Annotation of embedaddon/ipsec-tools/src/racoon/gssapi.c, revision 1.1
1.1 ! misho 1: /* $NetBSD: gssapi.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
! 2:
! 3: /* $KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $ */
! 4:
! 5: /*
! 6: * Copyright 2000 Wasabi Systems, Inc.
! 7: * All rights reserved.
! 8: *
! 9: * This software was written by Frank van der Linden of Wasabi Systems
! 10: * for Zembu Labs, Inc. http://www.zembu.com/
! 11: *
! 12: * Redistribution and use in source and binary forms, with or without
! 13: * modification, are permitted provided that the following conditions
! 14: * are met:
! 15: * 1. Redistributions of source code must retain the above copyright
! 16: * notice, this list of conditions and the following disclaimer.
! 17: * 2. Redistributions in binary form must reproduce the above copyright
! 18: * notice, this list of conditions and the following disclaimer in the
! 19: * documentation and/or other materials provided with the distribution.
! 20: * 3. The name of Wasabi Systems, Inc. may not be used to endorse
! 21: * or promote products derived from this software without specific prior
! 22: * written permission.
! 23: *
! 24: * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
! 25: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
! 26: * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
! 27: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
! 28: * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
! 29: * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
! 30: * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
! 31: * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
! 32: * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
! 33: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
! 34: * POSSIBILITY OF SUCH DAMAGE.
! 35: */
! 36:
! 37: #include "config.h"
! 38:
! 39: #ifdef HAVE_GSSAPI
! 40:
! 41: #include <sys/types.h>
! 42: #include <sys/queue.h>
! 43: #include <sys/socket.h>
! 44: #include <netdb.h>
! 45: #include <unistd.h>
! 46:
! 47: #include <stdlib.h>
! 48: #include <string.h>
! 49: #include <errno.h>
! 50:
! 51: #include "var.h"
! 52: #include "misc.h"
! 53: #include "vmbuf.h"
! 54: #include "plog.h"
! 55: #include "sockmisc.h"
! 56: #include "schedule.h"
! 57: #include "debug.h"
! 58:
! 59: #include "localconf.h"
! 60: #include "remoteconf.h"
! 61: #include "isakmp_var.h"
! 62: #include "isakmp.h"
! 63: #include "oakley.h"
! 64: #include "handler.h"
! 65: #include "ipsec_doi.h"
! 66: #include "crypto_openssl.h"
! 67: #include "pfkey.h"
! 68: #include "isakmp_ident.h"
! 69: #include "isakmp_inf.h"
! 70: #include "vendorid.h"
! 71: #include "gcmalloc.h"
! 72:
! 73: #include "gssapi.h"
! 74:
! 75: static void
! 76: gssapi_error(OM_uint32 status_code, const char *where,
! 77: const char *fmt, ...)
! 78: {
! 79: OM_uint32 message_context, maj_stat, min_stat;
! 80: gss_buffer_desc status_string;
! 81: va_list ap;
! 82:
! 83: va_start(ap, fmt);
! 84: plogv(LLV_ERROR, where, NULL, fmt, ap);
! 85: va_end(ap);
! 86:
! 87: message_context = 0;
! 88:
! 89: do {
! 90: maj_stat = gss_display_status(&min_stat, status_code,
! 91: GSS_C_MECH_CODE, GSS_C_NO_OID, &message_context,
! 92: &status_string);
! 93: if (GSS_ERROR(maj_stat))
! 94: plog(LLV_ERROR, LOCATION, NULL,
! 95: "UNABLE TO GET GSSAPI ERROR CODE\n");
! 96: else {
! 97: plog(LLV_ERROR, where, NULL,
! 98: "%s\n", (char *)status_string.value);
! 99: gss_release_buffer(&min_stat, &status_string);
! 100: }
! 101: } while (message_context != 0);
! 102: }
! 103:
! 104: /*
! 105: * vmbufs and gss_buffer_descs are really just the same on NetBSD, but
! 106: * this is to be portable.
