Diffstat (limited to 'third_party/heimdal/lib/gssapi/sanon')
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/accept_sec_context.c169
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/acquire_cred.c59
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/add_cred.c65
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/canonicalize_name.c48
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/compare_name.c54
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/context_time.c50
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/crypto.c333
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/delete_sec_context.c62
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/display_name.c50
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/display_status.c60
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/duplicate_cred.c43
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/duplicate_name.c43
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/export_cred.c78
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/export_name.c52
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/export_sec_context.c52
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/external.c270
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/import_cred.c42
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/import_name.c163
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/import_sec_context.c55
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/init_sec_context.c205
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/inquire_context.c75
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/inquire_cred.c58
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/inquire_cred_by_mech.c74
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/inquire_mechs_for_name.c54
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/inquire_names_for_mech.c77
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/inquire_sec_context_by_oid.c61
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/negoex.c131
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/process_context_token.c42
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/release_cred.c42
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/release_name.c42
-rw-r--r--third_party/heimdal/lib/gssapi/sanon/sanon_locl.h84
31 files changed, 2693 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/gssapi/sanon/accept_sec_context.c b/third_party/heimdal/lib/gssapi/sanon/accept_sec_context.c
new file mode 100644
index 0000000..72cbe09
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/accept_sec_context.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_accept_sec_context(OM_uint32 *minor,
+ gss_ctx_id_t *context_handle,
+ gss_const_cred_id_t verifier_cred_handle,
+ const gss_buffer_t input_token,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle)
+{
+ static gss_buffer_desc empty = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, tmp;
+ sanon_ctx sc = (sanon_ctx)*context_handle;
+ gss_buffer_desc mech_input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc initiator_pk = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc hok_mic = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc session_key = GSS_C_EMPTY_BUFFER;
+ OM_uint32 req_flags = 0;
+
+ if (output_token == GSS_C_NO_BUFFER) {
+ *minor = EINVAL;
+ major = GSS_S_FAILURE;
+ goto out;
+ }
+
+ _mg_buffer_zero(output_token);
+
+ if (input_token == GSS_C_NO_BUFFER) {
+ major = GSS_S_DEFECTIVE_TOKEN;
+ goto out;
+ } else if (sc != NULL) {
+ major = GSS_S_BAD_STATUS;
+ goto out;
+ }
+
+ major = gss_decapsulate_token(input_token,
+ GSS_SANON_X25519_MECHANISM,
+ &mech_input_token);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ sc = calloc(1, sizeof(*sc));
+ if (sc == NULL) {
+ *minor = ENOMEM;
+ major = GSS_S_FAILURE;
+ goto out;
+ }
+
+ /* initiator token can include optional 64-bit flags */
+ if (mech_input_token.length != crypto_scalarmult_curve25519_BYTES &&
+ mech_input_token.length != crypto_scalarmult_curve25519_BYTES + 8) {
+ *minor = 0;
+ major = GSS_S_DEFECTIVE_TOKEN;
+ goto out;
+ }
+
+ initiator_pk = mech_input_token;
+ initiator_pk.length = crypto_scalarmult_curve25519_BYTES;
+
+ /* compute public and secret keys */
+ major = _gss_sanon_curve25519_base(minor, sc);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ if (mech_input_token.length > crypto_scalarmult_curve25519_BYTES) {
+ /* extra flags */
+ uint8_t *p = (uint8_t *)mech_input_token.value + crypto_scalarmult_curve25519_BYTES;
+ uint32_t dummy;
+
+ _gss_mg_decode_be_uint32(p, &dummy); /* upper 32 bits presently unused */
+ _gss_mg_decode_be_uint32(&p[4], &req_flags);
+ }
+
+ /* compute shared secret */
+ major = _gss_sanon_curve25519(minor, sc, &initiator_pk, req_flags,
+ input_chan_bindings, &session_key);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ /* do not let initiator set any other flags */
+ req_flags &= SANON_PROTOCOL_FLAG_MASK;
+
+ req_flags |= GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG |
+ GSS_C_CHANNEL_BOUND_FLAG; /* CB part of KDF, so always validated */
+
+ major = _gss_sanon_import_rfc4121_context(minor, sc, req_flags, &session_key);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ major = _gss_sanon_get_mic(minor, (gss_const_ctx_id_t)sc,
+ GSS_C_QOP_DEFAULT, &empty, &hok_mic);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ output_token->length = sizeof(sc->pk) + hok_mic.length;
+ output_token->value = malloc(output_token->length);
+ if (output_token->value == NULL) {
+ output_token->length = 0;
+ *minor = ENOMEM;
+ major = GSS_S_FAILURE;
+ goto out;
+ }
+
+ memcpy(output_token->value, sc->pk, sizeof(sc->pk));
+ memcpy((uint8_t *)output_token->value + sizeof(sc->pk), hok_mic.value, hok_mic.length);
+
+ major = GSS_S_COMPLETE;
+
+ *context_handle = (gss_ctx_id_t)sc;
+
+ if (src_name)
+ *src_name = _gss_sanon_anonymous_identity;
+ if (ret_flags)
+ *ret_flags = req_flags;
+ if (time_rec)
+ *time_rec = GSS_C_INDEFINITE;
+
+out:
+ if (mech_type)
+ *mech_type = GSS_SANON_X25519_MECHANISM;
+ if (delegated_cred_handle)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ if (GSS_ERROR(major)) {
+ _gss_sanon_delete_sec_context(&tmp, (gss_ctx_id_t *)&sc, GSS_C_NO_BUFFER);
+ *context_handle = GSS_C_NO_CONTEXT;
+ }
+ gss_release_buffer(&tmp, &mech_input_token);
+ gss_release_buffer(&tmp, &hok_mic);
+ _gss_secure_release_buffer(&tmp, &session_key);
+
+ return major;
+}
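Review bot: `*minor` is left unset on the GSS_S_DEFECTIVE_TOKEN and GSS_S_BAD_STATUS exits near the top of `_gss_sanon_accept_sec_context` (the `input_token == GSS_C_NO_BUFFER` and `sc != NULL` branches), so a caller that reports minor_status reads whatever value the mechglue left there, whereas the later token-length check does set `*minor = 0`. Set it on those exits as well, e.g. `*minor = 0;` before each `goto out`, or initialize it once right after the output_token check. The same pattern appears in `_gss_sanon_curve25519` in crypto.c, whose defective-token and scalar-multiplication failure returns also leave `*minor` untouched. Separately, the `sc != NULL` branch falls into the GSS_ERROR cleanup at `out:` and deletes the context the caller passed in; if that is intended, a one-line comment saying so would help, since it is not the usual consequence of GSS_S_BAD_STATUS.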
diff --git a/third_party/heimdal/lib/gssapi/sanon/acquire_cred.c b/third_party/heimdal/lib/gssapi/sanon/acquire_cred.c
new file mode 100644
index 0000000..7aedd3e
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/acquire_cred.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+/* SAnon credential handles are aliases of their underyling name */
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_acquire_cred_from(OM_uint32 *minor,
+ gss_const_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_const_key_value_set_t cred_stor,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec)
+{
+ *minor = 0;
+
+ if (desired_name == GSS_C_NO_NAME ||
+ desired_name == _gss_sanon_anonymous_identity)
+ *output_cred_handle = _gss_sanon_anonymous_cred;
+ else
+ *output_cred_handle = _gss_sanon_non_anonymous_cred;
+
+ if (time_rec)
+ *time_rec = GSS_C_INDEFINITE;
+
+ return GSS_S_COMPLETE;
+}
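Review bot: `*output_cred_handle` is dereferenced unconditionally here, while the parallel `_gss_sanon_add_cred_from` in add_cred.c guards it with `if (output_cred_handle != NULL)`; a NULL handle pointer crashes in one function and is tolerated in the other. Apply the same guard, and for `actual_mechs`, which neither function touches, consider `if (actual_mechs) *actual_mechs = GSS_C_NO_OID_SET;` unless the mechglue is known to populate it, which is not visible from this change. The comment above the function reads `underyling`; that is a typo for `underlying`.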
diff --git a/third_party/heimdal/lib/gssapi/sanon/add_cred.c b/third_party/heimdal/lib/gssapi/sanon/add_cred.c
new file mode 100644
index 0000000..f1dfeba
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/add_cred.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_add_cred_from(OM_uint32 *minor,
+ gss_cred_id_t input_cred_handle,
+ gss_const_name_t desired_name,
+ const gss_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_time_req,
+ OM_uint32 acceptor_time_req,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *initiator_time_rec,
+ OM_uint32 *acceptor_time_rec)
+{
+ *minor = 0;
+
+ if (output_cred_handle != NULL) {
+ if (desired_name == GSS_C_NO_NAME ||
+ desired_name == _gss_sanon_anonymous_identity)
+ *output_cred_handle = _gss_sanon_anonymous_cred;
+ else
+ *output_cred_handle = _gss_sanon_non_anonymous_cred;
+ }
+
+ if (initiator_time_rec)
+ *initiator_time_rec = GSS_C_INDEFINITE;
+ if (acceptor_time_rec)
+ *acceptor_time_rec = GSS_C_INDEFINITE;
+
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/canonicalize_name.c b/third_party/heimdal/lib/gssapi/sanon/canonicalize_name.c
new file mode 100644
index 0000000..fa1ade0
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/canonicalize_name.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_canonicalize_name(OM_uint32 *minor,
+ gss_const_name_t src_name,
+ const gss_OID mech_type,
+ gss_name_t *dest_name)
+{
+ *minor = 0;
+
+ if (src_name == GSS_C_NO_NAME)
+ return GSS_S_BAD_NAME;
+
+ *dest_name = (gss_name_t)src_name;
+
+ return GSS_S_COMPLETE;
+}
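Review bot: `*dest_name = (gss_name_t)src_name` casts away const and hands the caller an alias of the input, so a later release of dest_name acts on src_name too; that is only safe if names in this mechanism are static identities rather than allocated objects, which this hunk does not show. A comment stating the invariant would make the aliasing reviewable, e.g. `/* names are static identities; aliasing is safe and release is a no-op */`, to be confirmed against release_name.c before adding. `mech_type` is unused, presumably intended for a single-mechanism module.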
diff --git a/third_party/heimdal/lib/gssapi/sanon/compare_name.c b/third_party/heimdal/lib/gssapi/sanon/compare_name.c
new file mode 100644
index 0000000..85b13b2
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/compare_name.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_compare_name(OM_uint32 *minor,
+ gss_const_name_t name1,
+ gss_const_name_t name2,
+ int *name_equal)
+{
+ *minor = 0;
+
+ /*
+ * RFC 2743 Section 2.4.3:
+ * If either name presented to GSS_Compare_name() denotes
+ * an anonymous principal, GSS_Compare_name() shall indicate
+ * FALSE
+ *
+ * We also have to apply the same logic to non-anonymous
+ * names as we erase their contents.
+ */
+ *name_equal = FALSE;
+
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/context_time.c b/third_party/heimdal/lib/gssapi/sanon/context_time.c
new file mode 100644
index 0000000..338f3ac
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/context_time.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_context_time(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ OM_uint32 *time_rec)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ *minor = 0;
+ *time_rec = GSS_C_INDEFINITE;
+
+ if (sc == NULL)
+ return GSS_S_NO_CONTEXT;
+
+ return GSS_S_COMPLETE;
+}
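Review bot: `*time_rec` is written without a NULL check, whereas the other entry points in this change (`_gss_sanon_accept_sec_context`, `_gss_sanon_acquire_cred_from`) guard the optional output with `if (time_rec)`. Either guard it here for consistency, `if (time_rec) *time_rec = GSS_C_INDEFINITE;`, or move the assignment below the `sc == NULL` check so a GSS_S_NO_CONTEXT return does not also report an indefinite lifetime. If the mechglue guarantees a non-NULL pointer the guard is moot, but the ordering point stands.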
diff --git a/third_party/heimdal/lib/gssapi/sanon/crypto.c b/third_party/heimdal/lib/gssapi/sanon/crypto.c
new file mode 100644
index 0000000..0c7a67f
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/crypto.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_wrap(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_wrap(minor, sc->rfc4121,
+ conf_req_flag, qop_req,
+ input_message_buffer, conf_state,
+ output_message_buffer);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_wrap_size_limit(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_wrap_size_limit(minor, sc->rfc4121,
+ conf_req_flag, qop_req,
+ req_output_size, max_input_size);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_wrap_iov(OM_uint32 *minor,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_wrap_iov(minor, sc->rfc4121,
+ conf_req_flag, qop_req,
+ conf_state, iov, iov_count);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_wrap_iov_length(OM_uint32 *minor,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_wrap_iov_length(minor, sc->rfc4121,
+ conf_req_flag, qop_req,
+ conf_state, iov, iov_count);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_unwrap(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t * qop_state)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_unwrap(minor, sc->rfc4121,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_unwrap_iov(OM_uint32 *minor,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_unwrap_iov(minor, sc->rfc4121,
+ conf_state, qop_state,
+ iov, iov_count);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_get_mic(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_get_mic(minor, sc->rfc4121,
+ qop_req, message_buffer,
+ message_token);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_verify_mic(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t *qop_state)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_verify_mic(minor, sc->rfc4121,
+ message_buffer, token_buffer,
+ qop_state);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_pseudo_random(OM_uint32 *minor,
+ gss_ctx_id_t context_handle,
+ int prf_key,
+ const gss_buffer_t prf_in,
+ ssize_t desired_output_len,
+ gss_buffer_t prf_out)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = GSS_KRB5_S_KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ return gss_pseudo_random(minor, sc->rfc4121,
+ prf_key, prf_in, desired_output_len,
+ prf_out);
+}
+
+/*
+ * Generate a curve25519 secret and public key
+ */
+
+OM_uint32
+_gss_sanon_curve25519_base(OM_uint32 *minor, sanon_ctx sc)
+{
+ krb5_generate_random_block(sc->sk, crypto_scalarmult_curve25519_BYTES);
+
+ if (crypto_scalarmult_curve25519_base(sc->pk, sc->sk) != 0) {
+ *minor = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ return GSS_S_COMPLETE;
+}
+
+/*
+ * Derive the context session key using SP800-108 KDF in HMAC mode
+ * and the public keys and channel binding data.
+ */
+
+OM_uint32
+_gss_sanon_curve25519(OM_uint32 *minor,
+ sanon_ctx sc,
+ gss_buffer_t pk,
+ OM_uint32 gss_flags,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t session_key)
+{
+ uint8_t shared[crypto_scalarmult_curve25519_BYTES], *p;
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_data kdf_K1, kdf_label, kdf_context, keydata;
+
+ _mg_buffer_zero(session_key);
+
+ if (pk == GSS_C_NO_BUFFER || pk->length != crypto_scalarmult_curve25519_BYTES)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ if (crypto_scalarmult_curve25519(shared, sc->sk, pk->value) != 0)
+ return GSS_S_FAILURE;
+
+ ret = krb5_init_context(&context);
+ if (ret != 0) {
+ *minor = ret;
+ return GSS_S_FAILURE;
+ }
+
+ kdf_K1.data = shared;
+ kdf_K1.length = sizeof(shared);
+
+ kdf_label.data = "sanon-x25519";
+ kdf_label.length = sizeof("sanon-x25519") - 1;
+
+ ret = krb5_data_alloc(&kdf_context,
+ 2 * crypto_scalarmult_curve25519_BYTES + 8 +
+ (input_chan_bindings ? input_chan_bindings->application_data.length : 0));
+ if (ret != 0) {
+ krb5_free_context(context);
+ *minor = ret;
+ return GSS_S_FAILURE;
+ }
+
+ p = kdf_context.data;
+
+ if (sc->is_initiator) {
+ memcpy(p, sc->pk, sizeof(sc->pk));
+ memcpy(&p[pk->length], pk->value, pk->length);
+ } else {
+ memcpy(p, pk->value, pk->length);
+ memcpy(&p[sizeof(sc->pk)], sc->pk, sizeof(sc->pk));
+ }
+ p += 2 * crypto_scalarmult_curve25519_BYTES;
+ _gss_mg_encode_be_uint32(0, p); /* upper 32 bits presently unused */
+ p += 4;
+ _gss_mg_encode_be_uint32(gss_flags, p);
+ p += 4;
+
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS &&
+ input_chan_bindings->application_data.value != NULL) {
+ memcpy(p, input_chan_bindings->application_data.value,
+ input_chan_bindings->application_data.length);
+ }
+
+ ret = krb5_data_alloc(&keydata, 16);
+ if (ret == 0) {
+ ret = _krb5_SP800_108_HMAC_KDF(context, &kdf_K1, &kdf_label,
+ &kdf_context, EVP_sha256(), &keydata);
+
+ session_key->length = keydata.length;
+ session_key->value = keydata.data;
+ } else {
+ krb5_data_free(&keydata);
+ }
+
+ memset_s(kdf_context.data, kdf_context.length, 0, kdf_context.length);
+ krb5_data_free(&kdf_context);
+
+ memset_s(shared, sizeof(shared), 0, sizeof(shared));
+
+ krb5_free_context(context);
+
+ *minor = ret;
+ return ret != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gss_sanon_import_rfc4121_context(OM_uint32 *minor,
+ sanon_ctx sc,
+ OM_uint32 gss_flags,
+ gss_const_buffer_t session_key)
+{
+ return _gss_mg_import_rfc4121_context(minor, sc->is_initiator, gss_flags,
+ KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+ session_key, &sc->rfc4121);
+}
+
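Review bot: In `_gss_sanon_curve25519` the X25519 shared secret in `shared` is wiped only on the path that reaches the `memset_s` near the end; the `krb5_init_context` and `krb5_data_alloc(&kdf_context, …)` failure returns happen after the scalar multiplication and leave the secret on the stack. Restructuring the error exits around a single `out:` label that always zeroes `shared` and frees the context closes those paths, and gives the `crypto_scalarmult_curve25519` failure a place to set `*minor`, which it currently does not. The `16` in `krb5_data_alloc(&keydata, 16)` is the AES-128 key length implied by `KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128` in `_gss_sanon_import_rfc4121_context`; a named constant next to the enctype would keep the two from drifting apart.
```c
/* … unchanged: _gss_sanon_curve25519 signature … */
{
    uint8_t shared[crypto_scalarmult_curve25519_BYTES], *p;
    krb5_error_code ret;
    krb5_context context = NULL;
    krb5_data kdf_K1, kdf_label, kdf_context, keydata;
    OM_uint32 major = GSS_S_FAILURE;

    /* … unchanged: session_key zeroing and pk length check (returns before any secret exists) … */

    if (crypto_scalarmult_curve25519(shared, sc->sk, pk->value) != 0) {
        *minor = EINVAL;
        goto out;
    }

    ret = krb5_init_context(&context);
    if (ret != 0) {
        *minor = ret;
        goto out;
    }

    /* … unchanged: kdf_K1 and kdf_label setup … */

    ret = krb5_data_alloc(&kdf_context,
                          2 * crypto_scalarmult_curve25519_BYTES + 8 +
                          (input_chan_bindings ? input_chan_bindings->application_data.length : 0));
    if (ret != 0) {
        *minor = ret;
        goto out;
    }

    /* … unchanged: kdf_context fill, keydata allocation and SP800-108 KDF … */

    memset_s(kdf_context.data, kdf_context.length, 0, kdf_context.length);
    krb5_data_free(&kdf_context);

    *minor = ret;
    major = ret != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;

out:
    /* every exit after the scalar multiplication wipes the shared secret */
    memset_s(shared, sizeof(shared), 0, sizeof(shared));
    if (context != NULL)
        krb5_free_context(context);
    return major;
}
```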
diff --git a/third_party/heimdal/lib/gssapi/sanon/delete_sec_context.c b/third_party/heimdal/lib/gssapi/sanon/delete_sec_context.c
new file mode 100644
index 0000000..fdb8a85
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/delete_sec_context.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_delete_sec_context(OM_uint32 *minor,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t output_token)
+{
+ sanon_ctx sc;
+
+ *minor = 0;
+
+ if (output_token != GSS_C_NO_BUFFER) {
+ output_token->length = 0;
+ output_token->value = NULL;
+ }
+
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ return GSS_S_COMPLETE;
+
+ sc = (sanon_ctx)*context_handle;
+
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ gss_delete_sec_context(minor, &sc->rfc4121, GSS_C_NO_BUFFER);
+
+ memset_s(sc, sizeof(*sc), 0, sizeof(*sc));
+ free(sc);
+
+ return GSS_S_COMPLETE;
+}
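Review bot: The return value of `gss_delete_sec_context(minor, &sc->rfc4121, GSS_C_NO_BUFFER)` is discarded, so a failure there leaves `*minor` carrying its error code while the function still reports GSS_S_COMPLETE, an inconsistent pair for the caller. Either capture it, `major = gss_delete_sec_context(minor, &sc->rfc4121, GSS_C_NO_BUFFER);` and `return major;` after the free, or reset `*minor = 0;` after the call if the inner deletion is deliberately best-effort; a one-line comment stating which is intended would suffice. Wiping the whole context with `memset_s` before `free` is the right call given `sc->sk` holds the private scalar generated in crypto.c.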
diff --git a/third_party/heimdal/lib/gssapi/sanon/display_name.c b/third_party/heimdal/lib/gssapi/sanon/display_name.c
new file mode 100644
index 0000000..1bd55f3
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/display_name.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_display_name(OM_uint32 *minor,
+ gss_const_name_t input_name,
+ gss_buffer_t output_name_buffer,
+ gss_OID *output_name_type)
+{
+ *minor = 0;
+
+ if (input_name != _gss_sanon_anonymous_identity)
+ return GSS_S_BAD_NAME;
+
+ if (output_name_type)
+ *output_name_type = GSS_C_NT_ANONYMOUS;
+
+ return _gss_copy_buffer(minor, _gss_sanon_wellknown_user_name,
+ output_name_buffer);
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/display_status.c b/third_party/heimdal/lib/gssapi/sanon/display_status.c
new file mode 100644
index 0000000..4e039c6
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/display_status.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_display_status(OM_uint32 *minor,
+ OM_uint32 status_value,
+ int status_type,
+ const gss_OID mech_type,
+ OM_uint32 *message_context,
+ gss_buffer_t status_string)
+{
+ _mg_buffer_zero(status_string);
+
+ if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
+ gss_oid_equal(mech_type, GSS_SANON_X25519_MECHANISM) == 0) {
+ *minor = 0;
+ return GSS_S_BAD_MECH;
+ }
+
+ if (status_type == GSS_C_MECH_CODE) {
+ return gss_display_status(minor, status_value,
+ GSS_C_MECH_CODE, GSS_KRB5_MECHANISM,
+ message_context, status_string);
+ } else {
+ *minor = EINVAL;
+ return GSS_S_BAD_STATUS;
+ }
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/duplicate_cred.c b/third_party/heimdal/lib/gssapi/sanon/duplicate_cred.c
new file mode 100644
index 0000000..8c5c5d8
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/duplicate_cred.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_duplicate_cred(OM_uint32 *minor,
+ gss_const_cred_id_t input_cred_handle,
+ gss_cred_id_t *output_cred_handle)
+{
+ *minor = 0;
+ *output_cred_handle = (gss_cred_id_t)input_cred_handle;
+
+ return GSS_S_COMPLETE;
+}
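Review bot: `_gss_sanon_duplicate_cred` hands back the input handle itself rather than a copy, and `_gss_sanon_duplicate_name` in the next file does the same; this is only sound because the handles are the static sentinels defined in external.c, which presumably means the matching release functions never free them, and neither function says so. A one-line comment above the assignment would keep the next maintainer from introducing a heap-allocated credential without revisiting this: `/* credentials are static sentinels (see external.c); aliasing the handle is safe */`. Note also that a GSS_C_NO_CREDENTIAL input is echoed back with GSS_S_COMPLETE rather than rejected, which is worth stating if it is intended.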
diff --git a/third_party/heimdal/lib/gssapi/sanon/duplicate_name.c b/third_party/heimdal/lib/gssapi/sanon/duplicate_name.c
new file mode 100644
index 0000000..698e83d
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/duplicate_name.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_duplicate_name(OM_uint32 *minor,
+ gss_const_name_t src_name,
+ gss_name_t *dest_name)
+{
+ *minor = 0;
+ *dest_name = (gss_name_t)src_name;
+
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/export_cred.c b/third_party/heimdal/lib/gssapi/sanon/export_cred.c
new file mode 100644
index 0000000..359eefd
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/export_cred.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_export_cred(OM_uint32 *minor,
+ gss_cred_id_t input_cred,
+ gss_buffer_t token)
+{
+ gss_buffer_desc buf;
+ krb5_storage *sp;
+ krb5_data data_out, data;
+ OM_uint32 major, junk;
+
+ token->value = NULL;
+ token->length = 0;
+
+ major = _gss_sanon_export_name(minor, (gss_name_t)input_cred, &buf);
+ if (major)
+ return major;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ gss_release_buffer(&junk, &buf);
+ *minor = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ major = _gss_mg_store_oid(minor, sp, GSS_SANON_X25519_MECHANISM);
+ if (major) {
+ gss_release_buffer(&junk, &buf);
+ krb5_storage_free(sp);
+ return major;
+ }
+ data_out.length = 0;
+ data_out.data = NULL;
+ data.length = buf.length;
+ data.data = buf.value;
+ *minor = krb5_store_data(sp, data);
+ if (*minor == 0)
+ *minor = krb5_storage_to_data(sp, &data_out);
+ if (*minor == 0) {
+ token->value = data_out.data;
+ token->length = data_out.length;
+ }
+ gss_release_buffer(&junk, &buf);
+ krb5_storage_free(sp);
+ return major;
+}
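Review bot: A failure of `krb5_store_data` or `krb5_storage_to_data` still returns `major`, which at that point is GSS_S_COMPLETE from the earlier `_gss_sanon_export_name` call, so the caller sees success with `*minor` set and an empty token. Mapping the minor code to a major status before the cleanup fixes it, e.g. `if (*minor != 0) major = GSS_S_FAILURE;` placed just before the `gss_release_buffer` call. That also makes this path consistent with the `krb5_storage_emem` failure above, which does set GSS_S_FAILURE explicitly.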
diff --git a/third_party/heimdal/lib/gssapi/sanon/export_name.c b/third_party/heimdal/lib/gssapi/sanon/export_name.c
new file mode 100644
index 0000000..474c58c
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/export_name.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_export_name(OM_uint32 *minor,
+ gss_const_name_t input_name,
+ gss_buffer_t exported_name)
+{
+ uint8_t is_anonymous;
+
+ *minor = 0;
+
+ if (input_name == GSS_C_NO_NAME)
+ return GSS_S_BAD_NAME;
+
+ is_anonymous = input_name == _gss_sanon_anonymous_identity;
+ if (!is_anonymous)
+ return GSS_S_BAD_NAME;
+
+ return gss_mg_export_name(minor, GSS_SANON_X25519_MECHANISM,
+ &is_anonymous, 1, exported_name);
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/export_sec_context.c b/third_party/heimdal/lib/gssapi/sanon/export_sec_context.c
new file mode 100644
index 0000000..52ba6fb
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/export_sec_context.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_export_sec_context(OM_uint32 *minor,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token)
+{
+ OM_uint32 major;
+ const sanon_ctx sc = (sanon_ctx)*context_handle;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ _mg_buffer_zero(interprocess_token);
+ *minor = 0;
+ return GSS_S_UNAVAILABLE;
+ }
+
+ major = gss_export_sec_context(minor, &sc->rfc4121, interprocess_token);
+ if (major == GSS_S_COMPLETE)
+ _gss_sanon_delete_sec_context(minor, context_handle, GSS_C_NO_BUFFER);
+ return major;
+}
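Review bot: `sc->rfc4121` is dereferenced without checking that `*context_handle` is a real context, so a GSS_C_NO_CONTEXT handle reaching this entry point is a null dereference; the mechglue probably screens that before dispatching, but the mech function itself does not. A guard in the style of `_gss_sanon_delete_sec_context` would close it: `if (sc == NULL) { _mg_buffer_zero(interprocess_token); *minor = 0; return GSS_S_NO_CONTEXT; }`. It would also help to comment that on success `gss_export_sec_context` is expected to consume `sc->rfc4121`, which is why the following `_gss_sanon_delete_sec_context` call is there to free the wrapper rather than the inner context — confirm against the RFC 4121 mech before wording it that way.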
diff --git a/third_party/heimdal/lib/gssapi/sanon/external.c b/third_party/heimdal/lib/gssapi/sanon/external.c
new file mode 100644
index 0000000..8812f9e
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/external.c
@@ -0,0 +1,270 @@
+/*
+ * Copyright (c) 2006-2020 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sanon_locl.h"
+
+static uint8_t anonymous_identity;
+gss_name_t
+_gss_sanon_anonymous_identity = (gss_name_t)&anonymous_identity;
+gss_cred_id_t
+_gss_sanon_anonymous_cred = (gss_cred_id_t)&anonymous_identity;
+
+static uint8_t non_anonymous_identity;
+gss_name_t
+_gss_sanon_non_anonymous_identity = (gss_name_t)&non_anonymous_identity;
+gss_cred_id_t
+_gss_sanon_non_anonymous_cred = (gss_cred_id_t)&non_anonymous_identity;
+
+static gss_buffer_desc wellknown_user_name = {
+ SANON_WELLKNOWN_USER_NAME_LEN,
+ SANON_WELLKNOWN_USER_NAME
+};
+gss_buffer_t
+_gss_sanon_wellknown_user_name = &wellknown_user_name;
+
+static gss_buffer_desc wellknown_service_name = {
+ SANON_WELLKNOWN_SERVICE_NAME_LEN,
+ SANON_WELLKNOWN_SERVICE_NAME
+};
+gss_buffer_t
+_gss_sanon_wellknown_service_name = &wellknown_service_name;
+
+static gss_mo_desc sanon_mo[] = {
+ {
+ GSS_C_MA_MECH_NAME,
+ GSS_MO_MA,
+ "Mechanism name",
+ rk_UNCONST("SANON-X25519"),
+ _gss_mo_get_ctx_as_string,
+ NULL
+ },
+ {
+ GSS_C_MA_MECH_DESCRIPTION,
+ GSS_MO_MA,
+ "Mechanism description",
+ rk_UNCONST("Heimdal Simple Anonymous (X25519) Mechanism"),
+ _gss_mo_get_ctx_as_string,
+ NULL
+ },
+ {
+ GSS_C_MA_MECH_CONCRETE,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_ITOK_FRAMED,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_AUTH_INIT_ANON,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_AUTH_TARG_ANON,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_INTEG_PROT,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_CONF_PROT,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_MIC,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_WRAP,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_REPLAY_DET,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_OOS_DET,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_CBINDINGS,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_PFS,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_CTX_TRANS,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+ {
+ GSS_C_MA_NEGOEX_AND_SPNEGO,
+ GSS_MO_MA,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ }
+};
+
+static gssapi_mech_interface_desc sanon_mech = {
+ GMI_VERSION,
+ "sanon-x25519",
+ { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\xa9\x4a\x1a\x01\x6e") },
+ 0,
+ NULL,
+ _gss_sanon_release_cred,
+ _gss_sanon_init_sec_context,
+ _gss_sanon_accept_sec_context,
+ _gss_sanon_process_context_token,
+ _gss_sanon_delete_sec_context,
+ _gss_sanon_context_time,
+ _gss_sanon_get_mic,
+ _gss_sanon_verify_mic,
+ _gss_sanon_wrap,
+ _gss_sanon_unwrap,
+ _gss_sanon_display_status,
+ NULL, /* gm_indicate_mechs */
+ _gss_sanon_compare_name,
+ _gss_sanon_display_name,
+ _gss_sanon_import_name,
+ _gss_sanon_export_name,
+ _gss_sanon_release_name,
+ _gss_sanon_inquire_cred,
+ _gss_sanon_inquire_context,
+ _gss_sanon_wrap_size_limit,
+ NULL, /* gm_add_cred */
+ _gss_sanon_inquire_cred_by_mech,
+ _gss_sanon_export_sec_context,
+ _gss_sanon_import_sec_context,
+ _gss_sanon_inquire_names_for_mech,
+ _gss_sanon_inquire_mechs_for_name,
+ _gss_sanon_canonicalize_name,
+ _gss_sanon_duplicate_name,
+ _gss_sanon_inquire_sec_context_by_oid,
+ NULL, /* gm_inquire_cred_by_oid */
+ NULL, /* gm_set_sec_context_option */
+ NULL, /* gm_set_cred_option */
+ _gss_sanon_pseudo_random,
+ _gss_sanon_wrap_iov,
+ _gss_sanon_unwrap_iov,
+ _gss_sanon_wrap_iov_length,
+ NULL, /* gm_store_cred */
+ _gss_sanon_export_cred,
+ _gss_sanon_import_cred,
+ _gss_sanon_acquire_cred_from,
+ NULL, /* gm_acquire_cred_impersonate_name */
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ sanon_mo,
+ sizeof(sanon_mo) / sizeof(sanon_mo[0]),
+ NULL, /* gm_localname */
+ NULL, /* gm_authorize_localname */
+ NULL, /* gm_display_name_ext */
+ NULL, /* gm_inquire_name */
+ NULL, /* gm_get_name_attribute */
+ NULL, /* gm_set_name_attribute */
+ NULL, /* gm_delete_name_attribute */
+ NULL, /* gm_export_name_composite */
+ _gss_sanon_duplicate_cred,
+ _gss_sanon_add_cred_from,
+ NULL, /* gm_store_cred_into */
+ _gssspi_sanon_query_mechanism_info,
+ _gssspi_sanon_query_meta_data,
+ _gssspi_sanon_exchange_meta_data,
+ NULL, /* gm_store_cred_into2 */
+ NULL, /* gm_compat */
+};
+
+gssapi_mech_interface
+__gss_sanon_initialize(void)
+{
+ return &sanon_mech;
+}
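Review bot: The six bare `NULL` entries following the `gm_acquire_cred_impersonate_name` slot in `sanon_mech` carry no field comment, unlike every other unused slot in the table, and with a positional initializer of this size a missing or extra entry silently shifts every later function pointer into the wrong slot. Either label them like their neighbours or switch the table to designated initializers (`.gm_indicate_mechs = NULL, ...`), which the compiler then checks by name. The hard-coded OID bytes would also benefit from a comment giving the dotted form they encode, which from the bytes shown is `1.3.6.1.4.1.5322.26.1.110`, so a reader can cross-check against the mechanism specification without decoding DER by hand.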
diff --git a/third_party/heimdal/lib/gssapi/sanon/import_cred.c b/third_party/heimdal/lib/gssapi/sanon/import_cred.c
new file mode 100644
index 0000000..4266ef1
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/import_cred.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_import_cred(OM_uint32 *minor,
+ gss_buffer_t token,
+ gss_cred_id_t *cred_handle)
+{
+ return _gss_sanon_import_name(minor, token,
+ GSS_C_NT_EXPORT_NAME,
+ (gss_name_t *)cred_handle);
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/import_name.c b/third_party/heimdal/lib/gssapi/sanon/import_name.c
new file mode 100644
index 0000000..1a228b6
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/import_name.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+static int
+is_anonymous_identity_p(gss_buffer_t name_string, gss_OID name_type)
+{
+ if (gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS))
+ return TRUE;
+ else if ((name_type == GSS_C_NO_OID ||
+ gss_oid_equal(name_type, GSS_C_NT_USER_NAME) ||
+ gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) &&
+ buffer_equal_p(name_string, _gss_sanon_wellknown_user_name))
+ return TRUE;
+ else if (gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE) &&
+ buffer_equal_p(name_string, _gss_sanon_wellknown_service_name))
+ return TRUE;
+
+ return FALSE;
+}
+
+static krb5_error_code
+storage_ret_der_oid(krb5_storage *sp, gss_OID_desc *oid)
+{
+ krb5_error_code ret;
+ uint16_t der_oid_len;
+ uint8_t oid_len, tag;
+
+ oid->length = 0;
+ oid->elements = NULL;
+
+ ret = krb5_ret_uint16(sp, &der_oid_len);
+ if (ret == 0)
+ ret = krb5_ret_uint8(sp, &tag);
+ if (ret == 0)
+ ret = krb5_ret_uint8(sp, &oid_len);
+ if (ret)
+ return ret;
+ if (tag != 0x06)
+ return EINVAL;
+
+ if (der_oid_len != 2 + oid_len)
+ return EINVAL;
+
+ oid->elements = malloc(oid_len);
+ if (oid->elements == NULL)
+ return ENOMEM;
+
+ if (krb5_storage_read(sp, oid->elements, oid_len) != oid_len) {
+ free(oid->elements);
+ oid->elements = NULL;
+ oid->length = 0;
+ return EINVAL;
+ }
+
+ oid->length = oid_len;
+
+ return 0;
+}
+
+static OM_uint32
+import_export_name(OM_uint32 *minor,
+ const gss_buffer_t input_name_buffer,
+ gss_name_t *output_name)
+{
+ OM_uint32 major;
+ krb5_error_code ret;
+ krb5_storage *sp;
+ uint32_t name_len = 0;
+ uint16_t tok_id;
+ gss_OID_desc oid_buf = { 0, NULL };
+ uint8_t is_anonymous;
+
+ sp = krb5_storage_from_readonly_mem(input_name_buffer->value,
+ input_name_buffer->length);
+ if (sp == NULL) {
+ *minor = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ major = GSS_S_BAD_NAME;
+ *minor = 0;
+
+ ret = krb5_ret_uint16(sp, &tok_id);
+ if (ret == 0 && tok_id != 0x0401)
+ ret = EINVAL;
+ if (ret == 0)
+ ret = storage_ret_der_oid(sp, &oid_buf);
+ if (ret == 0) {
+ if (!gss_oid_equal(&oid_buf, GSS_SANON_X25519_MECHANISM))
+ ret = EINVAL;
+ free(oid_buf.elements);
+ }
+ if (ret == 0)
+ ret = krb5_ret_uint32(sp, &name_len);
+ if (ret == 0)
+ ret = krb5_ret_uint8(sp, &is_anonymous);
+ if (ret == 0) {
+ if (name_len != 1)
+ ret = EINVAL;
+ if (is_anonymous == 1) {
+ *output_name = _gss_sanon_anonymous_identity;
+ major = GSS_S_COMPLETE;
+ } else {
+ major = GSS_S_BAD_NAME;
+ }
+ }
+
+ krb5_storage_free(sp);
+
+ if (*minor == 0)
+ *minor = ret;
+
+ return major;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_import_name(OM_uint32 *minor,
+ const gss_buffer_t input_name_buffer,
+ const gss_OID input_name_type,
+ gss_name_t *output_name)
+{
+ if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME))
+ return import_export_name(minor, input_name_buffer, output_name);
+
+ *minor = 0;
+ *output_name =
+ is_anonymous_identity_p(input_name_buffer, input_name_type) ?
+ _gss_sanon_anonymous_identity : _gss_sanon_non_anonymous_identity;
+
+ return GSS_S_COMPLETE;
+}
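Review bot: The `name_len != 1` check in `import_export_name` does not gate the success path: `ret` is set to EINVAL but the following `if (is_anonymous == 1)` still runs, so a token with a wrong length word and an anonymous byte returns GSS_S_COMPLETE with `*minor` = EINVAL and `*output_name` set. Making the second test depend on the first fixes it: `if (name_len != 1) ret = EINVAL; else if (is_anonymous == 1) {` with the `else` branch unchanged, leaving `major` at its GSS_S_BAD_NAME default. A related nit in `storage_ret_der_oid`: an `oid_len` of zero reaches `malloc(0)`, whose result may be NULL on some platforms and then surfaces as ENOMEM instead of EINVAL; rejecting `oid_len == 0` alongside the tag check is cheaper and clearer. Trailing bytes after the name byte are not checked either, which is defensible for this fixed-format token but deserves a comment saying it is deliberate.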
diff --git a/third_party/heimdal/lib/gssapi/sanon/import_sec_context.c b/third_party/heimdal/lib/gssapi/sanon/import_sec_context.c
new file mode 100644
index 0000000..9aa682a
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/import_sec_context.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_import_sec_context(OM_uint32 *minor,
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+{
+ OM_uint32 major = GSS_S_FAILURE;
+ sanon_ctx sc;
+
+ *minor = ENOMEM;
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ if ((sc = calloc(1, sizeof(*sc))) &&
+ (major = gss_import_sec_context(minor,
+ interprocess_token,
+ &sc->rfc4121)) == GSS_S_COMPLETE) {
+ *context_handle = (gss_ctx_id_t)sc;
+ sc = NULL;
+ }
+
+ free(sc);
+ return major;
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/init_sec_context.c b/third_party/heimdal/lib/gssapi/sanon/init_sec_context.c
new file mode 100644
index 0000000..4c199ed
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/init_sec_context.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+int
+_gss_sanon_available_p(gss_const_cred_id_t claimant_cred_handle,
+ gss_const_name_t target_name,
+ OM_uint32 req_flags)
+{
+ OM_uint32 minor;
+ gss_name_t initiator_name = GSS_C_NO_NAME;
+ int available;
+
+ if (claimant_cred_handle != GSS_C_NO_CREDENTIAL) {
+ _gss_sanon_inquire_cred(&minor, claimant_cred_handle,
+ &initiator_name, NULL, NULL, NULL);
+ heim_assert(initiator_name != GSS_C_NO_NAME,
+ "Invalid null SAnon initiator name");
+ }
+
+ /*
+ * SAnon is available if one of the following is true:
+ *
+ * The caller set anon_req_flag (GSS_C_ANON_FLAG)
+ * The claimant_cred_handle identity is anonymous
+ * The claimant_cred_handle is the default credential
+ * and target_name is anonymous
+ */
+ if (req_flags & GSS_C_ANON_FLAG)
+ available = TRUE;
+ else if (initiator_name == _gss_sanon_anonymous_identity)
+ available = TRUE;
+ else if (claimant_cred_handle == GSS_C_NO_CREDENTIAL &&
+ target_name == _gss_sanon_anonymous_identity)
+ available = TRUE;
+ else
+ available = FALSE;
+
+ _gss_sanon_release_name(&minor, &initiator_name);
+ return available;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_init_sec_context(OM_uint32 *minor,
+ gss_const_cred_id_t cred_handle,
+ gss_ctx_id_t *context_handle,
+ gss_const_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec)
+{
+ gss_buffer_desc mech_token = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, tmp;
+ sanon_ctx sc = (sanon_ctx)*context_handle;
+ OM_uint32 flags;
+ gss_buffer_desc session_key = GSS_C_EMPTY_BUFFER;
+
+ *minor = 0;
+ _mg_buffer_zero(output_token);
+
+ if (!_gss_sanon_available_p(cred_handle, target_name, req_flags)) {
+ major = GSS_S_UNAVAILABLE;
+ goto out;
+ }
+
+ /* we always support the following flags */
+ flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG;
+ /* we support the following optional flags */
+ flags |= req_flags & SANON_PROTOCOL_FLAG_MASK;
+
+ if (sc == NULL) {
+ uint8_t pk_and_flags[crypto_scalarmult_curve25519_BYTES + 8];
+
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
+ major = GSS_S_DEFECTIVE_TOKEN;
+ goto out;
+ }
+
+ sc = calloc(1, sizeof(*sc));
+ if (sc == NULL) {
+ *minor = ENOMEM;
+ major = GSS_S_FAILURE;
+ goto out;
+ }
+
+ sc->is_initiator = 1;
+
+ /* compute public and secret keys */
+ major = _gss_sanon_curve25519_base(minor, sc);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ if (flags & SANON_PROTOCOL_FLAG_MASK) {
+ memcpy(pk_and_flags, sc->pk, sizeof(sc->pk));
+ _gss_mg_encode_be_uint32(0, &pk_and_flags[sizeof(sc->pk)]);
+ _gss_mg_encode_be_uint32(flags & SANON_PROTOCOL_FLAG_MASK,
+ &pk_and_flags[sizeof(sc->pk) + 4]);
+ mech_token.length = sizeof(pk_and_flags);
+ mech_token.value = pk_and_flags;
+ } else {
+ mech_token.length = sizeof(sc->pk);
+ mech_token.value = sc->pk;
+ }
+
+ /* send public key to acceptor */
+ major = gss_encapsulate_token(&mech_token,
+ GSS_SANON_X25519_MECHANISM,
+ output_token);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ *context_handle = (gss_ctx_id_t)sc;
+ major = GSS_S_CONTINUE_NEEDED;
+ } else {
+ static gss_buffer_desc empty = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc pk, hok_mic;
+
+ if (input_token == GSS_C_NO_BUFFER ||
+ input_token->length < crypto_scalarmult_curve25519_BYTES) {
+ major = GSS_S_DEFECTIVE_TOKEN;
+ goto out;
+ } else if (sc->rfc4121 != GSS_C_NO_CONTEXT || !(sc->is_initiator)) {
+ major = GSS_S_BAD_STATUS;
+ goto out;
+ }
+
+ pk.length = crypto_scalarmult_curve25519_BYTES;
+ pk.value = input_token->value;
+
+ /* compute shared secret */
+ major = _gss_sanon_curve25519(minor, sc, &pk,
+ flags & SANON_PROTOCOL_FLAG_MASK,
+ input_chan_bindings, &session_key);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ flags |= GSS_C_TRANS_FLAG;
+
+ major = _gss_sanon_import_rfc4121_context(minor, sc, flags, &session_key);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+
+ /* verify holder of key MIC */
+ hok_mic.length = input_token->length - pk.length;
+ hok_mic.value = (uint8_t *)input_token->value + pk.length;
+
+ major = _gss_sanon_verify_mic(minor, (gss_const_ctx_id_t)sc,
+ &empty, &hok_mic, NULL);
+ if (major != GSS_S_COMPLETE)
+ goto out;
+ }
+
+ if (ret_flags)
+ *ret_flags = flags;
+ if (time_rec)
+ *time_rec = GSS_C_INDEFINITE;
+
+out:
+ if (actual_mech_type)
+ *actual_mech_type = GSS_SANON_X25519_MECHANISM;
+
+ if (GSS_ERROR(major)) {
+ _gss_sanon_delete_sec_context(&tmp, (gss_ctx_id_t *)&sc, GSS_C_NO_BUFFER);
+ *context_handle = GSS_C_NO_CONTEXT;
+ }
+ _gss_secure_release_buffer(&tmp, &session_key);
+
+ return major;
+}
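Review bot: In the `else` branch for an existing context, the protocol flags mixed into the key derivation at `_gss_sanon_curve25519(minor, sc, &pk, flags & SANON_PROTOCOL_FLAG_MASK, ...)` are recomputed from the req_flags of the second call, while the acceptor received the flags encoded into pk_and_flags from the first call's req_flags. If a caller passes different req_flags on the two legs, the derived session key binds flags the peer never saw and the holder-of-key MIC check fails in a way that is hard to diagnose. Consider saving `flags & SANON_PROTOCOL_FLAG_MASK` in the context on the first leg (sanon_ctx_desc would need a field for it; the struct is only partly visible in this diff) and reusing that stored value on the second leg. Separately, `(gss_ctx_id_t *)&sc` at the cleanup label aliases a `sanon_ctx *` as a `gss_ctx_id_t *`; writing `gss_ctx_id_t ctx = (gss_ctx_id_t)sc;` and passing `&ctx` avoids the strict-aliasing pun.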
diff --git a/third_party/heimdal/lib/gssapi/sanon/inquire_context.c b/third_party/heimdal/lib/gssapi/sanon/inquire_context.c
new file mode 100644
index 0000000..f5aa727
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/inquire_context.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_inquire_context(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ gss_name_t *src_name,
+ gss_name_t *targ_name,
+ OM_uint32 *lifetime_rec,
+ gss_OID *mech_type,
+ OM_uint32 *ctx_flags,
+ int *locally_initiated,
+ int *open_context)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+ OM_uint32 major = GSS_S_COMPLETE;
+
+ *minor = 0;
+
+ if (sc == NULL)
+ return GSS_S_NO_CONTEXT;
+
+ if (src_name)
+ *src_name = _gss_sanon_anonymous_identity;
+ if (targ_name)
+ *targ_name = _gss_sanon_anonymous_identity;
+ if (lifetime_rec)
+ *lifetime_rec = GSS_C_INDEFINITE;
+ if (mech_type)
+ *mech_type = GSS_SANON_X25519_MECHANISM;
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ if (locally_initiated)
+ *locally_initiated = sc->is_initiator;
+ if (open_context)
+ *open_context = 0;
+ if (ctx_flags)
+ *ctx_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG |
+ GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG;
+ } else {
+ major = gss_inquire_context(minor, sc->rfc4121, NULL, NULL, NULL,
+ NULL, ctx_flags, locally_initiated,
+ open_context);
+ }
+ return major;
+}
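Review bot: The default flag set written to `*ctx_flags` for a not-yet-established context (`GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG`) duplicates the literal in _gss_sanon_init_sec_context, so the two can silently drift apart. A shared constant in sanon_locl.h, e.g. `#define SANON_DEFAULT_FLAGS (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG)`, used in both places would keep them in step. Also, `const sanon_ctx sc` makes the pointer itself const rather than the pointee, so the cast from gss_const_ctx_id_t does not preserve const-correctness; the same pattern appears in inquire_sec_context_by_oid.c.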
diff --git a/third_party/heimdal/lib/gssapi/sanon/inquire_cred.c b/third_party/heimdal/lib/gssapi/sanon/inquire_cred.c
new file mode 100644
index 0000000..b25ff2f
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/inquire_cred.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+_gss_sanon_inquire_cred(OM_uint32 *minor,
+ gss_const_cred_id_t cred_handle,
+ gss_name_t *name_ret,
+ OM_uint32 *lifetime,
+ gss_cred_usage_t *cred_usage,
+ gss_OID_set *mechanisms)
+{
+ *minor = 0;
+
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ return GSS_S_NO_CRED;
+
+ /* the credential handle is a reference to the cred name */
+ if (name_ret)
+ *name_ret = (gss_name_t)cred_handle;
+ if (lifetime)
+ *lifetime = GSS_C_INDEFINITE;
+ if (cred_usage)
+ *cred_usage = GSS_C_BOTH;
+ if (mechanisms)
+ *mechanisms = GSS_C_NO_OID_SET;
+
+ return GSS_S_COMPLETE;
+}
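Review bot: The function is declared `GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL` while every other entry point in this directory (inquire_context, inquire_cred_by_mech, init_sec_context, ...) uses `OM_uint32 GSSAPI_CALLCONV`; the same decoration appears on _gss_sanon_process_context_token. Unless these two are deliberately exported from the library, `OM_uint32 GSSAPI_CALLCONV` would be the consistent choice. The cast `(gss_name_t)cred_handle` discards the const qualifier of gss_const_cred_id_t; since the comment already explains that the credential is a reference to the name, extending it to say that the returned name is an alias that must not be freed (release_name is a no-op in this mechanism) would make the ownership explicit.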
diff --git a/third_party/heimdal/lib/gssapi/sanon/inquire_cred_by_mech.c b/third_party/heimdal/lib/gssapi/sanon/inquire_cred_by_mech.c
new file mode 100644
index 0000000..4f8bf66
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/inquire_cred_by_mech.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2003, 2006, 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_inquire_cred_by_mech(OM_uint32 *minor,
+ gss_const_cred_id_t cred_handle,
+ const gss_OID mech_type,
+ gss_name_t *name,
+ OM_uint32 *initiator_lifetime,
+ OM_uint32 *acceptor_lifetime,
+ gss_cred_usage_t *cred_usage)
+{
+ gss_cred_usage_t usage;
+ OM_uint32 major;
+ OM_uint32 lifetime;
+
+ major = _gss_sanon_inquire_cred(minor, cred_handle,
+ name, &lifetime, &usage, NULL);
+ if (major)
+ return major;
+
+ if (initiator_lifetime) {
+ if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)
+ *initiator_lifetime = lifetime;
+ else
+ *initiator_lifetime = 0;
+ }
+
+ if (acceptor_lifetime) {
+ if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
+ *acceptor_lifetime = lifetime;
+ else
+ *acceptor_lifetime = 0;
+ }
+
+ if (cred_usage)
+ *cred_usage = usage;
+
+ *minor = 0;
+
+ return GSS_S_COMPLETE;
+}
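Review bot: `mech_type` is never inspected, so a caller asking about any mechanism OID gets a successful SAnon answer, whereas _gss_sanon_inquire_names_for_mech rejects mechanisms other than GSS_SANON_X25519_MECHANISM with GSS_S_BAD_MECH. If the mechglue can reach this entry point with other OIDs, add `if (!gss_oid_equal(mech_type, GSS_SANON_X25519_MECHANISM)) { *minor = 0; return GSS_S_BAD_MECH; }` before the inquire_cred call. Also `if (major) return major;` relies on GSS_S_COMPLETE being zero; `if (major != GSS_S_COMPLETE)` matches the comparison style used elsewhere in the module.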
diff --git a/third_party/heimdal/lib/gssapi/sanon/inquire_mechs_for_name.c b/third_party/heimdal/lib/gssapi/sanon/inquire_mechs_for_name.c
new file mode 100644
index 0000000..df7387c
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/inquire_mechs_for_name.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_inquire_mechs_for_name(OM_uint32 *minor_status,
+ gss_const_name_t input_name,
+ gss_OID_set *mech_types)
+{
+ OM_uint32 ret, tmp;
+
+ ret = gss_create_empty_oid_set(minor_status, mech_types);
+ if (ret != GSS_S_COMPLETE)
+ return ret;
+
+ ret = gss_add_oid_set_member(minor_status,
+ GSS_SANON_X25519_MECHANISM,
+ mech_types);
+ if (ret != GSS_S_COMPLETE)
+ gss_release_oid_set(&tmp, mech_types);
+
+ return ret;
+}
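Review bot: Naming here departs from the rest of the module: the status parameter is `minor_status` and the major status variable is `ret`, where the other files use `minor` and `major` (e.g. inquire_names_for_mech, inquire_cred_by_mech). Renaming to `OM_uint32 *minor` and `OM_uint32 major, tmp;` keeps the mechanism grep-able as one unit. `input_name` is unused, which is reasonable for a mechanism that works with any name, but a one-line comment such as `/* SAnon can be used with any name type, so input_name is not inspected */` would state that intent.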
diff --git a/third_party/heimdal/lib/gssapi/sanon/inquire_names_for_mech.c b/third_party/heimdal/lib/gssapi/sanon/inquire_names_for_mech.c
new file mode 100644
index 0000000..c8b7f23
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/inquire_names_for_mech.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sanon_locl.h"
+
+static gss_OID name_list[] = {
+ GSS_C_NT_HOSTBASED_SERVICE,
+ GSS_C_NT_USER_NAME,
+ GSS_C_NT_EXPORT_NAME,
+ GSS_C_NT_ANONYMOUS,
+ GSS_KRB5_NT_PRINCIPAL_NAME,
+ NULL
+};
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_inquire_names_for_mech(OM_uint32 *minor,
+ const gss_OID mechanism,
+ gss_OID_set *name_types)
+{
+ OM_uint32 ret, tmp;
+ int i;
+
+ *minor = 0;
+
+ if (gss_oid_equal(mechanism, GSS_SANON_X25519_MECHANISM) == 0 &&
+ gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) {
+ *name_types = GSS_C_NO_OID_SET;
+ return GSS_S_BAD_MECH;
+ }
+
+ ret = gss_create_empty_oid_set(minor, name_types);
+ if (ret != GSS_S_COMPLETE)
+ return ret;
+
+ for (i = 0; name_list[i] != NULL; i++) {
+ ret = gss_add_oid_set_member(minor,
+ name_list[i],
+ name_types);
+ if (ret != GSS_S_COMPLETE)
+ break;
+ }
+
+ if (ret != GSS_S_COMPLETE)
+ gss_release_oid_set(&tmp, name_types);
+
+ return GSS_S_COMPLETE;
+}
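Review bot: The final `return GSS_S_COMPLETE;` discards `ret`, so when gss_add_oid_set_member fails the loop breaks, the set is released, and the caller is still told the call succeeded with `*name_types` pointing at a released set. The last line should be `return ret;`, which also reports the failure status the loop recorded. `tmp` is correctly used for the release so the failing call's `*minor` is preserved.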
diff --git a/third_party/heimdal/lib/gssapi/sanon/inquire_sec_context_by_oid.c b/third_party/heimdal/lib/gssapi/sanon/inquire_sec_context_by_oid.c
new file mode 100644
index 0000000..1d8bc4b
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/inquire_sec_context_by_oid.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_inquire_sec_context_by_oid(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ const sanon_ctx sc = (const sanon_ctx)context_handle;
+
+ if (sc == NULL)
+ return GSS_S_NO_CONTEXT;
+
+ *data_set = GSS_C_NO_BUFFER_SET;
+
+ if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY) ||
+ gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X) ||
+ gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X) ||
+ gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X) ||
+ gss_oid_equal(desired_object, GSS_KRB5_EXPORT_LUCID_CONTEXT_X))
+ return gss_inquire_sec_context_by_oid(minor, sc->rfc4121,
+ desired_object, data_set);
+ else if (gss_oid_equal(desired_object, GSS_C_INQ_NEGOEX_KEY) ||
+ gss_oid_equal(desired_object, GSS_C_INQ_NEGOEX_VERIFY_KEY))
+ return _gss_sanon_inquire_negoex_key(minor, sc, desired_object, data_set);
+ else {
+ *minor = EINVAL;
+ return GSS_S_UNAVAILABLE;
+ }
+}
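Review bot: The forwarding branch passes `sc->rfc4121` straight to gss_inquire_sec_context_by_oid, but on a context that has not finished establishment rfc4121 is still GSS_C_NO_CONTEXT (init_sec_context only imports it on the second leg); _gss_sanon_inquire_negoex_key guards that case explicitly with `if (sc->rfc4121 == GSS_C_NO_CONTEXT) { *minor = KRB5KRB_AP_ERR_NOKEY; return GSS_S_UNAVAILABLE; }`, and the same guard before the forwarding call would give consistent behaviour instead of relying on the underlying mechanism to reject a null handle. The early `return GSS_S_NO_CONTEXT;` also leaves `*minor` unset, unlike _gss_sanon_inquire_context which zeroes it first; add `*minor = 0;` before the NULL check.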
diff --git a/third_party/heimdal/lib/gssapi/sanon/negoex.c b/third_party/heimdal/lib/gssapi/sanon/negoex.c
new file mode 100644
index 0000000..c6a21dd
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/negoex.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gssspi_sanon_query_mechanism_info(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ unsigned char auth_scheme[16])
+{
+ heim_assert(gss_oid_equal(mech_oid, GSS_SANON_X25519_MECHANISM),
+ "Invalid mechanism OID passed to query_mechanism_info");
+
+ *minor = 0;
+
+ /* {DEE384FF-1086-4E86-BE78-B94170BFD376} */
+ memcpy(auth_scheme,
+ "\xff\x84\xe3\xde\x86\x10\x86\x4e\xbe\x78\xb9\x41\x70\xbf\xd3\x76", 16);
+
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gss_sanon_inquire_negoex_key(OM_uint32 *minor,
+ const sanon_ctx sc,
+ gss_const_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ OM_uint32 major, tmpMinor;
+ int initiator_key;
+ uint8_t typebytes[4];
+ gss_buffer_desc salt, keyvalue = GSS_C_EMPTY_BUFFER, keytype;
+
+ if (sc->rfc4121 == GSS_C_NO_CONTEXT) {
+ *minor = KRB5KRB_AP_ERR_NOKEY;
+ return GSS_S_UNAVAILABLE;
+ }
+
+ initiator_key = !!(sc->is_initiator);
+
+ if (gss_oid_equal(desired_object, GSS_C_INQ_NEGOEX_VERIFY_KEY))
+ initiator_key ^= 1;
+ else if (!gss_oid_equal(desired_object, GSS_C_INQ_NEGOEX_KEY))
+ return GSS_S_UNAVAILABLE;
+
+ if (initiator_key) {
+ salt.length = sizeof("sanon-x25519-initiator-negoex-key") - 1;
+ salt.value = "sanon-x25519-initiator-negoex-key";
+ } else {
+ salt.length = sizeof("sanon-x25519-acceptor-negoex-key") - 1;
+ salt.value = "sanon-x25519-acceptor-negoex-key";
+ }
+
+ _gss_mg_encode_le_uint32(KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128, typebytes);
+
+ keytype.length = sizeof(typebytes);
+ keytype.value = typebytes;
+
+ major = gss_pseudo_random(minor, sc->rfc4121,
+ GSS_C_PRF_KEY_FULL, &salt,
+ 16, &keyvalue);
+ if (major == GSS_S_COMPLETE)
+ major = gss_add_buffer_set_member(minor, &keyvalue, data_set);
+ if (major == GSS_S_COMPLETE)
+ major = gss_add_buffer_set_member(minor, &keytype, data_set);
+
+ _gss_secure_release_buffer(&tmpMinor, &keyvalue);
+
+ return major;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gssspi_sanon_query_meta_data(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ gss_cred_id_t cred_handle,
+ gss_ctx_id_t *context_handle,
+ gss_const_name_t targ_name,
+ OM_uint32 req_flags,
+ gss_buffer_t meta_data)
+{
+ int is_initiator = (targ_name != GSS_C_NO_NAME);
+
+ *minor = 0;
+
+ if (is_initiator &&
+ !_gss_sanon_available_p(cred_handle, targ_name, req_flags))
+ return GSS_S_UNAVAILABLE;
+
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gssspi_sanon_exchange_meta_data(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ gss_cred_id_t cred_handle,
+ gss_ctx_id_t *context_handle,
+ gss_const_name_t targ_name,
+ OM_uint32 req_flags,
+ gss_const_buffer_t meta_data)
+{
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
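Review bot: In _gss_sanon_inquire_negoex_key, if the second gss_add_buffer_set_member call fails the first has already copied the derived key into `*data_set`, which is then handed back to the caller alongside an error status; callers do not normally release an output set on failure, so the key bytes would be leaked in memory. Release the partial set on any error after the first add, e.g. `if (major != GSS_S_COMPLETE) gss_release_buffer_set(&tmpMinor, data_set);` just before the secure release of keyvalue. The `return GSS_S_UNAVAILABLE;` for an unrecognised desired_object also leaves `*minor` unset; `*minor = EINVAL;` there would match the fallback in inquire_sec_context_by_oid.c.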
diff --git a/third_party/heimdal/lib/gssapi/sanon/process_context_token.c b/third_party/heimdal/lib/gssapi/sanon/process_context_token.c
new file mode 100644
index 0000000..077c8cb
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/process_context_token.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+_gss_sanon_process_context_token(OM_uint32 *minor,
+ gss_const_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer)
+{
+ *minor = 0;
+
+ return GSS_S_COMPLETE;
+}
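Review bot: The function accepts any token_buffer and returns GSS_S_COMPLETE without examining it, so a caller passing a malformed or unexpected context token gets no indication. If SAnon defines no context tokens of its own, that intent should be stated in a comment such as `/* SAnon defines no per-context tokens, so there is nothing to process */`; otherwise an unrecognised token should be reported with GSS_S_DEFECTIVE_TOKEN.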
diff --git a/third_party/heimdal/lib/gssapi/sanon/release_cred.c b/third_party/heimdal/lib/gssapi/sanon/release_cred.c
new file mode 100644
index 0000000..aa95272
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/release_cred.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_release_cred(OM_uint32 *minor,
+ gss_cred_id_t *cred_handle)
+{
+ *minor = 0;
+ *cred_handle = GSS_C_NO_CREDENTIAL;
+
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/release_name.c b/third_party/heimdal/lib/gssapi/sanon/release_name.c
new file mode 100644
index 0000000..7ba788c
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/release_name.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sanon_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_sanon_release_name(OM_uint32 *minor,
+ gss_name_t *input_name)
+{
+ *minor = 0;
+ *input_name = GSS_C_NO_NAME;
+
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/sanon/sanon_locl.h b/third_party/heimdal/lib/gssapi/sanon/sanon_locl.h
new file mode 100644
index 0000000..93d6aa8
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/sanon/sanon_locl.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2019-2020, AuriStor, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SANON_LOCL_H
+#define SANON_LOCL_H 1
+
+#include <config.h>
+
+#include <krb5_locl.h> /* for _krb5_SP800_108_HMAC_KDF() */
+
+#include <hcrypto/x25519_ref10.h>
+
+#include <gssapi.h>
+#include <gkrb5_err.h> /* for GSS_KRB5_S_XXX */
+
+#include "mech/mech_locl.h"
+
+typedef struct sanon_ctx_desc {
+ /* X25519 ECDH secret key */
+ uint8_t sk[crypto_scalarmult_curve25519_BYTES];
+ /* X25519 ECDH public key */
+ uint8_t pk[crypto_scalarmult_curve25519_BYTES];
+ /* krb5 context for message protection/PRF */
+ gss_ctx_id_t rfc4121;
+ unsigned is_initiator : 1;
+} *sanon_ctx;
+
+extern gss_name_t _gss_sanon_anonymous_identity;
+extern gss_name_t _gss_sanon_non_anonymous_identity;
+
+extern gss_cred_id_t _gss_sanon_anonymous_cred;
+extern gss_cred_id_t _gss_sanon_non_anonymous_cred;
+
+#include "sanon-private.h"
+
+#define SANON_WELLKNOWN_USER_NAME "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS"
+#define SANON_WELLKNOWN_USER_NAME_LEN (sizeof(SANON_WELLKNOWN_USER_NAME) - 1)
+
+extern gss_buffer_t _gss_sanon_wellknown_user_name;
+
+#define SANON_WELLKNOWN_SERVICE_NAME "WELLKNOWN@ANONYMOUS"
+#define SANON_WELLKNOWN_SERVICE_NAME_LEN (sizeof(SANON_WELLKNOWN_SERVICE_NAME) - 1)
+
+extern gss_buffer_t _gss_sanon_wellknown_service_name;
+
+static inline int
+buffer_equal_p(gss_const_buffer_t b1, gss_const_buffer_t b2)
+{
+ return b1->length == b2->length &&
+ memcmp(b1->value, b2->value, b2->length) == 0;
+}
+
+/* flags that are valid to be sent from a SAnon initiator in the flags field */
+#define SANON_PROTOCOL_FLAG_MASK ( GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG | GSS_C_EXTENDED_ERROR_FLAG )
+
+#endif /* SANON_LOCL_H */
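Review bot: `buffer_equal_p` calls `memcmp` even when both lengths are zero, and a zero-length `gss_buffer_t` commonly carries `value == NULL`; passing a null pointer to `memcmp` is undefined behaviour regardless of the length argument. Guard the call: `return b1->length == b2->length && (b1->length == 0 || memcmp(b1->value, b2->value, b1->length) == 0);`. Separately, `sanon_ctx_desc.sk` holds the X25519 private scalar for the lifetime of the context; the field comment should state that whoever frees the context is responsible for wiping it (e.g. `memset_s`), since that contract is not visible here and a plain `memset` before `free` may be optimised away. A short comment on `buffer_equal_p` noting that the non-constant-time `memcmp` is acceptable only because the inputs are names, not key material, would stop the helper being reused for secret comparison.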