1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright 1993 by OpenVision Technologies, Inc.
4 *
5 * Permission to use, copy, modify, distribute, and sell this software
6 * and its documentation for any purpose is hereby granted without fee,
7 * provided that the above copyright notice appears in all copies and
8 * that both that copyright notice and this permission notice appear in
9 * supporting documentation, and that the name of OpenVision not be used
10 * in advertising or publicity pertaining to distribution of the software
11 * without specific, written prior permission. OpenVision makes no
12 * representations about the suitability of this software for any
13 * purpose. It is provided "as is" without express or implied warranty.
14 *
15 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
16 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
17 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
18 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
19 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
20 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
21 * PERFORMANCE OF THIS SOFTWARE.
22 */
23 /*
24 * Copyright (c) 2006-2008, Novell, Inc.
25 * All rights reserved.
26 *
27 * Redistribution and use in source and binary forms, with or without
28 * modification, are permitted provided that the following conditions are met:
29 *
30 * * Redistributions of source code must retain the above copyright notice,
31 * this list of conditions and the following disclaimer.
32 * * Redistributions in binary form must reproduce the above copyright
33 * notice, this list of conditions and the following disclaimer in the
34 * documentation and/or other materials provided with the distribution.
35 * * The copyright holder's name is not used to endorse or promote products
36 * derived from this software without specific prior written permission.
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
39 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
42 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
43 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
44 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
45 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
46 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
48 * POSSIBILITY OF SUCH DAMAGE.
49 */
50 /*
51 * Copyright (c) 2006-2008, Novell, Inc.
52 * All rights reserved.
53 *
54 * Redistribution and use in source and binary forms, with or without
55 * modification, are permitted provided that the following conditions are met:
56 *
57 * * Redistributions of source code must retain the above copyright notice,
58 * this list of conditions and the following disclaimer.
59 * * Redistributions in binary form must reproduce the above copyright
60 * notice, this list of conditions and the following disclaimer in the
61 * documentation and/or other materials provided with the distribution.
62 * * The copyright holder's name is not used to endorse or promote products
63 * derived from this software without specific prior written permission.
64 *
65 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
66 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
67 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
68 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
69 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
70 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
71 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
72 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
73 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
74 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
75 * POSSIBILITY OF SUCH DAMAGE.
76 */
77
78 #include "gssapiP_krb5.h"
79
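/*
 * Implement gss_inquire_context() for the krb5 mechanism.  Every output
 * pointer may be NULL; only the ones supplied are filled in.
 *
 * For an established context the initiator and acceptor names are duplicated
 * (the caller releases them), lifetime_rec receives the remaining context
 * lifetime in seconds, and GSS_S_CONTEXT_EXPIRED is returned when that
 * lifetime is zero.  RFC 2743 requires a partially established context to
 * still report ret_flags, locally_initiated and opened (and permits
 * mech_type); for such a context the names are returned as GSS_C_NO_NAME and
 * the lifetime as 0.
 *
 * On a time lookup or name duplication failure *minor_status receives the
 * krb5 error code and GSS_S_FAILURE is returned; a name already duplicated
 * is released before returning.
 */
OM_uint32 KRB5_CALLCONV
krb5_gss_inquire_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
                         gss_name_t *initiator_name, gss_name_t *acceptor_name,
                         OM_uint32 *lifetime_rec, gss_OID *mech_type,
                         OM_uint32 *ret_flags, int *locally_initiated,
                         int *opened)
{
    krb5_context context;
    krb5_error_code code;
    krb5_gss_ctx_id_rec *ctx;
    krb5_gss_name_t initiator = NULL, acceptor = NULL;
    krb5_timestamp now, start;
    krb5_deltat remaining;
    OM_uint32 lifetime = 0;

    if (initiator_name)
        *initiator_name = (gss_name_t) NULL;
    if (acceptor_name)
        *acceptor_name = (gss_name_t) NULL;

    ctx = (krb5_gss_ctx_id_rec *) context_handle;
    context = ctx->k5_context;

    /* RFC 2743 states that a partially completed context must return
     * flags, locally_initiated, and open, and *may* return mech_type. */
    if (ctx->established) {
        if ((code = krb5_timeofday(context, &now))) {
            *minor_status = code;
            save_error_info(*minor_status, context);
            return(GSS_S_FAILURE);
        }

        /* Add the maximum allowable clock skew as a grace period for context
         * expiration, just as we do for the ticket during authentication. */
        start = ctx->initiate ? now : ts_incr(now, -context->clockskew);
        remaining = ts_interval(start, ctx->krb_times.endtime);

        /* ts_interval() yields a signed krb5_deltat, so a context that is
         * past its endtime produces a negative value.  Clamp it to 0 instead
         * of letting the conversion to OM_uint32 wrap to a huge "remaining"
         * lifetime, which would both misreport lifetime_rec and defeat the
         * expiry check at the end of this function. */
        lifetime = (remaining < 0) ? 0 : (OM_uint32) remaining;

        if (initiator_name) {
            code = kg_duplicate_name(context,
                                     ctx->initiate ? ctx->here : ctx->there,
                                     &initiator);
            if (code) {
                *minor_status = code;
                save_error_info(*minor_status, context);
                return(GSS_S_FAILURE);
            }
        }

        if (acceptor_name) {
            code = kg_duplicate_name(context,
                                     ctx->initiate ? ctx->there : ctx->here,
                                     &acceptor);
            if (code) {
                /* Do not leak the initiator copy made above. */
                if (initiator)
                    kg_release_name(context, &initiator);
                *minor_status = code;
                save_error_info(*minor_status, context);
                return(GSS_S_FAILURE);
            }
        }

        if (initiator_name)
            *initiator_name = (gss_name_t) initiator;
        if (acceptor_name)
            *acceptor_name = (gss_name_t) acceptor;
        if (lifetime_rec)
            *lifetime_rec = lifetime;
    } else {
        /* Names and lifetime are not meaningful before the context opens. */
        if (initiator_name)
            *initiator_name = GSS_C_NO_NAME;
        if (acceptor_name)
            *acceptor_name = GSS_C_NO_NAME;
        if (lifetime_rec)
            *lifetime_rec = 0;
    }

    if (mech_type)
        *mech_type = (gss_OID) ctx->mech_used;
    if (ret_flags)
        *ret_flags = ctx->gss_flags;
    if (locally_initiated)
        *locally_initiated = ctx->initiate;
    if (opened)
        *opened = ctx->established;

    *minor_status = 0;
    /* Only an established context can be reported as expired. */
    if (ctx->established && lifetime == 0)
        return GSS_S_CONTEXT_EXPIRED;
    return GSS_S_COMPLETE;
}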
188
/*
 * Release a partially built result set after a failure.  Element 0, when
 * present, holds a copy of the session key contents, so it is zapped before
 * the set is freed rather than leaving key bytes behind in released memory.
 */
static void
discard_partial_key_set(gss_buffer_set_t *data_set)
{
    OM_uint32 tmpmin;

    if (*data_set == GSS_C_NO_BUFFER_SET)
        return;
    if ((*data_set)->count != 0) {
        zap((*data_set)->elements[0].value,
            (*data_set)->elements[0].length);
    }
    gss_release_buffer_set(&tmpmin, data_set);
}

/*
 * Append two members to *data_set describing key: first the raw key
 * contents, then an OID formed from GSS_KRB5_SESSION_KEY_ENCTYPE_OID with the
 * key's enctype appended by generic_gss_oid_compose().
 *
 * Returns GSS_S_COMPLETE on success.  On any failure the major status of the
 * failing call is returned, *minor_status is whatever that call set, and the
 * partial set is zapped and released so no key material is handed back.
 */
static OM_uint32
inq_session_key_result(OM_uint32 *minor_status, krb5_key key,
                       gss_buffer_set_t *data_set)
{
    gss_buffer_desc keyvalue, keyinfo;
    /* Room for the OID prefix plus the enctype arc composed below. */
    unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6];
    gss_OID_desc oid;
    OM_uint32 major;

    /* Member 0: the key contents themselves. */
    keyvalue.value = key->keyblock.contents;
    keyvalue.length = key->keyblock.length;
    major = generic_gss_add_buffer_set_member(minor_status, &keyvalue,
                                              data_set);
    if (GSS_ERROR(major)) {
        discard_partial_key_set(data_set);
        return major;
    }

    /* Member 1: the enctype, encoded as an OID arc under the session key
     * enctype prefix. */
    oid.elements = oid_buf;
    oid.length = sizeof(oid_buf);
    major = generic_gss_oid_compose(minor_status,
                                    GSS_KRB5_SESSION_KEY_ENCTYPE_OID,
                                    GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
                                    key->keyblock.enctype, &oid);
    if (!GSS_ERROR(major)) {
        keyinfo.value = oid.elements;
        keyinfo.length = oid.length;
        major = generic_gss_add_buffer_set_member(minor_status, &keyinfo,
                                                  data_set);
    }
    if (GSS_ERROR(major)) {
        discard_partial_key_set(data_set);
        return major;
    }

    return GSS_S_COMPLETE;
}
235
/*
 * Return the negotiated session key of an established context as a
 * two-member buffer set (key contents, then enctype OID; see
 * inq_session_key_result()).  The acceptor subkey is used when one was
 * negotiated, otherwise the initiator subkey.  desired_object is the query
 * OID the caller selected and is not examined here.
 *
 * Returns GSS_S_NO_CONTEXT with *minor_status = KG_CTX_INCOMPLETE when the
 * context is terminated or not yet established.
 */
OM_uint32
gss_krb5int_inq_sspi_session_key(OM_uint32 *minor_status,
                                 const gss_ctx_id_t context_handle,
                                 const gss_OID desired_object,
                                 gss_buffer_set_t *data_set)
{
    krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle;
    krb5_key session_key;

    /* Key material is only meaningful once the exchange has completed. */
    if (!ctx->established || ctx->terminated) {
        *minor_status = KG_CTX_INCOMPLETE;
        return GSS_S_NO_CONTEXT;
    }

    if (ctx->have_acceptor_subkey)
        session_key = ctx->acceptor_subkey;
    else
        session_key = ctx->subkey;

    return inq_session_key_result(minor_status, session_key, data_set);
}
252
/*
 * Return the key held by the context's krb5 auth_context as a two-member
 * buffer set (key contents, then enctype OID; see inq_session_key_result()).
 * desired_object is the query OID the caller selected and is not examined
 * here.
 *
 * Returns GSS_S_NO_CONTEXT with *minor_status = KG_CTX_INCOMPLETE when the
 * context is terminated or not yet established, GSS_S_FAILURE with the krb5
 * error in *minor_status if the key cannot be fetched, and otherwise the
 * result of inq_session_key_result().
 */
OM_uint32
gss_krb5int_inq_odbc_session_key(OM_uint32 *minor_status,
                                 const gss_ctx_id_t context_handle,
                                 const gss_OID desired_object,
                                 gss_buffer_set_t *data_set)
{
    krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle;
    krb5_context kctx;
    krb5_key key;
    krb5_error_code ret;
    OM_uint32 major;

    if (!ctx->established || ctx->terminated) {
        *minor_status = KG_CTX_INCOMPLETE;
        return GSS_S_NO_CONTEXT;
    }

    kctx = ctx->k5_context;
    ret = krb5_auth_con_getkey_k(kctx, ctx->auth_context, &key);
    if (ret != 0) {
        *minor_status = ret;
        return GSS_S_FAILURE;
    }

    /* The key obtained above is ours to drop once copied into the set. */
    major = inq_session_key_result(minor_status, key, data_set);
    krb5_k_free_key(kctx, key);
    return major;
}
279
/*
 * Collect the context's authorization-data elements whose ad_type matches
 * the trailing arc of desired_object (decomposed against
 * GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID) into *data_set, one
 * member per matching element, in the order stored on the context.
 *
 * *data_set is reset to GSS_C_NO_BUFFER_SET first.  If desired_object does
 * not decompose or names ad_type 0, GSS_S_FAILURE is returned with
 * *minor_status = ENOENT.  If a member cannot be added, the partial set is
 * released and that call's major status is returned.  A context with no
 * authdata, or no matching element, yields GSS_S_COMPLETE and an empty set.
 */
OM_uint32
gss_krb5int_extract_authz_data_from_sec_context(
    OM_uint32 *minor_status,
    const gss_ctx_id_t context_handle,
    const gss_OID desired_object,
    gss_buffer_set_t *data_set)
{
    krb5_gss_ctx_id_rec *ctx = (krb5_gss_ctx_id_rec *) context_handle;
    OM_uint32 major_status, tmpmin;
    int ad_type = 0;
    size_t idx;

    *data_set = GSS_C_NO_BUFFER_SET;

    /* The requested ad_type is the arc following the fixed OID prefix. */
    major_status = generic_gss_oid_decompose(
        minor_status,
        GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID,
        GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
        desired_object, &ad_type);
    if (major_status != GSS_S_COMPLETE || ad_type == 0) {
        *minor_status = ENOENT;
        return GSS_S_FAILURE;
    }

    if (ctx->authdata == NULL)
        return major_status;

    for (idx = 0; ctx->authdata[idx] != NULL; idx++) {
        gss_buffer_desc ad_data;

        if (ctx->authdata[idx]->ad_type != ad_type)
            continue;

        ad_data.length = ctx->authdata[idx]->length;
        ad_data.value = ctx->authdata[idx]->contents;
        major_status = generic_gss_add_buffer_set_member(minor_status,
                                                         &ad_data, data_set);
        if (GSS_ERROR(major_status)) {
            /* Drop whatever was collected so far; nothing partial escapes. */
            generic_gss_release_buffer_set(&tmpmin, data_set);
            break;
        }
    }

    return major_status;
}
330
/*
 * Add one member to *data_set holding the context's krb_times.authtime as
 * stored on the context: sizeof(krb5_timestamp) bytes in host representation.
 * desired_oid is the query OID the caller selected and is not examined here.
 *
 * The descriptor points into the context itself; the member is presumably
 * copied by generic_gss_add_buffer_set_member() -- confirm in that helper.
 * Returns whatever generic_gss_add_buffer_set_member() returns.
 */
OM_uint32
gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status,
                                              const gss_ctx_id_t context_handle,
                                              const gss_OID desired_oid,
                                              gss_buffer_set_t *data_set)
{
    krb5_gss_ctx_id_rec *ctx = (krb5_gss_ctx_id_rec *) context_handle;
    gss_buffer_desc rep = {
        .length = sizeof(ctx->krb_times.authtime),
        .value = &ctx->krb_times.authtime
    };

    return generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
}
347
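/*
 * Report the SASL security strength factor (SSF) of an established context.
 * The SSF is derived by k5_enctype_to_ssf() from the enctype of the
 * negotiated session key (the acceptor subkey when one exists, otherwise the
 * initiator subkey) and returned as a single 4-byte big-endian member of
 * *data_set.  desired_object is the query OID the caller selected and is not
 * examined here.
 *
 * Returns GSS_S_NO_CONTEXT with *minor_status = KG_CTX_INCOMPLETE when the
 * context is terminated or not yet established, GSS_S_FAILURE with the krb5
 * error in *minor_status when the enctype has no SSF mapping, and otherwise
 * the result of generic_gss_add_buffer_set_member().
 */
OM_uint32
gss_krb5int_sec_context_sasl_ssf(OM_uint32 *minor_status,
                                 const gss_ctx_id_t context_handle,
                                 const gss_OID desired_object,
                                 gss_buffer_set_t *data_set)
{
    krb5_gss_ctx_id_rec *ctx = (krb5_gss_ctx_id_rec *)context_handle;
    krb5_key key;
    krb5_error_code code;
    gss_buffer_desc ssfbuf;
    unsigned int ssf;
    uint8_t buf[4];

    /* Same guard as the session-key queries in this file: the key, and so
     * the SSF, is only meaningful once the context is established, and the
     * key pointer is dereferenced unconditionally below. */
    if (ctx->terminated || !ctx->established) {
        *minor_status = KG_CTX_INCOMPLETE;
        return GSS_S_NO_CONTEXT;
    }

    key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;

    code = k5_enctype_to_ssf(key->keyblock.enctype, &ssf);
    if (code) {
        /* Set the minor code; previously GSS_S_FAILURE was returned with
         * *minor_status left untouched. */
        *minor_status = code;
        return GSS_S_FAILURE;
    }

    /* Fixed big-endian encoding so callers decode it independently of host
     * byte order. */
    store_32_be(ssf, buf);
    ssfbuf.value = buf;
    ssfbuf.length = sizeof(buf);

    return generic_gss_add_buffer_set_member(minor_status, &ssfbuf, data_set);
}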
374