From 996edd872f5c8be5947200fc2dc0d8b32f748d9d Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 30 Jul 2012 18:53:25 -0400
Subject: Implement privacy/integrity mechglue wrappers

---
 proxy/Makefile.am | 1 +
 proxy/src/mechglue/gpp_priv_integ.c | 346 ++++++++++++++++++++++++++++++++++++
 proxy/src/mechglue/gss_plugin.h | 74 ++++++++
 3 files changed, 421 insertions(+)
 create mode 100644 proxy/src/mechglue/gpp_priv_integ.c
(limited to 'proxy')

diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index 609b0de..baeff16 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -109,6 +109,7 @@ GP_MECHGLUE_OBJ = \
 src/mechglue/gpp_display_status.c \
 src/mechglue/gpp_import_and_canon_name.c \
 src/mechglue/gpp_indicate_mechs.c \
+ src/mechglue/gpp_priv_integ.c \
 src/mechglue/gss_plugin.c
 dist_noinst_HEADERS = \
diff --git a/proxy/src/mechglue/gpp_priv_integ.c b/proxy/src/mechglue/gpp_priv_integ.c
new file mode 100644
index 0000000..a27dae4
--- /dev/null
+++ b/proxy/src/mechglue/gpp_priv_integ.c
@@ -0,0 +1,346 @@
+/*
+ GSS-PROXY
+
+ Copyright (C) 2012 Red Hat, Inc.
+ Copyright (C) 2012 Simo Sorce
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+*/
+
+#include "gss_plugin.h"
+
+OM_uint32 gssi_wrap(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_wrap(minor_status, ctx_handle->local,
+ conf_req_flag, qop_req,
+ input_message_buffer, conf_state,
+ output_message_buffer);
+}
+
+OM_uint32 gssi_wrap_size_limit(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_wrap_size_limit(minor_status, ctx_handle->local,
+ conf_req_flag, qop_req,
+ req_output_size, max_input_size);
+}
+
+OM_uint32 gssi_wrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_wrap_iov(minor_status, ctx_handle->local,
+ conf_req_flag, qop_req, conf_state,
+ iov, iov_count);
+}
+
+OM_uint32 gssi_wrap_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_wrap_iov_length(minor_status, ctx_handle->local,
+ conf_req_flag, qop_req, conf_state,
+ iov, iov_count);
+}
+
+OM_uint32 gssi_wrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t input_payload_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do 
encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_wrap_aead(minor_status, ctx_handle->local,
+ conf_req_flag, qop_req,
+ input_assoc_buffer, input_payload_buffer,
+ conf_state, output_message_buffer);
+}
+
+OM_uint32 gssi_unwrap(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_unwrap(minor_status, ctx_handle->local,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state);
+}
+
+OM_uint32 gssi_unwrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ 
&ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_unwrap_iov(minor_status, ctx_handle->local,
+ conf_state, qop_state, iov, iov_count);
+}
+
+OM_uint32 gssi_unwrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t output_payload_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_unwrap_aead(minor_status, ctx_handle->local,
+ input_message_buffer, input_assoc_buffer,
+ output_payload_buffer,
+ conf_state, qop_state);
+}
+
+OM_uint32 gssi_get_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ gss_buffer_t message_buffer,
+ gss_buffer_t message_token)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_get_mic(minor_status,
+ ctx_handle->local,
+ qop_req,
+ message_buffer,
+ message_token);
+}
+
+OM_uint32 
gssi_verify_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t message_buffer,
+ gss_buffer_t message_token,
+ gss_qop_t *qop_state)
+{
+ struct gpp_context_handle *ctx_handle;
+ OM_uint32 maj, min;
+
+ ctx_handle = (struct gpp_context_handle *)context_handle;
+ if (!ctx_handle) {
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+
+ /* for now we do encryption only locally and only for specific known
+ * mechanisms for which we can export/import the context */
+ if (ctx_handle->remote && !ctx_handle->local) {
+ maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
+ &ctx_handle->local);
+ if (maj != GSS_S_COMPLETE) {
+ *minor_status = gpp_map_error(min);
+ return maj;
+ }
+ }
+
+ return gss_verify_mic(minor_status,
+ ctx_handle->local,
+ message_buffer,
+ message_token,
+ qop_state);
+}
diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
index 06e4b96..e69e1ec 100644
--- a/proxy/src/mechglue/gss_plugin.h
+++ b/proxy/src/mechglue/gss_plugin.h
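Review bot: Every entry point in this file returns GSS_S_CALL_INACCESSIBLE_READ on a NULL context handle without writing `*minor_status`, so a caller that reads the minor code on that path sees whatever the variable held before the call; and the same prologue (the NULL check, then the lazy `gpp_remote_to_local_ctx` import guarded by `remote && !local`) is repeated verbatim in all ten wrappers. I would move that prologue into one `static` helper that also zeroes the minor status on the early return, so the single policy decision this file makes — per-message crypto always runs in-process on `ctx_handle->local`, which means a context held only by the proxy is pulled into the calling process, presumably together with its session keys — is written down once. That trust-boundary consequence deserves an explicit comment; the existing "for now we do encryption only locally" remark hints at it but does not name what it costs. Whether two concurrent per-message calls on the same handle could race on the `remote`/`local` hand-over depends on gpp_remote_to_local_ctx and on locking conventions elsewhere in the plugin, which this hunk does not show.
```c
/* Make sure ctx_handle->local is usable.  Per-message operations never go
 * through the proxy, so a context that exists only remotely is imported
 * into this process first; this brings the proxy-held context state (and
 * presumably its keys) into the caller.  *minor_status is set on every
 * failure path. */
static OM_uint32 gpp_ensure_local_ctx(OM_uint32 *minor_status,
                                      struct gpp_context_handle *ctx_handle)
{
    OM_uint32 maj, min;

    if (!ctx_handle) {
        *minor_status = 0;
        return GSS_S_CALL_INACCESSIBLE_READ;
    }

    if (ctx_handle->remote && !ctx_handle->local) {
        maj = gpp_remote_to_local_ctx(&min, &ctx_handle->remote,
                                      &ctx_handle->local);
        if (maj != GSS_S_COMPLETE) {
            *minor_status = gpp_map_error(min);
            return maj;
        }
    }

    return GSS_S_COMPLETE;
}

OM_uint32 gssi_wrap(OM_uint32 *minor_status,
                    gss_ctx_id_t context_handle,
                    int conf_req_flag,
                    gss_qop_t qop_req,
                    gss_buffer_t input_message_buffer,
                    int *conf_state,
                    gss_buffer_t output_message_buffer)
{
    struct gpp_context_handle *ctx_handle;
    OM_uint32 maj;

    ctx_handle = (struct gpp_context_handle *)context_handle;
    maj = gpp_ensure_local_ctx(minor_status, ctx_handle);
    if (maj != GSS_S_COMPLETE) {
        return maj;
    }

    return gss_wrap(minor_status, ctx_handle->local,
                    conf_req_flag, qop_req,
                    input_message_buffer, conf_state,
                    output_message_buffer);
}

/* … unchanged: the other nine wrappers take the same two-line prologue … */
```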
@@ -311,4 +311,78 @@ OM_uint32 gssi_inquire_mech_for_saslname(OM_uint32 *minor_status,
 const gss_buffer_t sasl_mech_name,
 gss_OID *mech_type);
+OM_uint32 gssi_wrap(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer);
+
+OM_uint32 gssi_wrap_size_limit(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size);
+
+OM_uint32 gssi_wrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
+OM_uint32 gssi_wrap_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
+OM_uint32 gssi_wrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t input_payload_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer);
+
+OM_uint32 gssi_unwrap(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state);
+
+OM_uint32 gssi_unwrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
+OM_uint32 gssi_unwrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t output_payload_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state);
+
+OM_uint32 gssi_get_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ gss_buffer_t message_buffer,
+ gss_buffer_t message_token);
+
+OM_uint32 
gssi_verify_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t message_buffer,
+ gss_buffer_t message_token,
+ gss_qop_t *qop_state);
+
 #endif /* _GSS_PLUGIN_H_ */
-- cgit
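Review bot: The ten new prototypes are appended to gss_plugin.h right after `gssi_inquire_mech_for_saslname` with nothing separating them from the name and mechanism inquiry declarations above, so a reader of the header cannot tell that this group is the per-message protection interface implemented in gpp_priv_integ.c rather than more context or name handling. A one-line comment before the first new declaration would place them: `/* Per-message protection (wrap/unwrap, get/verify MIC) entry points; see gpp_priv_integ.c */`. The rest of the header, including whatever declares `struct gpp_context_handle` and `gpp_remote_to_local_ctx`, lies outside this hunk.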