search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / lib / gss_mechs / mech_spnego / mech / spnego_mech.c
blob1bf5a2c26fdf1bb9f1e545bb8a87b95786469aca
1 /*
2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3 */
4 /*
5 * Copyright (C) 2006,2008 by the Massachusetts Institute of Technology.
6 * All rights reserved.
7 *
8 * Export of this software from the United States of America may
9 * require a specific license from the United States Government.
10 * It is the responsibility of any person or organization contemplating
11 * export to obtain such a license before exporting.
12 *
13 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
14 * distribute this software and its documentation for any purpose and
15 * without fee is hereby granted, provided that the above copyright
16 * notice appear in all copies and that both that copyright notice and
17 * this permission notice appear in supporting documentation, and that
18 * the name of M.I.T. not be used in advertising or publicity pertaining
19 * to distribution of the software without specific, written prior
20 * permission. Furthermore if you modify this software you must label
21 * your software as modified software and not distribute it in such a
22 * fashion that it might be confused with the original M.I.T. software.
23 * M.I.T. makes no representations about the suitability of
24 * this software for any purpose. It is provided "as is" without express
25 * or implied warranty.
26 *
27 */
28
29 /*
30 * A module that implements the spnego security mechanism.
31 * It is used to negotiate the security mechanism between
32 * peers using the GSS-API.
33 *
34 */
35
36 /*
37 * Copyright (c) 2006-2008, Novell, Inc.
38 * All rights reserved.
39 *
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions are met:
42 *
43 * * Redistributions of source code must retain the above copyright notice,
44 * this list of conditions and the following disclaimer.
45 * * Redistributions in binary form must reproduce the above copyright
46 * notice, this list of conditions and the following disclaimer in the
47 * documentation and/or other materials provided with the distribution.
48 * * The copyright holder's name is not used to endorse or promote products
49 * derived from this software without specific prior written permission.
50 *
51 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
52 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
55 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
56 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
57 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
58 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
59 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
61 * POSSIBILITY OF SUCH DAMAGE.
62 */
63 /* #pragma ident "@(#)spnego_mech.c 1.7 04/09/28 SMI" */
64
65 #include <sys/param.h>
66 #include <unistd.h>
67 #include <assert.h>
68 #include <stdio.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <k5-int.h>
72 #include <krb5.h>
73 #include <mglueP.h>
74 #include "gssapiP_spnego.h"
75 #include "gssapiP_generic.h"
76 #include <gssapi_err_generic.h>
77 #include <locale.h>
78
79 /*
80 * SUNW17PACresync
81 * MIT has diff names for these GSS utilities. Solaris needs to change
82 * them globally to get in sync w/MIT.
83 * Revisit for full 1.7 resync.
84 */
85 #define gssint_get_modOptions __gss_get_modOptions
86 #define gssint_der_length_size der_length_size
87 #define gssint_get_der_length get_der_length
88 #define gssint_put_der_length put_der_length
89 #define gssint_get_mechanism __gss_get_mechanism
90 #define gssint_copy_oid_set gss_copy_oid_set
91 #define gssint_get_mech_type __gss_get_mech_type
92
93
94 #undef g_token_size
95 #undef g_verify_token_header
96 #undef g_make_token_header
97
98 #define HARD_ERROR(v) ((v) != GSS_S_COMPLETE && (v) != GSS_S_CONTINUE_NEEDED)
99 typedef const gss_OID_desc *gss_OID_const;
100
101 /* der routines defined in libgss */
102 extern unsigned int gssint_der_length_size(OM_uint32);
103 extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*);
104 extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32);
105
106
107 /* private routines for spnego_mechanism */
108 static spnego_token_t make_spnego_token(char *);
109 static gss_buffer_desc make_err_msg(char *);
110 static int g_token_size(gss_OID_const, unsigned int);
111 static int g_make_token_header(gss_OID_const, unsigned int,
112 unsigned char **, unsigned int);
113 static int g_verify_token_header(gss_OID_const, unsigned int *,
114 unsigned char **,
115 int, unsigned int);
116 static int g_verify_neg_token_init(unsigned char **, unsigned int);
117 static gss_OID get_mech_oid(OM_uint32 *, unsigned char **, size_t);
118 static gss_buffer_t get_input_token(unsigned char **, unsigned int);
119 static gss_OID_set get_mech_set(OM_uint32 *, unsigned char **, unsigned int);
120 static OM_uint32 get_req_flags(unsigned char **, OM_uint32, OM_uint32 *);
121 static OM_uint32 get_available_mechs(OM_uint32 *, gss_name_t,
122 gss_cred_usage_t, gss_cred_id_t *, gss_OID_set *);
123 static void release_spnego_ctx(spnego_gss_ctx_id_t *);
124 static void check_spnego_options(spnego_gss_ctx_id_t);
125 static spnego_gss_ctx_id_t create_spnego_ctx(void);
126 static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
127 static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
128 static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
129 static int put_negResult(unsigned char **, OM_uint32, unsigned int);
130
131 static OM_uint32
132 process_mic(OM_uint32 *, gss_buffer_t, spnego_gss_ctx_id_t,
133 gss_buffer_t *, OM_uint32 *, send_token_flag *);
134 static OM_uint32
135 handle_mic(OM_uint32 *, gss_buffer_t, int, spnego_gss_ctx_id_t,
136 gss_buffer_t *, OM_uint32 *, send_token_flag *);
137
138 static OM_uint32
139 init_ctx_new(OM_uint32 *, gss_cred_id_t, gss_ctx_id_t *,
140 gss_OID_set *, send_token_flag *);
141 static OM_uint32
142 init_ctx_nego(OM_uint32 *, spnego_gss_ctx_id_t, OM_uint32, gss_OID,
143 gss_buffer_t *, gss_buffer_t *,
144 OM_uint32 *, send_token_flag *);
145 static OM_uint32
146 init_ctx_cont(OM_uint32 *, gss_ctx_id_t *, gss_buffer_t,
147 gss_buffer_t *, gss_buffer_t *,
148 OM_uint32 *, send_token_flag *);
149 static OM_uint32
150 init_ctx_reselect(OM_uint32 *, spnego_gss_ctx_id_t, OM_uint32,
151 gss_OID, gss_buffer_t *, gss_buffer_t *,
152 OM_uint32 *, send_token_flag *);
153 static OM_uint32
154 init_ctx_call_init(OM_uint32 *, spnego_gss_ctx_id_t, gss_cred_id_t,
155 gss_name_t, OM_uint32, OM_uint32, gss_buffer_t,
156 gss_OID *, gss_buffer_t, OM_uint32 *, OM_uint32 *,
157 OM_uint32 *, send_token_flag *);
158
159 static OM_uint32
160 acc_ctx_new(OM_uint32 *, gss_buffer_t, gss_ctx_id_t *,
161 gss_cred_id_t, gss_buffer_t *,
162 gss_buffer_t *, OM_uint32 *, send_token_flag *);
163 static OM_uint32
164 acc_ctx_cont(OM_uint32 *, gss_buffer_t, gss_ctx_id_t *,
165 gss_buffer_t *, gss_buffer_t *,
166 OM_uint32 *, send_token_flag *);
167 static OM_uint32
168 acc_ctx_vfy_oid(OM_uint32 *, spnego_gss_ctx_id_t, gss_OID,
169 OM_uint32 *, send_token_flag *);
170 static OM_uint32
171 acc_ctx_call_acc(OM_uint32 *, spnego_gss_ctx_id_t, gss_cred_id_t,
172 gss_buffer_t, gss_OID *, gss_buffer_t,
173 OM_uint32 *, OM_uint32 *, gss_cred_id_t *,
174 OM_uint32 *, send_token_flag *);
175
176 static gss_OID
177 negotiate_mech_type(OM_uint32 *, gss_OID_set, gss_OID_set,
178 OM_uint32 *);
179 static int
180 g_get_tag_and_length(unsigned char **, int, unsigned int, unsigned int *);
181
182 static int
183 make_spnego_tokenInit_msg(spnego_gss_ctx_id_t,
184 int,
185 gss_buffer_t,
186 OM_uint32, gss_buffer_t, send_token_flag,
187 gss_buffer_t);
188 static int
189 make_spnego_tokenTarg_msg(OM_uint32, gss_OID, gss_buffer_t,
190 gss_buffer_t, send_token_flag,
191 gss_buffer_t);
192
193 static OM_uint32
194 get_negTokenInit(OM_uint32 *, gss_buffer_t, gss_buffer_t,
195 gss_OID_set *, OM_uint32 *, gss_buffer_t *,
196 gss_buffer_t *);
197 static OM_uint32
198 get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
199 OM_uint32 *, gss_OID *, gss_buffer_t *, gss_buffer_t *);
200
201 static int
202 is_kerb_mech(gss_OID oid);
203
204 /* SPNEGO oid structure */
205 static const gss_OID_desc spnego_oids[] = {
206 {SPNEGO_OID_LENGTH, SPNEGO_OID},
207 };
208
209 const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
210 static const gss_OID_set_desc spnego_oidsets[] = {
211 {1, (gss_OID) spnego_oids+0},
212 };
213 const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
214
215 static int make_NegHints(OM_uint32 *, gss_cred_id_t, gss_buffer_t *);
216 static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int);
217 static OM_uint32
218 acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, gss_cred_id_t,
219 gss_buffer_t *, OM_uint32 *, send_token_flag *);
220
221 #ifdef _GSS_STATIC_LINK
222 int gss_spnegoint_lib_init(void);
223 void gss_spnegoint_lib_fini(void);
224 #else
225 gss_mechanism gss_mech_initialize(void);
226 #endif /* _GSS_STATIC_LINK */
227
228 /*
229 * The Mech OID for SPNEGO:
230 * { iso(1) org(3) dod(6) internet(1) security(5)
231 * mechanism(5) spnego(2) }
232 */
233 static struct gss_config spnego_mechanism =
234 {
235 {SPNEGO_OID_LENGTH, SPNEGO_OID},
236 NULL,
237 glue_spnego_gss_acquire_cred,
238 glue_spnego_gss_release_cred,
239 glue_spnego_gss_init_sec_context,
240 #ifndef LEAN_CLIENT
241 glue_spnego_gss_accept_sec_context,
242 #else
243 NULL,
244 #endif /* LEAN_CLIENT */
245 NULL, /* unseal */
246 NULL, /* gss_process_context_token */
247 glue_spnego_gss_delete_sec_context, /* gss_delete_sec_context */
248 glue_spnego_gss_context_time,
249 glue_spnego_gss_display_status,
250 NULL, /* gss_indicate_mechs */
251 glue_spnego_gss_compare_name,
252 glue_spnego_gss_display_name,
253 glue_spnego_gss_import_name, /* glue */
254 glue_spnego_gss_release_name,
255 NULL, /* gss_inquire_cred */
256 NULL, /* gss_add_cred */
257 NULL, /* seal */
258 #ifndef LEAN_CLIENT
259 glue_spnego_gss_export_sec_context, /* gss_export_sec_context */
260 glue_spnego_gss_import_sec_context, /* gss_import_sec_context */
261 #else
262 NULL, /* gss_export_sec_context */
263 NULL, /* gss_import_sec_context */
264 #endif /* LEAN_CLIENT */
265 NULL, /* gss_inquire_cred_by_mech */
266 glue_spnego_gss_inquire_names_for_mech,
267 glue_spnego_gss_inquire_context,
268 NULL, /* gss_internal_release_oid */
269 glue_spnego_gss_wrap_size_limit,
270 NULL, /* pname */
271 NULL, /* userok */
272 NULL, /* gss_export_name */
273 NULL, /* sign */
274 NULL, /* verify */
275 NULL, /* gss_store_cred */
276 spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
277 };
278
279 #ifdef _GSS_STATIC_LINK
280 #include "mglueP.h"
281
282 static
283 int gss_spnegomechglue_init(void)
284 {
285 struct gss_mech_config mech_spnego;
286
287 memset(&mech_spnego, 0, sizeof(mech_spnego));
288 mech_spnego.mech = &spnego_mechanism;
289 mech_spnego.mechNameStr = "spnego";
290 mech_spnego.mech_type = GSS_C_NO_OID;
291
292 return gssint_register_mechinfo(&mech_spnego);
293 }
294 #else
295 /* Entry point for libgss */
296 gss_mechanism KRB5_CALLCONV
297 gss_mech_initialize(void)
298 {
299 int err;
300
301 err = k5_key_register(K5_KEY_GSS_SPNEGO_ERROR_MESSAGE,
302 spnego_gss_delete_error_info);
303 if (err) {
304 syslog(LOG_NOTICE,
305 "SPNEGO gss_mech_initialize: error message TSD key register fail");
306 return (NULL);
307 }
308
309 return (&spnego_mechanism);
310 }
311
312 #if 0 /* SUNW17PACresync */
313 MAKE_INIT_FUNCTION(gss_krb5int_lib_init);
314 MAKE_FINI_FUNCTION(gss_krb5int_lib_fini);
315 int gss_krb5int_lib_init(void)
316 #endif
317
318 #endif /* _GSS_STATIC_LINK */
319
320 static
321 int gss_spnegoint_lib_init(void)
322 {
323 #ifdef _GSS_STATIC_LINK
324 return gss_spnegomechglue_init();
325 #else
326 int err;
327
328 err = k5_key_register(K5_KEY_GSS_SPNEGO_ERROR_MESSAGE,
329 spnego_gss_delete_error_info);
330 if (err) {
331 syslog(LOG_NOTICE,
332 "SPNEGO gss_mech_initialize: error message TSD key register fail: err=%d",
333 err);
334 return err;
335 }
336
337 return 0;
338 #endif
339 }
340
341 static void gss_spnegoint_lib_fini(void)
342 {
343 }
344
345 /*ARGSUSED*/
346 OM_uint32
347 glue_spnego_gss_acquire_cred(
348 void *context,
349 OM_uint32 *minor_status,
350 gss_name_t desired_name,
351 OM_uint32 time_req,
352 gss_OID_set desired_mechs,
353 gss_cred_usage_t cred_usage,
354 gss_cred_id_t *output_cred_handle,
355 gss_OID_set *actual_mechs,
356 OM_uint32 *time_rec)
357 {
358 return(spnego_gss_acquire_cred(minor_status,
359 desired_name,
360 time_req,
361 desired_mechs,
362 cred_usage,
363 output_cred_handle,
364 actual_mechs,
365 time_rec));
366 }
367
368 /*ARGSUSED*/
369 OM_uint32
370 spnego_gss_acquire_cred(OM_uint32 *minor_status,
371 gss_name_t desired_name,
372 OM_uint32 time_req,
373 gss_OID_set desired_mechs,
374 gss_cred_usage_t cred_usage,
375 gss_cred_id_t *output_cred_handle,
376 gss_OID_set *actual_mechs,
377 OM_uint32 *time_rec)
378 {
379 OM_uint32 status;
380 gss_OID_set amechs;
381 dsyslog("Entering spnego_gss_acquire_cred\n");
382
383 if (actual_mechs)
384 *actual_mechs = NULL;
385
386 if (time_rec)
387 *time_rec = 0;
388
389 /*
390 * If the user did not specify a list of mechs,
391 * use get_available_mechs to collect a list of
392 * mechs for which creds are available.
393 */
394 if (desired_mechs == GSS_C_NULL_OID_SET) {
395 status = get_available_mechs(minor_status,
396 desired_name, cred_usage,
397 output_cred_handle, &amechs);
398 } else {
399 /*
400 * The caller gave a specific list of mechanisms,
401 * so just get whatever creds are available.
402 * gss_acquire_creds will return the subset of mechs for
403 * which the given 'output_cred_handle' is valid.
404 */
405 status = gss_acquire_cred(minor_status,
406 desired_name, time_req,
407 desired_mechs, cred_usage,
408 output_cred_handle, &amechs,
409 time_rec);
410 }
411
412 if (actual_mechs && amechs != GSS_C_NULL_OID_SET) {
413 (void) gssint_copy_oid_set(minor_status, amechs, actual_mechs);
414 }
415 (void) gss_release_oid_set(minor_status, &amechs);
416
417 dsyslog("Leaving spnego_gss_acquire_cred\n");
418 return (status);
419 }
420
421 /*ARGSUSED*/
422 OM_uint32
423 glue_spnego_gss_release_cred(void *context,
424 OM_uint32 *minor_status,
425 gss_cred_id_t *cred_handle)
426 {
427 return( spnego_gss_release_cred(minor_status, cred_handle));
428 }
429
430 /*ARGSUSED*/
431 OM_uint32
432 spnego_gss_release_cred(OM_uint32 *minor_status,
433 gss_cred_id_t *cred_handle)
434 {
435 OM_uint32 status;
436
437 dsyslog("Entering spnego_gss_release_cred\n");
438
439 if (minor_status == NULL || cred_handle == NULL)
440 return (GSS_S_CALL_INACCESSIBLE_WRITE);
441
442 *minor_status = 0;
443
444 if (*cred_handle == GSS_C_NO_CREDENTIAL)
445 return (GSS_S_COMPLETE);
446
447 status = gss_release_cred(minor_status, cred_handle);
448
449 dsyslog("Leaving spnego_gss_release_cred\n");
450 return (status);
451 }
452
453 static void
454 check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
455 {
456 spnego_ctx->optionStr = gssint_get_modOptions(
457 (const gss_OID)&spnego_oids[0]);
458 }
459
460 static spnego_gss_ctx_id_t
461 create_spnego_ctx(void)
462 {
463 spnego_gss_ctx_id_t spnego_ctx = NULL;
464 spnego_ctx = (spnego_gss_ctx_id_t)
465 malloc(sizeof (spnego_gss_ctx_id_rec));
466
467 if (spnego_ctx == NULL) {
468 return (NULL);
469 }
470
471 spnego_ctx->magic_num = SPNEGO_MAGIC_ID;
472 spnego_ctx->ctx_handle = GSS_C_NO_CONTEXT;
473 spnego_ctx->internal_mech = NULL;
474 spnego_ctx->optionStr = NULL;
475 spnego_ctx->DER_mechTypes.length = 0;
476 spnego_ctx->DER_mechTypes.value = NULL;
477 spnego_ctx->default_cred = GSS_C_NO_CREDENTIAL;
478 spnego_ctx->mic_reqd = 0;
479 spnego_ctx->mic_sent = 0;
480 spnego_ctx->mic_rcvd = 0;
481 spnego_ctx->mech_complete = 0;
482 spnego_ctx->nego_done = 0;
483 spnego_ctx->internal_name = GSS_C_NO_NAME;
484 spnego_ctx->actual_mech = GSS_C_NO_OID;
485 spnego_ctx->err.msg = NULL;
486 spnego_ctx->err.scratch_buf[0] = 0;
487 check_spnego_options(spnego_ctx);
488
489 return (spnego_ctx);
490 }
491
492 /*
493 * Both initiator and acceptor call here to verify and/or create
494 * mechListMIC, and to consistency-check the MIC state.
