/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * Copyright 1993 by OpenVision Technologies, Inc.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the name of OpenVision not be used
 * in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose.  It is provided "as is" without express or implied warranty.
 *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

#include <gssapiP_krb5.h>

/*
 * $Id: delete_sec_context.c,v 1.15 1998/10/30 02:54:17 marc Exp $
 */

/*
 * Locked entry point for deleting a krb5 GSS-API security context.
 *
 * Takes the global krb5_mutex around krb5_gss_delete_sec_context_no_lock()
 * so that every piece of context state the unlocked routine frees is
 * reached under the lock, then hands back that routine's major status.
 * The argument and status contract is documented on the _no_lock variant.
 */
OM_uint32
krb5_gss_delete_sec_context(void *ct, OM_uint32 *minor_status,
    gss_ctx_id_t *context_handle, gss_buffer_t output_token
#ifdef _KERNEL
    , OM_uint32 gssd_ctx_verifier
#endif
    )
{
	OM_uint32 status;

	mutex_lock(&krb5_mutex);
	status = krb5_gss_delete_sec_context_no_lock(ct, minor_status,
	    context_handle, output_token
#ifdef _KERNEL
	    , gssd_ctx_verifier
#endif
	    );
	mutex_unlock(&krb5_mutex);

	return (status);
}

/*
 * Release everything owned by a context record and then the record itself.
 *
 * Frees, in order, the sequence-number state, the enc/seq keyblocks, the
 * local and remote principals, both sub-keys, the auth_context (user land
 * only) and the mech OID bytes, then clears the record and frees it.
 * Only called with a handle that has already been validated and removed
 * from the list of live contexts.
 */
static void
release_ctx_contents(krb5_context context, krb5_gss_ctx_id_rec *ctx)
{
	if (ctx->seqstate != NULL)
		g_order_free(&(ctx->seqstate));

	if (ctx->enc != NULL)
		krb5_free_keyblock(context, ctx->enc);
	if (ctx->seq != NULL)
		krb5_free_keyblock(context, ctx->seq);

	if (ctx->here != NULL)
		krb5_free_principal(context, ctx->here);
	if (ctx->there != NULL)
		krb5_free_principal(context, ctx->there);

	if (ctx->subkey != NULL)
		krb5_free_keyblock(context, ctx->subkey);
	if (ctx->acceptor_subkey != NULL)
		krb5_free_keyblock(context, ctx->acceptor_subkey);

	/* The auth_context is never imported into the kernel. */
#ifndef _KERNEL
	if (ctx->auth_context != NULL) {
		/* Detach the replay cache first so it is not torn down here. */
		(void) krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
		krb5_auth_con_free(context, ctx->auth_context);
	}
#endif

	/*
	 * Solaris Kerberos: mech_used is an embedded gss_OID_desc (see
	 * gssapiP_krb5.h), not a gss_OID_desc pointer, so gss_release_oid()
	 * does not apply; only the element bytes are heap-allocated.  The
	 * descriptor itself is wiped with the rest of the record below.
	 */
	if (ctx->mech_used.length != 0)
		xfree_wrap(ctx->mech_used.elements, ctx->mech_used.length);

	/*
	 * Scrub the record before releasing it so that freed memory does
	 * not keep pointers to the state just released.
	 * NOTE(review): a plain memset() immediately before a free is a
	 * dead store that an optimizing compiler may drop; if any secret
	 * is stored inline in krb5_gss_ctx_id_rec (rather than behind the
	 * keyblock pointers freed above) a non-elidable clear would be
	 * needed here -- confirm against the struct definition.
	 */
	(void) memset(ctx, 0, sizeof (*ctx));
	xfree_wrap(ctx, sizeof (krb5_gss_ctx_id_rec));
}

/*
 * Delete a krb5 GSS-API security context; caller holds krb5_mutex.
 *
 * ct              krb5 library context used for the free routines and
 *                 for sealing the delete token.
 * minor_status    set to 0 on success, G_VALIDATE_FAILED for an unknown
 *                 handle, otherwise whatever kg_seal() reported.
 * context_handle  in: handle to delete; out: GSS_C_NO_CONTEXT once the
 *                 context has been freed.
 * output_token    optional; when non-NULL it receives a sealed
 *                 delete-context token (KG_TOK_DEL_CTX).  It is reset to
 *                 an empty buffer before anything else can fail.
 * gssd_ctx_verifier (kernel only) unused here; see ARGSUSED.
 *
 * Returns GSS_S_COMPLETE on success and for GSS_C_NO_CONTEXT (a no-op),
 * GSS_S_NO_CONTEXT when the handle is not a live context, or the
 * kg_seal() failure status.  On a kg_seal() failure the context is left
 * allocated and registered and *context_handle is unchanged, so the
 * caller still owns it.
 */
/*ARGSUSED*/
OM_uint32
krb5_gss_delete_sec_context_no_lock(void *ct, OM_uint32 *minor_status,
    gss_ctx_id_t *context_handle, gss_buffer_t output_token
#ifdef _KERNEL
    , OM_uint32 gssd_ctx_verifier
#endif
    )
{
	krb5_context context = ct;
	krb5_gss_ctx_id_rec *ctx;

	/*
	 * Solaris Kerberos: the caller's krb5_context is used as-is; the
	 * upstream kg_get_context() lookup is not done because the global
	 * kg_context is used for MT safety.
	 */

	/* Hand back an empty token on every path that returns early. */
	if (output_token != NULL) {
		output_token->length = 0;
		output_token->value = NULL;
	}

	/*SUPPRESS 29*/
	if (*context_handle == GSS_C_NO_CONTEXT) {
		*minor_status = 0;
		return (GSS_S_COMPLETE);
	}

	/*SUPPRESS 29*/
	/*
	 * Refuse anything that is not a registered context, so a stale or
	 * bogus handle is never dereferenced below.
	 */
	if (!kg_validate_ctx_id(*context_handle)) {
		*minor_status = (OM_uint32) G_VALIDATE_FAILED;
		return (GSS_S_NO_CONTEXT);
	}

	/*
	 * Build the delete-context token while the handle is still live;
	 * kg_seal() needs a valid context.  A sealing failure is returned
	 * as-is and leaves the context intact for the caller.
	 */
	if (output_token != NULL) {
		gss_buffer_desc empty;
		OM_uint32 seal_status;

		empty.length = 0;
		empty.value = NULL;
		seal_status = kg_seal(context, minor_status, *context_handle,
		    0, GSS_C_QOP_DEFAULT, &empty, NULL, output_token,
		    KG_TOK_DEL_CTX);
		if (seal_status != 0)
			return (seal_status);
	}

	/* Unregister the handle, then release everything it owned. */
	(void) kg_delete_ctx_id(*context_handle);
	ctx = (krb5_gss_ctx_id_rec *) *context_handle;
	release_ctx_contents(context, ctx);

	/* The caller's handle must not point at freed memory. */
	*context_handle = GSS_C_NO_CONTEXT;

	*minor_status = 0;
	return (GSS_S_COMPLETE);
}