OM_uint32 _gss_spnego_seal
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
int qop_req,
gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_message_buffer
)
{
gssspnego_ctx ctx;
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
ctx = (gssspnego_ctx)context_handle;
if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_seal(minor_status,
ctx->negotiated_ctx_id,
conf_req_flag,
qop_req,
input_message_buffer,
conf_state,
output_message_buffer);
}
static int
krb5_encode(void *app_data, const void *from, int length, int level, void **to,
struct connectdata *conn)
{
gss_ctx_id_t *context = app_data;
gss_buffer_desc dec, enc;
OM_uint32 maj, min;
int state;
int len;
/* shut gcc up */
conn = NULL;
/* NOTE that the cast is safe, neither of the krb5, gnu gss and heimdal
* libraries modify the input buffer in gss_seal()
*/
dec.value = (void*)from;
dec.length = length;
maj = gss_seal(&min, *context,
level == prot_private,
GSS_C_QOP_DEFAULT,
&dec, &state, &enc);
if(maj != GSS_S_COMPLETE)
return -1;
/* malloc a new buffer, in case gss_release_buffer doesn't work as expected */
*to = malloc(enc.length);
if(!*to)
return -1;
memcpy(*to, enc.value, enc.length);
len = enc.length;
gss_release_buffer(&min, &enc);
return len;
}
static int
krb5_encode(void *app_data, void *from, int length, int level, void **to,
struct connectdata *conn)
{
gss_ctx_id_t *context = app_data;
gss_buffer_desc dec, enc;
OM_uint32 maj, min;
int state;
int len;
/* shut gcc up */
conn = NULL;
dec.value = from;
dec.length = length;
maj = gss_seal(&min, *context,
level == prot_private,
GSS_C_QOP_DEFAULT,
&dec, &state, &enc);
if(maj != GSS_S_COMPLETE)
return -1;
/* malloc a new buffer, in case gss_release_buffer doesn't work as expected */
*to = malloc(enc.length);
if(!*to)
return -1;
memcpy(*to, enc.value, enc.length);
len = enc.length;
gss_release_buffer(&min, &enc);
return len;
}
static int
k5_encrypt(
void *cookie,
void *buf,
ssize_t buflen,
void **encbuf,
ssize_t *encbuflen)
{
struct tcp_conn *rc = cookie;
gss_buffer_desc dectok;
gss_buffer_desc enctok;
OM_uint32 maj_stat, min_stat;
int conf_state;
if (rc->conf_fn && rc->conf_fn("kencrypt", rc->datap)) {
auth_debug(1, _("krb5: k5_encrypt: enter %p\n"), rc);
dectok.length = buflen;
dectok.value = buf;
if (rc->auth == 1) {
assert(rc->gss_context != GSS_C_NO_CONTEXT);
maj_stat = gss_seal(&min_stat, rc->gss_context, 1,
GSS_C_QOP_DEFAULT, &dectok, &conf_state,
&enctok);
if (maj_stat != (OM_uint32)GSS_S_COMPLETE || conf_state == 0) {
auth_debug(1, _("krb5 encrypt error to %s: %s\n"),
rc->hostname, gss_error(maj_stat, min_stat));
return (-1);
}
auth_debug(1, _("krb5: k5_encrypt: give %zu bytes\n"),
enctok.length);
*encbuf = enctok.value;
*encbuflen = enctok.length;
} else {
*encbuf = buf;
*encbuflen = buflen;
}
auth_debug(1, _("krb5: k5_encrypt: exit\n"));
}
return (0);
}
bool_t auth_gssapi_seal_seq(
gss_ctx_id_t context,
uint32_t seq_num,
gss_buffer_t out_buf)
{
gss_buffer_desc in_buf;
OM_uint32 gssstat, minor_stat;
uint32_t nl_seq_num;
nl_seq_num = htonl(seq_num);
in_buf.length = sizeof(uint32_t);
in_buf.value = (char *) &nl_seq_num;
gssstat = gss_seal(&minor_stat, context, 0, GSS_C_QOP_DEFAULT,
&in_buf, NULL, out_buf);
if (gssstat != GSS_S_COMPLETE) {
PRINTF(("gssapi_seal_seq: failed\n"));
AUTH_GSSAPI_DISPLAY_STATUS(("sealing sequence number",
gssstat, minor_stat));
return FALSE;
}
return TRUE;
}
/**
* @brief
* encode a Job Credential Batch Request
*
* @param[in] c - socket descriptor
* @param[in] type - credential type
* @param[in] buf - credentials
* @param[in] len - credential length
* @param[in] rpp - indication for whether to use rpp
* @param[in] msgid - msg id
*
* @return int
* @retval 0 success
* @retval !0(pbse error) error
*
*/
int
PBSD_jcred(int c, int type, char *buf, int len, int rpp, char **msgid)
{
int rc;
struct batch_reply *reply = NULL;
int sock;
if (!rpp) {
sock = connection[c].ch_socket;
DIS_tcp_setup(sock);
} else {
sock = c;
if ((rc = is_compose_cmd(sock, IS_CMD, msgid)) != DIS_SUCCESS)
return rc;
}
#ifdef PBS_CRED_GRIDPROXY
if (type == PBS_CREDTYPE_GRIDPROXY) {
OM_uint32 major, minor;
gss_buffer_desc input, output;
/*
OM_uint32 flag = GSS_C_CONF_FLAG|GSS_C_DELEG_FLAG;
*/
OM_uint32 flag = GSS_C_CONF_FLAG;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
OM_uint32 life;
int ret;
output.length = 0;
