyblock);
724 gss_release_buffer_set(minor_status, &data_set);
726 krb5_storage_free(sp);
727 if (ret && keyblock) {
728 krb5_free_keyblock(context, *keyblock);
732 krb5_free_context(context);
736 return GSS_S_FAILURE;
738 return GSS_S_COMPLETE;
746 gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
747 gss_ctx_id_t context_handle,
748 krb5_keyblock **keyblock)
750 return gsskrb5_extract_key(minor_status,
752 GSS_KRB5_GET_SERVICE_KEYBLOCK_X,
757 gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
758 gss_ctx_id_t context_handle,
759 krb5_keyblock **keyblock)
761 return gsskrb5_extract_key(minor_status,
763 GSS_KRB5_GET_INITIATOR_SUBKEY_X,
768 gsskrb5_get_subkey(OM_uint32 *minor_status,
769 gss_ctx_id_t context_handle,
770 krb5_keyblock **keyblock)
772 return gsskrb5_extract_key(minor_status,
774 GSS_KRB5_GET_SUBKEY_X,
779 gsskrb5_set_default_realm(const char *realm)
781 gss_buffer_desc buffer;
784 buffer.value = rk_UNCONST(realm);
785 buffer.length = strlen(realm);
787 gss_set_sec_context_option(&junk, NULL,
788 GSS_KRB5_SET_DEFAULT_REALM_X, &buffer);
790 return (GSS_S_COMPLETE);
794 gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
795 gss_ctx_id_t context_handle,
796 OM_uint32 *tkt_flags)
799 OM_uint32 major_status;
800 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
802 if (context_handle == GSS_C_NO_CONTEXT) {
803 *minor_status = EINVAL;
804 return GSS_S_FAILURE;
808 gss_inquire_sec_context_by_oid (minor_status,
810 GSS_KRB5_GET_TKT_FLAGS_X,
815 if (data_set == GSS_C_NO_BUFFER_SET ||
816 data_set->count != 1 ||
817 data_set->elements[0].length < 4) {
818 gss_release_buffer_set(minor_status, &data_set);
819 *minor_status = EINVAL;
820 return GSS_S_FAILURE;
824 const u_char *p = data_set->elements[0].value;
825 *tkt_flags = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
828 gss_release_buffer_set(minor_status, &data_set);
829 return GSS_S_COMPLETE;
projects / FreeBSD / releng / 9.2.git / blob