495 */
496 static OM_uint32
497 handle_mic(OM_uint32 *minor_status, gss_buffer_t mic_in,
498 int send_mechtok, spnego_gss_ctx_id_t sc,
499 gss_buffer_t *mic_out,
500 OM_uint32 *negState, send_token_flag *tokflag)
501 {
502 OM_uint32 ret;
503
504 ret = GSS_S_FAILURE;
505 *mic_out = GSS_C_NO_BUFFER;
506 if (mic_in != GSS_C_NO_BUFFER) {
507 if (sc->mic_rcvd) {
508 /* Reject MIC if we've already received a MIC. */
509 *negState = REJECT;
510 *tokflag = ERROR_TOKEN_SEND;
511 return GSS_S_DEFECTIVE_TOKEN;
512 }
513 } else if (sc->mic_reqd && !send_mechtok) {
514 /*
515 * If the peer sends the final mechanism token, it
516 * must send the MIC with that token if the
517 * negotiation requires MICs.
518 */
519 *negState = REJECT;
520 *tokflag = ERROR_TOKEN_SEND;
521 return GSS_S_DEFECTIVE_TOKEN;
522 }
523 ret = process_mic(minor_status, mic_in, sc, mic_out,
524 negState, tokflag);
525 if (ret != GSS_S_COMPLETE) {
526 return ret;
527 }
528 if (sc->mic_reqd) {
529 assert(sc->mic_sent || sc->mic_rcvd);
530 }
531 if (sc->mic_sent && sc->mic_rcvd) {
532 ret = GSS_S_COMPLETE;
533 *negState = ACCEPT_COMPLETE;
534 if (*mic_out == GSS_C_NO_BUFFER) {
535 /*
536 * We sent a MIC on the previous pass; we
537 * shouldn't be sending a mechanism token.
538 */
539 assert(!send_mechtok);
540 *tokflag = NO_TOKEN_SEND;
541 } else {
542 *tokflag = CONT_TOKEN_SEND;
543 }
544 } else if (sc->mic_reqd) {
545 *negState = ACCEPT_INCOMPLETE;
546 ret = GSS_S_CONTINUE_NEEDED;
547 } else if (*negState == ACCEPT_COMPLETE) {
548 ret = GSS_S_COMPLETE;
549 } else {
550 ret = GSS_S_CONTINUE_NEEDED;
551 }
552 return ret;
553 }
554
555 /*
556 * Perform the actual verification and/or generation of mechListMIC.
557 */
558 static OM_uint32
559 process_mic(OM_uint32 *minor_status, gss_buffer_t mic_in,
560 spnego_gss_ctx_id_t sc, gss_buffer_t *mic_out,
561 OM_uint32 *negState, send_token_flag *tokflag)
562 {
563 OM_uint32 ret, tmpmin;
564 gss_qop_t qop_state;
565 gss_buffer_desc tmpmic = GSS_C_EMPTY_BUFFER;
566
567 ret = GSS_S_FAILURE;
568 if (mic_in != GSS_C_NO_BUFFER) {
569 ret = gss_verify_mic(minor_status, sc->ctx_handle,
570 &sc->DER_mechTypes,
571 mic_in, &qop_state);
572 if (ret != GSS_S_COMPLETE) {
573 *negState = REJECT;
574 *tokflag = ERROR_TOKEN_SEND;
575 return ret;
576 }
577 /* If we got a MIC, we must send a MIC. */
578 sc->mic_reqd = 1;
579 sc->mic_rcvd = 1;
580 }
581 if (sc->mic_reqd && !sc->mic_sent) {
582 ret = gss_get_mic(minor_status, sc->ctx_handle,
583 GSS_C_QOP_DEFAULT,
584 &sc->DER_mechTypes,
585 &tmpmic);
586 if (ret != GSS_S_COMPLETE) {
587 gss_release_buffer(&tmpmin, &tmpmic);
588 *tokflag = NO_TOKEN_SEND;
589 return ret;
590 }
591 *mic_out = malloc(sizeof(gss_buffer_desc));
592 if (*mic_out == GSS_C_NO_BUFFER) {
593 gss_release_buffer(&tmpmin, &tmpmic);
594 *tokflag = NO_TOKEN_SEND;
595 return GSS_S_FAILURE;
596 }
597 **mic_out = tmpmic;
598 sc->mic_sent = 1;
599 }
600 return GSS_S_COMPLETE;
601 }
602
603 /*
604 * Initial call to spnego_gss_init_sec_context().
605 */
606 static OM_uint32
607 init_ctx_new(OM_uint32 *minor_status,
608 gss_cred_id_t cred,
609 gss_ctx_id_t *ctx,
610 gss_OID_set *mechSet,
611 send_token_flag *tokflag)
612 {
613 OM_uint32 ret, tmpmin;
614 gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
615 spnego_gss_ctx_id_t sc = NULL;
616
617 /* determine negotiation mech set */
618 if (cred == GSS_C_NO_CREDENTIAL) {
619 ret = get_available_mechs(minor_status, GSS_C_NO_NAME,
620 GSS_C_INITIATE, &creds, mechSet);
621 gss_release_cred(&tmpmin, &creds);
622 } else {
623 /*
624 * Use the list of mechs included in the cred that we
625 * were given.
626 */
627 ret = gss_inquire_cred(minor_status, cred,
628 NULL, NULL, NULL, mechSet);
629 }
630 if (ret != GSS_S_COMPLETE)
631 return ret;
632
633 sc = create_spnego_ctx();
634 if (sc == NULL)
635 return GSS_S_FAILURE;
636
637 /*
638 * need to pull the first mech from mechSet to do first
639 * gss_init_sec_context()
640 */
641 ret = generic_gss_copy_oid(minor_status, (*mechSet)->elements,
642 &sc->internal_mech);
643 if (ret != GSS_S_COMPLETE) {
644 map_errcode(minor_status);
645 goto cleanup;
646 }
647
648 if (put_mech_set(*mechSet, &sc->DER_mechTypes) < 0) {
649 generic_gss_release_oid(&tmpmin, &sc->internal_mech);
650 ret = GSS_S_FAILURE;
651 goto cleanup;
652 }
653 /*
654 * The actual context is not yet determined, set the output
655 * context handle to refer to the spnego context itself.
656 */
657 sc->ctx_handle = GSS_C_NO_CONTEXT;
658 *ctx = (gss_ctx_id_t)sc;
659 *tokflag = INIT_TOKEN_SEND;
660 ret = GSS_S_CONTINUE_NEEDED;
661
662 cleanup:
663 gss_release_oid_set(&tmpmin, mechSet);
664 return ret;
665 }
666
667 /*
668 * Called by second and later calls to spnego_gss_init_sec_context()
669 * to decode reply and update state.
670 */
671 static OM_uint32
672 init_ctx_cont(OM_uint32 *minor_status, gss_ctx_id_t *ctx, gss_buffer_t buf,
673 gss_buffer_t *responseToken, gss_buffer_t *mechListMIC,
674 OM_uint32 *negState, send_token_flag *tokflag)
675 {
676 OM_uint32 ret, tmpmin, acc_negState;
677 unsigned char *ptr;
678 spnego_gss_ctx_id_t sc;
679 gss_OID supportedMech = GSS_C_NO_OID;
680
681 sc = (spnego_gss_ctx_id_t)*ctx;
682 *negState = REJECT;
683 *tokflag = ERROR_TOKEN_SEND;
684
685 ptr = buf->value;
686 ret = get_negTokenResp(minor_status, ptr, buf->length,
687 &acc_negState, &supportedMech,
688 responseToken, mechListMIC);
689 if (ret != GSS_S_COMPLETE)
690 goto cleanup;
691 if (acc_negState == ACCEPT_DEFECTIVE_TOKEN &&
692 supportedMech == GSS_C_NO_OID &&
693 *responseToken == GSS_C_NO_BUFFER &&
694 *mechListMIC == GSS_C_NO_BUFFER) {
695 /* Reject "empty" token. */
696 ret = GSS_S_DEFECTIVE_TOKEN;
697 }
698 if (acc_negState == REJECT) {
699 *minor_status = ERR_SPNEGO_NEGOTIATION_FAILED;
700 /* Solaris SPNEGO */
701 spnego_set_error_message(sc, *minor_status,
702 dgettext(TEXT_DOMAIN,
703 "SPNEGO failed to negotiate a mechanism: server rejected request"));
704 map_errcode(minor_status);
705 *tokflag = NO_TOKEN_SEND;
706 ret = GSS_S_FAILURE;
707 goto cleanup;
708 }
709 /*
710 * nego_done is false for the first call to init_ctx_cont()
711 */
712 if (!sc->nego_done) {
713 ret = init_ctx_nego(minor_status, sc,
714 acc_negState,
715 supportedMech, responseToken,
716 mechListMIC,
717 negState, tokflag);
718 } else if (!sc->mech_complete &&
719 *responseToken == GSS_C_NO_BUFFER) {
720 /*
721 * mech not finished and mech token missing
722 */
723 ret = GSS_S_DEFECTIVE_TOKEN;
724 } else if (sc->mic_reqd &&
725 (sc->ctx_flags & GSS_C_INTEG_FLAG)) {
726 *negState = ACCEPT_INCOMPLETE;
727 *tokflag = CONT_TOKEN_SEND;
728 ret = GSS_S_CONTINUE_NEEDED;
729 } else {
730 *negState = ACCEPT_COMPLETE;
731 *tokflag = NO_TOKEN_SEND;
732 ret = GSS_S_COMPLETE;
733 }
734 cleanup:
735 if (supportedMech != GSS_C_NO_OID)
736 generic_gss_release_oid(&tmpmin, &supportedMech);
737 return ret;
738 }
739
740 /*
741 * Consistency checking and mechanism negotiation handling for second
742 * call of spnego_gss_init_sec_context(). Call init_ctx_reselect() to
743 * update internal state if acceptor has counter-proposed.
744 */
745 static OM_uint32
746 init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
747 OM_uint32 acc_negState, gss_OID supportedMech,
748 gss_buffer_t *responseToken, gss_buffer_t *mechListMIC,
749 OM_uint32 *negState, send_token_flag *tokflag)
750 {
751 OM_uint32 ret;
752
753 *negState = REJECT;
754 *tokflag = ERROR_TOKEN_SEND;
755 ret = GSS_S_DEFECTIVE_TOKEN;
756 /*
757 * Both supportedMech and negState must be present in first
758 * acceptor token.
759 */
760 if (supportedMech == GSS_C_NO_OID) {
761 *minor_status = ERR_SPNEGO_NO_MECH_FROM_ACCEPTOR;
762 map_errcode(minor_status);
763 return GSS_S_DEFECTIVE_TOKEN;
764 }
765 if (acc_negState == ACCEPT_DEFECTIVE_TOKEN) {
766 *minor_status = ERR_SPNEGO_NEGOTIATION_FAILED;
767 /* Solaris SPNEGO */
768 spnego_set_error_message(sc, *minor_status,
769 dgettext(TEXT_DOMAIN,
770 "SPNEGO failed to negotiate a mechanism: defective token"));
771 map_errcode(minor_status);
772 return GSS_S_DEFECTIVE_TOKEN;
773 }
774
775 /*
776 * If the mechanism we sent is not the mechanism returned from
777 * the server, we need to handle the server's counter
778 * proposal. There is a bug in SAMBA servers that always send
779 * the old Kerberos mech OID, even though we sent the new one.
780 * So we will treat all the Kerberos mech OIDS as the same.
781 */
782 if (!(is_kerb_mech(supportedMech) &&
783 is_kerb_mech(sc->internal_mech)) &&
784 !g_OID_equal(supportedMech, sc->internal_mech)) {
785 ret = init_ctx_reselect(minor_status, sc,
786 acc_negState, supportedMech,
787 responseToken, mechListMIC,
788 negState, tokflag);
789
790 } else if (*responseToken == GSS_C_NO_BUFFER) {
791 if (sc->mech_complete) {
792 /*
793 * Mech completed on first call to its
794 * init_sec_context(). Acceptor sends no mech
795 * token.
796 */
797 *negState = ACCEPT_COMPLETE;
798 *tokflag = NO_TOKEN_SEND;
799 ret = GSS_S_COMPLETE;
800 } else {
801 /*
802 * Reject missing mech token when optimistic
803 * mech selected.
804 */
805 *minor_status = ERR_SPNEGO_NO_TOKEN_FROM_ACCEPTOR;
806 map_errcode(minor_status);
807 ret = GSS_S_DEFECTIVE_TOKEN;
808 }
809 } else if (sc->mech_complete) {
810 /* Reject spurious mech token. */
811 ret = GSS_S_DEFECTIVE_TOKEN;
812 } else {
813 *negState = ACCEPT_INCOMPLETE;
814 *tokflag = CONT_TOKEN_SEND;
815 ret = GSS_S_CONTINUE_NEEDED;
816 }
817 sc->nego_done = 1;
818 return ret;
819 }
820
821 /*
822 * Handle acceptor's counter-proposal of an alternative mechanism.
823 */
824 static OM_uint32
825 init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
826 OM_uint32 acc_negState, gss_OID supportedMech,
827 gss_buffer_t *responseToken, gss_buffer_t *mechListMIC,
828 OM_uint32 *negState, send_token_flag *tokflag)
829 {
830 OM_uint32 ret, tmpmin;
831
832 generic_gss_release_oid(&tmpmin, &sc->internal_mech);
833 gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
834 GSS_C_NO_BUFFER);
835
836 ret = generic_gss_copy_oid(minor_status, supportedMech,
837 &sc->internal_mech);
838 if (ret != GSS_S_COMPLETE) {
839 map_errcode(minor_status);
840 sc->internal_mech = GSS_C_NO_OID;
841 *tokflag = NO_TOKEN_SEND;
842 return ret;
843 }
844 if (*responseToken != GSS_C_NO_BUFFER) {
845 /* Reject spurious mech token. */
846 return GSS_S_DEFECTIVE_TOKEN;
847 }
848 /*
849 * Windows 2003 and earlier don't correctly send a
850 * negState of request-mic when counter-proposing a
851 * mechanism. They probably don't handle mechListMICs
852 * properly either.
853 */
854 if (acc_negState != REQUEST_MIC)
855 return GSS_S_DEFECTIVE_TOKEN;
856
857 sc->mech_complete = 0;
858 sc->mic_reqd = 1;
859 *negState = REQUEST_MIC;
860 *tokflag = CONT_TOKEN_SEND;
861 return GSS_S_CONTINUE_NEEDED;
862 }
863
864 /*
865 * Wrap call to mechanism gss_init_sec_context() and update state
866 * accordingly.
867 */
868 static OM_uint32
869 init_ctx_call_init(OM_uint32 *minor_status,
870 spnego_gss_ctx_id_t sc,
871 gss_cred_id_t claimant_cred_handle,
872 gss_name_t target_name,
873 OM_uint32 req_flags,
874 OM_uint32 time_req,
875 gss_buffer_t mechtok_in,
876 gss_OID *actual_mech,
877 gss_buffer_t mechtok_out,
878 OM_uint32 *ret_flags,
879 OM_uint32 *time_rec,
880 OM_uint32 *negState,
881 send_token_flag *send_token)
882 {
883 OM_uint32 ret;
884
885 ret = gss_init_sec_context(minor_status,
886 claimant_cred_handle,
887 &sc->ctx_handle,
888 target_name,
889 sc->internal_mech,
890 (req_flags | GSS_C_INTEG_FLAG),
891 time_req,
892 GSS_C_NO_CHANNEL_BINDINGS,
893 mechtok_in,
894 &sc->actual_mech,
895 mechtok_out,
896 &sc->ctx_flags,
897 time_rec);
898 if (ret == GSS_S_COMPLETE) {
899 sc->mech_complete = 1;
900 if (ret_flags != NULL)
901 *ret_flags = sc->ctx_flags;
902 /*
903 * If this isn't the first time we've been called,
904 * we're done unless a MIC needs to be
905 * generated/handled.
