2 Copyright (c) 2004-2006 The Regents of the University of Michigan.
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
9 1. Redistributions of source code must retain the above copyright
10 notice, this list of conditions and the following disclaimer.
11 2. Redistributions in binary form must reproduce the above copyright
12 notice, this list of conditions and the following disclaimer in the
13 documentation and/or other materials provided with the distribution.
14 3. Neither the name of the University nor the names of its
15 contributors may be used to endorse or promote products derived
16 from this software without specific prior written permission.
18 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
19 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
20 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
25 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #endif /* HAVE_CONFIG_H */
35 #ifndef HAVE_LUCID_CONTEXT_SUPPORT
42 #include <gssapi/gssapi.h>
44 #include <rpc/auth_gss.h>
52 #if (KRB5_VERSION > 131)
53 /* XXX argggg, there's gotta be a better way than just duplicating this
54 * whole struct. Unfortunately, this is in a "private" header file,
55 * so this is our best choice at this point :-/
58 typedef struct _krb5_gss_ctx_id_rec {
59 unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
60 unsigned int established : 1;
61 unsigned int big_endian : 1;
62 unsigned int have_acceptor_subkey : 1;
63 unsigned int seed_init : 1; /* XXX tested but never actually set */
65 unsigned int testing_unknown_tokid : 1; /* for testing only */
68 unsigned char seed[16];
71 krb5_keyblock *subkey;
77 krb5_timestamp endtime;
79 /* XXX these used to be signed. the old spec is inspecific, and
80 the new spec specifies unsigned. I don't believe that the change
81 affects the wire encoding. */
82 uint64_t seq_send; /* gssint_uint64 */
83 uint64_t seq_recv; /* gssint_uint64 */
85 krb5_auth_context auth_context;
86 gss_OID_desc *mech_used; /* gss_OID_desc */
87 /* Protocol spec revision
88 0 => RFC 1964 with 3DES and RC4 enhancements
89 1 => draft-ietf-krb-wg-gssapi-cfx-01
90 No others defined so far. */
92 krb5_cksumtype cksumtype; /* for "main" subkey */
93 krb5_keyblock *acceptor_subkey; /* CFX only */
94 krb5_cksumtype acceptor_subkey_cksumtype;
96 gss_buffer_desc init_token;
98 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
100 #else /* KRB5_VERSION > 131 */
102 typedef struct _krb5_gss_ctx_id_rec {
106 unsigned char seed[16];
108 krb5_principal there;
109 krb5_keyblock *subkey;
115 krb5_timestamp endtime;
116 krb5_flags krb_flags;
122 krb5_auth_context auth_context;
123 gss_OID_desc *mech_used;
125 krb5_cksumtype *ctypes;
126 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
128 #endif /* KRB5_VERSION */
132 write_keyblock(char **p, char *end, struct _krb5_keyblock *arg)
136 if (WRITE_BYTES(p, end, arg->enctype)) return -1;
137 tmp.length = arg->length;
138 tmp.value = arg->contents;
139 if (write_buffer(p, end, &tmp)) return -1;
144 * We really shouldn't know about glue-layer context structure, but
145 * we need to get at the real krb5 context pointer. This should be
146 * removed as soon as we say there is no support for MIT Kerberos
147 * prior to 1.4 -- which gives us "legal" access to the context info.
149 typedef struct gss_union_ctx_id_t {
151 gss_ctx_id_t internal_ctx_id;
152 } gss_union_ctx_id_desc, *gss_union_ctx_id_t;
155 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime)
157 krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id;
159 static int constant_zero = 0;
160 static int constant_one = 1;
161 static int constant_two = 2;
162 uint32_t word_seq_send;
163 u_int64_t seq_send_64bit;
164 uint32_t v2_flags = 0;
166 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
169 end = buf->value + MAX_CTX_LEN;
171 switch (kctx->enc->enctype) {
172 case ENCTYPE_DES_CBC_CRC:
173 case ENCTYPE_DES_CBC_MD4:
174 case ENCTYPE_DES_CBC_MD5:
175 case ENCTYPE_DES_CBC_RAW:
176 /* Old format of context to the kernel */
177 if (kctx->initiate) {
178 if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
181 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
183 if (kctx->seed_init) {
184 if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
187 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
189 if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
191 if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
192 if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
193 if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
195 *endtime = kctx->endtime;
196 word_seq_send = kctx->seq_send;
197 if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
198 if (write_oid(&p, end, kctx->mech_used)) goto out_err;
200 printerr(2, "serialize_krb5_ctx: serializing keys with "
201 "enctype %d and length %d\n",
202 kctx->enc->enctype, kctx->enc->length);
204 if (write_keyblock(&p, end, kctx->enc)) goto out_err;
205 if (write_keyblock(&p, end, kctx->seq)) goto out_err;
207 case ENCTYPE_DES3_CBC_RAW:
208 case ENCTYPE_DES3_CBC_SHA1:
209 case ENCTYPE_ARCFOUR_HMAC:
210 case ENCTYPE_ARCFOUR_HMAC_EXP:
211 case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
212 case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
213 /* New format of context to the kernel */
215 * #define KRB5_CTX_FLAG_INITIATOR 0x00000001
216 * #define KRB5_CTX_FLAG_CFX 0x00000002
217 * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
225 v2_flags |= KRB5_CTX_FLAG_INITIATOR;
226 if (kctx->proto == 1)
227 v2_flags |= KRB5_CTX_FLAG_CFX;
228 if (kctx->have_acceptor_subkey)
229 v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
230 if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
231 if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
233 seq_send_64bit = kctx->seq_send;
234 if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err;
236 if (kctx->have_acceptor_subkey) {
237 if (WRITE_BYTES(&p, end, kctx->acceptor_subkey->enctype))
239 printerr(2, "serialize_krb5_ctx: serializing subkey "
240 "with enctype %d and size %d\n",
241 kctx->acceptor_subkey->enctype,
242 kctx->acceptor_subkey->length);
244 if (write_bytes(&p, end,
245 kctx->acceptor_subkey->contents,
246 kctx->acceptor_subkey->length))
249 if (WRITE_BYTES(&p, end, kctx->enc->enctype))
251 printerr(2, "serialize_krb5_ctx: serializing key "
252 "with enctype %d and size %d\n",
253 kctx->enc->enctype, kctx->enc->length);
255 if (write_bytes(&p, end, kctx->enc->contents,
261 printerr(0, "ERROR: serialize_krb5_ctx: unsupported encryption "
262 "algorithm %d\n", kctx->enc->enctype);
266 buf->length = p - (char *)buf->value;
270 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
279 #endif /* HAVE_KRB5 */
280 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */