2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * Return extended properties of a context handle.
37 #include "gssapiP_eap.h"
40 addEnctypeOidToBufferSet(OM_uint32 *minor,
41 krb5_enctype encryptionType,
42 gss_buffer_set_t *dataSet)
45 unsigned char oidBuf[16];
49 oid.length = sizeof(oidBuf);
50 oid.elements = oidBuf;
52 major = composeOid(minor,
53 "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
60 buf.length = oid.length;
61 buf.value = oid.elements;
63 major = gss_add_buffer_set_member(minor, &buf, dataSet);
69 zeroAndReleaseBufferSet(gss_buffer_set_t *dataSet)
72 gss_buffer_set_t set = *dataSet;
75 if (set == GSS_C_NO_BUFFER_SET)
78 for (i = 0; i <set->count; i++)
79 memset(set->elements[i].value, 0, set->elements[i].length);
81 gss_release_buffer_set(&tmpMinor, dataSet);
85 inquireSessionKey(OM_uint32 *minor,
86 const gss_ctx_id_t ctx,
87 const gss_OID desired_object GSSEAP_UNUSED,
88 gss_buffer_set_t *dataSet)
93 if (ctx->encryptionType == ENCTYPE_NULL) {
94 major = GSS_S_UNAVAILABLE;
95 *minor = GSSEAP_KEY_UNAVAILABLE;
99 buf.length = KRB_KEY_LENGTH(&ctx->rfc3961Key);
100 buf.value = KRB_KEY_DATA(&ctx->rfc3961Key);
102 major = gss_add_buffer_set_member(minor, &buf, dataSet);
103 if (GSS_ERROR(major))
106 major = addEnctypeOidToBufferSet(minor, ctx->encryptionType, dataSet);
107 if (GSS_ERROR(major))
110 major = GSS_S_COMPLETE;
114 if (GSS_ERROR(major))
115 zeroAndReleaseBufferSet(dataSet);
121 inquireNegoExKey(OM_uint32 *minor,
122 const gss_ctx_id_t ctx,
123 const gss_OID desired_object,
124 gss_buffer_set_t *dataSet)
126 OM_uint32 major, tmpMinor;
128 gss_buffer_desc salt;
129 gss_buffer_desc key = GSS_C_EMPTY_BUFFER;
132 bInitiatorKey = CTX_IS_INITIATOR(ctx);
134 if (ctx->encryptionType == ENCTYPE_NULL) {
135 major = GSS_S_UNAVAILABLE;
136 *minor = GSSEAP_KEY_UNAVAILABLE;
141 * If the caller supplied the verify key OID, then we need the acceptor
142 * key if we are the initiator, and vice versa.
144 if (desired_object->length == 11 &&
145 memcmp(desired_object->elements,
146 "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07", 11) == 0)
150 salt.length = NEGOEX_INITIATOR_SALT_LEN;
151 salt.value = NEGOEX_INITIATOR_SALT;
153 salt.length = NEGOEX_ACCEPTOR_SALT_LEN;
154 salt.value = NEGOEX_ACCEPTOR_SALT;
157 keySize = KRB_KEY_LENGTH(&ctx->rfc3961Key);
159 major = gssEapPseudoRandom(minor, ctx, GSS_C_PRF_KEY_FULL, &salt,
161 if (GSS_ERROR(major))
164 major = gss_add_buffer_set_member(minor, &key, dataSet);
165 if (GSS_ERROR(major))
168 major = addEnctypeOidToBufferSet(minor, ctx->encryptionType, dataSet);
169 if (GSS_ERROR(major))
172 major = GSS_S_COMPLETE;
176 if (key.value != NULL) {
177 memset(key.value, 0, key.length);
178 gss_release_buffer(&tmpMinor, &key);
180 if (GSS_ERROR(major))
181 zeroAndReleaseBufferSet(dataSet);
188 OM_uint32 (*inquire)(OM_uint32 *, const gss_ctx_id_t,
189 const gss_OID, gss_buffer_set_t *);
190 } inquireCtxOps[] = {
192 /* GSS_C_INQ_SSPI_SESSION_KEY */
193 { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" },
197 /* GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT + v1 */
198 { 12, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06\x01" },
199 gssEapExportLucidSecContext
202 /* GSS_C_INQ_NEGOEX_KEY */
203 { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06" },
207 /* GSS_C_INQ_NEGOEX_VERIFY_KEY */
208 { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" },
213 OM_uint32 GSSAPI_CALLCONV
214 gss_inquire_sec_context_by_oid(OM_uint32 *minor,
215 const gss_ctx_id_t ctx,
216 const gss_OID desired_object,
217 gss_buffer_set_t *data_set)
222 *data_set = GSS_C_NO_BUFFER_SET;
224 GSSEAP_MUTEX_LOCK(&ctx->mutex);
227 if (!CTX_IS_ESTABLISHED(ctx)) {
228 *minor = GSSEAP_CONTEXT_INCOMPLETE;
229 major = GSS_S_NO_CONTEXT;
234 major = GSS_S_UNAVAILABLE;
235 *minor = GSSEAP_BAD_CONTEXT_OPTION;
237 for (i = 0; i < sizeof(inquireCtxOps) / sizeof(inquireCtxOps[0]); i++) {
238 if (oidEqual(&inquireCtxOps[i].oid, desired_object)) {
239 major = (*inquireCtxOps[i].inquire)(minor, ctx,
240 desired_object, data_set);
245 GSSEAP_MUTEX_UNLOCK(&ctx->mutex);