1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright (C) 2011 by the Massachusetts Institute of Technology.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
29 * OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 /*
33 * This file contains dispatch functions for the three GSSAPI extensions
34 * described in draft-zhu-negoex-04, renamed to use the gssspi_ prefix. Since
35 * the only caller of these functions is SPNEGO, argument validation is
36 * omitted.
37 */
38
39 #include "mglueP.h"
40
/*
 * Dispatch gssspi_query_meta_data() to the mechanism selected by mech_oid.
 *
 * cred_handle and targ_name are union objects and are unwrapped to the
 * selected mechanism's internal credential and name before the call.  If
 * *context_handle already refers to a union context, its internal context is
 * passed through; otherwise the mechanism may create one, which is wrapped in
 * a new union context and returned via *context_handle.  meta_data is reset
 * to an empty buffer before the mechanism is consulted, so it is empty on
 * every failure path.
 *
 * Returns GSS_S_BAD_MECH if the mechanism is not loaded, GSS_S_UNAVAILABLE if
 * it does not implement this SPI, GSS_S_NO_CRED if cred_handle holds no
 * element for the mechanism, otherwise the mechanism's major status (with
 * *minor_status mapped through map_error() on failure).  A name imported
 * here, or a context the mechanism created that is not handed back, is
 * released before returning.
 */
OM_uint32 KRB5_CALLCONV
gssspi_query_meta_data(OM_uint32 *minor_status, gss_const_OID mech_oid,
                       gss_cred_id_t cred_handle, gss_ctx_id_t *context_handle,
                       const gss_name_t targ_name, OM_uint32 req_flags,
                       gss_buffer_t meta_data)
{
    OM_uint32 major, tmp_minor;
    gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;
    gss_union_cred_t ucred = (gss_union_cred_t)cred_handle;
    gss_union_name_t uname = (gss_union_name_t)targ_name;
    gss_mechanism mech;
    gss_OID selected_mech, public_mech;
    gss_cred_id_t mcred = GSS_C_NO_CREDENTIAL;
    gss_name_t mname = GSS_C_NO_NAME, owned_name = GSS_C_NO_NAME;
    gss_ctx_id_t created_ctx = GSS_C_NO_CONTEXT, *ctx_slot;

    *minor_status = 0;
    meta_data->length = 0;
    meta_data->value = NULL;

    major = gssint_select_mech_type(minor_status, mech_oid, &selected_mech);
    if (major != GSS_S_COMPLETE)
        return major;
    public_mech = gssint_get_public_oid(selected_mech);

    mech = gssint_get_mechanism(selected_mech);
    if (mech == NULL)
        return GSS_S_BAD_MECH;
    if (mech->gssspi_query_meta_data == NULL)
        return GSS_S_UNAVAILABLE;

    /* Pick the credential element belonging to the selected mechanism. */
    if (ucred != NULL) {
        mcred = gssint_get_mechanism_cred(ucred, selected_mech);
        if (mcred == GSS_C_NO_CREDENTIAL)
            return GSS_S_NO_CRED;
    }

    if (uname != NULL) {
        if (uname->mech_type != GSS_C_NO_OID &&
            g_OID_equal(uname->mech_type, selected_mech)) {
            /* Already in the selected mechanism's form; borrow it. */
            mname = uname->mech_name;
        } else {
            major = gssint_import_internal_name(minor_status, selected_mech,
                                                uname, &owned_name);
            if (major != GSS_S_COMPLETE)
                goto cleanup;
            mname = owned_name;
        }
    }

    /*
     * Give the mech either the existing internal context or a slot it can
     * fill with a newly created one.
     */
    ctx_slot = (uctx == NULL) ? &created_ctx : &uctx->internal_ctx_id;
    major = mech->gssspi_query_meta_data(minor_status, public_mech, mcred,
                                         ctx_slot, mname, req_flags,
                                         meta_data);
    if (major != GSS_S_COMPLETE) {
        map_error(minor_status, mech);
        goto cleanup;
    }

    if (created_ctx == GSS_C_NO_CONTEXT)
        goto cleanup;

    /* The mech created a context; wrap it in a union context for the caller. */
    assert(uctx == NULL);
    major = gssint_create_union_context(minor_status, selected_mech, &uctx);
    if (major == GSS_S_COMPLETE) {
        uctx->internal_ctx_id = created_ctx;
        created_ctx = GSS_C_NO_CONTEXT;
        *context_handle = (gss_ctx_id_t)uctx;
    }

cleanup:
    /*
     * Release only what this function acquired: the name we imported (never
     * the caller's) and any mech context that was not handed back.
     */
    if (owned_name != GSS_C_NO_NAME) {
        (void)gssint_release_internal_name(&tmp_minor, selected_mech,
                                           &owned_name);
    }
    if (created_ctx != GSS_C_NO_CONTEXT) {
        (void)gssint_delete_internal_sec_context(&tmp_minor, &mech->mech_type,
                                                 &created_ctx,
                                                 GSS_C_NO_BUFFER);
    }
    return major;
}
124
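/*
 * Dispatch gssspi_exchange_meta_data() to the mechanism selected by mech_oid.
 *
 * cred_handle and targ_name are union objects and are unwrapped to the
 * selected mechanism's internal credential and name before the call.  If
 * *context_handle already refers to a union context, its internal context is
 * passed through; otherwise the mechanism may create one, which is wrapped in
 * a new union context and returned via *context_handle.  meta_data is the
 * peer-supplied metadata blob and is passed to the mechanism unchanged.
 *
 * Returns GSS_S_BAD_MECH if the mechanism is not loaded, GSS_S_UNAVAILABLE if
 * it does not implement this SPI, GSS_S_NO_CRED if cred_handle holds no
 * element for the mechanism, otherwise the mechanism's major status (with
 * *minor_status mapped through map_error() on failure).  A name imported
 * here, or a context the mechanism created that is not handed back, is
 * released before returning.
 */
OM_uint32 KRB5_CALLCONV
gssspi_exchange_meta_data(OM_uint32 *minor_status, gss_const_OID mech_oid,
                          gss_cred_id_t cred_handle,
                          gss_ctx_id_t *context_handle,
                          const gss_name_t targ_name, OM_uint32 req_flags,
                          gss_const_buffer_t meta_data)
{
    OM_uint32 status, minor;
    gss_union_ctx_id_t ctx = (gss_union_ctx_id_t)*context_handle;
    gss_union_cred_t cred = (gss_union_cred_t)cred_handle;
    gss_union_name_t union_name = (gss_union_name_t)targ_name;
    gss_mechanism mech;
    gss_OID selected_mech, public_mech;
    gss_cred_id_t internal_cred = GSS_C_NO_CREDENTIAL;
    gss_name_t internal_name = GSS_C_NO_NAME, imported_name = GSS_C_NO_NAME;
    gss_ctx_id_t new_ctx = GSS_C_NO_CONTEXT, *internal_ctx;

    *minor_status = 0;

    status = gssint_select_mech_type(minor_status, mech_oid, &selected_mech);
    if (status != GSS_S_COMPLETE)
        return status;
    public_mech = gssint_get_public_oid(selected_mech);

    mech = gssint_get_mechanism(selected_mech);
    if (mech == NULL)
        return GSS_S_BAD_MECH;
    if (mech->gssspi_exchange_meta_data == NULL)
        return GSS_S_UNAVAILABLE;

    /* Pick the credential element belonging to the selected mechanism. */
    if (cred != NULL) {
        internal_cred = gssint_get_mechanism_cred(cred, selected_mech);
        if (internal_cred == GSS_C_NO_CREDENTIAL)
            return GSS_S_NO_CRED;
    }

    if (union_name != NULL) {
        if (union_name->mech_type != GSS_C_NO_OID &&
            g_OID_equal(union_name->mech_type, selected_mech)) {
            /* Already in the selected mechanism's form; borrow it. */
            internal_name = union_name->mech_name;
        } else {
            status = gssint_import_internal_name(minor_status, selected_mech,
                                                 union_name, &imported_name);
            /*
             * Treat anything other than GSS_S_COMPLETE as failure and leave
             * through cleanup, matching gssspi_query_meta_data(); an
             * informational major status without the error bits set would
             * otherwise be taken as having produced a usable name.
             */
            if (status != GSS_S_COMPLETE)
                goto cleanup;
            internal_name = imported_name;
        }
    }

    /*
     * Give the mech either the existing internal context or a slot it can
     * fill with a newly created one.
     */
    internal_ctx = (ctx != NULL) ? &ctx->internal_ctx_id : &new_ctx;
    status = mech->gssspi_exchange_meta_data(minor_status, public_mech,
                                             internal_cred, internal_ctx,
                                             internal_name, req_flags,
                                             meta_data);
    if (status != GSS_S_COMPLETE) {
        map_error(minor_status, mech);
        goto cleanup;
    }

    /* If the mech created a context, wrap it in a union context. */
    if (new_ctx != GSS_C_NO_CONTEXT) {
        assert(ctx == NULL);
        status = gssint_create_union_context(minor_status, selected_mech,
                                             &ctx);
        if (status != GSS_S_COMPLETE)
            goto cleanup;

        ctx->internal_ctx_id = new_ctx;
        new_ctx = GSS_C_NO_CONTEXT;
        *context_handle = (gss_ctx_id_t)ctx;
    }

cleanup:
    /*
     * Release only what this function acquired: the name we imported (never
     * the caller's) and any mech context that was not handed back.
     */
    if (imported_name != GSS_C_NO_NAME) {
        (void)gssint_release_internal_name(&minor, selected_mech,
                                           &imported_name);
    }
    if (new_ctx != GSS_C_NO_CONTEXT) {
        (void)gssint_delete_internal_sec_context(&minor, &mech->mech_type,
                                                 &new_ctx, GSS_C_NO_BUFFER);
    }
    return status;
}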
208
/*
 * Dispatch gssspi_query_mechanism_info() to the mechanism selected by
 * mech_oid.
 *
 * auth_scheme is a 16-byte output buffer; it is zeroed before dispatch so it
 * is fully defined on every return, including failures.  Returns
 * GSS_S_BAD_MECH if the mechanism is not loaded, GSS_S_UNAVAILABLE if it does
 * not implement this SPI, otherwise the mechanism's major status (with
 * *minor_status mapped through map_error() when it is an error).
 */
OM_uint32 KRB5_CALLCONV
gssspi_query_mechanism_info(OM_uint32 *minor_status, gss_const_OID mech_oid,
                            unsigned char auth_scheme[16])
{
    OM_uint32 major;
    gss_OID selected_mech, public_mech;
    gss_mechanism mech;

    *minor_status = 0;
    /* auth_scheme decays to a pointer; its size is fixed by the interface. */
    memset(auth_scheme, 0, 16);

    major = gssint_select_mech_type(minor_status, mech_oid, &selected_mech);
    if (major != GSS_S_COMPLETE)
        return major;
    public_mech = gssint_get_public_oid(selected_mech);

    mech = gssint_get_mechanism(selected_mech);
    if (mech == NULL)
        return GSS_S_BAD_MECH;
    if (mech->gssspi_query_mechanism_info == NULL)
        return GSS_S_UNAVAILABLE;

    major = mech->gssspi_query_mechanism_info(minor_status, public_mech,
                                              auth_scheme);
    /* Only genuine errors get their minor code mapped. */
    if (GSS_ERROR(major))
        map_error(minor_status, mech);
    return major;
}
238