/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * Copyright 1993 by OpenVision Technologies, Inc.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the name of OpenVision not be used
 * in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose.  It is provided "as is" without express or implied warranty.
 *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

#include "gssapiP_krb5.h"
#include "mglueP.h" /* SUNW15resync - for KGSS_ macros */

/*
 * $Id: delete_sec_context.c 16465 2004-06-16 02:37:23Z tlyu $
 */

#ifdef _KERNEL
/* SUNW15resync - todo - unify these kernel rel oid funcs with user spc ones */

/*
 * Release an OID only if it is one of the krb5 mechanism's own well-known
 * OIDs.  Those are never freed; *oid is simply reset to GSS_C_NO_OID and
 * *minor_status cleared.  Any other OID is left untouched and reported with
 * GSS_S_CONTINUE_NEEDED so the caller can hand it to the generic routine.
 */
OM_uint32
krb5_gss_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
	gss_OID cur = *oid;

	if (cur == gss_mech_krb5 ||
	    cur == gss_mech_krb5_old ||
	    cur == gss_mech_krb5_wrong ||
	    cur == gss_nt_krb5_name ||
	    cur == gss_nt_krb5_principal) {
		*oid = GSS_C_NO_OID;
		*minor_status = 0;
		return (GSS_S_COMPLETE);
	}

	/* Not one of ours; the caller should fall back to the generic routine. */
	return (GSS_S_CONTINUE_NEEDED);
}

/*
 * Release an OID that is not one of the krb5 mechanism's own.  The standard
 * name-type OIDs and gss_nt_service_name are static and are never freed;
 * every other non-null OID has its elements and descriptor returned with
 * FREE().  *oid is reset to GSS_C_NO_OID in all cases, and *minor_status is
 * cleared when a minor_status pointer was supplied.
 */
OM_uint32
generic_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
	gss_OID cur;

	if (minor_status != NULL)
		*minor_status = 0;

	cur = *oid;
	if (cur == GSS_C_NO_OID)
		return (GSS_S_COMPLETE);

	/* Well-known static OIDs must never be handed to FREE(). */
	if (cur == GSS_C_NT_USER_NAME ||
	    cur == GSS_C_NT_MACHINE_UID_NAME ||
	    cur == GSS_C_NT_STRING_UID_NAME ||
	    cur == GSS_C_NT_HOSTBASED_SERVICE ||
	    cur == GSS_C_NT_ANONYMOUS ||
	    cur == GSS_C_NT_EXPORT_NAME ||
	    cur == gss_nt_service_name) {
		*oid = GSS_C_NO_OID;
		return (GSS_S_COMPLETE);
	}

	FREE(cur->elements, cur->length);
	FREE(cur, sizeof (gss_OID_desc));
	*oid = GSS_C_NO_OID;
	return (GSS_S_COMPLETE);
}

/*
 * Release an OID on behalf of the krb5 mechanism: the mechanism's own OIDs
 * are handled by krb5_gss_internal_release_oid(); anything it does not
 * recognize is passed on to generic_gss_release_oid().
 */
OM_uint32
krb5_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
	OM_uint32 major = krb5_gss_internal_release_oid(minor_status, oid);

	if (major == GSS_S_COMPLETE) {
		*oid = GSS_C_NO_OID;
		*minor_status = 0;
		return (GSS_S_COMPLETE);
	}

	/* Pawn it off on the generic routine */
	return (generic_gss_release_oid(minor_status, oid));
}
#endif

