2 Copyright (c) 2004 The Regents of the University of Michigan.
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
9 1. Redistributions of source code must retain the above copyright
10 notice, this list of conditions and the following disclaimer.
11 2. Redistributions in binary form must reproduce the above copyright
12 notice, this list of conditions and the following disclaimer in the
13 documentation and/or other materials provided with the distribution.
14 3. Neither the name of the University nor the names of its
15 contributors may be used to endorse or promote products derived
16 from this software without specific prior written permission.
18 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
19 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
20 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
25 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35 #include <gssapi/gssapi.h>
37 #include <rpc/auth_gss.h>
46 /* XXX spkm3 seems to actually want it this big, yipes. */
47 #define MAX_CTX_LEN 4096
49 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
51 /* Don't use the private structure, use the exported lucid structure */
52 #include <gssapi/gssapi_krb5.h>
54 #elif (KRB5_VERSION > 131)
55 /* XXX argggg, there's gotta be a better way than just duplicating this
56 * whole struct. Unfortunately, this is in a "private" header file,
57 * so this is our best choice at this point :-/
59 * XXX Does this match the Heimdal definition? */
61 typedef struct _krb5_gss_ctx_id_rec {
62 unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
63 unsigned int established : 1;
64 unsigned int big_endian : 1;
65 unsigned int have_acceptor_subkey : 1;
66 unsigned int seed_init : 1; /* XXX tested but never actually set */
68 unsigned int testing_unknown_tokid : 1; /* for testing only */
71 unsigned char seed[16];
74 krb5_keyblock *subkey;
80 krb5_timestamp endtime;
82 /* XXX these used to be signed. the old spec is inspecific, and
83 the new spec specifies unsigned. I don't believe that the change
84 affects the wire encoding. */
85 uint64_t seq_send; /* gssint_uint64 */
86 uint64_t seq_recv; /* gssint_uint64 */
88 krb5_auth_context auth_context;
89 gss_buffer_desc *mech_used; /* gss_OID_desc */
90 /* Protocol spec revision
91 0 => RFC 1964 with 3DES and RC4 enhancements
92 1 => draft-ietf-krb-wg-gssapi-cfx-01
93 No others defined so far. */
95 krb5_cksumtype cksumtype; /* for "main" subkey */
96 krb5_keyblock *acceptor_subkey; /* CFX only */
97 krb5_cksumtype acceptor_subkey_cksumtype;
99 gss_buffer_desc init_token;
101 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
103 #else /* KRB5_VERSION > 131 */
105 typedef struct _krb5_gss_ctx_id_rec {
109 unsigned char seed[16];
111 krb5_principal there;
112 krb5_keyblock *subkey;
118 krb5_timestamp endtime;
119 krb5_flags krb_flags;
125 krb5_auth_context auth_context;
126 gss_buffer_desc *mech_used;
128 krb5_cksumtype *ctypes;
129 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
131 #endif /* KRB5_VERSION */
134 #ifdef HAVE_LUCID_CONTEXT_SUPPORT /* Lucid context support */
136 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
140 if (WRITE_BYTES(p, end, key->type)) return -1;
141 tmp.length = key->length;
142 tmp.value = key->data;
143 if (write_buffer(p, end, &tmp)) return -1;
148 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
149 gss_buffer_desc *buf)
152 static int constant_zero = 0;
153 unsigned char fakeseed[16];
154 uint32_t word_send_seq;
155 gss_krb5_lucid_key_t enc_key;
158 gss_buffer_desc fakeoid;
161 * The new Kerberos interface to get the gss context
162 * does not include the seed or seed_init fields
163 * because we never really use them. But for now,
164 * send down a fake buffer so we can use the same
165 * interface to the kernel.
167 memset(&enc_key, 0, sizeof(enc_key));
168 memset(&fakeoid, 0, sizeof(fakeoid));
170 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
173 end = buf->value + MAX_CTX_LEN;
175 if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
177 /* seed_init and seed not used by kernel anyway */
178 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
179 if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
181 if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
182 if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
183 if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
184 word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
185 if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
186 if (write_buffer(&p, end, (gss_buffer_desc*)&krb5oid)) goto out_err;
188 /* derive the encryption key and copy it into buffer */
189 enc_key.type = lctx->rfc1964_kd.ctx_key.type;
190 enc_key.length = lctx->rfc1964_kd.ctx_key.length;
191 if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
193 skd = (char *) lctx->rfc1964_kd.ctx_key.data;
194 dkd = (char *) enc_key.data;
195 for (i = 0; i < enc_key.length; i++)
196 dkd[i] = skd[i] ^ 0xf0;
197 if (write_lucid_keyblock(&p, end, &enc_key)) {
203 if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
206 buf->length = p - (char *)buf->value;
209 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
210 if (buf->value) free(buf->value);
212 if (enc_key.data) free(enc_key.data);
217 prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
218 gss_buffer_desc *buf)
220 printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
226 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
228 OM_uint32 maj_stat, min_stat;
229 void *return_ctx = 0;
231 gss_krb5_lucid_context_v1_t *lctx = 0;
234 printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
235 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx,
237 if (maj_stat != GSS_S_COMPLETE)
240 /* Check the version returned, we only support v1 right now */
241 vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
244 lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
247 printerr(0, "ERROR: unsupported lucid sec context version %d\n",
253 /* Now lctx points to a lucid context that we can send down to kernel */
254 if (lctx->protocol == 0)
255 retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
257 retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
259 maj_stat = gss_krb5_free_lucid_sec_context(&min_stat,
261 if (maj_stat != GSS_S_COMPLETE)
262 printerr(0, "WARN: failed to free lucid sec context\n");
269 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
274 #else /* HAVE_LUCID_CONTEXT_SUPPORT */
277 write_keyblock(char **p, char *end, struct _krb5_keyblock *arg)
281 if (WRITE_BYTES(p, end, arg->enctype)) return -1;
282 tmp.length = arg->length;
283 tmp.value = arg->contents;
284 if (write_buffer(p, end, &tmp)) return -1;
289 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
291 krb5_gss_ctx_id_t kctx = (krb5_gss_ctx_id_t)ctx;
293 static int constant_one = 1;
294 static int constant_zero = 0;
295 uint32_t word_seq_send;
297 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
300 end = buf->value + MAX_CTX_LEN;
302 if (kctx->initiate) {
303 if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
306 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
308 if (kctx->seed_init) {
309 if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
312 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
314 if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
316 if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
317 if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
318 if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
319 word_seq_send = kctx->seq_send;
320 if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
321 if (write_buffer(&p, end, kctx->mech_used)) goto out_err;
322 if (write_keyblock(&p, end, kctx->enc)) goto out_err;
323 if (write_keyblock(&p, end, kctx->seq)) goto out_err;
325 buf->length = p - (char *)buf->value;
328 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
329 if (buf->value) free(buf->value);
333 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */
335 #endif /* HAVE_KRB5 */