1 /* 2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * Copyright 2000 by the Massachusetts Institute of Technology. 10 * All Rights Reserved. 11 * 12 * Export of this software from the United States of America may 13 * require a specific license from the United States Government. 14 * It is the responsibility of any person or organization contemplating 15 * export to obtain such a license before exporting. 16 * 17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 18 * distribute this software and its documentation for any purpose and 19 * without fee is hereby granted, provided that the above copyright 20 * notice appear in all copies and that both that copyright notice and 21 * this permission notice appear in supporting documentation, and that 22 * the name of M.I.T. not be used in advertising or publicity pertaining 23 * to distribution of the software without specific, written prior 24 * permission. Furthermore if you modify this software you must label 25 * your software as modified software and not distribute it in such a 26 * fashion that it might be confused with the original M.I.T. software. 27 * M.I.T. makes no representations about the suitability of 28 * this software for any purpose. It is provided "as is" without express 29 * or implied warranty. 30 * 31 */ 32 /* 33 * Copyright 1993 by OpenVision Technologies, Inc. 34 * 35 * Permission to use, copy, modify, distribute, and sell this software 36 * and its documentation for any purpose is hereby granted without fee, 37 * provided that the above copyright notice appears in all copies and 38 * that both that copyright notice and this permission notice appear in 39 * supporting documentation, and that the name of OpenVision not be used 40 * in advertising or publicity pertaining to distribution of the software 41 * without specific, written prior permission. OpenVision makes no 42 * representations about the suitability of this software for any 43 * purpose. It is provided "as is" without express or implied warranty. 44 * 45 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 46 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 47 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 48 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 49 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 50 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 51 * PERFORMANCE OF THIS SOFTWARE. 52 */ 53 54 /* 55 * Copyright (C) 1998 by the FundsXpress, INC. 56 * 57 * All rights reserved. 58 * 59 * Export of this software from the United States of America may require 60 * a specific license from the United States Government. It is the 61 * responsibility of any person or organization contemplating export to 62 * obtain such a license before exporting. 63 * 64 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 65 * distribute this software and its documentation for any purpose and 66 * without fee is hereby granted, provided that the above copyright 67 * notice appear in all copies and that both that copyright notice and 68 * this permission notice appear in supporting documentation, and that 69 * the name of FundsXpress. not be used in advertising or publicity pertaining 70 * to distribution of the software without specific, written prior 71 * permission. FundsXpress makes no representations about the suitability of 72 * this software for any purpose. It is provided "as is" without express 73 * or implied warranty. 74 * 75 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 76 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 77 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 78 */ 79 80 #include <gssapiP_krb5.h> 81 #include <k5-int.h> 82 83 /* 84 * $Id: wrap_size_limit.c,v 1.7.6.2 2000/04/19 00:33:42 raeburn Exp $ 85 */ 86 87 /* V2 interface */ 88 /*ARGSUSED*/ 89 OM_uint32 90 krb5_gss_wrap_size_limit(ct, minor_status, context_handle, conf_req_flag, 91 qop_req, req_output_size, max_input_size) 92 void *ct; 93 OM_uint32 *minor_status; 94 gss_ctx_id_t context_handle; 95 int conf_req_flag; 96 gss_qop_t qop_req; 97 OM_uint32 req_output_size; 98 OM_uint32 *max_input_size; 99 { 100 krb5_context context; 101 krb5_gss_ctx_id_rec *ctx; 102 OM_uint32 conflen; 103 OM_uint32 ohlen; 104 OM_uint32 data_size; 105 106 /* Solaris Kerberos: for MT safety, we avoid the use of a default 107 * context via kg_get_context() */ 108 #if 0 109 if (GSS_ERROR(kg_get_context(minor_status, &context))) 110 return(GSS_S_FAILURE); 111 #endif 112 113 KRB5_LOG0(KRB5_INFO, "krb5_gss_wrap_size_limit() start\n"); 114 115 /* check to make sure we aren't writing to a NULL pointer */ 116 if (!max_input_size) 117 return(GSS_S_CALL_INACCESSIBLE_WRITE); 118 119 mutex_lock(&krb5_mutex); 120 context = ct; 121 122 /* only default qop is allowed */ 123 if ((qop_req & GSS_KRB5_CONF_C_QOP_MASK) != GSS_C_QOP_DEFAULT) { 124 *minor_status = (OM_uint32) G_UNKNOWN_QOP; 125 mutex_unlock(&krb5_mutex); 126 return(GSS_S_BAD_QOP); 127 } 128 129 /* validate the context handle */ 130 if (! kg_validate_ctx_id(context_handle)) { 131 *minor_status = (OM_uint32) G_VALIDATE_FAILED; 132 mutex_unlock(&krb5_mutex); 133 return(GSS_S_NO_CONTEXT); 134 } 135 136 ctx = (krb5_gss_ctx_id_rec *) context_handle; 137 if (! ctx->established) { 138 *minor_status = KG_CTX_INCOMPLETE; 139 mutex_unlock(&krb5_mutex); 140 return(GSS_S_NO_CONTEXT); 141 } 142 143 if (ctx->proto == 1) { 144 /* No pseudo-ASN.1 wrapper overhead, so no sequence length and 145 OID. */ 146 OM_uint32 sz = req_output_size; 147 if (conf_req_flag) { 148 size_t enclen; 149 if ( (*minor_status = krb5_c_encrypt_length(context, 150 ctx->enc->enctype, 151 sz, &enclen))) { 152 mutex_unlock(&krb5_mutex); 153 return (GSS_S_FAILURE); 154 } 155 /* 156 * The 16 byte token header is included 2 times, 157 * once at the beginning of the token and once 158 * encrypted with the plaintext data. 159 */ 160 while (sz > 0 && enclen + 32 > req_output_size) { 161 sz--; 162 if ((*minor_status = krb5_c_encrypt_length(context, 163 ctx->enc->enctype, sz, &enclen))) { 164 mutex_unlock(&krb5_mutex); 165 return (GSS_S_FAILURE); 166 } 167 } 168 } else { 169 if (sz < 16 + ctx->cksum_size) 170 sz = 0; 171 else 172 sz -= (16 + ctx->cksum_size); 173 } 174 175 *max_input_size = sz; 176 *minor_status = 0; 177 goto end; 178 } 179 180 data_size = req_output_size; 181 182 /* The confounder is always used */ 183 conflen = kg_confounder_size(context, ctx->enc); 184 data_size = (conflen + data_size + 8) & (~7); 185 186 /* 187 * If we are encrypting, check the size, it may be larger than 188 * the input in some cases due to padding and byte-boundaries. 189 */ 190 if (conf_req_flag) { 191 data_size = kg_encrypt_size(context, ctx->enc, data_size); 192 } 193 194 /* 195 * Calculate the token size for a buffer that is 'req_output_size' 196 * long. 197 */ 198 ohlen = g_token_size(&(ctx->mech_used), 199 (unsigned int)(data_size + ctx->cksum_size + 14)) - 200 req_output_size; 201 202 KRB5_LOG1(KRB5_INFO, "ohlen = %u, req_output_size = %u.\n", 203 ohlen, req_output_size); 204 205 *max_input_size = (req_output_size > ohlen) ? 206 ((req_output_size - ohlen) & (~7)) : 0; 207 208 *minor_status = 0; 209 end: 210 mutex_unlock(&krb5_mutex); 211 KRB5_LOG(KRB5_INFO, "krb5_gss_wrap_size_limit() end, " 212 "max_input_size = %u.\n", *max_input_size); 213 return(GSS_S_COMPLETE); 214 } 215