input.length = 0;
for (;;) {
major = gss_init_sec_context(&minor,
GSS_C_NO_CREDENTIAL, &context,
GSS_C_NO_NAME, GSS_C_NO_OID, flag, 0,
GSS_C_NO_CHANNEL_BINDINGS, &input, NULL,
&output, NULL, NULL);
if (reply)
PBSD_FreeReply(reply);
rc = PBSD_GSS_context(sock, output.value, output.length);
if (rc) {
connection[c].ch_errtxt = strdup(dis_emsg[rc]);
if (connection[c].ch_errtxt == NULL)
return (pbs_errno = PBSE_SYSTEM);
return (pbs_errno = PBSE_PROTOCOL);
}
if (GSS_ERROR(major)) {
connection[c].ch_errtxt =
pbs_gss_error("gss_init_sec_context",
major, minor);
return (pbs_errno = PBSE_PROTOCOL);
}
reply = PBSD_rdrpy(c);
if (reply == NULL)
return (pbs_errno = PBSE_PROTOCOL);
if (pbs_errno != PBSE_NONE) {
PBSD_FreeReply(reply);
return pbs_errno;
}
if (reply->brp_choice == BATCH_REPLY_CHOICE_Text) {
input.length = reply->brp_un.brp_txt.brp_txtlen;
input.value = reply->brp_un.brp_txt.brp_str;
}
else {
input.length = 0;
input.value = NULL;
}
if (input.length == 0 &&
(major & GSS_S_CONTINUE_NEEDED) == 0)
break;
}
if (reply)
PBSD_FreeReply(reply);
(void)gss_release_buffer(&minor, &output);
if (major != GSS_S_COMPLETE || context == GSS_C_NO_CONTEXT) {
connection[c].ch_errtxt =
strdup("context could not be established");
if (connection[c].ch_errtxt == NULL)
return (pbs_errno = PBSE_SYSTEM);
return (pbs_errno = PBSE_PROTOCOL);
}
input.value = buf;
input.length = len;
output.length = 0;
major = gss_seal(&minor, context, 1, GSS_C_QOP_DEFAULT,
&input, &ret, &output);
if (major != GSS_S_COMPLETE) {
connection[c].ch_errtxt =
pbs_gss_error("gss_seal", major, minor);
return (pbs_errno = PBSE_PROTOCOL);
}
if (ret == 0) {
connection[c].ch_errtxt =
strdup("confidentiality not available");
if (connection[c].ch_errtxt == NULL)
return (pbs_errno = PBSE_SYSTEM);
return (pbs_errno = PBSE_PROTOCOL);
}
buf = output.value;
len = output.length;
output.length = 0;
major = gss_delete_sec_context(&minor, &context, &output);
if (major == GSS_S_COMPLETE && output.length > 0) {
(void)gss_process_context_token(&minor,
context, &output);
(void)gss_release_buffer(&minor, &output);
}
}
#endif
if ((rc =encode_DIS_ReqHdr(sock, PBS_BATCH_JobCred, pbs_current_user)) ||
(rc = encode_DIS_JobCred(sock, type, buf, len)) ||
(rc = encode_DIS_ReqExtend(sock, (char *)0))) {
if (!rpp) {
connection[c].ch_errtxt = strdup(dis_emsg[rc]);
if (connection[c].ch_errtxt == NULL)
return (pbs_errno = PBSE_SYSTEM);
}
return (pbs_errno = PBSE_PROTOCOL);
}
if (rpp) {
pbs_errno = PBSE_NONE;
if (rpp_flush(sock))
pbs_errno = PBSE_PROTOCOL;
return (pbs_errno);
}
if (DIS_tcp_wflush(sock)) {
return (pbs_errno = PBSE_PROTOCOL);
}
reply = PBSD_rdrpy(c);
PBSD_FreeReply(reply);
return connection[c].ch_errno;
}
bool_t auth_gssapi_wrap_data(
OM_uint32 *major,
OM_uint32 *minor,
gss_ctx_id_t context,
uint32_t seq_num,
XDR *out_xdrs,
bool_t (*xdr_func)(),
caddr_t xdr_ptr)
{
gss_buffer_desc in_buf, out_buf;
XDR temp_xdrs;
int conf_state;
unsigned int length;
PRINTF(("gssapi_wrap_data: starting\n"));
*major = GSS_S_COMPLETE;
*minor = 0; /* assumption */
xdralloc_create(&temp_xdrs, XDR_ENCODE);
/* serialize the sequence number into local memory */
PRINTF(("gssapi_wrap_data: encoding seq_num %d\n", seq_num));
if (! xdr_u_int32(&temp_xdrs, &seq_num)) {
PRINTF(("gssapi_wrap_data: serializing seq_num failed\n"));
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
/* serialize the arguments into local memory */
if (!(*xdr_func)(&temp_xdrs, xdr_ptr)) {
PRINTF(("gssapi_wrap_data: serializing arguments failed\n"));
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
in_buf.length = xdr_getpos(&temp_xdrs);
in_buf.value = xdralloc_getdata(&temp_xdrs);
*major = gss_seal(minor, context, 1,
GSS_C_QOP_DEFAULT, &in_buf, &conf_state,
&out_buf);
if (*major != GSS_S_COMPLETE) {
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
PRINTF(("gssapi_wrap_data: %d bytes data, %d bytes sealed\n",
(int) in_buf.length, (int) out_buf.length));
/* write the token */
length = out_buf.length;
if (! xdr_bytes(out_xdrs, (char **) &out_buf.value,
(unsigned int *) &length,
out_buf.length)) {
PRINTF(("gssapi_wrap_data: serializing encrypted data failed\n"));
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
*major = gss_release_buffer(minor, &out_buf);
PRINTF(("gssapi_wrap_data: succeeding\n\n"));
XDR_DESTROY(&temp_xdrs);
return TRUE;
}
