1*ba7b222eSGlenn Barry /*
2*ba7b222eSGlenn Barry * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
3*ba7b222eSGlenn Barry * Use is subject to license terms.
4*ba7b222eSGlenn Barry */
5*ba7b222eSGlenn Barry /* -*- mode: c; indent-tabs-mode: nil -*- */
6ab9b2e15Sgtb /*
7ab9b2e15Sgtb * lib/gssapi/krb5/lucid_context.c
8ab9b2e15Sgtb *
9*ba7b222eSGlenn Barry * Copyright 2004, 2008 by the Massachusetts Institute of Technology.
10ab9b2e15Sgtb * All Rights Reserved.
11ab9b2e15Sgtb *
12ab9b2e15Sgtb * Export of this software from the United States of America may
13ab9b2e15Sgtb * require a specific license from the United States Government.
14ab9b2e15Sgtb * It is the responsibility of any person or organization contemplating
15ab9b2e15Sgtb * export to obtain such a license before exporting.
16ab9b2e15Sgtb *
17ab9b2e15Sgtb * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18ab9b2e15Sgtb * distribute this software and its documentation for any purpose and
19ab9b2e15Sgtb * without fee is hereby granted, provided that the above copyright
20ab9b2e15Sgtb * notice appear in all copies and that both that copyright notice and
21ab9b2e15Sgtb * this permission notice appear in supporting documentation, and that
22ab9b2e15Sgtb * the name of M.I.T. not be used in advertising or publicity pertaining
23ab9b2e15Sgtb * to distribution of the software without specific, written prior
24ab9b2e15Sgtb * permission. Furthermore if you modify this software you must label
25ab9b2e15Sgtb * your software as modified software and not distribute it in such a
26ab9b2e15Sgtb * fashion that it might be confused with the original M.I.T. software.
27ab9b2e15Sgtb * M.I.T. makes no representations about the suitability of
28ab9b2e15Sgtb * this software for any purpose. It is provided "as is" without express
29ab9b2e15Sgtb * or implied warranty.
30ab9b2e15Sgtb *
31ab9b2e15Sgtb */
32ab9b2e15Sgtb
33ab9b2e15Sgtb /*
34ab9b2e15Sgtb * lucid_context.c - Externalize a "lucid" security
35ab9b2e15Sgtb * context from a krb5_gss_ctx_id_rec structure.
36ab9b2e15Sgtb */
37ab9b2e15Sgtb #include "gssapiP_krb5.h"
38ab9b2e15Sgtb #include "gssapi_krb5.h"
39*ba7b222eSGlenn Barry #include "mechglueP.h" /* SUNW17PACresync */
40ab9b2e15Sgtb
41ab9b2e15Sgtb /*
42ab9b2e15Sgtb * Local routine prototypes
43ab9b2e15Sgtb */
44ab9b2e15Sgtb static void
45ab9b2e15Sgtb free_external_lucid_ctx_v1(
46ab9b2e15Sgtb gss_krb5_lucid_context_v1_t *ctx);
47ab9b2e15Sgtb
48ab9b2e15Sgtb static void
49ab9b2e15Sgtb free_lucid_key_data(
50ab9b2e15Sgtb gss_krb5_lucid_key_t *key);
51ab9b2e15Sgtb
52ab9b2e15Sgtb static krb5_error_code
53ab9b2e15Sgtb copy_keyblock_to_lucid_key(
54ab9b2e15Sgtb krb5_keyblock *k5key,
55ab9b2e15Sgtb gss_krb5_lucid_key_t *lkey);
56ab9b2e15Sgtb
57ab9b2e15Sgtb static krb5_error_code
58ab9b2e15Sgtb make_external_lucid_ctx_v1(
59ab9b2e15Sgtb krb5_gss_ctx_id_rec * gctx,
60*ba7b222eSGlenn Barry int version,
