2 * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
19 * $Id: gssapi_link.c,v 1.16.10.1 2011-03-28 05:36:05 marka Exp $
26 #include <isc/base64.h>
27 #include <isc/buffer.h>
29 #include <isc/string.h>
32 #include <dst/result.h>
34 #include "dst_internal.h"
35 #include "dst_parse.h"
37 #include <dst/gssapi.h>
39 #define INITIAL_BUFFER_SIZE 1024
40 #define BUFFER_EXTRA 1024
42 #define REGION_TO_GBUFFER(r, gb) \
44 (gb).length = (r).length; \
45 (gb).value = (r).base; \
48 #define GBUFFER_TO_REGION(gb, r) \
50 (r).length = (gb).length; \
51 (r).base = (gb).value; \
55 struct dst_gssapi_signverifyctx {
60 * Allocate a temporary "context" for use in gathering data for signing
64 gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
65 dst_gssapi_signverifyctx_t *ctx;
70 ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
72 return (ISC_R_NOMEMORY);
74 result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
76 if (result != ISC_R_SUCCESS) {
77 isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
81 dctx->ctxdata.gssctx = ctx;
83 return (ISC_R_SUCCESS);
87 * Destroy the temporary sign/verify context.
90 gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
91 dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
94 if (ctx->buffer != NULL)
95 isc_buffer_free(&ctx->buffer);
96 isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
97 dctx->ctxdata.gssctx = NULL;
102 * Add data to our running buffer of data we will be signing or verifying.
103 * This code will see if the new data will fit in our existing buffer, and
104 * copy it in if it will. If not, it will attempt to allocate a larger
105 * buffer and copy old+new into it, and free the old buffer.
108 gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
109 dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
110 isc_buffer_t *newbuffer = NULL;
115 result = isc_buffer_copyregion(ctx->buffer, data);
116 if (result == ISC_R_SUCCESS)
117 return (ISC_R_SUCCESS);
119 length = isc_buffer_length(ctx->buffer) + data->length + BUFFER_EXTRA;
121 result = isc_buffer_allocate(dctx->mctx, &newbuffer, length);
122 if (result != ISC_R_SUCCESS)
125 isc_buffer_usedregion(ctx->buffer, &r);
126 (void)isc_buffer_copyregion(newbuffer, &r);
127 (void)isc_buffer_copyregion(newbuffer, data);
129 isc_buffer_free(&ctx->buffer);
130 ctx->buffer = newbuffer;
132 return (ISC_R_SUCCESS);
139 gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
140 dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
141 isc_region_t message;
142 gss_buffer_desc gmessage, gsig;
143 OM_uint32 minor, gret;
144 gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
148 * Convert the data we wish to sign into a structure gssapi can
151 isc_buffer_usedregion(ctx->buffer, &message);
152 REGION_TO_GBUFFER(message, gmessage);
155 * Generate the signature.
157 gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage,
161 * If it did not complete, we log the result and return a generic
164 if (gret != GSS_S_COMPLETE) {
165 gss_log(3, "GSS sign error: %s",
166 gss_error_tostring(gret, minor, buf, sizeof(buf)));
167 return (ISC_R_FAILURE);
171 * If it will not fit in our allocated buffer, return that we need
174 if (gsig.length > isc_buffer_availablelength(sig)) {
175 gss_release_buffer(&minor, &gsig);
176 return (ISC_R_NOSPACE);
180 * Copy the output into our buffer space, and release the gssapi
183 isc_buffer_putmem(sig, gsig.value, gsig.length);
184 if (gsig.length != 0U)
185 gss_release_buffer(&minor, &gsig);
187 return (ISC_R_SUCCESS);
194 gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
195 dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
196 isc_region_t message, r;
197 gss_buffer_desc gmessage, gsig;
198 OM_uint32 minor, gret;
199 gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
204 * Convert the data we wish to sign into a structure gssapi can
207 isc_buffer_usedregion(ctx->buffer, &message);
208 REGION_TO_GBUFFER(message, gmessage);
212 * It seem that gss_verify_mic() modifies the signature buffer,
213 * at least on Heimdal's implementation. Copy it here to an allocated
216 buf = isc_mem_allocate(dst__memory_pool, sig->length);
218 return (ISC_R_FAILURE);
219 memcpy(buf, sig->base, sig->length);
221 r.length = sig->length;
222 REGION_TO_GBUFFER(r, gsig);
227 gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
229 isc_mem_free(dst__memory_pool, buf);
232 * Convert return codes into something useful to us.
