OM_uint32 _gss_spnego_seal (OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag, int qop_req, gss_buffer_t input_message_buffer, int * conf_state, gss_buffer_t output_message_buffer ) { gssspnego_ctx ctx; *minor_status = 0; if (context_handle == GSS_C_NO_CONTEXT) { return GSS_S_NO_CONTEXT; } ctx = (gssspnego_ctx)context_handle; if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { return GSS_S_NO_CONTEXT; } return gss_seal(minor_status, ctx->negotiated_ctx_id, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer); }
static int krb5_encode(void *app_data, const void *from, int length, int level, void **to, struct connectdata *conn) { gss_ctx_id_t *context = app_data; gss_buffer_desc dec, enc; OM_uint32 maj, min; int state; int len; /* shut gcc up */ conn = NULL; /* NOTE that the cast is safe, neither of the krb5, gnu gss and heimdal * libraries modify the input buffer in gss_seal() */ dec.value = (void*)from; dec.length = length; maj = gss_seal(&min, *context, level == prot_private, GSS_C_QOP_DEFAULT, &dec, &state, &enc); if(maj != GSS_S_COMPLETE) return -1; /* malloc a new buffer, in case gss_release_buffer doesn't work as expected */ *to = malloc(enc.length); if(!*to) return -1; memcpy(*to, enc.value, enc.length); len = enc.length; gss_release_buffer(&min, &enc); return len; }
static int krb5_encode(void *app_data, void *from, int length, int level, void **to, struct connectdata *conn) { gss_ctx_id_t *context = app_data; gss_buffer_desc dec, enc; OM_uint32 maj, min; int state; int len; /* shut gcc up */ conn = NULL; dec.value = from; dec.length = length; maj = gss_seal(&min, *context, level == prot_private, GSS_C_QOP_DEFAULT, &dec, &state, &enc); if(maj != GSS_S_COMPLETE) return -1; /* malloc a new buffer, in case gss_release_buffer doesn't work as expected */ *to = malloc(enc.length); if(!*to) return -1; memcpy(*to, enc.value, enc.length); len = enc.length; gss_release_buffer(&min, &enc); return len; }
static int k5_encrypt( void *cookie, void *buf, ssize_t buflen, void **encbuf, ssize_t *encbuflen) { struct tcp_conn *rc = cookie; gss_buffer_desc dectok; gss_buffer_desc enctok; OM_uint32 maj_stat, min_stat; int conf_state; if (rc->conf_fn && rc->conf_fn("kencrypt", rc->datap)) { auth_debug(1, _("krb5: k5_encrypt: enter %p\n"), rc); dectok.length = buflen; dectok.value = buf; if (rc->auth == 1) { assert(rc->gss_context != GSS_C_NO_CONTEXT); maj_stat = gss_seal(&min_stat, rc->gss_context, 1, GSS_C_QOP_DEFAULT, &dectok, &conf_state, &enctok); if (maj_stat != (OM_uint32)GSS_S_COMPLETE || conf_state == 0) { auth_debug(1, _("krb5 encrypt error to %s: %s\n"), rc->hostname, gss_error(maj_stat, min_stat)); return (-1); } auth_debug(1, _("krb5: k5_encrypt: give %zu bytes\n"), enctok.length); *encbuf = enctok.value; *encbuflen = enctok.length; } else { *encbuf = buf; *encbuflen = buflen; } auth_debug(1, _("krb5: k5_encrypt: exit\n")); } return (0); }
bool_t auth_gssapi_seal_seq( gss_ctx_id_t context, uint32_t seq_num, gss_buffer_t out_buf) { gss_buffer_desc in_buf; OM_uint32 gssstat, minor_stat; uint32_t nl_seq_num; nl_seq_num = htonl(seq_num); in_buf.length = sizeof(uint32_t); in_buf.value = (char *) &nl_seq_num; gssstat = gss_seal(&minor_stat, context, 0, GSS_C_QOP_DEFAULT, &in_buf, NULL, out_buf); if (gssstat != GSS_S_COMPLETE) { PRINTF(("gssapi_seal_seq: failed\n")); AUTH_GSSAPI_DISPLAY_STATUS(("sealing sequence number", gssstat, minor_stat)); return FALSE; } return TRUE; }
/** * @brief * encode a Job Credential Batch Request * * @param[in] c - socket descriptor * @param[in] type - credential type * @param[in] buf - credentials * @param[in] len - credential length * @param[in] rpp - indication for whether to use rpp * @param[in] msgid - msg id * * @return int * @retval 0 success * @retval !0(pbse error) error * */ int PBSD_jcred(int c, int type, char *buf, int len, int rpp, char **msgid) { int rc; struct batch_reply *reply = NULL; int sock; if (!rpp) { sock = connection[c].ch_socket; DIS_tcp_setup(sock); } else { sock = c; if ((rc = is_compose_cmd(sock, IS_CMD, msgid)) != DIS_SUCCESS) return rc; } #ifdef PBS_CRED_GRIDPROXY if (type == PBS_CREDTYPE_GRIDPROXY) { OM_uint32 major, minor; gss_buffer_desc input, output; /* OM_uint32 flag = GSS_C_CONF_FLAG|GSS_C_DELEG_FLAG; */ OM_uint32 flag = GSS_C_CONF_FLAG; gss_ctx_id_t context = GSS_C_NO_CONTEXT; OM_uint32 life; int ret; output.length = 0; input.length = 0; for (;;) { major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &context, GSS_C_NO_NAME, GSS_C_NO_OID, flag, 0, GSS_C_NO_CHANNEL_BINDINGS, &input, NULL, &output, NULL, NULL); if (reply) PBSD_FreeReply(reply); rc = PBSD_GSS_context(sock, output.value, output.length); if (rc) { connection[c].ch_errtxt = strdup(dis_emsg[rc]); if (connection[c].ch_errtxt == NULL) return (pbs_errno = PBSE_SYSTEM); return (pbs_errno = PBSE_PROTOCOL); } if (GSS_ERROR(major)) { connection[c].ch_errtxt = pbs_gss_error("gss_init_sec_context", major, minor); return (pbs_errno = PBSE_PROTOCOL); } reply = PBSD_rdrpy(c); if (reply == NULL) return (pbs_errno = PBSE_PROTOCOL); if (pbs_errno != PBSE_NONE) { PBSD_FreeReply(reply); return pbs_errno; } if (reply->brp_choice == BATCH_REPLY_CHOICE_Text) { input.length = reply->brp_un.brp_txt.brp_txtlen; input.value = reply->brp_un.brp_txt.brp_str; } else { input.length = 0; input.value = NULL; } if (input.length == 0 && (major & GSS_S_CONTINUE_NEEDED) == 0) break; } if (reply) PBSD_FreeReply(reply); (void)gss_release_buffer(&minor, &output); if (major != GSS_S_COMPLETE || context == GSS_C_NO_CONTEXT) { connection[c].ch_errtxt = strdup("context could not be established"); if (connection[c].ch_errtxt == NULL) return (pbs_errno = PBSE_SYSTEM); return (pbs_errno = PBSE_PROTOCOL); } input.value = buf; input.length = len; output.length = 0; major = gss_seal(&minor, context, 1, GSS_C_QOP_DEFAULT, &input, &ret, &output); if (major != GSS_S_COMPLETE) { connection[c].ch_errtxt = pbs_gss_error("gss_seal", major, minor); return (pbs_errno = PBSE_PROTOCOL); } if (ret == 0) { connection[c].ch_errtxt = strdup("confidentiality not available"); if (connection[c].ch_errtxt == NULL) return (pbs_errno = PBSE_SYSTEM); return (pbs_errno = PBSE_PROTOCOL); } buf = output.value; len = output.length; output.length = 0; major = gss_delete_sec_context(&minor, &context, &output); if (major == GSS_S_COMPLETE && output.length > 0) { (void)gss_process_context_token(&minor, context, &output); (void)gss_release_buffer(&minor, &output); } } #endif if ((rc =encode_DIS_ReqHdr(sock, PBS_BATCH_JobCred, pbs_current_user)) || (rc = encode_DIS_JobCred(sock, type, buf, len)) || (rc = encode_DIS_ReqExtend(sock, (char *)0))) { if (!rpp) { connection[c].ch_errtxt = strdup(dis_emsg[rc]); if (connection[c].ch_errtxt == NULL) return (pbs_errno = PBSE_SYSTEM); } return (pbs_errno = PBSE_PROTOCOL); } if (rpp) { pbs_errno = PBSE_NONE; if (rpp_flush(sock)) pbs_errno = PBSE_PROTOCOL; return (pbs_errno); } if (DIS_tcp_wflush(sock)) { return (pbs_errno = PBSE_PROTOCOL); } reply = PBSD_rdrpy(c); PBSD_FreeReply(reply); return connection[c].ch_errno; }
bool_t auth_gssapi_wrap_data( OM_uint32 *major, OM_uint32 *minor, gss_ctx_id_t context, uint32_t seq_num, XDR *out_xdrs, bool_t (*xdr_func)(), caddr_t xdr_ptr) { gss_buffer_desc in_buf, out_buf; XDR temp_xdrs; int conf_state; unsigned int length; PRINTF(("gssapi_wrap_data: starting\n")); *major = GSS_S_COMPLETE; *minor = 0; /* assumption */ xdralloc_create(&temp_xdrs, XDR_ENCODE); /* serialize the sequence number into local memory */ PRINTF(("gssapi_wrap_data: encoding seq_num %d\n", seq_num)); if (! xdr_u_int32(&temp_xdrs, &seq_num)) { PRINTF(("gssapi_wrap_data: serializing seq_num failed\n")); XDR_DESTROY(&temp_xdrs); return FALSE; } /* serialize the arguments into local memory */ if (!(*xdr_func)(&temp_xdrs, xdr_ptr)) { PRINTF(("gssapi_wrap_data: serializing arguments failed\n")); XDR_DESTROY(&temp_xdrs); return FALSE; } in_buf.length = xdr_getpos(&temp_xdrs); in_buf.value = xdralloc_getdata(&temp_xdrs); *major = gss_seal(minor, context, 1, GSS_C_QOP_DEFAULT, &in_buf, &conf_state, &out_buf); if (*major != GSS_S_COMPLETE) { XDR_DESTROY(&temp_xdrs); return FALSE; } PRINTF(("gssapi_wrap_data: %d bytes data, %d bytes sealed\n", (int) in_buf.length, (int) out_buf.length)); /* write the token */ length = out_buf.length; if (! xdr_bytes(out_xdrs, (char **) &out_buf.value, (unsigned int *) &length, out_buf.length)) { PRINTF(("gssapi_wrap_data: serializing encrypted data failed\n")); XDR_DESTROY(&temp_xdrs); return FALSE; } *major = gss_release_buffer(minor, &out_buf); PRINTF(("gssapi_wrap_data: succeeding\n\n")); XDR_DESTROY(&temp_xdrs); return TRUE; }