! 107: */
! 108: static int
! 109: gssapi_vm2gssbuf(vchar_t *vmbuf, gss_buffer_t gsstoken)
! 110: {
! 111:
! 112: gsstoken->value = racoon_malloc(vmbuf->l);
! 113: if (gsstoken->value == NULL)
! 114: return -1;
! 115: memcpy(gsstoken->value, vmbuf->v, vmbuf->l);
! 116: gsstoken->length = vmbuf->l;
! 117:
! 118: return 0;
! 119: }
! 120:
! 121: static int
! 122: gssapi_gss2vmbuf(gss_buffer_t gsstoken, vchar_t **vmbuf)
! 123: {
! 124:
! 125: *vmbuf = vmalloc(gsstoken->length);
! 126: if (*vmbuf == NULL)
! 127: return -1;
! 128: memcpy((*vmbuf)->v, gsstoken->value, gsstoken->length);
! 129: (*vmbuf)->l = gsstoken->length;
! 130:
! 131: return 0;
! 132: }
! 133:
! 134: vchar_t *
! 135: gssapi_get_default_gss_id(void)
! 136: {
! 137: char name[NI_MAXHOST];
! 138: vchar_t *gssid;
! 139:
! 140: if (gethostname(name, sizeof(name)) != 0) {
! 141: plog(LLV_ERROR, LOCATION, NULL, "gethostname failed: %s\n",
! 142: strerror(errno));
! 143: return (NULL);
! 144: }
! 145: name[sizeof(name) - 1] = '\0';
! 146:
! 147: gssid = racoon_malloc(sizeof(*gssid));
! 148: gssid->l = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name);
! 149:
! 150: return (gssid);
! 151: }
! 152:
! 153: static int
! 154: gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
! 155: {
! 156: char name[NI_MAXHOST];
! 157: struct sockaddr *sa;
! 158: char* buf = NULL;
! 159: gss_buffer_desc name_token;
! 160: OM_uint32 min_stat, maj_stat;
! 161:
! 162: sa = remote ? iph1->remote : iph1->local;
! 163:
! 164: if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
! 165: return -1;
! 166:
! 167: name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name);
! 168: name_token.value = buf;
! 169:
! 170: maj_stat = gss_import_name(&min_stat, &name_token,
! 171: GSS_C_NT_HOSTBASED_SERVICE, service);
! 172: if (GSS_ERROR(maj_stat)) {
! 173: gssapi_error(min_stat, LOCATION, "import name\n");
! 174: maj_stat = gss_release_buffer(&min_stat, &name_token);
! 175: if (GSS_ERROR(maj_stat))
! 176: gssapi_error(min_stat, LOCATION, "release name_token");
! 177: return -1;
! 178: }
! 179: maj_stat = gss_release_buffer(&min_stat, &name_token);
! 180: if (GSS_ERROR(maj_stat))
! 181: gssapi_error(min_stat, LOCATION, "release name_token");
! 182:
! 183: return 0;
! 184: }
! 185:
! 186: static int
! 187: gssapi_init(struct ph1handle *iph1)
! 188: {
! 189: struct gssapi_ph1_state *gps;
! 190: gss_buffer_desc id_token, cred_token;
! 191: gss_buffer_t cred = &cred_token;
! 192: gss_name_t princ, canon_princ;
! 193: OM_uint32 maj_stat, min_stat;
! 194:
! 195: gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
! 196: if (gps == NULL) {
! 197: plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
! 198: return -1;
! 199: }
! 200: gps->gss_context = GSS_C_NO_CONTEXT;
! 201: gps->gss_cred = GSS_C_NO_CREDENTIAL;
! 202:
! 203: gssapi_set_state(iph1, gps);
! 204:
! 205: if (iph1->rmconf->proposal->gssid != NULL) {
! 206: id_token.length = iph1->rmconf->proposal->gssid->l;
! 207: id_token.value = iph1->rmconf->proposal->gssid->v;
! 208: maj_stat = gss_import_name(&min_stat, &id_token, GSS_C_NO_OID,
! 209: &princ);
! 210: if (GSS_ERROR(maj_stat)) {
! 211: gssapi_error(min_stat, LOCATION, "import name\n");
! 212: gssapi_free_state(iph1);
! 213: return -1;
! 214: }
! 215: } else
! 216: gssapi_get_default_name(iph1, 0, &princ);
! 217:
! 218: maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID,
! 219: &canon_princ);
! 220: if (GSS_ERROR(maj_stat)) {
! 221: gssapi_error(min_stat, LOCATION, "canonicalize name\n");
! 222: maj_stat = gss_release_name(&min_stat, &princ);
! 223: if (GSS_ERROR(maj_stat))
! 224: gssapi_error(min_stat, LOCATION, "release princ\n");
! 225: gssapi_free_state(iph1);
! 226: return -1;
! 227: }
! 228: maj_stat = gss_release_name(&min_stat, &princ);
! 229: if (GSS_ERROR(maj_stat))
! 230: gssapi_error(min_stat, LOCATION, "release princ\n");
! 231:
! 232: maj_stat = gss_export_name(&min_stat, canon_princ, cred);
! 233: if (GSS_ERROR(maj_stat)) {
! 234: gssapi_error(min_stat, LOCATION, "export name\n");
! 235: maj_stat = gss_release_name(&min_stat, &canon_princ);
! 236: if (GSS_ERROR(maj_stat))
! 237: gssapi_error(min_stat, LOCATION,
! 238: "release canon_princ\n");
! 239: gssapi_free_state(iph1);
! 240: return -1;
! 241: }
! 242:
! 243: #if 0
! 244: /*
! 245: * XXXJRT Did this debug message ever work? This is a GSS name
! 246: * blob at this point.