/*
 * Tear down a krb5 GSS security context.
 *
 * output_token, when non-NULL, is first emptied and then (for a valid
 * context) filled with a context-deletion token produced by kg_seal().
 * If kg_seal() fails its status is returned and the context is left
 * intact.  Otherwise the handle is removed from the validation table,
 * all per-context state (sequence state, keys, principals, auth_context
 * outside the kernel, mech OID, krb5 context) is released, the record is
 * zeroed and freed, and *context_handle is reset to GSS_C_NO_CONTEXT.
 *
 * A GSS_C_NO_CONTEXT handle is accepted and returns GSS_S_COMPLETE; a
 * handle that fails kg_validate_ctx_id() returns GSS_S_NO_CONTEXT with
 * *minor_status set to G_VALIDATE_FAILED.
 *
 * gssd_ctx_verifier (kernel build only) is part of the interface but is
 * not used by this routine.
 */
/*ARGSUSED*/
OM_uint32
krb5_gss_delete_sec_context(OM_uint32 *minor_status,
    gss_ctx_id_t *context_handle,
    gss_buffer_t output_token
#ifdef _KERNEL
    , OM_uint32 gssd_ctx_verifier
#endif
    )
{
	krb5_gss_ctx_id_rec *ctx;
	krb5_context kctx;

	/* Always hand back an empty token, even on the early-exit paths. */
	if (output_token != NULL) {
		output_token->length = 0;
		output_token->value = NULL;
	}

	/*SUPPRESS 29*/
	if (*context_handle == GSS_C_NO_CONTEXT) {
		*minor_status = 0;
		return (GSS_S_COMPLETE);
	}

	/*SUPPRESS 29*/
	/* validate the context handle */
	if (!kg_validate_ctx_id(*context_handle)) {
		*minor_status = (OM_uint32) G_VALIDATE_FAILED;
		return (GSS_S_NO_CONTEXT);
	}

	ctx = (krb5_gss_ctx_id_t) *context_handle;
	kctx = ctx->k5_context;

	/* construct a delete context token if necessary */
	if (output_token != NULL) {
		gss_buffer_desc empty;
		OM_uint32 major;

		empty.length = 0;
		empty.value = NULL;

		major = kg_seal(minor_status, *context_handle, 0,
		    GSS_C_QOP_DEFAULT, &empty, NULL, output_token,
		    KG_TOK_DEL_CTX);
		/* On failure the context stays registered and allocated. */
		if (major != 0)
			return (major);
	}

	/* invalidate the context handle */
	(void) kg_delete_ctx_id(*context_handle);

	/* free all the context state */
	if (ctx->seqstate)
		g_order_free(&(ctx->seqstate));

	if (ctx->enc)
		krb5_free_keyblock(kctx, ctx->enc);
	if (ctx->seq)
		krb5_free_keyblock(kctx, ctx->seq);

	if (ctx->here)
		krb5_free_principal(kctx, ctx->here);
	if (ctx->there)
		krb5_free_principal(kctx, ctx->there);

	if (ctx->subkey)
		krb5_free_keyblock(kctx, ctx->subkey);
	if (ctx->acceptor_subkey)
		krb5_free_keyblock(kctx, ctx->acceptor_subkey);

	/* We never import the auth_context into the kernel */
#ifndef _KERNEL
	if (ctx->auth_context) {
		/*
		 * When cred_rcache is set the replay cache is detached before
		 * the auth_context is freed; presumably it is owned by the
		 * credential rather than this context -- confirm against the
		 * cred code.
		 */
		if (ctx->cred_rcache)
			(void) krb5_auth_con_setrcache(kctx, ctx->auth_context,
			    NULL);

		krb5_auth_con_free(kctx, ctx->auth_context);
	}
#endif

	if (ctx->mech_used)
		(void) KGSS_RELEASE_OID(minor_status, &ctx->mech_used);

	if (ctx->k5_context)
		krb5_free_context(ctx->k5_context);

	/*
	 * Scrub the record before releasing it so no stale pointers or
	 * flags survive in freed memory.  NOTE(review): a plain memset()
	 * immediately before a free is a dead store an optimizing compiler
	 * may drop; if this scrub is relied upon, confirm it survives in
	 * this build or use a zeroing routine the compiler cannot elide.
	 */
	(void) memset(ctx, 0, sizeof (*ctx));
	xfree_wrap(ctx, sizeof (krb5_gss_ctx_id_rec));

	/* zero the handle itself */
	*context_handle = GSS_C_NO_CONTEXT;

	*minor_status = 0;
	return (GSS_S_COMPLETE);
}