61ab9b2e15Sgtb void **out_ptr);
62ab9b2e15Sgtb
63ab9b2e15Sgtb
64ab9b2e15Sgtb /*
65ab9b2e15Sgtb * Exported routines
66ab9b2e15Sgtb */
67ab9b2e15Sgtb
68ab9b2e15Sgtb OM_uint32 KRB5_CALLCONV
gss_krb5int_export_lucid_sec_context(OM_uint32 * minor_status,gss_ctx_id_t context_handle,const gss_OID desired_object,gss_buffer_set_t * data_set)69ab9b2e15Sgtb gss_krb5int_export_lucid_sec_context(
70*ba7b222eSGlenn Barry OM_uint32 *minor_status,
71*ba7b222eSGlenn Barry gss_ctx_id_t context_handle,
72*ba7b222eSGlenn Barry const gss_OID desired_object,
73*ba7b222eSGlenn Barry gss_buffer_set_t *data_set)
74ab9b2e15Sgtb {
75*ba7b222eSGlenn Barry krb5_error_code kret = 0;
76*ba7b222eSGlenn Barry OM_uint32 retval;
77*ba7b222eSGlenn Barry krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle;
78*ba7b222eSGlenn Barry void *lctx = NULL;
79*ba7b222eSGlenn Barry int version = 0;
80*ba7b222eSGlenn Barry gss_buffer_desc rep;
81ab9b2e15Sgtb
82ab9b2e15Sgtb /* Assume failure */
83ab9b2e15Sgtb retval = GSS_S_FAILURE;
84ab9b2e15Sgtb *minor_status = 0;
85*ba7b222eSGlenn Barry *data_set = GSS_C_NO_BUFFER_SET;
86ab9b2e15Sgtb
87*ba7b222eSGlenn Barry retval = generic_gss_oid_decompose(minor_status,
88*ba7b222eSGlenn Barry GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
89*ba7b222eSGlenn Barry GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
90*ba7b222eSGlenn Barry desired_object,
91*ba7b222eSGlenn Barry &version);
92*ba7b222eSGlenn Barry if (GSS_ERROR(retval))
93*ba7b222eSGlenn Barry return retval;
94ab9b2e15Sgtb
95ab9b2e15Sgtb /* Externalize a structure of the right version */
96ab9b2e15Sgtb switch (version) {
97ab9b2e15Sgtb case 1:
98*ba7b222eSGlenn Barry kret = make_external_lucid_ctx_v1((krb5_pointer)ctx,
99*ba7b222eSGlenn Barry version, &lctx);
100ab9b2e15Sgtb break;
101ab9b2e15Sgtb default:
102*ba7b222eSGlenn Barry kret = (OM_uint32) KG_LUCID_VERSION;
103*ba7b222eSGlenn Barry break;
104ab9b2e15Sgtb }
105ab9b2e15Sgtb
106ab9b2e15Sgtb if (kret)
107*ba7b222eSGlenn Barry goto error_out;
108ab9b2e15Sgtb
109ab9b2e15Sgtb /* Success! Record the context and return the buffer */
110ab9b2e15Sgtb if (! kg_save_lucidctx_id((void *)lctx)) {
111*ba7b222eSGlenn Barry kret = G_VALIDATE_FAILED;
112*ba7b222eSGlenn Barry goto error_out;
113ab9b2e15Sgtb }
114ab9b2e15Sgtb
115*ba7b222eSGlenn Barry rep.value = &lctx;
116*ba7b222eSGlenn Barry rep.length = sizeof(lctx);
117ab9b2e15Sgtb
118*ba7b222eSGlenn Barry retval = generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
119*ba7b222eSGlenn Barry if (GSS_ERROR(retval))
120*ba7b222eSGlenn Barry goto error_out;
121ab9b2e15Sgtb
122ab9b2e15Sgtb error_out:
123*ba7b222eSGlenn Barry if (*minor_status == 0)
124*ba7b222eSGlenn Barry *minor_status = (OM_uint32) kret;
125ab9b2e15Sgtb return(retval);
126ab9b2e15Sgtb }
127ab9b2e15Sgtb
128ab9b2e15Sgtb /*
129ab9b2e15Sgtb * Frees the storage associated with an
130ab9b2e15Sgtb * exported lucid context structure.