234 if (gret != GSS_S_COMPLETE) {
235 gss_log(3, "GSS verify error: %s",
236 gss_error_tostring(gret, minor, err, sizeof(err)));
237 if (gret == GSS_S_DEFECTIVE_TOKEN ||
238 gret == GSS_S_BAD_SIG ||
239 gret == GSS_S_DUPLICATE_TOKEN ||
240 gret == GSS_S_OLD_TOKEN ||
241 gret == GSS_S_UNSEQ_TOKEN ||
242 gret == GSS_S_GAP_TOKEN ||
243 gret == GSS_S_CONTEXT_EXPIRED ||
244 gret == GSS_S_NO_CONTEXT ||
245 gret == GSS_S_FAILURE)
246 return(DST_R_VERIFYFAILURE);
248 return (ISC_R_FAILURE);
251 return (ISC_R_SUCCESS);
255 gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
256 gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
257 gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
260 return (ISC_TF(gsskey1 == gsskey2));
264 gssapi_generate(dst_key_t *key, int unused, void (*callback)(int)) {
270 return (ISC_R_FAILURE);
274 gssapi_isprivate(const dst_key_t *key) {
280 gssapi_destroy(dst_key_t *key) {
281 REQUIRE(key != NULL);
282 dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
283 key->keydata.gssctx = NULL;
287 gssapi_restore(dst_key_t *key, const char *keystr) {
288 OM_uint32 major, minor;
290 isc_buffer_t *b = NULL;
292 gss_buffer_desc gssbuffer;
295 len = strlen(keystr);
297 return (ISC_R_BADBASE64);
301 result = isc_buffer_allocate(key->mctx, &b, len);
302 if (result != ISC_R_SUCCESS)
305 result = isc_base64_decodestring(keystr, b);
306 if (result != ISC_R_SUCCESS) {
311 isc_buffer_remainingregion(b, &r);
312 REGION_TO_GBUFFER(r, gssbuffer);
313 major = gss_import_sec_context(&minor, &gssbuffer,
314 &key->keydata.gssctx);
315 if (major != GSS_S_COMPLETE) {
317 return (ISC_R_FAILURE);
321 return (ISC_R_SUCCESS);
325 gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
326 OM_uint32 major, minor;
327 gss_buffer_desc gssbuffer;
334 major = gss_export_sec_context(&minor, &key->keydata.gssctx,
336 if (major != GSS_S_COMPLETE) {
337 fprintf(stderr, "gss_export_sec_context -> %d, %d\n",
339 return (ISC_R_FAILURE);
341 if (gssbuffer.length == 0U)
342 return (ISC_R_FAILURE);
343 len = ((gssbuffer.length + 2)/3) * 4;
344 buf = isc_mem_get(mctx, len);
346 gss_release_buffer(&minor, &gssbuffer);
347 return (ISC_R_NOMEMORY);
349 isc_buffer_init(&b, buf, len);
350 GBUFFER_TO_REGION(gssbuffer, r);
351 result = isc_base64_totext(&r, 0, "", &b);
352 RUNTIME_CHECK(result == ISC_R_SUCCESS);
353 gss_release_buffer(&minor, &gssbuffer);
356 return (ISC_R_SUCCESS);
359 static dst_func_t gssapi_functions = {
360 gssapi_create_signverify_ctx,
361 gssapi_destroy_signverify_ctx,
365 NULL, /*%< computesecret */
367 NULL, /*%< paramcompare */
372 NULL, /*%< fromdns */
375 NULL, /*%< cleanup */
376 NULL, /*%< fromlabel */
382 dst__gssapi_init(dst_func_t **funcp) {
383 REQUIRE(funcp != NULL);
385 *funcp = &gssapi_functions;
386 return (ISC_R_SUCCESS);
390 int gssapi_link_unneeded = 1;