2 * Copyright (c) 2004, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * glue routine for _gsskrb5_inquire_sec_context_by_oid
37 #include "gsskrb5_locl.h"
40 get_bool(OM_uint32 *minor_status,
41 const gss_buffer_t value,
44 if (value->value == NULL || value->length != 1) {
45 *minor_status = EINVAL;
48 *flag = *((const char *)value->value) != 0;
49 return GSS_S_COMPLETE;
53 get_string(OM_uint32 *minor_status,
54 const gss_buffer_t value,
57 if (value == NULL || value->length == 0) {
60 *str = malloc(value->length + 1);
63 return GSS_S_UNAVAILABLE;
65 memcpy(*str, value->value, value->length);
66 (*str)[value->length] = '\0';
68 return GSS_S_COMPLETE;
72 get_int32(OM_uint32 *minor_status,
73 const gss_buffer_t value,
77 if (value == NULL || value->length == 0)
79 else if (value->length == sizeof(*ret))
80 memcpy(ret, value->value, sizeof(*ret));
82 return GSS_S_UNAVAILABLE;
84 return GSS_S_COMPLETE;
88 set_int32(OM_uint32 *minor_status,
89 const gss_buffer_t value,
93 if (value->length == sizeof(set))
94 memcpy(value->value, &set, sizeof(set));
96 return GSS_S_UNAVAILABLE;
98 return GSS_S_COMPLETE;
102 * GSS_KRB5_IMPORT_RFC4121_CONTEXT_X is an internal, private interface
103 * to allow SAnon to create a skeletal context for using RFC4121 message
104 * protection services.
106 * rfc4121_args ::= initiator_flag || flags || enctype || session key
109 make_rfc4121_context(OM_uint32 *minor,
110 krb5_context context,
111 gss_ctx_id_t *context_handle,
112 gss_const_buffer_t rfc4121_args)
114 OM_uint32 major = GSS_S_FAILURE, tmp;
116 krb5_storage *sp = NULL;
117 gsskrb5_ctx ctx = NULL;
118 uint8_t initiator_flag;
125 sp = krb5_storage_from_readonly_mem(rfc4121_args->value, rfc4121_args->length);
131 krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_HOST);
133 ctx = calloc(1, sizeof(*ctx));
139 ret = krb5_ret_uint8(sp, &initiator_flag);
143 ret = krb5_ret_uint32(sp, &ctx->flags);
147 ctx->more_flags = IS_CFX | ACCEPTOR_SUBKEY | OPEN;
149 ctx->more_flags |= LOCAL;
151 ctx->state = initiator_flag ? INITIATOR_READY : ACCEPTOR_READY;
153 ret = krb5_ret_int32(sp, &enctype);
157 ret = krb5_enctype_keysize(context, enctype, &keysize);
161 ctx->auth_context = calloc(1, sizeof(*ctx->auth_context));
162 if (ctx->auth_context == NULL) {
167 key = calloc(1, sizeof(*key));
173 ctx->auth_context->remote_subkey = key;
175 ctx->auth_context->local_subkey = key;
177 key->keytype = enctype;
178 key->keyvalue.data = malloc(keysize);
179 if (key->keyvalue.data == NULL) {
184 if (krb5_storage_read(sp, key->keyvalue.data, keysize) != keysize) {
188 key->keyvalue.length = keysize;
190 ret = krb5_crypto_init(context, key, 0, &ctx->crypto);
194 major = _gssapi_msg_order_create(minor, &ctx->order,
195 _gssapi_msg_order_f(ctx->flags),
197 if (major != GSS_S_COMPLETE)
201 krb5_storage_free(sp);
203 if (major != GSS_S_COMPLETE) {
206 _gsskrb5_delete_sec_context(&tmp, (gss_ctx_id_t *)&ctx, GSS_C_NO_BUFFER);
208 *context_handle = (gss_ctx_id_t)ctx;
214 OM_uint32 GSSAPI_CALLCONV
215 _gsskrb5_set_sec_context_option
216 (OM_uint32 *minor_status,
217 gss_ctx_id_t *context_handle,
218 const gss_OID desired_object,
219 const gss_buffer_t value)
221 krb5_context context;
224 GSSAPI_KRB5_INIT (&context);
226 if (value == GSS_C_NO_BUFFER) {
227 *minor_status = EINVAL;
228 return GSS_S_FAILURE;
231 if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
235 if (*context_handle == GSS_C_NO_CONTEXT) {
236 *minor_status = EINVAL;
237 return GSS_S_NO_CONTEXT;
240 maj_stat = get_bool(minor_status, value, &flag);
241 if (maj_stat != GSS_S_COMPLETE)
244 ctx = (gsskrb5_ctx)*context_handle;
245 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
247 ctx->more_flags |= COMPAT_OLD_DES3;
249 ctx->more_flags &= ~COMPAT_OLD_DES3;
250 ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
251 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
252 return GSS_S_COMPLETE;
253 } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) {
256 maj_stat = get_bool(minor_status, value, &flag);
257 if (maj_stat != GSS_S_COMPLETE)
260 krb5_set_dns_canonicalize_hostname(context, flag);
261 return GSS_S_COMPLETE;
263 } else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
266 maj_stat = get_string(minor_status, value, &str);
267 if (maj_stat != GSS_S_COMPLETE)
270 maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
275 } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
278 maj_stat = get_string(minor_status, value, &str);
279 if (maj_stat != GSS_S_COMPLETE)
283 return GSS_S_CALL_INACCESSIBLE_READ;
286 krb5_set_default_realm(context, str);
290 return GSS_S_COMPLETE;
292 } else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
294 *minor_status = EINVAL;
295 return GSS_S_FAILURE;
297 } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
301 maj_stat = get_int32(minor_status, value, &offset);
302 if (maj_stat != GSS_S_COMPLETE)
305 t = time(NULL) + offset;
307 krb5_set_real_time(context, t, 0);
310 return GSS_S_COMPLETE;
311 } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
318 krb5_us_timeofday (context, &sec, &usec);
320 maj_stat = set_int32(minor_status, value, sec - t);
321 if (maj_stat != GSS_S_COMPLETE)
325 return GSS_S_COMPLETE;
326 } else if (gss_oid_equal(desired_object, GSS_KRB5_PLUGIN_REGISTER_X)) {
327 struct gsskrb5_krb5_plugin c;
329 if (value->length != sizeof(c)) {
330 *minor_status = EINVAL;
331 return GSS_S_FAILURE;
333 memcpy(&c, value->value, sizeof(c));
334 krb5_plugin_register(context, c.type, c.name, c.symbol);
337 return GSS_S_COMPLETE;
338 } else if (gss_oid_equal(desired_object, GSS_KRB5_CCACHE_NAME_X)) {
339 struct gsskrb5_ccache_name_args *args = value->value;
341 if (value->length != sizeof(*args)) {
342 *minor_status = EINVAL;
343 return GSS_S_FAILURE;
346 return _gsskrb5_krb5_ccache_name(minor_status, args->name, &args->out_name);
347 } else if (gss_oid_equal(desired_object, GSS_KRB5_IMPORT_RFC4121_CONTEXT_X)) {
348 return make_rfc4121_context(minor_status, context, context_handle, value);
351 *minor_status = EINVAL;
352 return GSS_S_FAILURE;