131ab9b2e15Sgtb */
132*ba7b222eSGlenn Barry OM_uint32
gss_krb5int_free_lucid_sec_context(OM_uint32 * minor_status,const gss_OID desired_mech,const gss_OID desired_object,gss_buffer_t value)133*ba7b222eSGlenn Barry gss_krb5int_free_lucid_sec_context(
134ab9b2e15Sgtb OM_uint32 *minor_status,
135*ba7b222eSGlenn Barry const gss_OID desired_mech,
136*ba7b222eSGlenn Barry const gss_OID desired_object,
137*ba7b222eSGlenn Barry gss_buffer_t value)
138ab9b2e15Sgtb {
139*ba7b222eSGlenn Barry OM_uint32 retval;
140*ba7b222eSGlenn Barry krb5_error_code kret = 0;
141*ba7b222eSGlenn Barry int version;
142*ba7b222eSGlenn Barry void *kctx;
143ab9b2e15Sgtb
144ab9b2e15Sgtb /* Assume failure */
145ab9b2e15Sgtb retval = GSS_S_FAILURE;
146ab9b2e15Sgtb *minor_status = 0;
147ab9b2e15Sgtb
148*ba7b222eSGlenn Barry kctx = value->value;
149ab9b2e15Sgtb if (!kctx) {
150*ba7b222eSGlenn Barry kret = EINVAL;
151*ba7b222eSGlenn Barry goto error_out;
152ab9b2e15Sgtb }
153ab9b2e15Sgtb
154ab9b2e15Sgtb /* Verify pointer is valid lucid context */
155ab9b2e15Sgtb if (! kg_validate_lucidctx_id(kctx)) {
156*ba7b222eSGlenn Barry kret = G_VALIDATE_FAILED;
157*ba7b222eSGlenn Barry goto error_out;
158ab9b2e15Sgtb }
159ab9b2e15Sgtb
160ab9b2e15Sgtb /* Determine version and call correct free routine */
161ab9b2e15Sgtb version = ((gss_krb5_lucid_context_version_t *)kctx)->version;
162ab9b2e15Sgtb switch (version) {
163ab9b2e15Sgtb case 1:
164*ba7b222eSGlenn Barry (void)kg_delete_lucidctx_id(kctx);
165*ba7b222eSGlenn Barry free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx);
166*ba7b222eSGlenn Barry break;
167ab9b2e15Sgtb default:
168*ba7b222eSGlenn Barry kret = EINVAL;
169*ba7b222eSGlenn Barry break;
170ab9b2e15Sgtb }
171ab9b2e15Sgtb
172ab9b2e15Sgtb if (kret)
173*ba7b222eSGlenn Barry goto error_out;
174ab9b2e15Sgtb
175ab9b2e15Sgtb /* Success! */
176ab9b2e15Sgtb *minor_status = 0;
177ab9b2e15Sgtb retval = GSS_S_COMPLETE;
178ab9b2e15Sgtb
179ab9b2e15Sgtb return (retval);
180ab9b2e15Sgtb
181ab9b2e15Sgtb error_out:
182*ba7b222eSGlenn Barry if (*minor_status == 0)
183*ba7b222eSGlenn Barry *minor_status = (OM_uint32) kret;
184ab9b2e15Sgtb return(retval);
185ab9b2e15Sgtb }
186ab9b2e15Sgtb
187ab9b2e15Sgtb /*
188ab9b2e15Sgtb * Local routines
189ab9b2e15Sgtb */
190ab9b2e15Sgtb
191ab9b2e15Sgtb static krb5_error_code
make_external_lucid_ctx_v1(krb5_gss_ctx_id_rec * gctx,int version,void ** out_ptr)192ab9b2e15Sgtb make_external_lucid_ctx_v1(
193ab9b2e15Sgtb krb5_gss_ctx_id_rec * gctx,
194*ba7b222eSGlenn Barry int version,
