17c478bd9Sstevel@tonic-gate /* 2*ab9b2e15Sgtb * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 37c478bd9Sstevel@tonic-gate * Use is subject to license terms. 47c478bd9Sstevel@tonic-gate */ 57c478bd9Sstevel@tonic-gate 67c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 77c478bd9Sstevel@tonic-gate 87c478bd9Sstevel@tonic-gate /* 97c478bd9Sstevel@tonic-gate * Copyright 2000 by the Massachusetts Institute of Technology. 107c478bd9Sstevel@tonic-gate * All Rights Reserved. 117c478bd9Sstevel@tonic-gate * 127c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may 137c478bd9Sstevel@tonic-gate * require a specific license from the United States Government. 147c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating 157c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting. 167c478bd9Sstevel@tonic-gate * 177c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 187c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 197c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 207c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 217c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 227c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining 237c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 247c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label 257c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a 267c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software. 277c478bd9Sstevel@tonic-gate * M.I.T. 
makes no representations about the suitability of 287c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 297c478bd9Sstevel@tonic-gate * or implied warranty. 307c478bd9Sstevel@tonic-gate * 317c478bd9Sstevel@tonic-gate */ 327c478bd9Sstevel@tonic-gate /* 337c478bd9Sstevel@tonic-gate * Copyright 1993 by OpenVision Technologies, Inc. 347c478bd9Sstevel@tonic-gate * 357c478bd9Sstevel@tonic-gate * Permission to use, copy, modify, distribute, and sell this software 367c478bd9Sstevel@tonic-gate * and its documentation for any purpose is hereby granted without fee, 377c478bd9Sstevel@tonic-gate * provided that the above copyright notice appears in all copies and 387c478bd9Sstevel@tonic-gate * that both that copyright notice and this permission notice appear in 397c478bd9Sstevel@tonic-gate * supporting documentation, and that the name of OpenVision not be used 407c478bd9Sstevel@tonic-gate * in advertising or publicity pertaining to distribution of the software 417c478bd9Sstevel@tonic-gate * without specific, written prior permission. OpenVision makes no 427c478bd9Sstevel@tonic-gate * representations about the suitability of this software for any 437c478bd9Sstevel@tonic-gate * purpose. It is provided "as is" without express or implied warranty. 447c478bd9Sstevel@tonic-gate * 457c478bd9Sstevel@tonic-gate * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 467c478bd9Sstevel@tonic-gate * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 477c478bd9Sstevel@tonic-gate * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 487c478bd9Sstevel@tonic-gate * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 497c478bd9Sstevel@tonic-gate * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 507c478bd9Sstevel@tonic-gate * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 517c478bd9Sstevel@tonic-gate * PERFORMANCE OF THIS SOFTWARE. 
527c478bd9Sstevel@tonic-gate */ 537c478bd9Sstevel@tonic-gate 547c478bd9Sstevel@tonic-gate /* 557c478bd9Sstevel@tonic-gate * Copyright (C) 1998 by the FundsXpress, INC. 567c478bd9Sstevel@tonic-gate * 577c478bd9Sstevel@tonic-gate * All rights reserved. 587c478bd9Sstevel@tonic-gate * 597c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may require 607c478bd9Sstevel@tonic-gate * a specific license from the United States Government. It is the 617c478bd9Sstevel@tonic-gate * responsibility of any person or organization contemplating export to 627c478bd9Sstevel@tonic-gate * obtain such a license before exporting. 637c478bd9Sstevel@tonic-gate * 647c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 657c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 667c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 677c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 687c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 697c478bd9Sstevel@tonic-gate * the name of FundsXpress. not be used in advertising or publicity pertaining 707c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 717c478bd9Sstevel@tonic-gate * permission. FundsXpress makes no representations about the suitability of 727c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 737c478bd9Sstevel@tonic-gate * or implied warranty. 747c478bd9Sstevel@tonic-gate * 757c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 767c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 777c478bd9Sstevel@tonic-gate * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
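 */

#include "gssapiP_krb5.h"

size_t KRB5_CALLCONV krb5_encrypt_size(size_t, krb5_enctype);

/* SUNW15resync - XXX find new home for this func */
#ifdef	_KERNEL
/*
 * Return the ciphertext length that krb5_c_encrypt_length() reports for
 * `length' bytes of plaintext under enctype `crypto'.
 *
 * On failure the return value is (size_t)-1.  Callers must test for that
 * sentinel before doing arithmetic on the result: adding to it wraps
 * around to a small number that looks like a valid length.
 */
size_t KRB5_CALLCONV
krb5_encrypt_size(size_t length, krb5_enctype crypto)
{
	size_t ret;

	if (krb5_c_encrypt_length(/* XXX */ 0, crypto, length, &ret))
		/*LINTED*/
		return ((size_t)-1); /* XXX */

	return (ret);
}
#endif

/*
 * V2 interface
 *
 * Report through *max_input_size the largest message size whose wrap
 * token is computed to fit within req_output_size bytes on the
 * established context context_handle.
 *
 * conf_req_flag is only consulted for proto 1 contexts, where it selects
 * between the encrypting and the checksum-only calculation.  qop_req must
 * equal GSS_C_QOP_DEFAULT once masked with GSS_KRB5_CONF_C_QOP_MASK.
 *
 * Returns:
 *   GSS_S_CALL_INACCESSIBLE_WRITE  max_input_size is NULL; minor_status
 *                                  is not written on this path.
 *   GSS_S_BAD_QOP                  non-default QOP (minor G_UNKNOWN_QOP).
 *   GSS_S_NO_CONTEXT               kg_validate_ctx_id() rejected the handle
 *                                  (minor G_VALIDATE_FAILED) or the context
 *                                  is not established (minor
 *                                  KG_CTX_INCOMPLETE).
 *   GSS_S_COMPLETE                 *max_input_size set, minor 0.
 *
 * NOTE(review): minor_status is dereferenced without a NULL check on
 * every path past the first test; confirm that callers always supply it.
 */
OM_uint32
krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
    qop_req, req_output_size, max_input_size)
	OM_uint32	*minor_status;
	gss_ctx_id_t	context_handle;
	int		conf_req_flag;
	gss_qop_t	qop_req;
	OM_uint32	req_output_size;
	OM_uint32	*max_input_size;
{
	krb5_gss_ctx_id_rec	*ctx;
	OM_uint32		data_size, conflen;
	OM_uint32		ohlen;
	int			overhead;

	/* Solaris Kerb - check to make sure we aren't writing to a NULL pointer */
	if (!max_input_size)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);

	/* only default qop is allowed */
	/*
	 * SUNW15resync
	 * mit 1.2-6: if (qop_req != GSS_C_QOP_DEFAULT) {
	 * Go with Solaris version here, though not sure which is
	 * correct and RFC 2743 does not make it clear.
	 */
	if ((qop_req & GSS_KRB5_CONF_C_QOP_MASK) != GSS_C_QOP_DEFAULT) {
		*minor_status = (OM_uint32) G_UNKNOWN_QOP;
		/*
		 * SUNW15resync - RFC 2743 is clear here but
		 * this is still GSS_S_FAILURE in MIT
		 */
		return (GSS_S_BAD_QOP);
	}

	/* validate the context handle */
	if (! kg_validate_ctx_id(context_handle)) {
		*minor_status = (OM_uint32) G_VALIDATE_FAILED;
		return (GSS_S_NO_CONTEXT);
	}

	ctx = (krb5_gss_ctx_id_rec *) context_handle;
	if (! ctx->established) {
		*minor_status = KG_CTX_INCOMPLETE;
		return (GSS_S_NO_CONTEXT);
	}

	if (ctx->proto == 1) {
		/*
		 * No pseudo-ASN.1 wrapper overhead, so no sequence length and
		 * OID.
		 */
		OM_uint32 sz = req_output_size;

		/* Token header: 16 octets. */
		if (conf_req_flag) {
			/*
			 * Shrink sz until ciphertext plus the token header
			 * fits in req_output_size.
			 */
			while (sz > 0) {
				size_t enclen =
				    krb5_encrypt_size(sz, ctx->enc->enctype);

				/*
				 * krb5_encrypt_size() signals failure with
				 * (size_t)-1.  Adding the header length to
				 * that sentinel wraps to 15, which would pass
				 * the fit test and report a limit as if
				 * encryption added no overhead.  Report that
				 * nothing fits instead.
				 */
				if (enclen == (size_t)-1) {
					sz = 0;
					break;
				}

				/*
				 * Same test as enclen + 16 <= req_output_size,
				 * written so that it cannot wrap.
				 */
				if (enclen <= req_output_size &&
				    req_output_size - enclen >= 16)
					break;

				sz--;
			}

			/* Allow for encrypted copy of header. */
			if (sz > 16)
				sz -= 16;
			else
				sz = 0;
#ifdef CFX_EXERCISE
			/*
			 * Allow for EC padding.  In the MIT implementation,
			 * only added while testing.
			 */
			if (sz > 65535)
				sz -= 65535;
			else
				sz = 0;
#endif
		} else {
			/* Allow for token header and checksum. */
			if (sz < 16 + ctx->cksum_size)
				sz = 0;
			else
				sz -= (16 + ctx->cksum_size);
		}

		*max_input_size = sz;
		*minor_status = 0;
		return (GSS_S_COMPLETE);
	}

	/* Calculate the token size and subtract that from the output size */
	overhead = 7 + ctx->mech_used->length;
	data_size = req_output_size;
	/*
	 * NOTE(review): the result of kg_confounder_size() is used without
	 * any error check; confirm whether it can report failure.
	 */
	conflen = kg_confounder_size(ctx->k5_context, ctx->enc);
	/* Confounder plus data, rounded up to the next multiple of 8. */
	data_size = (conflen + data_size + 8) & (~(OM_uint32)7);
	ohlen = g_token_size(ctx->mech_used,
	    (unsigned int) (data_size + ctx->cksum_size + 14))
	    - req_output_size;

	if (ohlen + overhead < req_output_size) {
		/*
		 * Cannot have trailer length that will cause us to pad over
		 * our length.
		 */
		*max_input_size =
		    (req_output_size - ohlen - overhead) & (~(OM_uint32)7);
	} else {
		*max_input_size = 0;
	}

	*minor_status = 0;
	return (GSS_S_COMPLETE);
}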