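/*
 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Static storage for the well-known GSS-API name-type OIDs exported by the
 * krb5 mechanism, the mechanism attribute table, and the three mechanism
 * interface descriptors (krb5, iakerb and -- when built with PKINIT --
 * pku2u) handed to the mech-glue layer by the __gss_*_initialize()
 * entry points at the bottom of this file.
 *
 * Every OID below is stored as a DER-encoded content octet string; the
 * first member of each gss_OID_desc is the byte length of that string.
 * The descriptors are deliberately non-const: the public API hands out
 * gss_OID (a non-const pointer) to them.
 */

#include "gsskrb5_locl.h"
#include <gssapi_mech.h>

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
 *              "\x01\x02\x01\x01"},
 * corresponding to an object-identifier value of
 * {iso(1) member-body(2) United States(840) mit(113554)
 *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
 * GSS_C_NT_USER_NAME should be initialized to point
 * to that gss_OID_desc.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_user_name_oid_desc =
    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
 *              "\x01\x02\x01\x02"},
 * corresponding to an object-identifier value of
 * {iso(1) member-body(2) United States(840) mit(113554)
 *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
 * The constant GSS_C_NT_MACHINE_UID_NAME should be
 * initialized to point to that gss_OID_desc.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_machine_uid_name_oid_desc =
    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
 *              "\x01\x02\x01\x03"},
 * corresponding to an object-identifier value of
 * {iso(1) member-body(2) United States(840) mit(113554)
 *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
 * The constant GSS_C_NT_STRING_UID_NAME should be
 * initialized to point to that gss_OID_desc.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_string_uid_name_oid_desc =
    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
 * corresponding to an object-identifier value of
 * {iso(1) org(3) dod(6) internet(1) security(5)
 *  nametypes(6) gss-host-based-services(2)}.  The constant
 * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
 * to that gss_OID_desc.  This is a deprecated OID value, and
 * implementations wishing to support hostbased-service names
 * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
 * defined below, to identify such names;
 * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted as a synonym
 * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
 * parameter, but should not be emitted by GSS-API
 * implementations.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_hostbased_service_x_oid_desc =
    {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
 *              "\x01\x02\x01\x04"}, corresponding to an
 * object-identifier value of {iso(1) member-body(2)
 * United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}.  The constant
 * GSS_C_NT_HOSTBASED_SERVICE should be initialized
 * to point to that gss_OID_desc.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_hostbased_service_oid_desc =
    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
 * corresponding to an object identifier value of
 * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
 *  6(nametypes), 3(gss-anonymous-name)}.  The constant
 * GSS_C_NT_ANONYMOUS should be initialized to point
 * to that gss_OID_desc.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_anonymous_oid_desc =
    {6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};

/*
 * The implementation must reserve static storage for a
 * gss_OID_desc object containing the value
 * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
 * corresponding to an object-identifier value of
 * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
 *  6(nametypes), 4(gss-api-exported-name)}.  The constant
 * GSS_C_NT_EXPORT_NAME should be initialized to point
 * to that gss_OID_desc.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_export_name_oid_desc =
    {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };

/*
 * This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME".
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_oid_desc =
    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };

/*
 * Do not use.
 *
 * Legacy name type {... gssapi(2) krb5(2) 2}; kept only so that existing
 * binaries which reference the symbol keep linking.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_oid_desc =
    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x02") };

/*
 * Mechanism attributes (RFC 5587 style gss_mo_desc table) for the krb5
 * mechanism.  The first three entries carry a string value that is
 * returned through _gss_mo_get_ctx_as_string; the remaining entries only
 * declare that the attribute is present, so every field after the flags
 * is left zero/NULL by the partial initializer.
 */

static gss_mo_desc krb5_mo[] = {
    {
	GSS_C_MA_SASL_MECH_NAME,
	GSS_MO_MA,
	"SASL mech name",
	rk_UNCONST("GS2-KRB5"),
	_gss_mo_get_ctx_as_string,
	NULL
    },
    {
	GSS_C_MA_MECH_NAME,
	GSS_MO_MA,
	"Mechanism name",
	rk_UNCONST("KRB5"),
	_gss_mo_get_ctx_as_string,
	NULL
    },
    {
	GSS_C_MA_MECH_DESCRIPTION,
	GSS_MO_MA,
	"Mechanism description",
	rk_UNCONST("Heimdal Kerberos 5 mech"),
	_gss_mo_get_ctx_as_string,
	NULL
    },
    /* presence-only attributes: no value, no getter */
    { GSS_C_MA_MECH_CONCRETE,	GSS_MO_MA },
    { GSS_C_MA_ITOK_FRAMED,	GSS_MO_MA },
    { GSS_C_MA_AUTH_INIT,	GSS_MO_MA },
    { GSS_C_MA_AUTH_TARG,	GSS_MO_MA },
    { GSS_C_MA_AUTH_INIT_ANON,	GSS_MO_MA },
    { GSS_C_MA_DELEG_CRED,	GSS_MO_MA },
    { GSS_C_MA_INTEG_PROT,	GSS_MO_MA },
    { GSS_C_MA_CONF_PROT,	GSS_MO_MA },
    { GSS_C_MA_MIC,		GSS_MO_MA },
    { GSS_C_MA_WRAP,		GSS_MO_MA },
    { GSS_C_MA_PROT_READY,	GSS_MO_MA },
    { GSS_C_MA_REPLAY_DET,	GSS_MO_MA },
    { GSS_C_MA_OOS_DET,		GSS_MO_MA },
    { GSS_C_MA_CBINDINGS,	GSS_MO_MA },
    { GSS_C_MA_PFS,		GSS_MO_MA },
    { GSS_C_MA_CTX_TRANS,	GSS_MO_MA }
};

/*
 * Kerberos 5 mechanism, OID {iso(1) member-body(2) United States(840)
 * mit(113554) infosys(1) gssapi(2) krb5(2)} = 1.2.840.113554.1.2.2.
 *
 * The initializer is positional and must follow the field order of
 * gssapi_mech_interface_desc in <gssapi_mech.h>; the three mechanism
 * tables in this file share that order, so a new entry point has to be
 * added to all of them at the same position.  The scalar right after the
 * OID appears to be a flags word (it is 0 for every mechanism here) --
 * confirm against the struct definition before relying on that.
 */

static gssapi_mech_interface_desc krb5_mech = {
    GMI_VERSION,
    "kerberos 5",
    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
    0,
    _gsskrb5_acquire_cred,
    _gsskrb5_release_cred,
    _gsskrb5_init_sec_context,
    _gsskrb5_accept_sec_context,
    _gsskrb5_process_context_token,
    _gsskrb5_delete_sec_context,
    _gsskrb5_context_time,
    _gsskrb5_get_mic,
    _gsskrb5_verify_mic,
    _gsskrb5_wrap,
    _gsskrb5_unwrap,
    _gsskrb5_display_status,
    NULL,
    _gsskrb5_compare_name,
    _gsskrb5_display_name,
    _gsskrb5_import_name,
    _gsskrb5_export_name,
    _gsskrb5_release_name,
    _gsskrb5_inquire_cred,
    _gsskrb5_inquire_context,
    _gsskrb5_wrap_size_limit,
    _gsskrb5_add_cred,
    _gsskrb5_inquire_cred_by_mech,
    _gsskrb5_export_sec_context,
    _gsskrb5_import_sec_context,
    _gsskrb5_inquire_names_for_mech,
    _gsskrb5_inquire_mechs_for_name,
    _gsskrb5_canonicalize_name,
    _gsskrb5_duplicate_name,
    _gsskrb5_inquire_sec_context_by_oid,
    _gsskrb5_inquire_cred_by_oid,
    _gsskrb5_set_sec_context_option,
    _gsskrb5_set_cred_option,
    _gsskrb5_pseudo_random,
    _gk_wrap_iov,
    _gk_unwrap_iov,
    _gk_wrap_iov_length,
    _gsskrb5_store_cred,
    _gsskrb5_export_cred,
    _gsskrb5_import_cred,
    _gss_krb5_acquire_cred_ext,
    _gss_krb5_iter_creds_f,
    _gsskrb5_destroy_cred,
    _gsskrb5_cred_hold,
    _gsskrb5_cred_unhold,
    _gsskrb5_cred_label_get,
    _gsskrb5_cred_label_set,
    /* mechanism attribute table and its element count */
    krb5_mo,
    sizeof(krb5_mo) / sizeof(krb5_mo[0]),
    _gsskrb5_pname_to_uid,
    _gsskrb5_authorize_localname,
    /* remaining optional entry points are not provided by this mechanism */
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    _gsskrb5_appl_change_password
};

/*
 * IAKERB mechanism, OID 1.3.6.1.5.2.5.  Shares most entry points with the
 * krb5 mechanism; only credential acquisition, the acceptor side and name
 * import/export/inquiry differ.  It publishes no attribute table
 * (NULL, 0).
 */

static gssapi_mech_interface_desc iakerb_mech = {
    GMI_VERSION,
    "iakerb",
    {6, rk_UNCONST("\x2b\x06\x01\x05\x02\x05") },
    0,
    _gssiakerb_acquire_cred,
    _gsskrb5_release_cred,
    _gsskrb5_init_sec_context,
    _gssiakerb_accept_sec_context,
    _gsskrb5_process_context_token,
    _gsskrb5_delete_sec_context,
    _gsskrb5_context_time,
    _gsskrb5_get_mic,
    _gsskrb5_verify_mic,
    _gsskrb5_wrap,
    _gsskrb5_unwrap,
    _gsskrb5_display_status,
    NULL,
    _gsskrb5_compare_name,
    _gsskrb5_display_name,
    _gssiakerb_import_name,
    _gssiakerb_export_name,
    _gsskrb5_release_name,
    _gsskrb5_inquire_cred,
    _gsskrb5_inquire_context,
    _gsskrb5_wrap_size_limit,
    _gsskrb5_add_cred,
    _gsskrb5_inquire_cred_by_mech,
    _gsskrb5_export_sec_context,
    _gsskrb5_import_sec_context,
    _gssiakerb_inquire_names_for_mech,
    _gsskrb5_inquire_mechs_for_name,
    _gsskrb5_canonicalize_name,
    _gsskrb5_duplicate_name,
    _gsskrb5_inquire_sec_context_by_oid,
    _gsskrb5_inquire_cred_by_oid,
    _gsskrb5_set_sec_context_option,
    _gsskrb5_set_cred_option,
    _gsskrb5_pseudo_random,
    _gk_wrap_iov,
    _gk_unwrap_iov,
    _gk_wrap_iov_length,
    _gsskrb5_store_cred,
    _gsskrb5_export_cred,
    _gsskrb5_import_cred,
    _gss_iakerb_acquire_cred_ext,
    _gss_iakerb_iter_creds_f,
    _gsskrb5_destroy_cred,
    _gsskrb5_cred_hold,
    _gsskrb5_cred_unhold,
    _gsskrb5_cred_label_get,
    _gsskrb5_cred_label_set,
    /* no mechanism attribute table */
    NULL,
    0,
    _gsskrb5_pname_to_uid,
    _gsskrb5_authorize_localname,
    /* remaining optional entry points are not provided by this mechanism */
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    _gsskrb5_appl_change_password
};


#ifdef PKINIT

/*
 * PKU2U mechanism (only when built with PKINIT support).
 *
 * NOTE(review): the OID bytes below decode to 1.3.5.1.5.2.7, whereas the
 * PKU2U mechanism is registered as 1.3.6.1.5.2.7 (which would encode as
 * "\x2b\x06\x01\x05\x02\x07", the same prefix as the iakerb OID above).
 * The literal is kept unchanged here because the matching GSS_PKU2U_MECHANISM
 * constant lives in the public header and the two must agree; verify both
 * together before changing either.
 *
 * Credential acquisition through the extended interface reuses the krb5
 * routine (_gss_krb5_acquire_cred_ext) rather than a pku2u-specific one.
 */

static gssapi_mech_interface_desc pku2u_mech = {
    GMI_VERSION,
    "pku2u",
    {6, rk_UNCONST("\x2b\x05\x01\x05\x02\x07") },
    0,
    _gsspku2u_acquire_cred,
    _gsskrb5_release_cred,
    _gsskrb5_init_sec_context,
    _gsspku2u_accept_sec_context,
    _gsskrb5_process_context_token,
    _gsskrb5_delete_sec_context,
    _gsskrb5_context_time,
    _gsskrb5_get_mic,
    _gsskrb5_verify_mic,
    _gsskrb5_wrap,
    _gsskrb5_unwrap,
    _gsskrb5_display_status,
    NULL,
    _gsskrb5_compare_name,
    _gsskrb5_display_name,
    _gsspku2u_import_name,
    _gsspku2u_export_name,
    _gsskrb5_release_name,
    _gsskrb5_inquire_cred,
    _gsskrb5_inquire_context,
    _gsskrb5_wrap_size_limit,
    _gsskrb5_add_cred,
    _gsskrb5_inquire_cred_by_mech,
    _gsskrb5_export_sec_context,
    _gsskrb5_import_sec_context,
    _gsspku2u_inquire_names_for_mech,
    _gsskrb5_inquire_mechs_for_name,
    _gsskrb5_canonicalize_name,
    _gsskrb5_duplicate_name,
    _gsskrb5_inquire_sec_context_by_oid,
    _gsskrb5_inquire_cred_by_oid,
    _gsskrb5_set_sec_context_option,
    _gsskrb5_set_cred_option,
    _gsskrb5_pseudo_random,
    _gk_wrap_iov,
    _gk_unwrap_iov,
    _gk_wrap_iov_length,
    _gsskrb5_store_cred,
    _gsskrb5_export_cred,
    _gsskrb5_import_cred,
    _gss_krb5_acquire_cred_ext,
    _gss_pku2u_iter_creds_f,
    _gsskrb5_destroy_cred,
    _gsskrb5_cred_hold,
    _gsskrb5_cred_unhold,
    _gsskrb5_cred_label_get,
    _gsskrb5_cred_label_set,
    /* no mechanism attribute table */
    NULL,
    0,
    _gsskrb5_pname_to_uid,
    _gsskrb5_authorize_localname,
    /* remaining optional entry points are not provided by this mechanism */
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    _gsskrb5_appl_change_password
};

#endif /* PKINIT */

/*
 * Mechanism registration entry points.
 *
 * Each function hands the mech-glue the interface descriptor whose name
 * matches its own.  They return pointers to the file-static descriptors
 * above, which live for the lifetime of the process; callers must not
 * free them.  __gss_pku2u_initialize() returns NULL when the library was
 * built without PKINIT, so the glue must be prepared for a NULL result.
 *
 * Previously __gss_pku2u_initialize() returned &iakerb_mech and
 * __gss_iakerb_initialize() returned &pku2u_mech; the two bodies were
 * swapped.  The set of registered mechanisms was the same only if the
 * caller treats both functions interchangeably, and a caller asking
 * specifically for one of them got the other.
 */

gssapi_mech_interface
__gss_krb5_initialize(void)
{
    return &krb5_mech;
}

gssapi_mech_interface
__gss_pku2u_initialize(void)
{
#ifdef PKINIT
    return &pku2u_mech;
#else
    return NULL;
#endif
}

gssapi_mech_interface
__gss_iakerb_initialize(void)
{
    return &iakerb_mech;
}

/*
 * compat glue
 *
 * Apple-specific OIDs exported for binary compatibility: the "LKDC
 * supported" marker and the UUID name type.
 */

gss_OID_desc GSSAPI_LIB_VARIABLE __gss_appl_lkdc_supported_desc =
    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_uuid_desc =
    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e")};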