! 247: */
! 248: plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
! 249: cred->length, cred->value);
! 250: #endif
! 251:
! 252: maj_stat = gss_release_buffer(&min_stat, cred);
! 253: if (GSS_ERROR(maj_stat))
! 254: gssapi_error(min_stat, LOCATION, "release cred buffer\n");
! 255:
! 256: maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE,
! 257: GSS_C_NO_OID_SET, GSS_C_BOTH, &gps->gss_cred, NULL, NULL);
! 258: if (GSS_ERROR(maj_stat)) {
! 259: gssapi_error(min_stat, LOCATION, "acquire cred\n");
! 260: maj_stat = gss_release_name(&min_stat, &canon_princ);
! 261: if (GSS_ERROR(maj_stat))
! 262: gssapi_error(min_stat, LOCATION,
! 263: "release canon_princ\n");
! 264: gssapi_free_state(iph1);
! 265: return -1;
! 266: }
! 267: maj_stat = gss_release_name(&min_stat, &canon_princ);
! 268: if (GSS_ERROR(maj_stat))
! 269: gssapi_error(min_stat, LOCATION, "release canon_princ\n");
! 270:
! 271: return 0;
! 272: }
! 273:
! 274: int
! 275: gssapi_get_itoken(struct ph1handle *iph1, int *lenp)
! 276: {
! 277: struct gssapi_ph1_state *gps;
! 278: gss_buffer_desc empty, name_token;
! 279: gss_buffer_t itoken, rtoken, dummy;
! 280: OM_uint32 maj_stat, min_stat;
! 281: gss_name_t partner;
! 282:
! 283: if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
! 284: return -1;
! 285:
! 286: gps = gssapi_get_state(iph1);
! 287:
! 288: empty.length = 0;
! 289: empty.value = NULL;
! 290: dummy = ∅
! 291:
! 292: if (iph1->approval != NULL && iph1->approval->gssid != NULL) {
! 293: plog(LLV_DEBUG, LOCATION, NULL,
! 294: "using provided service '%.*s'\n",
! 295: (int)iph1->approval->gssid->l, iph1->approval->gssid->v);
! 296: name_token.length = iph1->approval->gssid->l;
! 297: name_token.value = iph1->approval->gssid->v;
! 298: maj_stat = gss_import_name(&min_stat, &name_token,
! 299: GSS_C_NO_OID, &partner);
! 300: if (GSS_ERROR(maj_stat)) {
! 301: gssapi_error(min_stat, LOCATION, "import of %.*s\n",
! 302: name_token.length, name_token.value);
! 303: return -1;
! 304: }
! 305: } else
! 306: if (gssapi_get_default_name(iph1, 1, &partner) < 0)
! 307: return -1;
! 308:
! 309: rtoken = gps->gsscnt_p == 0 ? dummy : &gps->gss_p[gps->gsscnt_p - 1];
! 310: itoken = &gps->gss[gps->gsscnt];
! 311:
! 312: gps->gss_status = gss_init_sec_context(&min_stat, gps->gss_cred,
! 313: &gps->gss_context, partner, GSS_C_NO_OID,
! 314: GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG |
! 315: GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG,
! 316: 0, GSS_C_NO_CHANNEL_BINDINGS, rtoken, NULL,
! 317: itoken, NULL, NULL);
! 318:
! 319: if (GSS_ERROR(gps->gss_status)) {
! 320: gssapi_error(min_stat, LOCATION, "init_sec_context\n");
! 321: maj_stat = gss_release_name(&min_stat, &partner);
! 322: if (GSS_ERROR(maj_stat))
! 323: gssapi_error(min_stat, LOCATION, "release name\n");
! 324: return -1;
! 325: }
! 326: maj_stat = gss_release_name(&min_stat, &partner);
! 327: if (GSS_ERROR(maj_stat))
! 328: gssapi_error(min_stat, LOCATION, "release name\n");
! 329:
! 330: plog(LLV_DEBUG, LOCATION, NULL, "gss_init_sec_context status %x\n",
! 331: gps->gss_status);
! 332:
! 333: if (lenp)
! 334: *lenp = itoken->length;
! 335:
! 336: if (itoken->length != 0)
! 337: gps->gsscnt++;
! 338:
! 339: return 0;
! 340: }
! 341:
! 342: /*
! 343: * Call gss_accept_context, with token just read from the wire.
! 344: */
! 345: int
! 346: gssapi_get_rtoken(struct ph1handle *iph1, int *lenp)
! 347: {
! 348: struct gssapi_ph1_state *gps;
! 349: gss_buffer_desc name_token;
! 350: gss_buffer_t itoken, rtoken;
! 351: OM_uint32 min_stat, maj_stat;
! 352: gss_name_t client_name;
! 353:
! 354: if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
! 355: return -1;
! 356:
! 357: gps = gssapi_get_state(iph1);
! 358:
! 359: rtoken = &gps->gss_p[gps->gsscnt_p - 1];
! 360: itoken = &gps->gss[gps->gsscnt];
! 361:
! 362: gps->gss_status = gss_accept_sec_context(&min_stat, &gps->gss_context,
! 363: gps->gss_cred, rtoken, GSS_C_NO_CHANNEL_BINDINGS, &client_name,
! 364: NULL, itoken, NULL, NULL, NULL);
! 365:
! 366: if (GSS_ERROR(gps->gss_status)) {
! 367: gssapi_error(min_stat, LOCATION, "accept_sec_context\n");
! 368: return -1;
! 369: }
! 370:
! 371: maj_stat = gss_display_name(&min_stat, client_name, &name_token, NULL);
! 372: if (GSS_ERROR(maj_stat)) {
! 373: gssapi_error(min_stat, LOCATION, "gss_display_name\n");
! 374: maj_stat = gss_release_name(&min_stat, &client_name);
! 375: if (GSS_ERROR(maj_stat))
! 376: gssapi_error(min_stat, LOCATION,
! 377: "release client_name\n");
! 378: return -1;
! 379: }
! 380: maj_stat = gss_release_name(&min_stat, &client_name);
! 381: if (GSS_ERROR(maj_stat))
! 382: gssapi_error(min_stat, LOCATION, "release client_name\n");
! 383:
! 384: plog(LLV_DEBUG, LOCATION, NULL,
! 385: "gss_accept_sec_context: other side is %s\n",
! 386: (char *)name_token.value);
! 387: maj_stat = gss_release_buffer(&min_stat, &name_token);
! 388: if (GSS_ERROR(maj_stat))
! 389: gssapi_error(min_stat, LOCATION, "release name buffer\n");
! 390:
! 391: if (itoken->length != 0)
! 392: gps->gsscnt++;
! 393:
! 394: if (lenp)
! 395: *lenp = itoken->length;
! 396:
! 397: return 0;
! 398: }
! 399:
! 400: int
! 401: gssapi_save_received_token(struct ph1handle *iph1, vchar_t *token)
! 402: {
! 403: struct gssapi_ph1_state *gps;
! 404: gss_buffer_t gsstoken;
! 405: int ret;
! 406:
! 407: if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
! 408: return -1;
! 409:
! 410: gps = gssapi_get_state(iph1);
! 411:
! 412: gsstoken = &gps->gss_p[gps->gsscnt_p];
! 413:
! 414: ret = gssapi_vm2gssbuf(token, gsstoken);
! 415: if (ret < 0)
! 416: return ret;
! 417: gps->gsscnt_p++;
! 418:
! 419: return 0;
! 420: }
! 421:
! 422: int
! 423: gssapi_get_token_to_send(struct ph1handle *iph1, vchar_t **token)
! 424: {
! 425: struct gssapi_ph1_state *gps;
! 426: gss_buffer_t gsstoken;
! 427: int ret;
! 428:
! 429: gps = gssapi_get_state(iph1);
! 430: if (gps == NULL) {
! 431: plog(LLV_ERROR, LOCATION, NULL,
! 432: "gssapi not yet initialized?\n");
! 433: return -1;
! 434: }
! 435: gsstoken = &gps->gss[gps->gsscnt - 1];
! 436: ret = gssapi_gss2vmbuf(gsstoken, token);
! 437: if (ret < 0)
! 438: return ret;
! 439:
! 440: return 0;
! 441: }
! 442:
! 443: int
! 444: gssapi_get_itokens(struct ph1handle *iph1, vchar_t **tokens)
! 445: {
! 446: struct gssapi_ph1_state *gps;