195ab9b2e15Sgtb void **out_ptr)
196ab9b2e15Sgtb {
197ab9b2e15Sgtb gss_krb5_lucid_context_v1_t *lctx = NULL;
198ab9b2e15Sgtb unsigned int bufsize = sizeof(gss_krb5_lucid_context_v1_t);
199ab9b2e15Sgtb krb5_error_code retval;
200ab9b2e15Sgtb
201ab9b2e15Sgtb /* Allocate the structure */
202ab9b2e15Sgtb if ((lctx = xmalloc(bufsize)) == NULL) {
203*ba7b222eSGlenn Barry retval = ENOMEM;
204*ba7b222eSGlenn Barry goto error_out;
205ab9b2e15Sgtb }
206ab9b2e15Sgtb
207ab9b2e15Sgtb memset(lctx, 0, bufsize);
208ab9b2e15Sgtb
209ab9b2e15Sgtb lctx->version = 1;
210ab9b2e15Sgtb lctx->initiate = gctx->initiate ? 1 : 0;
211*ba7b222eSGlenn Barry lctx->endtime = gctx->krb_times.endtime;
212ab9b2e15Sgtb lctx->send_seq = gctx->seq_send;
213ab9b2e15Sgtb lctx->recv_seq = gctx->seq_recv;
214ab9b2e15Sgtb lctx->protocol = gctx->proto;
215ab9b2e15Sgtb /* gctx->proto == 0 ==> rfc1964-style key information
216ab9b2e15Sgtb gctx->proto == 1 ==> cfx-style (draft-ietf-krb-wg-gssapi-cfx-07) keys */
217ab9b2e15Sgtb if (gctx->proto == 0) {
218*ba7b222eSGlenn Barry lctx->rfc1964_kd.sign_alg = gctx->signalg;
219*ba7b222eSGlenn Barry lctx->rfc1964_kd.seal_alg = gctx->sealalg;
220*ba7b222eSGlenn Barry /* Copy key */
221*ba7b222eSGlenn Barry if ((retval = copy_keyblock_to_lucid_key(gctx->seq,
222*ba7b222eSGlenn Barry &lctx->rfc1964_kd.ctx_key)))
223*ba7b222eSGlenn Barry goto error_out;
224ab9b2e15Sgtb }
225ab9b2e15Sgtb else if (gctx->proto == 1) {
226*ba7b222eSGlenn Barry /* Copy keys */
227*ba7b222eSGlenn Barry /* (subkey is always present, either a copy of the kerberos
228*ba7b222eSGlenn Barry session key or a subkey) */
229*ba7b222eSGlenn Barry if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
230*ba7b222eSGlenn Barry &lctx->cfx_kd.ctx_key)))
231*ba7b222eSGlenn Barry goto error_out;
232*ba7b222eSGlenn Barry if (gctx->have_acceptor_subkey) {
233*ba7b222eSGlenn Barry if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
234*ba7b222eSGlenn Barry &lctx->cfx_kd.acceptor_subkey)))
235*ba7b222eSGlenn Barry goto error_out;
236*ba7b222eSGlenn Barry lctx->cfx_kd.have_acceptor_subkey = 1;
237*ba7b222eSGlenn Barry }
238ab9b2e15Sgtb }
239ab9b2e15Sgtb else {
240*ba7b222eSGlenn Barry return EINVAL; /* XXX better error code? */
241ab9b2e15Sgtb }
242ab9b2e15Sgtb
243ab9b2e15Sgtb /* Success! */
244ab9b2e15Sgtb *out_ptr = lctx;
245ab9b2e15Sgtb return 0;
246ab9b2e15Sgtb
247ab9b2e15Sgtb error_out:
248ab9b2e15Sgtb if (lctx) {
249*ba7b222eSGlenn Barry free_external_lucid_ctx_v1(lctx);
250ab9b2e15Sgtb }
251ab9b2e15Sgtb return retval;
252ab9b2e15Sgtb
253ab9b2e15Sgtb }
254ab9b2e15Sgtb
255ab9b2e15Sgtb /* Copy the contents of a krb5_keyblock to a gss_krb5_lucid_key_t structure */
256ab9b2e15Sgtb static krb5_error_code
copy_keyblock_to_lucid_key(krb5_keyblock * k5key,gss_krb5_lucid_key_t * lkey)257ab9b2e15Sgtb copy_keyblock_to_lucid_key(
258ab9b2e15Sgtb krb5_keyblock *k5key,
259ab9b2e15Sgtb gss_krb5_lucid_key_t *lkey)
260ab9b2e15Sgtb {
261ab9b2e15Sgtb if (!k5key || !k5key->contents || k5key->length == 0)
262*ba7b222eSGlenn Barry return EINVAL;
263ab9b2e15Sgtb
264ab9b2e15Sgtb memset(lkey, 0, sizeof(gss_krb5_lucid_key_t));
265ab9b2e15Sgtb
266ab9b2e15Sgtb /* Allocate storage for the key data */
267ab9b2e15Sgtb if ((lkey->data = xmalloc(k5key->length)) == NULL) {
268*ba7b222eSGlenn Barry return ENOMEM;
269ab9b2e15Sgtb }
270ab9b2e15Sgtb memcpy(lkey->data, k5key->contents, k5key->length);
271ab9b2e15Sgtb lkey->length = k5key->length;
272ab9b2e15Sgtb lkey->type = k5key->enctype;
273ab9b2e15Sgtb
274ab9b2e15Sgtb return 0;
275ab9b2e15Sgtb }
276ab9b2e15Sgtb
277ab9b2e15Sgtb
278ab9b2e15Sgtb /* Free any storage associated with a gss_krb5_lucid_key_t structure */
279ab9b2e15Sgtb static void
free_lucid_key_data(gss_krb5_lucid_key_t * key)280ab9b2e15Sgtb free_lucid_key_data(
281ab9b2e15Sgtb gss_krb5_lucid_key_t *key)
282ab9b2e15Sgtb {
283ab9b2e15Sgtb if (key) {
284*ba7b222eSGlenn Barry if (key->data && key->length) {
285*ba7b222eSGlenn Barry memset(key->data, 0, key->length);
286*ba7b222eSGlenn Barry xfree(key->data);
287*ba7b222eSGlenn Barry memset(key, 0, sizeof(gss_krb5_lucid_key_t));
288*ba7b222eSGlenn Barry }
289ab9b2e15Sgtb }
290ab9b2e15Sgtb }
291ab9b2e15Sgtb /* Free any storage associated with a gss_krb5_lucid_context_v1 structure */
292ab9b2e15Sgtb static void
free_external_lucid_ctx_v1(gss_krb5_lucid_context_v1_t * ctx)293ab9b2e15Sgtb free_external_lucid_ctx_v1(
294ab9b2e15Sgtb gss_krb5_lucid_context_v1_t *ctx)
295ab9b2e15Sgtb {
296ab9b2e15Sgtb if (ctx) {
297*ba7b222eSGlenn Barry if (ctx->protocol == 0) {
298*ba7b222eSGlenn Barry free_lucid_key_data(&ctx->rfc1964_kd.ctx_key);
299*ba7b222eSGlenn Barry }
300*ba7b222eSGlenn Barry if (ctx->protocol == 1) {
301*ba7b222eSGlenn Barry free_lucid_key_data(&ctx->cfx_kd.ctx_key);
302*ba7b222eSGlenn Barry if (ctx->cfx_kd.have_acceptor_subkey)
303*ba7b222eSGlenn Barry free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey);
304*ba7b222eSGlenn Barry }
305*ba7b222eSGlenn Barry xfree(ctx);
306*ba7b222eSGlenn Barry ctx = NULL;
307ab9b2e15Sgtb }
308ab9b2e15Sgtb }
309