906 */
907 if (*send_token == CONT_TOKEN_SEND &&
908 mechtok_out->length == 0 &&
909 (!sc->mic_reqd ||
910 !(sc->ctx_flags & GSS_C_INTEG_FLAG))) {
911
912 *negState = ACCEPT_COMPLETE;
913 ret = GSS_S_COMPLETE;
914 if (mechtok_out->length == 0) {
915 *send_token = NO_TOKEN_SEND;
916 }
917 } else {
918 *negState = ACCEPT_INCOMPLETE;
919 ret = GSS_S_CONTINUE_NEEDED;
920 }
921 } else if (ret != GSS_S_CONTINUE_NEEDED) {
922 if (*send_token == INIT_TOKEN_SEND) {
923 /* Don't output token on error if first call. */
924 *send_token = NO_TOKEN_SEND;
925 } else {
926 *send_token = ERROR_TOKEN_SEND;
927 }
928 *negState = REJECT;
929 }
930 return ret;
931 }
932
933 /*ARGSUSED*/
934 OM_uint32
935 glue_spnego_gss_init_sec_context(
936 void *context,
937 OM_uint32 *minor_status,
938 gss_cred_id_t claimant_cred_handle,
939 gss_ctx_id_t *context_handle,
940 gss_name_t target_name,
941 gss_OID mech_type,
942 OM_uint32 req_flags,
943 OM_uint32 time_req,
944 gss_channel_bindings_t input_chan_bindings,
945 gss_buffer_t input_token,
946 gss_OID *actual_mech,
947 gss_buffer_t output_token,
948 OM_uint32 *ret_flags,
949 OM_uint32 *time_rec)
950 {
951 return(spnego_gss_init_sec_context(
952 minor_status,
953 claimant_cred_handle,
954 context_handle,
955 target_name,
956 mech_type,
957 req_flags,
958 time_req,
959 input_chan_bindings,
960 input_token,
961 actual_mech,
962 output_token,
963 ret_flags,
964 time_rec));
965 }
966
967 /*ARGSUSED*/
968 OM_uint32
969 spnego_gss_init_sec_context(
970 OM_uint32 *minor_status,
971 gss_cred_id_t claimant_cred_handle,
972 gss_ctx_id_t *context_handle,
973 gss_name_t target_name,
974 gss_OID mech_type,
975 OM_uint32 req_flags,
976 OM_uint32 time_req,
977 gss_channel_bindings_t input_chan_bindings,
978 gss_buffer_t input_token,
979 gss_OID *actual_mech,
980 gss_buffer_t output_token,
981 OM_uint32 *ret_flags,
982 OM_uint32 *time_rec)
983 {
984 /*
985 * send_token is used to indicate in later steps
986 * what type of token, if any should be sent or processed.
987 * NO_TOKEN_SEND = no token should be sent
988 * INIT_TOKEN_SEND = initial token will be sent
989 * CONT_TOKEN_SEND = continuing tokens to be sent
990 * CHECK_MIC = no token to be sent, but have a MIC to check.
991 */
992 send_token_flag send_token = NO_TOKEN_SEND;
993 OM_uint32 tmpmin, ret, negState;
994 gss_buffer_t mechtok_in, mechListMIC_in, mechListMIC_out;
995 gss_buffer_desc mechtok_out = GSS_C_EMPTY_BUFFER;
996 gss_OID_set mechSet = GSS_C_NO_OID_SET;
997 spnego_gss_ctx_id_t spnego_ctx = NULL;
998
999 dsyslog("Entering init_sec_context\n");
1000
1001 mechtok_in = mechListMIC_out = mechListMIC_in = GSS_C_NO_BUFFER;
1002 negState = REJECT;
1003
1004 if (minor_status != NULL)
1005 *minor_status = 0;
1006 if (output_token != GSS_C_NO_BUFFER) {
1007 output_token->length = 0;
1008 output_token->value = NULL;
1009 }
1010 if (minor_status == NULL ||
1011 output_token == GSS_C_NO_BUFFER ||
1012 context_handle == NULL)
1013 return GSS_S_CALL_INACCESSIBLE_WRITE;
1014
1015 if (actual_mech != NULL)
1016 *actual_mech = GSS_C_NO_OID;
1017
1018 if (*context_handle == GSS_C_NO_CONTEXT) {
1019 ret = init_ctx_new(minor_status, claimant_cred_handle,
1020 context_handle, &mechSet, &send_token);
1021 if (ret != GSS_S_CONTINUE_NEEDED) {
1022 goto cleanup;
1023 }
1024 } else {
1025 ret = init_ctx_cont(minor_status, context_handle,
1026 input_token, &mechtok_in,
1027 &mechListMIC_in, &negState, &send_token);
1028 if (HARD_ERROR(ret)) {
1029 goto cleanup;
1030 }
1031 }
1032 spnego_ctx = (spnego_gss_ctx_id_t)*context_handle;
1033
1034 /* Solaris SPNEGO */
1035 if (*minor_status == ERR_SPNEGO_NEGOTIATION_FAILED)
1036 spnego_gss_save_error_info(*minor_status, spnego_ctx);
1037
1038 if (!spnego_ctx->mech_complete) {
1039 ret = init_ctx_call_init(
1040 minor_status, spnego_ctx,
1041 claimant_cred_handle,
1042 target_name, req_flags,
1043 time_req, mechtok_in,
1044 actual_mech, &mechtok_out,
1045 ret_flags, time_rec,
1046 &negState, &send_token);
1047 }
1048 /* create mic/check mic */
1049 if (!HARD_ERROR(ret) && spnego_ctx->mech_complete &&
1050 (spnego_ctx->ctx_flags & GSS_C_INTEG_FLAG)) {
1051
1052 ret = handle_mic(minor_status,
1053 mechListMIC_in,
1054 (mechtok_out.length != 0),
1055 spnego_ctx, &mechListMIC_out,
1056 &negState, &send_token);
1057 }
1058 cleanup:
1059 if (send_token == INIT_TOKEN_SEND) {
1060 if (make_spnego_tokenInit_msg(spnego_ctx,
1061 0,
1062 mechListMIC_out,
1063 req_flags,
1064 &mechtok_out, send_token,
1065 output_token) < 0) {
1066 ret = GSS_S_FAILURE;
1067 }
1068 } else if (send_token != NO_TOKEN_SEND) {
1069 if (make_spnego_tokenTarg_msg(negState, GSS_C_NO_OID,
1070 &mechtok_out, mechListMIC_out,
1071 send_token,
1072 output_token) < 0) {
1073 ret = GSS_S_FAILURE;
1074 }
1075 }
1076 gss_release_buffer(&tmpmin, &mechtok_out);
1077 if (ret == GSS_S_COMPLETE) {
1078 /*
1079 * Now, switch the output context to refer to the
1080 * negotiated mechanism's context.
1081 */
1082 *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
1083 if (actual_mech != NULL)
1084 *actual_mech = spnego_ctx->actual_mech;
1085 if (ret_flags != NULL)
1086 *ret_flags = spnego_ctx->ctx_flags;
1087 release_spnego_ctx(&spnego_ctx);
1088 } else if (ret != GSS_S_CONTINUE_NEEDED) {
1089 if (spnego_ctx != NULL) {
1090 gss_delete_sec_context(&tmpmin,
1091 &spnego_ctx->ctx_handle,
1092 GSS_C_NO_BUFFER);
1093 release_spnego_ctx(&spnego_ctx);
1094 }
1095 *context_handle = GSS_C_NO_CONTEXT;
1096 }
1097 if (mechtok_in != GSS_C_NO_BUFFER) {
1098 gss_release_buffer(&tmpmin, mechtok_in);
1099 free(mechtok_in);
1100 }
1101 if (mechListMIC_in != GSS_C_NO_BUFFER) {
1102 gss_release_buffer(&tmpmin, mechListMIC_in);
1103 free(mechListMIC_in);
1104 }
1105 if (mechListMIC_out != GSS_C_NO_BUFFER) {
1106 gss_release_buffer(&tmpmin, mechListMIC_out);
1107 free(mechListMIC_out);
1108 }
1109 if (mechSet != GSS_C_NO_OID_SET) {
1110 gss_release_oid_set(&tmpmin, &mechSet);
1111 }
1112 return ret;
1113 } /* init_sec_context */
1114
1115 /* We don't want to import KRB5 headers here */
1116 static const gss_OID_desc gss_mech_krb5_oid =
1117 { 9, "\052\206\110\206\367\022\001\002\002" };
1118 static const gss_OID_desc gss_mech_krb5_wrong_oid =
1119 { 9, "\052\206\110\202\367\022\001\002\002" };
1120
1121 /*
1122 * verify that the input token length is not 0. If it is, just return.
1123 * If the token length is greater than 0, der encode as a sequence
1124 * and place in buf_out, advancing buf_out.
1125 */
1126
1127 static int
1128 put_neg_hints(unsigned char **buf_out, gss_buffer_t input_token,
1129 unsigned int buflen)
1130 {
1131 int ret;
1132
1133 /* if token length is 0, we do not want to send */
1134 if (input_token->length == 0)
1135 return (0);
1136
1137 if (input_token->length > buflen)
1138 return (-1);
1139
1140 *(*buf_out)++ = SEQUENCE;
1141 if ((ret = gssint_put_der_length(input_token->length, buf_out,
1142 input_token->length)))
1143 return (ret);
1144 TWRITE_STR(*buf_out, input_token->value, input_token->length);
1145 return (0);
1146 }
1147
1148 /*
1149 * NegHints ::= SEQUENCE {
1150 * hintName [0] GeneralString OPTIONAL,
1151 * hintAddress [1] OCTET STRING OPTIONAL
1152 * }
1153 */
1154
1155 #define HOST_PREFIX "host@"
1156 #define HOST_PREFIX_LEN (sizeof(HOST_PREFIX) - 1)
1157
1158 static int
1159 make_NegHints(OM_uint32 *minor_status,
1160 gss_cred_id_t cred, gss_buffer_t *outbuf)
1161 {
1162 gss_buffer_desc hintNameBuf;
1163 gss_name_t hintName = GSS_C_NO_NAME;
1164 gss_name_t hintKerberosName;
1165 gss_OID hintNameType;
1166 OM_uint32 major_status;
1167 OM_uint32 minor;
1168 unsigned int tlen = 0;
1169 unsigned int hintNameSize = 0;
1170 unsigned int negHintsSize = 0;
1171 unsigned char *ptr;
1172 unsigned char *t;
1173
1174 *outbuf = GSS_C_NO_BUFFER;
1175
1176 if (cred != GSS_C_NO_CREDENTIAL) {
1177 major_status = gss_inquire_cred(minor_status,
1178 cred,
1179 &hintName,
1180 NULL,
1181 NULL,
1182 NULL);
1183 if (major_status != GSS_S_COMPLETE)
1184 return (major_status);
1185 }
1186
1187 if (hintName == GSS_C_NO_NAME) {
1188 krb5_error_code code;
1189 krb5int_access kaccess;
1190 char hostname[HOST_PREFIX_LEN + MAXHOSTNAMELEN + 1] = HOST_PREFIX;
1191
1192 code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION);
1193 if (code != 0) {
1194 *minor_status = code;
1195 return (GSS_S_FAILURE);
1196 }
1197
1198 /* this breaks mutual authentication but Samba relies on it */
1199 code = (*kaccess.clean_hostname)(NULL, NULL,
1200 &hostname[HOST_PREFIX_LEN],
1201 MAXHOSTNAMELEN);
1202 if (code != 0) {
1203 *minor_status = code;
1204 return (GSS_S_FAILURE);
1205 }
1206
1207 hintNameBuf.value = hostname;
1208 hintNameBuf.length = strlen(hostname);
1209
1210 major_status = gss_import_name(minor_status,
1211 &hintNameBuf,
1212 GSS_C_NT_HOSTBASED_SERVICE,
1213 &hintName);
1214 if (major_status != GSS_S_COMPLETE) {
1215 return (major_status);
1216 }
1217 }
1218
1219 hintNameBuf.value = NULL;
1220 hintNameBuf.length = 0;
1221
1222 major_status = gss_canonicalize_name(minor_status,
1223 hintName,
1224 (gss_OID)&gss_mech_krb5_oid,
1225 &hintKerberosName);
1226 if (major_status != GSS_S_COMPLETE) {
1227 gss_release_name(&minor, &hintName);
1228 return (major_status);
1229 }
1230 gss_release_name(&minor, &hintName);
1231
1232 major_status = gss_display_name(minor_status,
1233 hintKerberosName,
1234 &hintNameBuf,
1235 &hintNameType);
1236 if (major_status != GSS_S_COMPLETE) {
1237 gss_release_name(&minor, &hintKerberosName);
1238 return (major_status);
1239 }
1240 gss_release_name(&minor, &hintKerberosName);
1241
1242 /*
1243 * Now encode the name hint into a NegHints ASN.1 type
1244 */
1245 major_status = GSS_S_FAILURE;
1246
1247 /* Length of DER encoded GeneralString */
1248 tlen = 1 + gssint_der_length_size(hintNameBuf.length) +
1249 hintNameBuf.length;
1250 hintNameSize = tlen;
1251
1252 /* Length of DER encoded hintName */
1253 tlen += 1 + gssint_der_length_size(hintNameSize);
1254 negHintsSize = tlen;
1255
1256 t = (unsigned char *)malloc(tlen);
1257 if (t == NULL) {
1258 *minor_status = ENOMEM;
1259 goto errout;
1260 }
1261
1262 ptr = t;
1263
1264 *ptr++ = CONTEXT | 0x00; /* hintName identifier */
1265 if (gssint_put_der_length(hintNameSize,
1266 &ptr, tlen - (int)(ptr-t)))
1267 goto errout;
1268
1269 *ptr++ = GENERAL_STRING;
1270 if (gssint_put_der_length(hintNameBuf.length,
1271 &ptr, tlen - (int)(ptr-t)))
1272 goto errout;
1273
1274 memcpy(ptr, hintNameBuf.value, hintNameBuf.length);
1275 ptr += hintNameBuf.length;
1276
1277 *outbuf = (gss_buffer_t)malloc(sizeof(gss_buffer_desc));
1278 if (*outbuf == NULL) {
1279 *minor_status = ENOMEM;
1280 goto errout;
1281 }
1282 (*outbuf)->value = (void *)t;
1283 (*outbuf)->length = ptr - t;
1284
1285 t = NULL; /* don't free */
1286
1287 *minor_status = 0;
1288 major_status = GSS_S_COMPLETE;
1289
1290 errout:
1291 if (t != NULL) {
1292 free(t);
1293 }
1294
1295 gss_release_buffer(&minor, &hintNameBuf);
1296 return (major_status);
1297 }
1298
1299 static OM_uint32
1300 acc_ctx_hints(OM_uint32 *minor_status,
1301 gss_ctx_id_t *ctx,
1302 gss_cred_id_t cred,
1303 gss_buffer_t *mechListMIC,
1304 OM_uint32 *negState,
1305 send_token_flag *return_token)
1306 {
1307 OM_uint32 tmpmin, ret;
1308 gss_OID_set supported_mechSet;
1309 spnego_gss_ctx_id_t sc = NULL;
1310
1311 *mechListMIC = GSS_C_NO_BUFFER;
1312 supported_mechSet = GSS_C_NO_OID_SET;
1313 *return_token = ERROR_TOKEN_SEND;
1314 *negState = REJECT;
1315 *minor_status = 0;
1316
1317 *ctx = GSS_C_NO_CONTEXT;
1318 ret = GSS_S_DEFECTIVE_TOKEN;
1319
1320 if (cred != GSS_C_NO_CREDENTIAL) {
1321 ret = gss_inquire_cred(minor_status, cred, NULL, NULL,
1322 NULL, &supported_mechSet);
1323 if (ret != GSS_S_COMPLETE) {
1324 *return_token = NO_TOKEN_SEND;
1325 goto cleanup;
1326 }
1327 } else {
1328 ret = get_available_mechs(minor_status, GSS_C_NO_NAME,
1329 GSS_C_ACCEPT, NULL,
1330 &supported_mechSet);
1331 if (ret != GSS_S_COMPLETE) {
1332 *return_token = NO_TOKEN_SEND;
1333 goto cleanup;
1334 }
1335 }
1336
1337 ret = make_NegHints(minor_status, cred, mechListMIC);
1338 if (ret != GSS_S_COMPLETE) {
1339 *return_token = NO_TOKEN_SEND;
1340 goto cleanup;
1341 }
1342
1343 /*
1344 * Select the best match between the list of mechs
1345 * that the initiator requested and the list that
1346 * the acceptor will support.
1347 */
1348 sc = create_spnego_ctx();
1349 if (sc == NULL) {
1350 ret = GSS_S_FAILURE;
1351 *return_token = NO_TOKEN_SEND;
1352 goto cleanup;
1353 }
1354 if (put_mech_set(supported_mechSet, &sc->DER_mechTypes) < 0) {
1355 ret = GSS_S_FAILURE;
1356 *return_token = NO_TOKEN_SEND;
1357 goto cleanup;
1358 }
1359 sc->internal_mech = GSS_C_NO_OID;
1360
1361 *negState = ACCEPT_INCOMPLETE;
1362 *return_token = INIT_TOKEN_SEND;
1363 sc->firstpass = 1;
1364 *ctx = (gss_ctx_id_t)sc;
1365 ret = GSS_S_COMPLETE;
1366
1367 cleanup:
1368 gss_release_oid_set(&tmpmin, &supported_mechSet);
1369 return ret;
1370 }
1371
1372 /*
1373 * Solaris SPNEGO
1374 * mechoidset2str()
1375 * Input an OID set of mechs and output a string like so:
1376 * '{ x y z } (mechname0), { a b c } (mechname1) ...'.
1377 * On error return NULL.
1378 * Caller needs to free returned string.
1379 */
1380 static const char *mech_no_map = "Can't map OID to mechname via /etc/gss/mech";
1381 static const char *oid_no_map = "Can't map OID to string";
1382 static char *
1383 mechoidset2str(gss_OID_set mechset)
1384 {
1385 int i, l;
1386 char buf[256] = {0};
1387 char *s = NULL;
1388
1389 if (!mechset)
1390 return NULL;
1391
1392 for (i = 0; i < mechset->count; i++) {
1393 OM_uint32 maj, min;
1394 gss_buffer_desc oidstr;
1395 gss_buffer_t oidstrp = &oidstr;
1396 gss_OID mech_oid = &mechset->elements[i];
1397 /* No need to free mech_name. */
1398 const char *mech_name = __gss_oid_to_mech(mech_oid);
1399
1400 if (i > 0)
1401 if (strlcat(buf, ", ", sizeof (buf)) >= sizeof (buf)) {
1402 if (oidstrp->value)
1403 gss_release_buffer(&min, oidstrp);
1404 break;
1405 }
1406
1407 /* Add '{ x y x ... }'. */
1408 maj = gss_oid_to_str(&min, mech_oid, oidstrp);
1409 if (strlcat(buf, maj ? oid_no_map : oidstrp->value,
1410 sizeof (buf)) >= sizeof (buf)) {
1411 if (oidstrp->value)
1412 gss_release_buffer(&min, oidstrp);
1413 break;
1414 }
1415 if (oidstrp->value)
1416 gss_release_buffer(&min, oidstrp);
1417
1418 /* Add '(mech name)'. */
1419 if (strlcat(buf, " (", sizeof (buf)) >= sizeof (buf))
1420 break;
1421 if (strlcat(buf, mech_name ? mech_name : mech_no_map,
1422 sizeof (buf)) >= sizeof (buf))
1423 break;
1424 if (strlcat(buf, ") ", sizeof (buf)) >= sizeof (buf))
1425 break;
1426 }
1427
1428 /* Even if we have buf overflow, let's output what we got so far. */
1429 if (mechset->count) {
1430 l = strlen(buf);
1431 if (l > 0) {
1432 s = malloc(l + 1);
1433 if (!s)
1434 return NULL;
1435 (void) strlcpy(s, buf, l);
1436 }
1437 }
1438
1439 return s ? s : NULL;
1440 }
1441
1442 /*
1443 * Set negState to REJECT if the token is defective, else
1444 * ACCEPT_INCOMPLETE or REQUEST_MIC, depending on whether initiator's
1445 * preferred mechanism is supported.
1446 */
1447 static OM_uint32
1448 acc_ctx_new(OM_uint32 *minor_status,
1449 gss_buffer_t buf,
1450 gss_ctx_id_t *ctx,
1451 gss_cred_id_t cred,
1452 gss_buffer_t *mechToken,
1453 gss_buffer_t *mechListMIC,
1454 OM_uint32 *negState,
1455 send_token_flag *return_token)
1456 {
1457 OM_uint32 tmpmin, ret, req_flags;
1458 gss_OID_set supported_mechSet, mechTypes;
1459 gss_buffer_desc der_mechTypes;
1460 gss_OID mech_wanted;
1461 spnego_gss_ctx_id_t sc = NULL;
1462
1463 ret = GSS_S_DEFECTIVE_TOKEN;
1464 der_mechTypes.length = 0;
1465 der_mechTypes.value = NULL;
1466 *mechToken = *mechListMIC = GSS_C_NO_BUFFER;
1467 supported_mechSet = mechTypes = GSS_C_NO_OID_SET;
1468 *return_token = ERROR_TOKEN_SEND;
1469 *negState = REJECT;
1470 *minor_status = 0;
1471
1472 ret = get_negTokenInit(minor_status, buf, &der_mechTypes,
1473 &mechTypes, &req_flags,
1474 mechToken, mechListMIC);
1475 if (ret != GSS_S_COMPLETE) {
1476 goto cleanup;
1477 }
1478 if (cred != GSS_C_NO_CREDENTIAL) {
1479 ret = gss_inquire_cred(minor_status, cred, NULL, NULL,
1480 NULL, &supported_mechSet);
1481 if (ret != GSS_S_COMPLETE) {
1482 *return_token = NO_TOKEN_SEND;
1483 goto cleanup;
1484 }
1485 } else {
1486 ret = get_available_mechs(minor_status, GSS_C_NO_NAME,
1487 GSS_C_ACCEPT, NULL,
1488 &supported_mechSet);
1489 if (ret != GSS_S_COMPLETE) {
1490 *return_token = NO_TOKEN_SEND;
1491 goto cleanup;
1492 }
1493 }
1494 /*
1495 * Select the best match between the list of mechs
1496 * that the initiator requested and the list that
1497 * the acceptor will support.
1498 */
1499 mech_wanted = negotiate_mech_type(minor_status,
1500 supported_mechSet,
1501 mechTypes,
1502 negState);
1503 if (*negState == REJECT) {
1504 /* Solaris SPNEGO: Spruce-up error msg */
1505 char *mechTypesStr = mechoidset2str(mechTypes);
1506 spnego_gss_ctx_id_t tmpsc = create_spnego_ctx();
1507 if (tmpsc && *minor_status == ERR_SPNEGO_NEGOTIATION_FAILED) {
1508 spnego_set_error_message(tmpsc, *minor_status,
1509 dgettext(TEXT_DOMAIN,
1510 "SPNEGO failed to negotiate a mechanism: client requested mech set '%s'"),
1511 mechTypesStr ? mechTypesStr : "<null>");
1512 }
1513 free(mechTypesStr);
1514
1515 /*
1516 * We save error here cuz the tmp ctx goes away (very) soon.
1517 * So callers of acc_ctx_new() should NOT call it again.
1518 */
1519 spnego_gss_save_error_info(*minor_status, tmpsc);
1520 if (tmpsc)
1521 release_spnego_ctx(&tmpsc);
1522 ret = GSS_S_BAD_MECH;
1523 goto cleanup;
1524 }
1525
1526 sc = (spnego_gss_ctx_id_t)*ctx;
1527 if (sc != NULL) {
1528 gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
1529 assert(mech_wanted != GSS_C_NO_OID);
1530 } else
1531 sc = create_spnego_ctx();
1532 if (sc == NULL) {
1533 ret = GSS_S_FAILURE;
1534 *return_token = NO_TOKEN_SEND;
1535 generic_gss_release_oid(&tmpmin, &mech_wanted);
1536 goto cleanup;
1537 }
1538 sc->internal_mech = mech_wanted;
1539 sc->DER_mechTypes = der_mechTypes;
1540 der_mechTypes.length = 0;
1541 der_mechTypes.value = NULL;
1542
1543 if (*negState == REQUEST_MIC)
1544 sc->mic_reqd = 1;
1545
1546 *return_token = INIT_TOKEN_SEND;
1547 sc->firstpass = 1;
1548 *ctx = (gss_ctx_id_t)sc;
1549 ret = GSS_S_COMPLETE;
1550 cleanup:
1551 gss_release_oid_set(&tmpmin, &mechTypes);
1552 gss_release_oid_set(&tmpmin, &supported_mechSet);
1553 if (der_mechTypes.length != 0)
1554 gss_release_buffer(&tmpmin, &der_mechTypes);
1555 return ret;
1556 }
1557
1558 static OM_uint32
1559 acc_ctx_cont(OM_uint32 *minstat,
1560 gss_buffer_t buf,
1561 gss_ctx_id_t *ctx,
1562 gss_buffer_t *responseToken,
1563 gss_buffer_t *mechListMIC,
1564 OM_uint32 *negState,
1565 send_token_flag *return_token)
1566 {
1567 OM_uint32 ret, tmpmin;
1568 gss_OID supportedMech;
1569 spnego_gss_ctx_id_t sc;
1570 unsigned int len;
1571 unsigned char *ptr, *bufstart;
1572
1573 sc = (spnego_gss_ctx_id_t)*ctx;
1574 ret = GSS_S_DEFECTIVE_TOKEN;
1575 *negState = REJECT;
1576 *minstat = 0;
1577 supportedMech = GSS_C_NO_OID;
1578 *return_token = ERROR_TOKEN_SEND;
1579 *responseToken = *mechListMIC = GSS_C_NO_BUFFER;
1580
1581 ptr = bufstart = buf->value;
1582 #define REMAIN (buf->length - (ptr - bufstart))
1583 if (REMAIN > INT_MAX)
1584 return GSS_S_DEFECTIVE_TOKEN;
1585
1586 /*
1587 * Attempt to work with old Sun SPNEGO.
1588 */
1589 if (*ptr == HEADER_ID) {
1590 ret = g_verify_token_header(gss_mech_spnego,
1591 &len, &ptr, 0, REMAIN);
1592 if (ret) {
1593 *minstat = ret;
1594 return GSS_S_DEFECTIVE_TOKEN;
1595 }
1596 }
1597 if (*ptr != (CONTEXT | 0x01)) {
1598 return GSS_S_DEFECTIVE_TOKEN;
1599 }
1600 ret = get_negTokenResp(minstat, ptr, REMAIN,
1601 negState, &supportedMech,
1602 responseToken, mechListMIC);
1603 if (ret != GSS_S_COMPLETE)
1604 goto cleanup;
1605
1606 if (*responseToken == GSS_C_NO_BUFFER &&
1607 *mechListMIC == GSS_C_NO_BUFFER) {
1608
1609 ret = GSS_S_DEFECTIVE_TOKEN;
1610 goto cleanup;
1611 }
1612 if (supportedMech != GSS_C_NO_OID) {
1613 ret = GSS_S_DEFECTIVE_TOKEN;
1614 goto cleanup;
1615 }
1616 sc->firstpass = 0;
1617 *negState = ACCEPT_INCOMPLETE;
1618 *return_token = CONT_TOKEN_SEND;
1619 cleanup:
1620 if (supportedMech != GSS_C_NO_OID) {
1621 generic_gss_release_oid(&tmpmin, &supportedMech);
1622 }
1623 return ret;
1624 #undef REMAIN
1625 }
1626
1627 /*
1628 * Verify that mech OID is either exactly the same as the negotiated
1629 * mech OID, or is a mech OID supported by the negotiated mech. MS
1630 * implementations can list a most preferred mech using an incorrect
1631 * krb5 OID while emitting a krb5 initiator mech token having the
1632 * correct krb5 mech OID.
1633 */
1634 static OM_uint32
1635 acc_ctx_vfy_oid(OM_uint32 *minor_status,
1636 spnego_gss_ctx_id_t sc, gss_OID mechoid,
1637 OM_uint32 *negState, send_token_flag *tokflag)
1638 {
1639 OM_uint32 ret, tmpmin;
1640 gss_mechanism mech = NULL;
1641 gss_OID_set mech_set = GSS_C_NO_OID_SET;
1642 int present = 0;
1643
1644 if (g_OID_equal(sc->internal_mech, mechoid))
1645 return GSS_S_COMPLETE;
1646
1647 /*
1648 * SUNW17PACresync
1649 * If both mechs are kerb, we are done.
1650 */
1651 if (is_kerb_mech(mechoid) && is_kerb_mech(sc->internal_mech)) {
1652 return GSS_S_COMPLETE;
1653 }
1654
1655 mech = gssint_get_mechanism(mechoid);
1656 if (mech == NULL || mech->gss_indicate_mechs == NULL) {
1657 *minor_status = ERR_SPNEGO_NEGOTIATION_FAILED;
1658 {
1659 /*
1660 * Solaris SPNEGO
1661 * Spruce-up error msg.
1662 */
1663 OM_uint32 maj, maj_sc, min;
1664 gss_buffer_desc oidstr, oidstr_sc;
1665 /* No need to free mnamestr. */
1666 const char *mnamestr = __gss_oid_to_mech(
1667 sc->internal_mech);
1668 maj_sc = gss_oid_to_str(&min,
1669 sc->internal_mech,
1670 &oidstr_sc);
1671 maj = gss_oid_to_str(&min, mechoid, &oidstr);
1672 spnego_set_error_message(sc, *minor_status,
1673 dgettext(TEXT_DOMAIN,
1674 "SPNEGO failed to negotiate a mechanism: unsupported mech OID ('%s') in the token. Negotiated mech OID is '%s' (%s)"),
1675 maj ? oid_no_map: oidstr.value,
1676 maj_sc ? oid_no_map: oidstr_sc.value,
1677 mnamestr ? mnamestr : mech_no_map);
1678 if (!maj)
1679 (void) gss_release_buffer(&min, &oidstr);
1680 if (!maj_sc)
1681 (void) gss_release_buffer(&min, &oidstr_sc);
1682 }
1683 map_errcode(minor_status);
1684 *negState = REJECT;
1685 *tokflag = ERROR_TOKEN_SEND;
1686 return GSS_S_BAD_MECH;
1687 }
1688 ret = mech->gss_indicate_mechs(mech->context, minor_status, &mech_set);
1689 if (ret != GSS_S_COMPLETE) {
1690 *tokflag = NO_TOKEN_SEND;
1691 map_error(minor_status, mech);
1692 goto cleanup;
1693 }
1694 ret = gss_test_oid_set_member(minor_status, sc->internal_mech,
1695 mech_set, &present);
1696 if (ret != GSS_S_COMPLETE)
1697 goto cleanup;
1698 if (!present) {
1699 {
1700 /*
1701 * Solaris SPNEGO
1702 * Spruce-up error msg.
1703 */
1704 OM_uint32 maj, min;
1705 gss_buffer_desc oidstr;
1706 char *mech_set_str = mechoidset2str(mech_set);
1707 /* No need to free mnamestr. */
1708 const char *mnamestr =
1709 __gss_oid_to_mech(sc->internal_mech);
1710 maj = gss_oid_to_str(&min, sc->internal_mech, &oidstr);
1711 *minor_status = ERR_SPNEGO_NEGOTIATION_FAILED;
1712 spnego_set_error_message(sc, *minor_status,
1713 dgettext(TEXT_DOMAIN,
1714 "SPNEGO failed to negotiate a mechanism: negotiated mech OID '%s' (%s) not found in mechset ('%s') of token mech"),
1715 maj ? oid_no_map: oidstr.value,
1716 mnamestr ? mnamestr : mech_no_map,
1717 mech_set_str ? mech_set_str : "<null>");
1718 if (!maj)
1719 (void) gss_release_buffer(&min, &oidstr);
1720 free(mech_set_str);
1721 }
1722 map_errcode(minor_status);
1723 *negState = REJECT;
1724 *tokflag = ERROR_TOKEN_SEND;
1725 ret = GSS_S_BAD_MECH;
1726 }
1727 cleanup:
1728 gss_release_oid_set(&tmpmin, &mech_set);
1729 return ret;
1730 }
1731 #ifndef LEAN_CLIENT
1732 /*
1733 * Wrap call to gss_accept_sec_context() and update state
1734 * accordingly.
1735 */
1736 static OM_uint32
1737 acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
1738 gss_cred_id_t cred, gss_buffer_t mechtok_in,
1739 gss_OID *mech_type, gss_buffer_t mechtok_out,
1740 OM_uint32 *ret_flags, OM_uint32 *time_rec,
1741 gss_cred_id_t *delegated_cred_handle,
1742 OM_uint32 *negState, send_token_flag *tokflag)
1743 {
1744 OM_uint32 ret;
1745 gss_OID_desc mechoid;
1746
1747 if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
1748 /*
1749 * mechoid is an alias; don't free it.
1750 */
1751 ret = gssint_get_mech_type(&mechoid, mechtok_in);
1752 if (ret != GSS_S_COMPLETE) {
1753 *tokflag = NO_TOKEN_SEND;
1754 return ret;
1755 }
1756 ret = acc_ctx_vfy_oid(minor_status, sc, &mechoid,
1757 negState, tokflag);
1758 if (ret != GSS_S_COMPLETE)
1759 return ret;
1760 }
1761
1762 ret = gss_accept_sec_context(minor_status,
1763 &sc->ctx_handle,
1764 cred,
1765 mechtok_in,
1766 GSS_C_NO_CHANNEL_BINDINGS,
1767 &sc->internal_name,
1768 mech_type,
1769 mechtok_out,
1770 &sc->ctx_flags,
1771 time_rec,
1772 delegated_cred_handle);
1773
1774 if (ret == GSS_S_COMPLETE) {
1775 #ifdef MS_BUG_TEST
1776 /*
1777 * Force MIC to be not required even if we previously
1778 * requested a MIC.
1779 */
1780 char *envstr = getenv("MS_FORCE_NO_MIC");
1781
1782 if (envstr != NULL && strcmp(envstr, "1") == 0 &&
1783 !(sc->ctx_flags & GSS_C_MUTUAL_FLAG) &&
1784 sc->mic_reqd) {
1785
1786 sc->mic_reqd = 0;
1787 }
1788 #endif
1789 sc->mech_complete = 1;
1790 if (ret_flags != NULL)
1791 *ret_flags = sc->ctx_flags;
1792
1793 if (!sc->mic_reqd) {
1794 *negState = ACCEPT_COMPLETE;
1795 ret = GSS_S_COMPLETE;
1796 } else {
1797 ret = GSS_S_CONTINUE_NEEDED;
1798 }
1799 } else if (ret != GSS_S_CONTINUE_NEEDED) {
1800 *negState = REJECT;
1801 *tokflag = ERROR_TOKEN_SEND;
1802 }
1803 return ret;
1804 }
1805
1806 /*ARGSUSED*/
1807 OM_uint32
1808 glue_spnego_gss_accept_sec_context(
1809 void *context,
1810 OM_uint32 *minor_status,
1811 gss_ctx_id_t *context_handle,
1812 gss_cred_id_t verifier_cred_handle,
1813 gss_buffer_t input_token,
1814 gss_channel_bindings_t input_chan_bindings,
1815 gss_name_t *src_name,
1816 gss_OID *mech_type,
1817 gss_buffer_t output_token,
1818 OM_uint32 *ret_flags,
1819 OM_uint32 *time_rec,
1820 gss_cred_id_t *delegated_cred_handle)
1821 {
1822 return(spnego_gss_accept_sec_context(
1823 minor_status,
1824 context_handle,
1825 verifier_cred_handle,
1826 input_token,
1827 input_chan_bindings,
1828 src_name,
1829 mech_type,
1830 output_token,
1831 ret_flags,
1832 time_rec,
1833 delegated_cred_handle));
1834 }
1835
1836 /*ARGSUSED*/
1837 OM_uint32
1838 spnego_gss_accept_sec_context(
1839 OM_uint32 *minor_status,
1840 gss_ctx_id_t *context_handle,
1841 gss_cred_id_t verifier_cred_handle,
1842 gss_buffer_t input_token,
1843 gss_channel_bindings_t input_chan_bindings,
1844 gss_name_t *src_name,
1845 gss_OID *mech_type,
1846 gss_buffer_t output_token,
1847 OM_uint32 *ret_flags,
1848 OM_uint32 *time_rec,
1849 gss_cred_id_t *delegated_cred_handle)
1850 {
1851 OM_uint32 ret, tmpmin, negState;
1852 send_token_flag return_token;
1853 gss_buffer_t mechtok_in, mic_in, mic_out;
1854 gss_buffer_desc mechtok_out = GSS_C_EMPTY_BUFFER;
1855 spnego_gss_ctx_id_t sc = NULL;
1856 OM_uint32 mechstat = GSS_S_FAILURE;
1857 int sendTokenInit = 0, tmpret;
1858
1859 mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
1860
1861 if (minor_status != NULL)
1862 *minor_status = 0;
1863 if (output_token != GSS_C_NO_BUFFER) {
1864 output_token->length = 0;
1865 output_token->value = NULL;
1866 }
1867
1868
1869 if (minor_status == NULL ||
1870 output_token == GSS_C_NO_BUFFER ||
1871 context_handle == NULL) {
1872 return GSS_S_CALL_INACCESSIBLE_WRITE;
1873 }
1874
1875 if (input_token == GSS_C_NO_BUFFER) {
1876 return GSS_S_CALL_INACCESSIBLE_READ;
1877 }
1878
1879 sc = (spnego_gss_ctx_id_t)*context_handle;
1880 if (sc == NULL || sc->internal_mech == GSS_C_NO_OID) {
1881 if (src_name != NULL)
1882 *src_name = GSS_C_NO_NAME;
1883 if (mech_type != NULL)
1884 *mech_type = GSS_C_NO_OID;
1885 if (time_rec != NULL)
1886 *time_rec = 0;
1887 if (ret_flags != NULL)
1888 *ret_flags = 0;
1889 if (delegated_cred_handle != NULL)
1890 *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1891 if (input_token->length == 0) {
1892 ret = acc_ctx_hints(minor_status,
1893 context_handle,
1894 verifier_cred_handle,
1895 &mic_out,
1896 &negState,
1897 &return_token);
1898 if (ret != GSS_S_COMPLETE)
1899 goto cleanup;
1900 sendTokenInit = 1;
1901 ret = GSS_S_CONTINUE_NEEDED;
1902 } else {
1903 /* Can set negState to REQUEST_MIC */
1904 ret = acc_ctx_new(minor_status, input_token,
1905 context_handle, verifier_cred_handle,
1906 &mechtok_in, &mic_in,
1907 &negState, &return_token);
1908 if (ret != GSS_S_COMPLETE)
1909 goto cleanup;
1910 ret = GSS_S_CONTINUE_NEEDED;
1911 }
1912 } else {
1913 /* Can set negState to ACCEPT_INCOMPLETE */
1914 ret = acc_ctx_cont(minor_status, input_token,
1915 context_handle, &mechtok_in,
1916 &mic_in, &negState, &return_token);
1917 if (ret != GSS_S_COMPLETE)
1918 goto cleanup;
1919 ret = GSS_S_CONTINUE_NEEDED;
1920 }
1921
1922 sc = (spnego_gss_ctx_id_t)*context_handle;
1923 /*
1924 * Handle mechtok_in and mic_in only if they are
1925 * present in input_token. If neither is present, whether
1926 * this is an error depends on whether this is the first
1927 * round-trip. RET is set to a default value according to
1928 * whether it is the first round-trip.
1929 */
1930 mechstat = GSS_S_FAILURE;
1931 if (negState != REQUEST_MIC && mechtok_in != GSS_C_NO_BUFFER) {
1932 ret = acc_ctx_call_acc(minor_status, sc,
1933 verifier_cred_handle, mechtok_in,
1934 mech_type, &mechtok_out,
1935 ret_flags, time_rec,
1936 delegated_cred_handle,
1937 &negState, &return_token);
1938 } else if (negState == REQUEST_MIC) {
1939 mechstat = GSS_S_CONTINUE_NEEDED;
1940 }
1941
1942 /* Solaris SPNEGO */
1943 if (*minor_status == ERR_SPNEGO_NEGOTIATION_FAILED)
1944 spnego_gss_save_error_info(*minor_status, sc);
1945
1946 if (!HARD_ERROR(ret) && sc->mech_complete &&
1947 (sc->ctx_flags & GSS_C_INTEG_FLAG)) {
1948
1949 ret = handle_mic(minor_status, mic_in,
1950 (mechtok_out.length != 0),
1951 sc, &mic_out,
1952 &negState, &return_token);
1953 }
1954
1955 cleanup:
1956 if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
1957 assert(sc != NULL);
1958 tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
1959 GSS_C_NO_BUFFER,
1960 return_token, output_token);
1961 if (tmpret < 0)
1962 ret = GSS_S_FAILURE;
1963 } else if (return_token != NO_TOKEN_SEND &&
1964 return_token != CHECK_MIC) {
1965 tmpret = make_spnego_tokenTarg_msg(negState,
1966 sc ? sc->internal_mech :
1967 GSS_C_NO_OID,
1968 &mechtok_out, mic_out,
1969 return_token,
1970 output_token);
1971 if (tmpret < 0)
1972 ret = GSS_S_FAILURE;
1973 }
1974 if (ret == GSS_S_COMPLETE) {
1975 *context_handle = (gss_ctx_id_t)sc->ctx_handle;
1976 if (sc->internal_name != GSS_C_NO_NAME &&
1977 src_name != NULL) {
1978 *src_name = sc->internal_name;
1979 }
1980 release_spnego_ctx(&sc);
1981 }
1982 gss_release_buffer(&tmpmin, &mechtok_out);
1983 if (mechtok_in != GSS_C_NO_BUFFER) {
1984 gss_release_buffer(&tmpmin, mechtok_in);
1985 free(mechtok_in);
1986 }
1987 if (mic_in != GSS_C_NO_BUFFER) {
1988 gss_release_buffer(&tmpmin, mic_in);
1989 free(mic_in);
1990 }
1991 if (mic_out != GSS_C_NO_BUFFER) {
1992 gss_release_buffer(&tmpmin, mic_out);
1993 free(mic_out);
1994 }
1995 return ret;
1996 }
1997 #endif /* LEAN_CLIENT */
1998
1999 /*ARGSUSED*/
2000 OM_uint32
2001 glue_spnego_gss_display_status(
2002 void *context,
2003 OM_uint32 *minor_status,
2004 OM_uint32 status_value,
2005 int status_type,
2006 gss_OID mech_type,
2007 OM_uint32 *message_context,
2008 gss_buffer_t status_string)
2009 {
2010 return (spnego_gss_display_status(minor_status,
2011 status_value,
2012 status_type,
2013 mech_type,
2014 message_context,
2015 status_string));
2016 }
2017
2018 /*ARGSUSED*/
2019 OM_uint32
2020 spnego_gss_display_status(
2021 OM_uint32 *minor_status,
2022 OM_uint32 status_value,
2023 int status_type,
2024 gss_OID mech_type,
2025 OM_uint32 *message_context,
2026 gss_buffer_t status_string)
2027 {
2028 dsyslog("Entering display_status\n");
2029
2030 *message_context = 0;
2031 switch (status_value) {
2032 case ERR_SPNEGO_NO_MECHS_AVAILABLE:
2033 /* CSTYLED */
2034 *status_string = make_err_msg("SPNEGO cannot find mechanisms to negotiate");
2035 break;
2036 case ERR_SPNEGO_NO_CREDS_ACQUIRED:
2037 /* CSTYLED */
2038 *status_string = make_err_msg("SPNEGO failed to acquire creds");
2039 break;
2040 case ERR_SPNEGO_NO_MECH_FROM_ACCEPTOR:
2041 /* CSTYLED */
2042 *status_string = make_err_msg("SPNEGO acceptor did not select a mechanism");
2043 break;
2044 case ERR_SPNEGO_NEGOTIATION_FAILED:
2045 /* CSTYLED */
2046 return(spnego_gss_display_status2(minor_status,
2047 status_value,
2048 status_type,
2049 mech_type,
2050 message_context,
2051 status_string));
2052 case ERR_SPNEGO_NO_TOKEN_FROM_ACCEPTOR:
2053 /* CSTYLED */
2054 *status_string = make_err_msg("SPNEGO acceptor did not return a valid token");
2055 break;
2056 default:
2057 /*
2058 * Solaris SPNEGO
2059 * If mech_spnego calls mech_krb5 (via libgss) and an
2060 * error occurs there, give it a shot.
2061 */
2062 /* CSTYLED */
2063 return(krb5_gss_display_status2(minor_status,
2064 status_value,
2065 status_type,
2066 (gss_OID)&gss_mech_krb5_oid,
2067 message_context,
2068 status_string));
2069
2070 }
2071
2072 dsyslog("Leaving display_status\n");
2073 return (GSS_S_COMPLETE);
2074 }
2075
2076 /*ARGSUSED*/
2077 OM_uint32
2078 glue_spnego_gss_import_name(
2079 void *context,
2080 OM_uint32 *minor_status,
2081 gss_buffer_t input_name_buffer,
2082 gss_OID input_name_type,
2083 gss_name_t *output_name)
2084 {
2085 return(spnego_gss_import_name(minor_status,
2086 input_name_buffer,
2087 input_name_type,
2088 output_name));
2089 }
2090
2091 /*ARGSUSED*/
2092 OM_uint32
2093 spnego_gss_import_name(
2094 OM_uint32 *minor_status,
2095 gss_buffer_t input_name_buffer,
2096 gss_OID input_name_type,
2097 gss_name_t *output_name)
2098 {
2099 OM_uint32 status;
2100
2101 dsyslog("Entering import_name\n");
2102
2103 status = gss_import_name(minor_status, input_name_buffer,
2104 input_name_type, output_name);
2105
2106 dsyslog("Leaving import_name\n");
2107 return (status);
2108 }
2109
2110 /*ARGSUSED*/
2111 OM_uint32
2112 glue_spnego_gss_release_name(
2113 void *context,
2114 OM_uint32 *minor_status,
2115 gss_name_t *input_name)
2116 {
2117 return(spnego_gss_release_name(minor_status, input_name));
2118 }
2119
2120 /*ARGSUSED*/
2121 OM_uint32
2122 spnego_gss_release_name(
2123 OM_uint32 *minor_status,
2124 gss_name_t *input_name)
2125 {
2126 OM_uint32 status;
2127
2128 dsyslog("Entering release_name\n");
2129
2130 status = gss_release_name(minor_status, input_name);
2131
2132 dsyslog("Leaving release_name\n");
2133 return (status);
2134 }
2135
2136 /*ARGSUSED*/
2137 OM_uint32
2138 glue_spnego_gss_compare_name(
2139 void *context,
2140 OM_uint32 *minor_status,
2141 const gss_name_t name1,
2142 const gss_name_t name2,
2143 int *name_equal)
2144 {
2145 return(spnego_gss_compare_name(minor_status,
2146 name1,
2147 name2,
2148 name_equal));
2149 }
2150 /*ARGSUSED*/
2151 OM_uint32
2152 spnego_gss_compare_name(
2153 OM_uint32 *minor_status,
2154 const gss_name_t name1,
2155 const gss_name_t name2,
2156 int *name_equal)
2157 {
2158 OM_uint32 status = GSS_S_COMPLETE;
2159 dsyslog("Entering compare_name\n");
2160
2161 status = gss_compare_name(minor_status, name1, name2, name_equal);
2162
2163 dsyslog("Leaving compare_name\n");
2164 return (status);
2165 }
2166
2167 /*ARGSUSED*/
2168 OM_uint32
2169 glue_spnego_gss_display_name(
2170 void *context,
2171 OM_uint32 *minor_status,
2172 gss_name_t input_name,
2173 gss_buffer_t output_name_buffer,
2174 gss_OID *output_name_type)
2175 {
2176 return(spnego_gss_display_name(
2177 minor_status,
2178 input_name,
2179 output_name_buffer,
2180 output_name_type));
2181 }
2182
2183 /*ARGSUSED*/
2184 OM_uint32
2185 spnego_gss_display_name(
2186 OM_uint32 *minor_status,
2187 gss_name_t input_name,
2188 gss_buffer_t output_name_buffer,
2189 gss_OID *output_name_type)
2190 {
2191 OM_uint32 status = GSS_S_COMPLETE;
2192 dsyslog("Entering display_name\n");
2193
2194 status = gss_display_name(minor_status, input_name,
2195 output_name_buffer, output_name_type);
2196
2197 dsyslog("Leaving display_name\n");
2198 return (status);
2199 }
2200
2201
2202 /*ARGSUSED*/
2203 OM_uint32
2204 glue_spnego_gss_inquire_names_for_mech(
2205 void *context,
2206 OM_uint32 *minor_status,
2207 gss_OID mechanism,
2208 gss_OID_set *name_types)
2209 {
2210 return(spnego_gss_inquire_names_for_mech(minor_status,
2211 mechanism,
2212 name_types));
2213 }
2214 /*ARGSUSED*/
2215 OM_uint32
2216 spnego_gss_inquire_names_for_mech(
2217 OM_uint32 *minor_status,
2218 gss_OID mechanism,
2219 gss_OID_set *name_types)
2220 {
2221 OM_uint32 major, minor;
2222
2223 dsyslog("Entering inquire_names_for_mech\n");
2224 /*
2225 * We only know how to handle our own mechanism.
2226 */
2227 if ((mechanism != GSS_C_NULL_OID) &&
2228 !g_OID_equal(gss_mech_spnego, mechanism)) {
2229 *minor_status = 0;
2230 return (GSS_S_FAILURE);
2231 }
2232
2233 major = gss_create_empty_oid_set(minor_status, name_types);
2234 if (major == GSS_S_COMPLETE) {
2235 /* Now add our members. */
2236 if (((major = gss_add_oid_set_member(minor_status,
2237 (gss_OID) GSS_C_NT_USER_NAME,
2238 name_types)) == GSS_S_COMPLETE) &&
2239 ((major = gss_add_oid_set_member(minor_status,
2240 (gss_OID) GSS_C_NT_MACHINE_UID_NAME,
2241 name_types)) == GSS_S_COMPLETE) &&
2242 ((major = gss_add_oid_set_member(minor_status,
2243 (gss_OID) GSS_C_NT_STRING_UID_NAME,
2244 name_types)) == GSS_S_COMPLETE)) {
2245 major = gss_add_oid_set_member(minor_status,
2246 (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
2247 name_types);
2248 }
2249
2250 if (major != GSS_S_COMPLETE)
2251 (void) gss_release_oid_set(&minor, name_types);
2252 }
2253
2254 dsyslog("Leaving inquire_names_for_mech\n");
2255 return (major);
2256 }
2257
2258 OM_uint32
2259 spnego_gss_unwrap(
2260 OM_uint32 *minor_status,
2261 gss_ctx_id_t context_handle,
2262 gss_buffer_t input_message_buffer,
2263 gss_buffer_t output_message_buffer,
2264 int *conf_state,
2265 gss_qop_t *qop_state)
2266 {
2267 OM_uint32 ret;
2268 ret = gss_unwrap(minor_status,
2269 context_handle,
2270 input_message_buffer,
2271 output_message_buffer,
2272 conf_state,
2273 qop_state);
2274
2275 return (ret);
2276 }
2277
2278 OM_uint32
2279 spnego_gss_wrap(
2280 OM_uint32 *minor_status,
2281 gss_ctx_id_t context_handle,
2282 int conf_req_flag,
2283 gss_qop_t qop_req,
2284 gss_buffer_t input_message_buffer,
2285 int *conf_state,
2286 gss_buffer_t output_message_buffer)
2287 {
2288 OM_uint32 ret;
2289 ret = gss_wrap(minor_status,
2290 context_handle,
2291 conf_req_flag,
2292 qop_req,
2293 input_message_buffer,
2294 conf_state,
2295 output_message_buffer);
2296
2297 return (ret);
2298 }
2299
2300 OM_uint32
2301 spnego_gss_process_context_token(
2302 OM_uint32 *minor_status,
2303 const gss_ctx_id_t context_handle,
2304 const gss_buffer_t token_buffer)
2305 {
2306 OM_uint32 ret;
2307 ret = gss_process_context_token(minor_status,
2308 context_handle,
2309 token_buffer);
2310
2311 return (ret);
2312 }
2313
2314 OM_uint32
2315 glue_spnego_gss_delete_sec_context(
2316 void *context,
2317 OM_uint32 *minor_status,
2318 gss_ctx_id_t *context_handle,
2319 gss_buffer_t output_token)
2320 {
2321 return(spnego_gss_delete_sec_context(minor_status,
2322 context_handle, output_token));
2323 }
2324
2325 OM_uint32
2326 spnego_gss_delete_sec_context(
2327 OM_uint32 *minor_status,
2328 gss_ctx_id_t *context_handle,
2329 gss_buffer_t output_token)
2330 {
2331 OM_uint32 ret = GSS_S_COMPLETE;
2332 spnego_gss_ctx_id_t *ctx =
2333 (spnego_gss_ctx_id_t *)context_handle;
2334
2335 if (context_handle == NULL)
2336 return (GSS_S_FAILURE);
2337
2338 /*
2339 * If this is still an SPNEGO mech, release it locally.
2340 */
2341 if (*ctx != NULL &&
2342 (*ctx)->magic_num == SPNEGO_MAGIC_ID) {
2343 (void) release_spnego_ctx(ctx);
2344 /* SUNW17PACresync - MIT 1.7 bug (and our fix) */
2345 if (output_token) {
2346 output_token->length = 0;
2347 output_token->value = NULL;
2348 }
2349 } else {
2350 ret = gss_delete_sec_context(minor_status,
2351 context_handle,
2352 output_token);
2353 }
2354
2355 return (ret);
2356 }
2357
2358 OM_uint32
2359 glue_spnego_gss_context_time(
2360 void *context,
2361 OM_uint32 *minor_status,
2362 const gss_ctx_id_t context_handle,
2363 OM_uint32 *time_rec)
2364 {
2365 return(spnego_gss_context_time(minor_status,
2366 context_handle,
2367 time_rec));
2368 }
2369
2370 OM_uint32
2371 spnego_gss_context_time(
2372 OM_uint32 *minor_status,
2373 const gss_ctx_id_t context_handle,
2374 OM_uint32 *time_rec)
2375 {
2376 OM_uint32 ret;
2377 ret = gss_context_time(minor_status,
2378 context_handle,
2379 time_rec);
2380 return (ret);
2381 }
2382
2383 #ifndef LEAN_CLIENT
2384 OM_uint32
2385 glue_spnego_gss_export_sec_context(
2386 void *context,
2387 OM_uint32 *minor_status,
2388 gss_ctx_id_t *context_handle,
2389 gss_buffer_t interprocess_token)
2390 {
2391 return(spnego_gss_export_sec_context(minor_status,
2392 context_handle,
2393 interprocess_token));
2394 }
2395 OM_uint32
2396 spnego_gss_export_sec_context(
2397 OM_uint32 *minor_status,
2398 gss_ctx_id_t *context_handle,
2399 gss_buffer_t interprocess_token)
2400 {
2401 OM_uint32 ret;
2402 ret = gss_export_sec_context(minor_status,
2403 context_handle,
2404 interprocess_token);
2405 return (ret);
2406 }
2407
2408 OM_uint32
2409 glue_spnego_gss_import_sec_context(
2410 void *context,
2411 OM_uint32 *minor_status,
2412 const gss_buffer_t interprocess_token,
2413 gss_ctx_id_t *context_handle)
2414 {
2415 return(spnego_gss_import_sec_context(minor_status,
2416 interprocess_token,
2417 context_handle));
2418 }
2419 OM_uint32
2420 spnego_gss_import_sec_context(
2421 OM_uint32 *minor_status,
2422 const gss_buffer_t interprocess_token,
2423 gss_ctx_id_t *context_handle)
2424 {
2425 OM_uint32 ret;
2426 ret = gss_import_sec_context(minor_status,
2427 interprocess_token,
2428 context_handle);
2429 return (ret);
2430 }
2431 #endif /* LEAN_CLIENT */
2432
2433 OM_uint32
2434 glue_spnego_gss_inquire_context(
2435 void *context,
2436 OM_uint32 *minor_status,
2437 const gss_ctx_id_t context_handle,
2438 gss_name_t *src_name,
2439 gss_name_t *targ_name,
2440 OM_uint32 *lifetime_rec,
2441 gss_OID *mech_type,
2442 OM_uint32 *ctx_flags,
2443 int *locally_initiated,
2444 int *opened)
2445 {
2446 return(spnego_gss_inquire_context(
2447 minor_status,
2448 context_handle,
2449 src_name,
2450 targ_name,
2451 lifetime_rec,
2452 mech_type,
2453 ctx_flags,
2454 locally_initiated,
2455 opened));
2456 }
2457
2458 OM_uint32
2459 spnego_gss_inquire_context(
2460 OM_uint32 *minor_status,
2461 const gss_ctx_id_t context_handle,
2462 gss_name_t *src_name,
2463 gss_name_t *targ_name,
2464 OM_uint32 *lifetime_rec,
2465 gss_OID *mech_type,
2466 OM_uint32 *ctx_flags,
2467 int *locally_initiated,
2468 int *opened)
2469 {
2470 OM_uint32 ret = GSS_S_COMPLETE;
2471
2472 ret = gss_inquire_context(minor_status,
2473 context_handle,
2474 src_name,
2475 targ_name,
2476 lifetime_rec,
2477 mech_type,
2478 ctx_flags,
2479 locally_initiated,
2480 opened);
2481
2482 return (ret);
2483 }
2484
2485 OM_uint32
2486 glue_spnego_gss_wrap_size_limit(
2487 void *context,
2488 OM_uint32 *minor_status,
2489 const gss_ctx_id_t context_handle,
2490 int conf_req_flag,
2491 gss_qop_t qop_req,
2492 OM_uint32 req_output_size,
2493 OM_uint32 *max_input_size)
2494 {
2495 return(spnego_gss_wrap_size_limit(minor_status,
2496 context_handle,
2497 conf_req_flag,
2498 qop_req,
2499 req_output_size,
2500 max_input_size));
2501 }
2502
2503 OM_uint32
2504 spnego_gss_wrap_size_limit(
2505 OM_uint32 *minor_status,
2506 const gss_ctx_id_t context_handle,
2507 int conf_req_flag,
2508 gss_qop_t qop_req,
2509 OM_uint32 req_output_size,
2510 OM_uint32 *max_input_size)
2511 {
2512 OM_uint32 ret;
2513 ret = gss_wrap_size_limit(minor_status,
2514 context_handle,
2515 conf_req_flag,
2516 qop_req,
2517 req_output_size,
2518 max_input_size);
2519 return (ret);
2520 }
2521
2522 #if 0 /* SUNW17PACresync */
2523 OM_uint32
2524 spnego_gss_get_mic(
2525 OM_uint32 *minor_status,
2526 const gss_ctx_id_t context_handle,
2527 gss_qop_t qop_req,
2528 const gss_buffer_t message_buffer,
2529 gss_buffer_t message_token)
2530 {
2531 OM_uint32 ret;
2532 ret = gss_get_mic(minor_status,
2533 context_handle,
2534 qop_req,
2535 message_buffer,
2536 message_token);
2537 return (ret);
2538 }
2539 #endif
2540
2541 OM_uint32
2542 spnego_gss_verify_mic(
2543 OM_uint32 *minor_status,
2544 const gss_ctx_id_t context_handle,
2545 const gss_buffer_t msg_buffer,
2546 const gss_buffer_t token_buffer,
2547 gss_qop_t *qop_state)
2548 {
2549 OM_uint32 ret;
2550 ret = gss_verify_mic(minor_status,
2551 context_handle,
2552 msg_buffer,
2553 token_buffer,
2554 qop_state);
2555 return (ret);
2556 }
2557
2558 OM_uint32
2559 spnego_gss_inquire_sec_context_by_oid(
2560 OM_uint32 *minor_status,
2561 const gss_ctx_id_t context_handle,
2562 const gss_OID desired_object,
2563 gss_buffer_set_t *data_set)
2564 {
2565 OM_uint32 ret;
2566 ret = gss_inquire_sec_context_by_oid(minor_status,
2567 context_handle,
2568 desired_object,
2569 data_set);
2570 return (ret);
2571 }
2572
2573 /*
2574 * SUNW17PACresync
2575 * These GSS funcs not needed yet, so disable them.
2576 * Revisit for full 1.7 resync.
2577 */
2578 #if 0
2579 OM_uint32
2580 spnego_gss_set_sec_context_option(
2581 OM_uint32 *minor_status,
2582 gss_ctx_id_t *context_handle,
2583 const gss_OID desired_object,
2584 const gss_buffer_t value)
2585 {
2586 OM_uint32 ret;
2587 ret = gss_set_sec_context_option(minor_status,
2588 context_handle,
2589 desired_object,
2590 value);
2591 return (ret);
2592 }
2593
2594 OM_uint32
2595 spnego_gss_wrap_aead(OM_uint32 *minor_status,
2596 gss_ctx_id_t context_handle,
2597 int conf_req_flag,
2598 gss_qop_t qop_req,
2599 gss_buffer_t input_assoc_buffer,
2600 gss_buffer_t input_payload_buffer,
2601 int *conf_state,
2602 gss_buffer_t output_message_buffer)
2603 {
2604 OM_uint32 ret;
2605 ret = gss_wrap_aead(minor_status,
2606 context_handle,
2607 conf_req_flag,
2608 qop_req,
2609 input_assoc_buffer,
2610 input_payload_buffer,
2611 conf_state,
2612 output_message_buffer);
2613
2614 return (ret);
2615 }
2616
2617 OM_uint32
2618 spnego_gss_unwrap_aead(OM_uint32 *minor_status,
2619 gss_ctx_id_t context_handle,
2620 gss_buffer_t input_message_buffer,
2621 gss_buffer_t input_assoc_buffer,
2622 gss_buffer_t output_payload_buffer,
2623 int *conf_state,
2624 gss_qop_t *qop_state)
2625 {
2626 OM_uint32 ret;
2627 ret = gss_unwrap_aead(minor_status,
2628 context_handle,
2629 input_message_buffer,
2630 input_assoc_buffer,
2631 output_payload_buffer,
2632 conf_state,
2633 qop_state);
2634 return (ret);
2635 }
2636
2637 OM_uint32
2638 spnego_gss_wrap_iov(OM_uint32 *minor_status,
2639 gss_ctx_id_t context_handle,
2640 int conf_req_flag,
2641 gss_qop_t qop_req,
2642 int *conf_state,
2643 gss_iov_buffer_desc *iov,
2644 int iov_count)
2645 {
2646 OM_uint32 ret;
2647 ret = gss_wrap_iov(minor_status,
2648 context_handle,
2649 conf_req_flag,
2650 qop_req,
2651 conf_state,
2652 iov,
2653 iov_count);
2654 return (ret);
2655 }
2656
2657 OM_uint32
2658 spnego_gss_unwrap_iov(OM_uint32 *minor_status,
2659 gss_ctx_id_t context_handle,
2660 int *conf_state,
2661 gss_qop_t *qop_state,
2662 gss_iov_buffer_desc *iov,
2663 int iov_count)
2664 {
2665 OM_uint32 ret;
2666 ret = gss_unwrap_iov(minor_status,
2667 context_handle,
2668 conf_state,
2669 qop_state,
2670 iov,
2671 iov_count);
2672 return (ret);
2673 }
2674
2675 OM_uint32
2676 spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
2677 gss_ctx_id_t context_handle,
2678 int conf_req_flag,
2679 gss_qop_t qop_req,
2680 int *conf_state,
2681 gss_iov_buffer_desc *iov,
2682 int iov_count)
2683 {
2684 OM_uint32 ret;
2685 ret = gss_wrap_iov_length(minor_status,
2686 context_handle,
2687 conf_req_flag,
2688 qop_req,
2689 conf_state,
2690 iov,
2691 iov_count);
2692 return (ret);
2693 }
2694
2695
2696 OM_uint32
2697 spnego_gss_complete_auth_token(
2698 OM_uint32 *minor_status,
2699 const gss_ctx_id_t context_handle,
2700 gss_buffer_t input_message_buffer)
2701 {
2702 OM_uint32 ret;
2703 ret = gss_complete_auth_token(minor_status,
2704 context_handle,
2705 input_message_buffer);
2706 return (ret);
2707 }
2708 #endif /* 0 */
2709
2710 /*
2711 * We will release everything but the ctx_handle so that it
2712 * can be passed back to init/accept context. This routine should
2713 * not be called until after the ctx_handle memory is assigned to
2714 * the supplied context handle from init/accept context.
2715 */
2716 static void
2717 release_spnego_ctx(spnego_gss_ctx_id_t *ctx)
2718 {
2719 spnego_gss_ctx_id_t context;
2720 OM_uint32 minor_stat;
2721 context = *ctx;
2722
2723 if (context != NULL) {
2724 (void) gss_release_buffer(&minor_stat,
2725 &context->DER_mechTypes);
2726
2727 (void) generic_gss_release_oid(&minor_stat,
2728 &context->internal_mech);
2729
2730 if (context->optionStr != NULL) {
2731 free(context->optionStr);
2732 context->optionStr = NULL;
2733 }
2734 free(context);
2735 *ctx = NULL;
2736 }
2737 }
2738
2739 /*
2740 * Can't use gss_indicate_mechs by itself to get available mechs for
2741 * SPNEGO because it will also return the SPNEGO mech and we do not
2742 * want to consider SPNEGO as an available security mech for
2743 * negotiation. For this reason, get_available_mechs will return
2744 * all available mechs except SPNEGO.
2745 *
2746 * If a ptr to a creds list is given, this function will attempt
2747 * to acquire creds for the creds given and trim the list of
2748 * returned mechanisms to only those for which creds are valid.
2749 *
2750 */
2751 static OM_uint32
2752 get_available_mechs(OM_uint32 *minor_status,
2753 gss_name_t name, gss_cred_usage_t usage,
2754 gss_cred_id_t *creds, gss_OID_set *rmechs)
2755 {
2756 unsigned int i;
2757 int found = 0;
2758 OM_uint32 major_status = GSS_S_COMPLETE, tmpmin;
2759 gss_OID_set mechs, goodmechs;
2760
2761 major_status = gss_indicate_mechs(minor_status, &mechs);
2762
2763 if (major_status != GSS_S_COMPLETE) {
2764 return (major_status);
2765 }
2766
2767 major_status = gss_create_empty_oid_set(minor_status, rmechs);
2768
2769 if (major_status != GSS_S_COMPLETE) {
2770 (void) gss_release_oid_set(minor_status, &mechs);
2771 return (major_status);
2772 }
2773
2774 for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) {
2775 if ((mechs->elements[i].length
2776 != spnego_mechanism.mech_type.length) ||
2777 memcmp(mechs->elements[i].elements,
2778 spnego_mechanism.mech_type.elements,
2779 spnego_mechanism.mech_type.length)) {
2780 /*
2781 * Solaris SPNEGO Kerberos: gss_indicate_mechs is stupid as
2782 * it never inferences any of the related OIDs of the
2783 * mechanisms configured, e.g. KRB5_OLD, KRB5_WRONG.
2784 * We add KRB5_WRONG here so that old MS clients can
2785 * negotiate this mechanism, which allows extensions
2786 * in Kerberos (clock skew adjustment, refresh ccache).
2787 */
2788 if (is_kerb_mech(&mechs->elements[i])) {
2789 extern gss_OID_desc * const gss_mech_krb5_wrong;
2790
2791 major_status =
2792 gss_add_oid_set_member(minor_status,
2793 gss_mech_krb5_wrong, rmechs);
2794 }
2795
2796 major_status = gss_add_oid_set_member(minor_status,
2797 &mechs->elements[i],
2798 rmechs);
2799 if (major_status == GSS_S_COMPLETE)
2800 found++;
2801 }
2802 }
2803
2804 /*
2805 * If the caller wanted a list of creds returned,
2806 * trim the list of mechanisms down to only those
2807 * for which the creds are valid.
2808 */
2809 if (found > 0 && major_status == GSS_S_COMPLETE && creds != NULL) {
2810 major_status = gss_acquire_cred(minor_status,
2811 name, GSS_C_INDEFINITE,
2812 *rmechs, usage, creds,
2813 &goodmechs, NULL);
2814
2815 /*
2816 * Drop the old list in favor of the new
2817 * "trimmed" list.
2818 */
2819 (void) gss_release_oid_set(&tmpmin, rmechs);
2820 if (major_status == GSS_S_COMPLETE) {
2821 (void) gssint_copy_oid_set(&tmpmin,
2822 goodmechs, rmechs);
2823 (void) gss_release_oid_set(&tmpmin, &goodmechs);
2824 }
2825 }
2826
2827 (void) gss_release_oid_set(&tmpmin, &mechs);
2828 if (found == 0 || major_status != GSS_S_COMPLETE) {
2829 *minor_status = ERR_SPNEGO_NO_MECHS_AVAILABLE;
2830 map_errcode(minor_status);
2831 if (major_status == GSS_S_COMPLETE)
2832 major_status = GSS_S_FAILURE;
2833 }
2834
2835 return (major_status);
2836 }
2837
2838 /* following are token creation and reading routines */
2839
2840 /*
2841 * If buff_in is not pointing to a MECH_OID, then return NULL and do not
2842 * advance the buffer, otherwise, decode the mech_oid from the buffer and
2843 * place in gss_OID.
2844 */
2845 static gss_OID
2846 get_mech_oid(OM_uint32 *minor_status, unsigned char **buff_in, size_t length)
2847 {
2848 OM_uint32 status;
2849 gss_OID_desc toid;
2850 gss_OID mech_out = NULL;
2851 unsigned char *start, *end;
2852
2853 if (length < 1 || **buff_in != MECH_OID)
2854 return (NULL);
2855
2856 start = *buff_in;
2857 end = start + length;
2858
2859 (*buff_in)++;
2860 toid.length = *(*buff_in)++;
2861
2862 if ((*buff_in + toid.length) > end)
2863 return (NULL);
2864
2865 toid.elements = *buff_in;
2866 *buff_in += toid.length;
2867
2868 status = generic_gss_copy_oid(minor_status, &toid, &mech_out);
2869
2870 if (status != GSS_S_COMPLETE) {
2871 map_errcode(minor_status);
2872 mech_out = NULL;
2873 }
2874
2875 return (mech_out);
2876 }
2877
2878 /*
2879 * der encode the given mechanism oid into buf_out, advancing the
2880 * buffer pointer.
2881 */
2882
2883 static int
2884 put_mech_oid(unsigned char **buf_out, gss_OID_const mech, unsigned int buflen)
2885 {
2886 if (buflen < mech->length + 2)
2887 return (-1);
2888 *(*buf_out)++ = MECH_OID;
2889 *(*buf_out)++ = (unsigned char) mech->length;
2890 memcpy((void *)(*buf_out), mech->elements, mech->length);
2891 *buf_out += mech->length;
2892 return (0);
2893 }
2894
2895 /*
2896 * verify that buff_in points to an octet string, if it does not,
2897 * return NULL and don't advance the pointer. If it is an octet string
2898 * decode buff_in into a gss_buffer_t and return it, advancing the
2899 * buffer pointer.
2900 */
2901 static gss_buffer_t
2902 get_input_token(unsigned char **buff_in, unsigned int buff_length)
2903 {
2904 gss_buffer_t input_token;
2905 unsigned int bytes;
2906
2907 if (**buff_in != OCTET_STRING)
2908 return (NULL);
2909
2910 (*buff_in)++;
2911 input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc));
2912
2913 if (input_token == NULL)
2914 return (NULL);
2915
2916 input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
2917 if ((int)input_token->length == -1) {
2918 free(input_token);
2919 return (NULL);
2920 }
2921 input_token->value = malloc(input_token->length);
2922
2923 if (input_token->value == NULL) {
2924 free(input_token);
2925 return (NULL);
2926 }
2927
2928 (void) memcpy(input_token->value, *buff_in, input_token->length);
2929 *buff_in += input_token->length;
2930 return (input_token);
2931 }
2932
2933 /*
2934 * verify that the input token length is not 0. If it is, just return.
2935 * If the token length is greater than 0, der encode as an octet string
2936 * and place in buf_out, advancing buf_out.
2937 */
2938
2939 static int
2940 put_input_token(unsigned char **buf_out, gss_buffer_t input_token,
2941 unsigned int buflen)
2942 {
2943 int ret;
2944
2945 /* if token length is 0, we do not want to send */
2946 if (input_token->length == 0)
2947 return (0);
2948
2949 if (input_token->length > buflen)
2950 return (-1);
2951
2952 *(*buf_out)++ = OCTET_STRING;
2953 if ((ret = gssint_put_der_length(input_token->length, buf_out,
2954 input_token->length)))
2955 return (ret);
2956 TWRITE_STR(*buf_out, input_token->value, input_token->length);
2957 return (0);
2958 }
2959
2960 /*
2961 * verify that buff_in points to a sequence of der encoding. The mech
2962 * set is the only sequence of encoded object in the token, so if it is
2963 * a sequence of encoding, decode the mechset into a gss_OID_set and
2964 * return it, advancing the buffer pointer.
2965 */
2966 static gss_OID_set
2967 get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
2968 unsigned int buff_length)
2969 {
2970 gss_OID_set returned_mechSet;
2971 OM_uint32 major_status;
2972 int length; /* SUNW17PACresync */
2973 OM_uint32 bytes;
2974 OM_uint32 set_length;
2975 unsigned char *start;
2976 int i;
2977
2978 if (**buff_in != SEQUENCE_OF)
2979 return (NULL);
2980
2981 start = *buff_in;
2982 (*buff_in)++;
2983
2984 length = gssint_get_der_length(buff_in, buff_length, &bytes);
2985 if (length < 0) /* SUNW17PACresync - MIT17 lacks this check */
2986 return (NULL);
2987
2988 major_status = gss_create_empty_oid_set(minor_status,
2989 &returned_mechSet);
2990 if (major_status != GSS_S_COMPLETE)
2991 return (NULL);
2992
2993 for (set_length = 0, i = 0; set_length < length; i++) {
2994 gss_OID_desc *temp = get_mech_oid(minor_status, buff_in,
2995 buff_length - (*buff_in - start));
2996 if (temp != NULL) {
2997 major_status = gss_add_oid_set_member(minor_status,
2998 temp, &returned_mechSet);
2999 if (major_status == GSS_S_COMPLETE) {
3000 set_length += returned_mechSet->elements[i].length +2;
3001 if (generic_gss_release_oid(minor_status, &temp))
3002 map_errcode(minor_status);
3003 }
3004 }
3005 }
3006
3007 return (returned_mechSet);
3008 }
3009
3010 /*
3011 * Encode mechSet into buf.
3012 */
3013 static int
3014 put_mech_set(gss_OID_set mechSet, gss_buffer_t buf)
3015 {
3016 unsigned char *ptr;
3017 unsigned int i;
3018 unsigned int tlen, ilen;
3019
3020 tlen = ilen = 0;
3021 for (i = 0; i < mechSet->count; i++) {
3022 /*
3023 * 0x06 [DER LEN] [OID]
3024 */
3025 ilen += 1 +
3026 gssint_der_length_size(mechSet->elements[i].length) +
3027 mechSet->elements[i].length;
3028 }
3029 /*
3030 * 0x30 [DER LEN]
3031 */
3032 tlen = 1 + gssint_der_length_size(ilen) + ilen;
3033 ptr = malloc(tlen);
3034 if (ptr == NULL)
3035 return -1;
3036
3037 buf->value = ptr;
3038 buf->length = tlen;
3039 #define REMAIN (buf->length - ((unsigned char *)buf->value - ptr))
3040
3041 *ptr++ = SEQUENCE_OF;
3042 if (gssint_put_der_length(ilen, &ptr, REMAIN) < 0)
3043 return -1;
3044 for (i = 0; i < mechSet->count; i++) {
3045 if (put_mech_oid(&ptr, &mechSet->elements[i], REMAIN) < 0) {
3046 return -1;
3047 }
3048 }
3049 return 0;
3050 #undef REMAIN
3051 }
3052
3053 /*
3054 * Verify that buff_in is pointing to a BIT_STRING with the correct
3055 * length and padding for the req_flags. If it is, decode req_flags
3056 * and return them, otherwise, return NULL.
3057 */
3058 static OM_uint32
3059 get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
3060 OM_uint32 *req_flags)
3061 {
3062 unsigned int len;
3063
3064 if (**buff_in != (CONTEXT | 0x01))
3065 return (0);
3066
3067 if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
3068 bodysize, &len) < 0)
3069 return GSS_S_DEFECTIVE_TOKEN;
3070
3071 if (*(*buff_in)++ != BIT_STRING)
3072 return GSS_S_DEFECTIVE_TOKEN;
3073
3074 if (*(*buff_in)++ != BIT_STRING_LENGTH)
3075 return GSS_S_DEFECTIVE_TOKEN;
3076
3077 if (*(*buff_in)++ != BIT_STRING_PADDING)
3078 return GSS_S_DEFECTIVE_TOKEN;
3079
3080 *req_flags = (OM_uint32) (*(*buff_in)++ >> 1);
3081 return (0);
3082 }
3083
3084 static OM_uint32
3085 get_negTokenInit(OM_uint32 *minor_status,
3086 gss_buffer_t buf,
3087 gss_buffer_t der_mechSet,
3088 gss_OID_set *mechSet,
3089 OM_uint32 *req_flags,
3090 gss_buffer_t *mechtok,
3091 gss_buffer_t *mechListMIC)
3092 {
3093 OM_uint32 err;
3094 unsigned char *ptr, *bufstart;
3095 unsigned int len;
3096 gss_buffer_desc tmpbuf;
3097
3098 *minor_status = 0;
3099 der_mechSet->length = 0;
3100 der_mechSet->value = NULL;
3101 *mechSet = GSS_C_NO_OID_SET;
3102 *req_flags = 0;
3103 *mechtok = *mechListMIC = GSS_C_NO_BUFFER;
3104
3105 ptr = bufstart = buf->value;
3106 if ((buf->length - (ptr - bufstart)) > INT_MAX)
3107 return GSS_S_FAILURE;
3108 #define REMAIN (buf->length - (ptr - bufstart))
3109
3110 err = g_verify_token_header(gss_mech_spnego,
3111 &len, &ptr, 0, REMAIN);
3112 if (err) {
3113 *minor_status = err;
3114 map_errcode(minor_status);
3115 return GSS_S_FAILURE;
3116 }
3117 *minor_status = g_verify_neg_token_init(&ptr, REMAIN);
3118 if (*minor_status) {
3119 map_errcode(minor_status);
3120 return GSS_S_FAILURE;
3121 }
3122
3123 /* alias into input_token */
3124 tmpbuf.value = ptr;
3125 tmpbuf.length = REMAIN;
3126 *mechSet = get_mech_set(minor_status, &ptr, REMAIN);
3127 if (*mechSet == NULL)
3128 return GSS_S_FAILURE;
3129
3130 tmpbuf.length = ptr - (unsigned char *)tmpbuf.value;
3131 der_mechSet->value = malloc(tmpbuf.length);
3132 if (der_mechSet->value == NULL)
3133 return GSS_S_FAILURE;
3134 memcpy(der_mechSet->value, tmpbuf.value, tmpbuf.length);
3135 der_mechSet->length = tmpbuf.length;
3136
3137 err = get_req_flags(&ptr, REMAIN, req_flags);
3138 if (err != GSS_S_COMPLETE) {
3139 return err;
3140 }
3141 if (g_get_tag_and_length(&ptr, (CONTEXT | 0x02),
3142 REMAIN, &len) >= 0) {
3143 *mechtok = get_input_token(&ptr, len);
3144 if (*mechtok == GSS_C_NO_BUFFER) {
3145 return GSS_S_FAILURE;
3146 }
3147 }
3148 if (g_get_tag_and_length(&ptr, (CONTEXT | 0x03),
3149 REMAIN, &len) >= 0) {
3150 *mechListMIC = get_input_token(&ptr, len);
3151 if (*mechListMIC == GSS_C_NO_BUFFER) {
3152 return GSS_S_FAILURE;
3153 }
3154 }
3155 return GSS_S_COMPLETE;
3156 #undef REMAIN
3157 }
3158
3159 static OM_uint32
3160 get_negTokenResp(OM_uint32 *minor_status,
3161 unsigned char *buf, unsigned int buflen,
3162 OM_uint32 *negState,
3163 gss_OID *supportedMech,
3164 gss_buffer_t *responseToken,
3165 gss_buffer_t *mechListMIC)
3166 {
3167 unsigned char *ptr, *bufstart;
3168 unsigned int len;
3169 int tmplen;
3170 unsigned int tag, bytes;
3171
3172 *negState = ACCEPT_DEFECTIVE_TOKEN;
3173 *supportedMech = GSS_C_NO_OID;
3174 *responseToken = *mechListMIC = GSS_C_NO_BUFFER;
3175 ptr = bufstart = buf;
3176 #define REMAIN (buflen - (ptr - bufstart))
3177
3178 if (g_get_tag_and_length(&ptr, (CONTEXT | 0x01), REMAIN, &len) < 0)
3179 return GSS_S_DEFECTIVE_TOKEN;
3180 if (*ptr++ == SEQUENCE) {
3181 tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
3182 if (tmplen < 0)
3183 return GSS_S_DEFECTIVE_TOKEN;
3184 }
3185 if (REMAIN < 1)
3186 tag = 0;
3187 else
3188 tag = *ptr++;
3189
3190 if (tag == CONTEXT) {
3191 tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
3192 if (tmplen < 0)
3193 return GSS_S_DEFECTIVE_TOKEN;
3194
3195 if (g_get_tag_and_length(&ptr, ENUMERATED,
3196 REMAIN, &len) < 0)
3197 return GSS_S_DEFECTIVE_TOKEN;
3198
3199 if (len != ENUMERATION_LENGTH)
3200 return GSS_S_DEFECTIVE_TOKEN;
3201
3202 if (REMAIN < 1)
3203 return GSS_S_DEFECTIVE_TOKEN;
3204 *negState = *ptr++;
3205
3206 if (REMAIN < 1)
3207 tag = 0;
3208 else
3209 tag = *ptr++;
3210 }
3211 if (tag == (CONTEXT | 0x01)) {
3212 tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
3213 if (tmplen < 0)
3214 return GSS_S_DEFECTIVE_TOKEN;
3215
3216 *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN);
3217 if (*supportedMech == GSS_C_NO_OID)
3218 return GSS_S_DEFECTIVE_TOKEN;
3219
3220 if (REMAIN < 1)
3221 tag = 0;
3222 else
3223 tag = *ptr++;
3224 }
3225 if (tag == (CONTEXT | 0x02)) {
3226 tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
3227 if (tmplen < 0)
3228 return GSS_S_DEFECTIVE_TOKEN;
3229
3230 *responseToken = get_input_token(&ptr, REMAIN);
3231 if (*responseToken == GSS_C_NO_BUFFER)
3232 return GSS_S_DEFECTIVE_TOKEN;
3233
3234 if (REMAIN < 1)
3235 tag = 0;
3236 else
3237 tag = *ptr++;
3238 }
3239 if (tag == (CONTEXT | 0x03)) {
3240 tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
3241 if (tmplen < 0)
3242 return GSS_S_DEFECTIVE_TOKEN;
3243
3244 *mechListMIC = get_input_token(&ptr, REMAIN);
3245 if (*mechListMIC == GSS_C_NO_BUFFER)
3246 return GSS_S_DEFECTIVE_TOKEN;
3247 }
3248 return GSS_S_COMPLETE;
3249 #undef REMAIN
3250 }
3251
3252 /*
3253 * der encode the passed negResults as an ENUMERATED type and
3254 * place it in buf_out, advancing the buffer.
3255 */
3256
3257 static int
3258 put_negResult(unsigned char **buf_out, OM_uint32 negResult,
3259 unsigned int buflen)
3260 {
3261 if (buflen < 3)
3262 return (-1);
3263 *(*buf_out)++ = ENUMERATED;
3264 *(*buf_out)++ = ENUMERATION_LENGTH;
3265 *(*buf_out)++ = (unsigned char) negResult;
3266 return (0);
3267 }
3268
3269 /*
3270 * This routine compares the recieved mechset to the mechset that
3271 * this server can support. It looks sequentially through the mechset
3272 * and the first one that matches what the server can support is
3273 * chosen as the negotiated mechanism. If one is found, negResult
3274 * is set to ACCEPT_INCOMPLETE if it's the first mech, REQUEST_MIC if
3275 * it's not the first mech, otherwise we return NULL and negResult
3276 * is set to REJECT.
3277 *
3278 * NOTE: There is currently no way to specify a preference order of
3279 * mechanisms supported by the acceptor.
3280 */
3281 static gss_OID
3282 negotiate_mech_type(OM_uint32 *minor_status,
3283 gss_OID_set supported_mechSet,
3284 gss_OID_set mechset,
3285 OM_uint32 *negResult)
3286 {
3287 gss_OID returned_mech;
3288 OM_uint32 status;
3289 int present;
3290 unsigned int i;
3291
3292 for (i = 0; i < mechset->count; i++) {
3293 gss_OID mech_oid = &mechset->elements[i];
3294
3295 /*
3296 * Solaris SPNEGO Kerberos: MIT compares against MS' wrong OID, but
3297 * we actually want to select it if the client supports, as this
3298 * will enable features on MS clients that allow credential
3299 * refresh on rekeying and caching system times from servers.
3300 */
3301 #if 0
3302 /* Accept wrong mechanism OID from MS clients */
3303 if (mech_oid->length == gss_mech_krb5_wrong_oid.length &&
3304 memcmp(mech_oid->elements, gss_mech_krb5_wrong_oid.elements, mech_oid->length) == 0)
3305 mech_oid = (gss_OID)&gss_mech_krb5_oid;
3306 #endif
3307
3308 gss_test_oid_set_member(minor_status, mech_oid, supported_mechSet, &present);
3309 if (!present)
3310 continue;
3311
3312 if (i == 0)
3313 *negResult = ACCEPT_INCOMPLETE;
3314 else
3315 *negResult = REQUEST_MIC;
3316
3317 status = generic_gss_copy_oid(minor_status,
3318 &mechset->elements[i],
3319 &returned_mech);
3320 if (status != GSS_S_COMPLETE) {
3321 *negResult = REJECT;
3322 map_errcode(minor_status);
3323 return (NULL);
3324 }
3325 return (returned_mech);
3326 }
3327 /* Solaris SPNEGO */
3328 *minor_status= ERR_SPNEGO_NEGOTIATION_FAILED;
3329
3330 *negResult = REJECT;
3331 return (NULL);
3332 }
3333
3334 /*
3335 * the next two routines make a token buffer suitable for
3336 * spnego_gss_display_status. These currently take the string
3337 * in name and place it in the token. Eventually, if
3338 * spnego_gss_display_status returns valid error messages,
3339 * these routines will be changes to return the error string.
3340 */
3341 static spnego_token_t
3342 make_spnego_token(char *name)
3343 {
3344 return (spnego_token_t)strdup(name);
3345 }
3346
3347 static gss_buffer_desc
3348 make_err_msg(char *name)
3349 {
3350 gss_buffer_desc buffer;
3351
3352 if (name == NULL) {
3353 buffer.length = 0;
3354 buffer.value = NULL;
3355 } else {
3356 buffer.length = strlen(name)+1;
3357 buffer.value = make_spnego_token(name);
3358 }
3359
3360 return (buffer);
3361 }
3362
3363 /*
3364 * Create the client side spnego token passed back to gss_init_sec_context
3365 * and eventually up to the application program and over to the server.
3366 *
3367 * Use DER rules, definite length method per RFC 2478
3368 */
3369 static int
3370 make_spnego_tokenInit_msg(spnego_gss_ctx_id_t spnego_ctx,
3371 int negHintsCompat,
3372 gss_buffer_t mechListMIC, OM_uint32 req_flags,
3373 gss_buffer_t data, send_token_flag sendtoken,
3374 gss_buffer_t outbuf)
3375 {
3376 int ret = 0;
3377 unsigned int tlen, dataLen = 0;
3378 unsigned int negTokenInitSize = 0;
3379 unsigned int negTokenInitSeqSize = 0;
3380 unsigned int negTokenInitContSize = 0;
3381 unsigned int rspTokenSize = 0;
3382 unsigned int mechListTokenSize = 0;
3383 unsigned int micTokenSize = 0;
3384 unsigned char *t;
3385 unsigned char *ptr;
3386
3387 if (outbuf == GSS_C_NO_BUFFER)
3388 return (-1);
3389
3390 outbuf->length = 0;
3391 outbuf->value = NULL;
3392
3393 /* calculate the data length */
3394
3395 /*
3396 * 0xa0 [DER LEN] [mechTypes]
3397 */
3398 mechListTokenSize = 1 +
3399 gssint_der_length_size(spnego_ctx->DER_mechTypes.length) +
3400 spnego_ctx->DER_mechTypes.length;
3401 dataLen += mechListTokenSize;
3402
3403 /*
3404 * If a token from gss_init_sec_context exists,
3405 * add the length of the token + the ASN.1 overhead
3406 */
3407 if (data != NULL) {
3408 /*
3409 * Encoded in final output as:
3410 * 0xa2 [DER LEN] 0x04 [DER LEN] [DATA]
3411 * -----s--------|--------s2----------
3412 */
3413 rspTokenSize = 1 +
3414 gssint_der_length_size(data->length) +
3415 data->length;
3416 dataLen += 1 + gssint_der_length_size(rspTokenSize) +
3417 rspTokenSize;
3418 }
3419
3420 if (mechListMIC) {
3421 /*
3422 * Encoded in final output as:
3423 * 0xa3 [DER LEN] 0x04 [DER LEN] [DATA]
3424 * --s-- -----tlen------------
3425 */
3426 micTokenSize = 1 +
3427 gssint_der_length_size(mechListMIC->length) +
3428 mechListMIC->length;
3429 dataLen += 1 +
3430 gssint_der_length_size(micTokenSize) +
3431 micTokenSize;
3432 }
3433
3434 /*
3435 * Add size of DER encoding
3436 * [ SEQUENCE { MechTypeList | ReqFLags | Token | mechListMIC } ]
3437 * 0x30 [DER_LEN] [data]
3438 *
3439 */
3440 negTokenInitContSize = dataLen;
3441 negTokenInitSeqSize = 1 + gssint_der_length_size(dataLen) + dataLen;
3442 dataLen = negTokenInitSeqSize;
3443
3444 /*
3445 * negTokenInitSize indicates the bytes needed to
3446 * hold the ASN.1 encoding of the entire NegTokenInit
3447 * SEQUENCE.
3448 * 0xa0 [DER_LEN] + data
3449 *
3450 */
3451 negTokenInitSize = 1 +
3452 gssint_der_length_size(negTokenInitSeqSize) +
3453 negTokenInitSeqSize;
3454
3455 tlen = g_token_size(gss_mech_spnego, negTokenInitSize);
3456
3457 t = (unsigned char *) malloc(tlen);
3458
3459 if (t == NULL) {
3460 return (-1);
3461 }
3462
3463 ptr = t;
3464
3465 /* create the message */
3466 if ((ret = g_make_token_header(gss_mech_spnego, negTokenInitSize,
3467 &ptr, tlen)))
3468 goto errout;
3469
3470 *ptr++ = CONTEXT; /* NegotiationToken identifier */
3471 if ((ret = gssint_put_der_length(negTokenInitSeqSize, &ptr, tlen)))
3472 goto errout;
3473
3474 *ptr++ = SEQUENCE;
3475 if ((ret = gssint_put_der_length(negTokenInitContSize, &ptr,
3476 tlen - (int)(ptr-t))))
3477 goto errout;
3478
3479 *ptr++ = CONTEXT | 0x00; /* MechTypeList identifier */
3480 if ((ret = gssint_put_der_length(spnego_ctx->DER_mechTypes.length,
3481 &ptr, tlen - (int)(ptr-t))))
3482 goto errout;
3483
3484 /* We already encoded the MechSetList */
3485 (void) memcpy(ptr, spnego_ctx->DER_mechTypes.value,
3486 spnego_ctx->DER_mechTypes.length);
3487
3488 ptr += spnego_ctx->DER_mechTypes.length;
3489
3490 if (data != NULL) {
3491 *ptr++ = CONTEXT | 0x02;
3492 if ((ret = gssint_put_der_length(rspTokenSize,
3493 &ptr, tlen - (int)(ptr - t))))
3494 goto errout;
3495
3496 if ((ret = put_input_token(&ptr, data,
3497 tlen - (int)(ptr - t))))
3498 goto errout;
3499 }
3500
3501 if (mechListMIC != GSS_C_NO_BUFFER) {
3502 *ptr++ = CONTEXT | 0x03;
3503 if ((ret = gssint_put_der_length(micTokenSize,
3504 &ptr, tlen - (int)(ptr - t))))
3505 goto errout;
3506
3507 if (negHintsCompat) {
3508 ret = put_neg_hints(&ptr, mechListMIC,
3509 tlen - (int)(ptr - t));
3510 if (ret)
3511 goto errout;
3512 } else if ((ret = put_input_token(&ptr, mechListMIC,
3513 tlen - (int)(ptr - t))))
3514 goto errout;
3515 }
3516
3517 errout:
3518 if (ret != 0) {
3519 free(t);
3520 t = NULL;
3521 tlen = 0;
3522 }
3523 outbuf->length = tlen;
3524 outbuf->value = (void *) t;
3525
3526 return (ret);
3527 }
3528
3529 /*
3530 * create the server side spnego token passed back to
3531 * gss_accept_sec_context and eventually up to the application program
3532 * and over to the client.
3533 */
3534 static int
3535 make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted,
3536 gss_buffer_t data, gss_buffer_t mechListMIC,
3537 send_token_flag sendtoken,
3538 gss_buffer_t outbuf)
3539 {
3540 unsigned int tlen = 0;
3541 unsigned int ret = 0;
3542 unsigned int NegTokenTargSize = 0;
3543 unsigned int NegTokenSize = 0;
3544 unsigned int rspTokenSize = 0;
3545 unsigned int micTokenSize = 0;
3546 unsigned int dataLen = 0;
3547 unsigned char *t;
3548 unsigned char *ptr;
3549
3550 if (outbuf == GSS_C_NO_BUFFER)
3551 return (GSS_S_DEFECTIVE_TOKEN);
3552
3553 outbuf->length = 0;
3554 outbuf->value = NULL;
3555
3556 /*
3557 * ASN.1 encoding of the negResult
3558 * ENUMERATED type is 3 bytes
3559 * ENUMERATED TAG, Length, Value,
3560 * Plus 2 bytes for the CONTEXT id and length.
3561 */
3562 dataLen = 5;
3563
3564 /*
3565 * calculate data length
3566 *
3567 * If this is the initial token, include length of
3568 * mech_type and the negotiation result fields.
3569 */
3570 if (sendtoken == INIT_TOKEN_SEND) {
3571 int mechlistTokenSize;
3572 /*
3573 * 1 byte for the CONTEXT ID(0xa0),
3574 * 1 byte for the OID ID(0x06)
3575 * 1 byte for OID Length field
3576 * Plus the rest... (OID Length, OID value)
3577 */
3578 mechlistTokenSize = 3 + mech_wanted->length +
3579 gssint_der_length_size(mech_wanted->length);
3580
3581 dataLen += mechlistTokenSize;
3582 }
3583 if (data != NULL && data->length > 0) {
3584 /* Length of the inner token */
3585 rspTokenSize = 1 + gssint_der_length_size(data->length) +
3586 data->length;
3587
3588 dataLen += rspTokenSize;
3589
3590 /* Length of the outer token */
3591 dataLen += 1 + gssint_der_length_size(rspTokenSize);
3592 }
3593 if (mechListMIC != NULL) {
3594
3595 /* Length of the inner token */
3596 micTokenSize = 1 + gssint_der_length_size(mechListMIC->length) +
3597 mechListMIC->length;
3598
3599 dataLen += micTokenSize;
3600
3601 /* Length of the outer token */
3602 dataLen += 1 + gssint_der_length_size(micTokenSize);
3603 }
3604 /*
3605 * Add size of DER encoded:
3606 * NegTokenTarg [ SEQUENCE ] of
3607 * NegResult[0] ENUMERATED {
3608 * accept_completed(0),
3609 * accept_incomplete(1),
3610 * reject(2) }
3611 * supportedMech [1] MechType OPTIONAL,
3612 * responseToken [2] OCTET STRING OPTIONAL,
3613 * mechListMIC [3] OCTET STRING OPTIONAL
3614 *
3615 * size = data->length + MechListMic + SupportedMech len +
3616 * Result Length + ASN.1 overhead
3617 */
3618 NegTokenTargSize = dataLen;
3619 dataLen += 1 + gssint_der_length_size(NegTokenTargSize);
3620
3621 /*
3622 * NegotiationToken [ CHOICE ]{
3623 * negTokenInit [0] NegTokenInit,
3624 * negTokenTarg [1] NegTokenTarg }
3625 */
3626 NegTokenSize = dataLen;
3627 dataLen += 1 + gssint_der_length_size(NegTokenSize);
3628
3629 tlen = dataLen;
3630 t = (unsigned char *) malloc(tlen);
3631
3632 if (t == NULL) {
3633 ret = GSS_S_DEFECTIVE_TOKEN;
3634 goto errout;
3635 }
3636
3637 ptr = t;
3638
3639 /*
3640 * Indicate that we are sending CHOICE 1
3641 * (NegTokenTarg)
3642 */
3643 *ptr++ = CONTEXT | 0x01;
3644 if (gssint_put_der_length(NegTokenSize, &ptr, dataLen) < 0) {
3645 ret = GSS_S_DEFECTIVE_TOKEN;
3646 goto errout;
3647 }
3648 *ptr++ = SEQUENCE;
3649 if (gssint_put_der_length(NegTokenTargSize, &ptr,
3650 tlen - (int)(ptr-t)) < 0) {
3651 ret = GSS_S_DEFECTIVE_TOKEN;
3652 goto errout;
3653 }
3654
3655 /*
3656 * First field of the NegTokenTarg SEQUENCE
3657 * is the ENUMERATED NegResult.
3658 */
3659 *ptr++ = CONTEXT;
3660 if (gssint_put_der_length(3, &ptr,
3661 tlen - (int)(ptr-t)) < 0) {
3662 ret = GSS_S_DEFECTIVE_TOKEN;
3663 goto errout;
3664 }
3665 if (put_negResult(&ptr, status, tlen - (int)(ptr - t)) < 0) {
3666 ret = GSS_S_DEFECTIVE_TOKEN;
3667 goto errout;
3668 }
3669 if (sendtoken == INIT_TOKEN_SEND) {
3670 /*
3671 * Next, is the Supported MechType
3672 */
3673 *ptr++ = CONTEXT | 0x01;
3674 if (gssint_put_der_length(mech_wanted->length + 2,
3675 &ptr,
3676 tlen - (int)(ptr - t)) < 0) {
3677 ret = GSS_S_DEFECTIVE_TOKEN;
3678 goto errout;
3679 }
3680 if (put_mech_oid(&ptr, mech_wanted,
3681 tlen - (int)(ptr - t)) < 0) {
3682 ret = GSS_S_DEFECTIVE_TOKEN;
3683 goto errout;
3684 }
3685 }
3686 if (data != NULL && data->length > 0) {
3687 *ptr++ = CONTEXT | 0x02;
3688 if (gssint_put_der_length(rspTokenSize, &ptr,
3689 tlen - (int)(ptr - t)) < 0) {
3690 ret = GSS_S_DEFECTIVE_TOKEN;
3691 goto errout;
3692 }
3693 if (put_input_token(&ptr, data,
3694 tlen - (int)(ptr - t)) < 0) {
3695 ret = GSS_S_DEFECTIVE_TOKEN;
3696 goto errout;
3697 }
3698 }
3699 if (mechListMIC != NULL) {
3700 *ptr++ = CONTEXT | 0x03;
3701 if (gssint_put_der_length(micTokenSize, &ptr,
3702 tlen - (int)(ptr - t)) < 0) {
3703 ret = GSS_S_DEFECTIVE_TOKEN;
3704 goto errout;
3705 }
3706 if (put_input_token(&ptr, mechListMIC,
3707 tlen - (int)(ptr - t)) < 0) {
3708 ret = GSS_S_DEFECTIVE_TOKEN;
3709 goto errout;
3710 }
3711 }
3712 ret = GSS_S_COMPLETE;
3713 errout:
3714 if (ret != GSS_S_COMPLETE) {
3715 free(t);
3716 } else {
3717 outbuf->length = ptr - t;
3718 outbuf->value = (void *) t;
3719 }
3720
3721 return (ret);
3722 }
3723
3724 /* determine size of token */
3725 static int
3726 g_token_size(gss_OID_const mech, unsigned int body_size)
3727 {
3728 int hdrsize;
3729
3730 /*
3731 * Initialize the header size to the
3732 * MECH_OID byte + the bytes needed to indicate the
3733 * length of the OID + the OID itself.
3734 *
3735 * 0x06 [MECHLENFIELD] MECHDATA
3736 */
3737 hdrsize = 1 + gssint_der_length_size(mech->length) + mech->length;
3738
3739 /*
3740 * Now add the bytes needed for the initial header
3741 * token bytes:
3742 * 0x60 + [DER_LEN] + HDRSIZE
3743 */
3744 hdrsize += 1 + gssint_der_length_size(body_size + hdrsize);
3745
3746 return (hdrsize + body_size);
3747 }
3748
3749 /*
3750 * generate token header.
3751 *
3752 * Use DER Definite Length method per RFC2478
3753 * Use of indefinite length encoding will not be compatible
3754 * with Microsoft or others that actually follow the spec.
3755 */
3756 static int
3757 g_make_token_header(gss_OID_const mech,
3758 unsigned int body_size,
3759 unsigned char **buf,
3760 unsigned int totallen)
3761 {
3762 int ret = 0;
3763 unsigned int hdrsize;
3764 unsigned char *p = *buf;
3765
3766 hdrsize = 1 + gssint_der_length_size(mech->length) + mech->length;
3767
3768 *(*buf)++ = HEADER_ID;
3769 if ((ret = gssint_put_der_length(hdrsize + body_size, buf, totallen)))
3770 return (ret);
3771
3772 *(*buf)++ = MECH_OID;
3773 if ((ret = gssint_put_der_length(mech->length, buf,
3774 totallen - (int)(p - *buf))))
3775 return (ret);
3776 TWRITE_STR(*buf, mech->elements, mech->length);
3777 return (0);
3778 }
3779
3780 /*
3781 * NOTE: This checks that the length returned by
3782 * gssint_get_der_length() is not greater than the number of octets
3783 * remaining, even though gssint_get_der_length() already checks, in
3784 * theory.
3785 */
3786 static int
3787 g_get_tag_and_length(unsigned char **buf, int tag,
3788 unsigned int buflen, unsigned int *outlen)
3789 {
3790 unsigned char *ptr = *buf;
3791 int ret = -1; /* pessimists, assume failure ! */
3792 unsigned int encoded_len;
3793 unsigned int tmplen = 0;
3794
3795 *outlen = 0;
3796 if (buflen > 1 && *ptr == tag) {
3797 ptr++;
3798 tmplen = gssint_get_der_length(&ptr, buflen - 1,
3799 &encoded_len);
3800 if (tmplen < 0) {
3801 ret = -1;
3802 } else if (tmplen > buflen - (ptr - *buf)) {
3803 ret = -1;
3804 } else
3805 ret = 0;
3806 }
3807 *outlen = tmplen;
3808 *buf = ptr;
3809 return (ret);
3810 }
3811
3812 static int
3813 g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
3814 {
3815 unsigned char *buf = *buf_in;
3816 unsigned char *endptr = buf + cur_size;
3817 unsigned int seqsize;
3818 int ret = 0;
3819 unsigned int bytes;
3820
3821 /*
3822 * Verify this is a NegotiationToken type token
3823 * - check for a0(context specific identifier)
3824 * - get length and verify that enoughd ata exists
3825 */
3826 if (g_get_tag_and_length(&buf, CONTEXT, cur_size, &seqsize) < 0)
3827 return (G_BAD_TOK_HEADER);
3828
3829 cur_size = seqsize; /* should indicate bytes remaining */
3830
3831 /*
3832 * Verify the next piece, it should identify this as
3833 * a strucure of type NegTokenInit.
3834 */
3835 if (*buf++ == SEQUENCE) {
3836 if ((seqsize = gssint_get_der_length(&buf, cur_size, &bytes)) < 0)
3837 return (G_BAD_TOK_HEADER);
3838 /*
3839 * Make sure we have the entire buffer as described
3840 */
3841 if (buf + seqsize > endptr)
3842 return (G_BAD_TOK_HEADER);
3843 } else {
3844 return (G_BAD_TOK_HEADER);
3845 }
3846
3847 cur_size = seqsize; /* should indicate bytes remaining */
3848
3849 /*
3850 * Verify that the first blob is a sequence of mechTypes
3851 */
3852 if (*buf++ == CONTEXT) {
3853 if ((seqsize = gssint_get_der_length(&buf, cur_size, &bytes)) < 0)
3854 return (G_BAD_TOK_HEADER);
3855 /*
3856 * Make sure we have the entire buffer as described
3857 */
3858 if (buf + bytes > endptr)
3859 return (G_BAD_TOK_HEADER);
3860 } else {
3861 return (G_BAD_TOK_HEADER);
3862 }
3863
3864 /*
3865 * At this point, *buf should be at the beginning of the
3866 * DER encoded list of mech types that are to be negotiated.
3867 */
3868 *buf_in = buf;
3869
3870 return (ret);
3871
3872 }
3873
3874 /* verify token header. */
3875 static int
3876 g_verify_token_header(gss_OID_const mech,
3877 unsigned int *body_size,
3878 unsigned char **buf_in,
3879 int tok_type,
3880 unsigned int toksize)
3881 {
3882 unsigned char *buf = *buf_in;
3883 int seqsize;
3884 gss_OID_desc toid;
3885 int ret = 0;
3886 unsigned int bytes;
3887
3888 if (toksize-- < 1)
3889 return (G_BAD_TOK_HEADER);
3890
3891 if (*buf++ != HEADER_ID)
3892 return (G_BAD_TOK_HEADER);
3893
3894 if ((seqsize = gssint_get_der_length(&buf, toksize, &bytes)) < 0)
3895 return (G_BAD_TOK_HEADER);
3896
3897 if ((seqsize + bytes) != toksize)
3898 return (G_BAD_TOK_HEADER);
3899
3900 if (toksize-- < 1)
3901 return (G_BAD_TOK_HEADER);
3902
3903
3904 if (*buf++ != MECH_OID)
3905 return (G_BAD_TOK_HEADER);
3906
3907 if (toksize-- < 1)
3908 return (G_BAD_TOK_HEADER);
3909
3910 toid.length = *buf++;
3911
3912 if (toksize < toid.length)
3913 return (G_BAD_TOK_HEADER);
3914 else
3915 toksize -= toid.length;
3916
3917 toid.elements = buf;
3918 buf += toid.length;
3919
3920 if (!g_OID_equal(&toid, mech))
3921 ret = G_WRONG_MECH;
3922
3923 /*
3924 * G_WRONG_MECH is not returned immediately because it's more important
3925 * to return G_BAD_TOK_HEADER if the token header is in fact bad
3926 */
3927 if (toksize < 2)
3928 return (G_BAD_TOK_HEADER);
3929 else
3930 toksize -= 2;
3931
3932 if (!ret) {
3933 *buf_in = buf;
3934 *body_size = toksize;
3935 }
3936
3937 return (ret);
3938 }
3939
3940 /*
3941 * Return non-zero if the oid is one of the kerberos mech oids,
3942 * otherwise return zero.
3943 *
3944 * N.B. There are 3 oids that represent the kerberos mech:
3945 * RFC-specified GSS_MECH_KRB5_OID,
3946 * Old pre-RFC GSS_MECH_KRB5_OLD_OID,
3947 * Incorrect MS GSS_MECH_KRB5_WRONG_OID
3948 */
3949
3950 static int
3951 is_kerb_mech(gss_OID oid)
3952 {
3953 int answer = 0;
3954 OM_uint32 minor;
3955 extern const gss_OID_set_desc * const gss_mech_set_krb5_both;
3956
3957 (void) gss_test_oid_set_member(&minor,
3958 oid, (gss_OID_set)gss_mech_set_krb5_both, &answer);
3959
3960 return (answer);
3961 }
unleashed repo fork