! 447: int len, i;
! 448: vchar_t *toks;
! 449: char *p;
! 450:
! 451: gps = gssapi_get_state(iph1);
! 452: if (gps == NULL) {
! 453: plog(LLV_ERROR, LOCATION, NULL,
! 454: "gssapi not yet initialized?\n");
! 455: return -1;
! 456: }
! 457:
! 458: for (i = len = 0; i < gps->gsscnt; i++)
! 459: len += gps->gss[i].length;
! 460:
! 461: toks = vmalloc(len);
! 462: if (toks == 0)
! 463: return -1;
! 464: p = (char *)toks->v;
! 465: for (i = 0; i < gps->gsscnt; i++) {
! 466: memcpy(p, gps->gss[i].value, gps->gss[i].length);
! 467: p += gps->gss[i].length;
! 468: }
! 469:
! 470: *tokens = toks;
! 471:
! 472: plog(LLV_DEBUG, LOCATION, NULL,
! 473: "%d itokens of length %zu\n", gps->gsscnt, (*tokens)->l);
! 474:
! 475: return 0;
! 476: }
! 477:
! 478: int
! 479: gssapi_get_rtokens(struct ph1handle *iph1, vchar_t **tokens)
! 480: {
! 481: struct gssapi_ph1_state *gps;
! 482: int len, i;
! 483: vchar_t *toks;
! 484: char *p;
! 485:
! 486: gps = gssapi_get_state(iph1);
! 487: if (gps == NULL) {
! 488: plog(LLV_ERROR, LOCATION, NULL,
! 489: "gssapi not yet initialized?\n");
! 490: return -1;
! 491: }
! 492:
! 493: if (gssapi_more_tokens(iph1)) {
! 494: plog(LLV_ERROR, LOCATION, NULL,
! 495: "gssapi roundtrips not complete\n");
! 496: return -1;
! 497: }
! 498:
! 499: for (i = len = 0; i < gps->gsscnt_p; i++)
! 500: len += gps->gss_p[i].length;
! 501:
! 502: toks = vmalloc(len);
! 503: if (toks == 0)
! 504: return -1;
! 505: p = (char *)toks->v;
! 506: for (i = 0; i < gps->gsscnt_p; i++) {
! 507: memcpy(p, gps->gss_p[i].value, gps->gss_p[i].length);
! 508: p += gps->gss_p[i].length;
! 509: }
! 510:
! 511: *tokens = toks;
! 512:
! 513: return 0;
! 514: }
! 515:
! 516: vchar_t *
! 517: gssapi_wraphash(struct ph1handle *iph1)
! 518: {
! 519: struct gssapi_ph1_state *gps;
! 520: OM_uint32 maj_stat, min_stat;
! 521: gss_buffer_desc hash_in_buf, hash_out_buf;
! 522: gss_buffer_t hash_in = &hash_in_buf, hash_out = &hash_out_buf;
! 523: vchar_t *outbuf;
! 524:
! 525: gps = gssapi_get_state(iph1);
! 526: if (gps == NULL) {
! 527: plog(LLV_ERROR, LOCATION, NULL,
! 528: "gssapi not yet initialized?\n");
! 529: return NULL;
! 530: }
! 531:
! 532: if (gssapi_more_tokens(iph1)) {
! 533: plog(LLV_ERROR, LOCATION, NULL,
! 534: "gssapi roundtrips not complete\n");
! 535: return NULL;
! 536: }
! 537:
! 538: if (gssapi_vm2gssbuf(iph1->hash, hash_in) < 0) {
! 539: plog(LLV_ERROR, LOCATION, NULL, "vm2gssbuf failed\n");
! 540: return NULL;
! 541: }
! 542:
! 543: maj_stat = gss_wrap(&min_stat, gps->gss_context, 1, GSS_C_QOP_DEFAULT,
! 544: hash_in, NULL, hash_out);
! 545: if (GSS_ERROR(maj_stat)) {
! 546: gssapi_error(min_stat, LOCATION, "wrapping hash value\n");
! 547: maj_stat = gss_release_buffer(&min_stat, hash_in);
! 548: if (GSS_ERROR(maj_stat))
! 549: gssapi_error(min_stat, LOCATION,
! 550: "release hash_in buffer\n");
! 551: return NULL;
! 552: }
! 553:
! 554: plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %zu olen %zu\n",
! 555: hash_in->length, hash_out->length);
! 556:
! 557: maj_stat = gss_release_buffer(&min_stat, hash_in);
! 558: if (GSS_ERROR(maj_stat))
! 559: gssapi_error(min_stat, LOCATION, "release hash_in buffer\n");
! 560:
! 561: if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
! 562: plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
! 563: maj_stat = gss_release_buffer(&min_stat, hash_out);
! 564: if (GSS_ERROR(maj_stat))
! 565: gssapi_error(min_stat, LOCATION,
! 566: "release hash_out buffer\n");
! 567: return NULL;
! 568: }
! 569: maj_stat = gss_release_buffer(&min_stat, hash_out);
! 570: if (GSS_ERROR(maj_stat))
! 571: gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
! 572:
! 573: return outbuf;
! 574: }
! 575:
! 576: vchar_t *
! 577: gssapi_unwraphash(struct ph1handle *iph1)
! 578: {
! 579: struct gssapi_ph1_state *gps;
! 580: OM_uint32 maj_stat, min_stat;
! 581: gss_buffer_desc hashbuf, hash_outbuf;
! 582: gss_buffer_t hash_in = &hashbuf, hash_out = &hash_outbuf;
! 583: vchar_t *outbuf;
! 584:
! 585: gps = gssapi_get_state(iph1);
! 586: if (gps == NULL) {
! 587: plog(LLV_ERROR, LOCATION, NULL,
! 588: "gssapi not yet initialized?\n");
! 589: return NULL;
! 590: }
! 591:
! 592:
! 593: hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash);
! 594: hashbuf.value = (char *)(iph1->pl_hash + 1);
! 595:
! 596: plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %zu\n",
! 597: hashbuf.length);
! 598:
! 599: maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out,
! 600: NULL, NULL);
! 601: if (GSS_ERROR(maj_stat)) {
! 602: gssapi_error(min_stat, LOCATION, "unwrapping hash value\n");
! 603: return NULL;
! 604: }
! 605:
! 606: if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
! 607: plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
! 608: maj_stat = gss_release_buffer(&min_stat, hash_out);
! 609: if (GSS_ERROR(maj_stat))
! 610: gssapi_error(min_stat, LOCATION,
! 611: "release hash_out buffer\n");
! 612: return NULL;
! 613: }
! 614: maj_stat = gss_release_buffer(&min_stat, hash_out);
! 615: if (GSS_ERROR(maj_stat))
! 616: gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
! 617:
! 618: return outbuf;
! 619: }
! 620:
! 621: void
! 622: gssapi_set_id_sent(struct ph1handle *iph1)
! 623: {
! 624: struct gssapi_ph1_state *gps;
! 625:
! 626: gps = gssapi_get_state(iph1);
! 627:
! 628: gps->gss_flags |= GSSFLAG_ID_SENT;
! 629: }
! 630:
! 631: int
! 632: gssapi_id_sent(struct ph1handle *iph1)
! 633: {
! 634: struct gssapi_ph1_state *gps;
! 635:
! 636: gps = gssapi_get_state(iph1);
! 637:
! 638: return (gps->gss_flags & GSSFLAG_ID_SENT) != 0;
! 639: }
! 640:
! 641: void
! 642: gssapi_set_id_rcvd(struct ph1handle *iph1)
! 643: {
! 644: struct gssapi_ph1_state *gps;
! 645:
! 646: gps = gssapi_get_state(iph1);
! 647:
! 648: gps->gss_flags |= GSSFLAG_ID_RCVD;
! 649: }
! 650:
! 651: int
! 652: gssapi_id_rcvd(struct ph1handle *iph1)
! 653: {
! 654: struct gssapi_ph1_state *gps;
! 655:
! 656: gps = gssapi_get_state(iph1);
! 657:
! 658: return (gps->gss_flags & GSSFLAG_ID_RCVD) != 0;
! 659: }
! 660:
! 661: void
! 662: gssapi_free_state(struct ph1handle *iph1)
! 663: {
! 664: struct gssapi_ph1_state *gps;
! 665: OM_uint32 maj_stat, min_stat;
! 666:
! 667: gps = gssapi_get_state(iph1);
! 668:
! 669: if (gps == NULL)
! 670: return;
! 671:
! 672: gssapi_set_state(iph1, NULL);
! 673:
! 674: if (gps->gss_cred != GSS_C_NO_CREDENTIAL) {
! 675: maj_stat = gss_release_cred(&min_stat, &gps->gss_cred);
! 676: if (GSS_ERROR(maj_stat))
! 677: gssapi_error(min_stat, LOCATION,
! 678: "releasing credentials\n");
! 679: }
! 680: racoon_free(gps);
! 681: }
! 682:
! 683: vchar_t *
! 684: gssapi_get_id(struct ph1handle *iph1)
! 685: {
! 686: gss_buffer_desc id_buffer;
! 687: gss_buffer_t id = &id_buffer;
! 688: gss_name_t defname, canon_name;
! 689: OM_uint32 min_stat, maj_stat;
! 690: vchar_t *vmbuf;
! 691:
! 692: if (iph1->rmconf->proposal->gssid != NULL)
! 693: return (vdup(iph1->rmconf->proposal->gssid));
! 694:
! 695: if (gssapi_get_default_name(iph1, 0, &defname) < 0)
! 696: return NULL;
! 697:
! 698: maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID,
! 699: &canon_name);
! 700: if (GSS_ERROR(maj_stat)) {
! 701: gssapi_error(min_stat, LOCATION, "canonicalize name\n");
! 702: maj_stat = gss_release_name(&min_stat, &defname);
! 703: if (GSS_ERROR(maj_stat))
! 704: gssapi_error(min_stat, LOCATION,
! 705: "release default name\n");
! 706: return NULL;
! 707: }
! 708: maj_stat = gss_release_name(&min_stat, &defname);
! 709: if (GSS_ERROR(maj_stat))
! 710: gssapi_error(min_stat, LOCATION, "release default name\n");
! 711:
! 712: maj_stat = gss_export_name(&min_stat, canon_name, id);
! 713: if (GSS_ERROR(maj_stat)) {
! 714: gssapi_error(min_stat, LOCATION, "export name\n");
! 715: maj_stat = gss_release_name(&min_stat, &canon_name);
! 716: if (GSS_ERROR(maj_stat))
! 717: gssapi_error(min_stat, LOCATION,
! 718: "release canonical name\n");
! 719: return NULL;
! 720: }
! 721: maj_stat = gss_release_name(&min_stat, &canon_name);
! 722: if (GSS_ERROR(maj_stat))
! 723: gssapi_error(min_stat, LOCATION, "release canonical name\n");
! 724:
! 725: #if 0
! 726: /*
! 727: * XXXJRT Did this debug message ever work? This is a GSS name
! 728: * blob at this point.
! 729: */
! 730: plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
! 731: id->length, id->value);
! 732: #endif
! 733:
! 734: if (gssapi_gss2vmbuf(id, &vmbuf) < 0) {
! 735: plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
! 736: maj_stat = gss_release_buffer(&min_stat, id);
! 737: if (GSS_ERROR(maj_stat))
! 738: gssapi_error(min_stat, LOCATION, "release id buffer\n");
! 739: return NULL;
! 740: }
! 741: maj_stat = gss_release_buffer(&min_stat, id);
! 742: if (GSS_ERROR(maj_stat))
! 743: gssapi_error(min_stat, LOCATION, "release id buffer\n");
! 744:
! 745: return vmbuf;
! 746: }
! 747: #else
! 748: int __gssapi_dUmMy;
! 749: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to gssapi.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon