1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright 1993 by OpenVision Technologies, Inc.
4 *
5 * Permission to use, copy, modify, distribute, and sell this software
6 * and its documentation for any purpose is hereby granted without fee,
7 * provided that the above copyright notice appears in all copies and
8 * that both that copyright notice and this permission notice appear in
9 * supporting documentation, and that the name of OpenVision not be used
10 * in advertising or publicity pertaining to distribution of the software
11 * without specific, written prior permission. OpenVision makes no
12 * representations about the suitability of this software for any
13 * purpose. It is provided "as is" without express or implied warranty.
14 *
15 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
16 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
17 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
18 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
19 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
20 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
21 * PERFORMANCE OF THIS SOFTWARE.
22 */
23
24 #include "gssapiP_generic.h"
25 #include "k5-der.h"
26 #ifdef HAVE_MEMORY_H
27 #include <memory.h>
28 #endif
29 #include <limits.h>
30
31 /*
32 * $Id$
33 */
34
35 /* Return the length of an RFC 4121 token with RFC 2743 token framing, given
36 * the mech oid and the body size (without the two-byte RFC 4121 token ID). */
37 unsigned int
g_token_size(const gss_OID_desc * mech,unsigned int body_size)38 g_token_size(const gss_OID_desc * mech, unsigned int body_size)
39 {
40 size_t mech_der_len = k5_der_value_len(mech->length);
41
42 return k5_der_value_len(mech_der_len + 2 + body_size);
43 }
44
45 /*
46 * Add RFC 2743 generic token framing to buf with room left for body_size bytes
47 * in the sequence to be added by the caller. If tok_type is not -1, add it as
48 * a two-byte RFC 4121 token identifier after the framing and include room for
49 * it in the sequence.
50 */
51 void
g_make_token_header(struct k5buf * buf,const gss_OID_desc * mech,size_t body_size,int tok_type)52 g_make_token_header(struct k5buf *buf, const gss_OID_desc *mech,
53 size_t body_size, int tok_type)
54 {
55 size_t tok_len = (tok_type == -1) ? 0 : 2;
56 size_t seq_len = k5_der_value_len(mech->length) + body_size + tok_len;
57
58 k5_der_add_taglen(buf, 0x60, seq_len);
59 k5_der_add_value(buf, 0x06, mech->elements, mech->length);
60 if (tok_type != -1)
61 k5_buf_add_uint16_be(buf, tok_type);
62 }
63
64 /*
65 * If a valid GSSAPI generic token header is present at the beginning of *in,
66 * advance past it, set *oid_out to the mechanism OID in the header, set
67 * *token_len_out to the total token length (including the header) as indicated
68 * by length of the outermost DER value, and return true. Otherwise return
69 * false, leaving *in unchanged if it did not begin with a 0x60 byte.
70 *
71 * Do not verify that the outermost length matches or fits within in->len, as
72 * we need to be able to handle a detached header for krb5 IOV unwrap. It is
73 * the caller's responsibility to validate *token_len_out if necessary.
74 */
75 int
g_get_token_header(struct k5input * in,gss_OID oid_out,size_t * token_len_out)76 g_get_token_header(struct k5input *in, gss_OID oid_out, size_t *token_len_out)
77 {
78 size_t len, tlen;
79 const uint8_t *orig_ptr = in->ptr;
80 struct k5input oidbytes;
81
82 /* Read the outermost tag and length, and compute the full token length. */
83 if (!k5_der_get_taglen(in, 0x60, &len))
84 return 0;
85 tlen = len + (in->ptr - orig_ptr);
86
87 /* Read the mechanism OID. */
88 if (!k5_der_get_value(in, 0x06, &oidbytes))
89 return 0;
90 oid_out->length = oidbytes.len;
91 oid_out->elements = (uint8_t *)oidbytes.ptr;
92
93 *token_len_out = tlen;
94 return 1;
95 }
96
97 /*
98 * If a token header for expected_mech is present in *in and the token length
99 * indicated by the header is equal to in->len, advance past the header and
100 * return true. Otherwise return false. Leave *in unmodified if no token
101 * header is present or it is for a different mechanism.
102 */
103 int
g_verify_token_header(struct k5input * in,gss_const_OID expected_mech)104 g_verify_token_header(struct k5input *in, gss_const_OID expected_mech)
105 {
106 struct k5input orig = *in;
107 gss_OID_desc mech;
108 size_t tlen, orig_len = in->len;
109
110 if (!g_get_token_header(in, &mech, &tlen) || tlen != orig_len ||
111 !g_OID_equal(&mech, expected_mech)) {
112 *in = orig;
113 return 0;
114 }
115 return 1;
116 }
117