Branch data Line data Source code
1 : : /* msg.c --- Implementation of GSS-API Per-Message functions.
2 : : * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Simon Josefsson
3 : : *
4 : : * This file is part of the Generic Security Service (GSS).
5 : : *
6 : : * GSS is free software; you can redistribute it and/or modify it
7 : : * under the terms of the GNU General Public License as published by
8 : : * the Free Software Foundation; either version 3 of the License, or
9 : : * (at your option) any later version.
10 : : *
11 : : * GSS is distributed in the hope that it will be useful, but WITHOUT
12 : : * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 : : * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
14 : : * License for more details.
15 : : *
16 : : * You should have received a copy of the GNU General Public License
17 : : * along with GSS; if not, see http://www.gnu.org/licenses or write to
18 : : * the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 : : * Floor, Boston, MA 02110-1301, USA.
20 : : *
21 : : */
22 : :
23 : : #include "internal.h"
24 : :
25 : : /* _gss_find_mech */
26 : : #include "meta.h"
27 : :
28 : : /**
29 : : * gss_get_mic:
30 : : * @minor_status: (Integer, modify) Mechanism specific status code.
31 : : * @context_handle: (gss_ctx_id_t, read) Identifies the context on
32 : : * which the message will be sent.
33 : : * @qop_req: (gss_qop_t, read, optional) Specifies requested quality
34 : : * of protection. Callers are encouraged, on portability grounds,
35 : : * to accept the default quality of protection offered by the chosen
36 : : * mechanism, which may be requested by specifying GSS_C_QOP_DEFAULT
37 : : * for this parameter. If an unsupported protection strength is
38 : : * requested, gss_get_mic will return a major_status of
39 : : * GSS_S_BAD_QOP.
40 : : * @message_buffer: (buffer, opaque, read) Message to be protected.
41 : : * @message_token: (buffer, opaque, modify) Buffer to receive token. The
42 : : * application must free storage associated with this buffer after
43 : : * use with a call to gss_release_buffer().
44 : : *
45 : : * Generates a cryptographic MIC for the supplied message, and places
46 : : * the MIC in a token for transfer to the peer application. The
47 : : * qop_req parameter allows a choice between several cryptographic
48 : : * algorithms, if supported by the chosen mechanism.
49 : : *
50 : : * Since some application-level protocols may wish to use tokens
51 : : * emitted by gss_wrap() to provide "secure framing", implementations
52 : : * must support derivation of MICs from zero-length messages.
53 : : *
54 : : * Return value:
55 : : *
56 : : * `GSS_S_COMPLETE`: Successful completion.
57 : : *
58 : : * `GSS_S_CONTEXT_EXPIRED`: The context has already expired.
59 : : *
60 : : * `GSS_S_NO_CONTEXT`: The context_handle parameter did not identify a
61 : : * valid context.
62 : : *
63 : : * `GSS_S_BAD_QOP`: The specified QOP is not supported by the
64 : : * mechanism.
65 : : **/
66 : : OM_uint32
67 : 0 : gss_get_mic (OM_uint32 * minor_status,
68 : : const gss_ctx_id_t context_handle,
69 : : gss_qop_t qop_req,
70 : : const gss_buffer_t message_buffer, gss_buffer_t message_token)
71 : : {
72 : : _gss_mech_api_t mech;
73 : :
74 [ # # ]: 0 : if (!context_handle)
75 : : {
76 [ # # ]: 0 : if (minor_status)
77 : 0 : *minor_status = 0;
78 : 0 : return GSS_S_NO_CONTEXT;
79 : : }
80 : :
81 : 0 : mech = _gss_find_mech (context_handle->mech);
82 [ # # ]: 0 : if (mech == NULL)
83 : : {
84 [ # # ]: 0 : if (minor_status)
85 : 0 : *minor_status = 0;
86 : 0 : return GSS_S_BAD_MECH;
87 : : }
88 : :
89 : 0 : return mech->get_mic (minor_status, context_handle, qop_req,
90 : : message_buffer, message_token);
91 : : }
92 : :
93 : : /**
94 : : * gss_verify_mic:
95 : : * @minor_status: (Integer, modify) Mechanism specific status code.
96 : : * @context_handle: (gss_ctx_id_t, read) Identifies the context on
97 : : * which the message arrived.
98 : : * @message_buffer: (buffer, opaque, read) Message to be verified.
99 : : * @token_buffer: (buffer, opaque, read) Token associated with
100 : : * message.
101 : : * @qop_state: (gss_qop_t, modify, optional) Quality of protection
102 : : * gained from MIC Specify NULL if not required.
103 : : *
104 : : * Verifies that a cryptographic MIC, contained in the token
105 : : * parameter, fits the supplied message. The qop_state parameter
106 : : * allows a message recipient to determine the strength of protection
107 : : * that was applied to the message.
108 : : *
109 : : * Since some application-level protocols may wish to use tokens
110 : : * emitted by gss_wrap() to provide "secure framing", implementations
111 : : * must support the calculation and verification of MICs over
112 : : * zero-length messages.
113 : : *
114 : : * Return value:
115 : : *
116 : : * `GSS_S_COMPLETE`: Successful completion.
117 : : *
118 : : * `GSS_S_DEFECTIVE_TOKEN`: The token failed consistency checks.
119 : : *
120 : : * `GSS_S_BAD_SIG`: The MIC was incorrect.
121 : : *
122 : : * `GSS_S_DUPLICATE_TOKEN`: The token was valid, and contained a
123 : : * correct MIC for the message, but it had already been processed.
124 : : *
125 : : * `GSS_S_OLD_TOKEN`: The token was valid, and contained a correct MIC
126 : : * for the message, but it is too old to check for duplication.
127 : : *
128 : : * `GSS_S_UNSEQ_TOKEN`: The token was valid, and contained a correct
129 : : * MIC for the message, but has been verified out of sequence; a later
130 : : * token has already been received.
131 : : *
132 : : * `GSS_S_GAP_TOKEN`: The token was valid, and contained a correct MIC
133 : : * for the message, but has been verified out of sequence; an earlier
134 : : * expected token has not yet been received.
135 : : *
136 : : * `GSS_S_CONTEXT_EXPIRED`: The context has already expired.
137 : : *
138 : : * `GSS_S_NO_CONTEXT`: The context_handle parameter did not identify a
139 : : * valid context.
140 : : **/
141 : : OM_uint32
142 : 0 : gss_verify_mic (OM_uint32 * minor_status,
143 : : const gss_ctx_id_t context_handle,
144 : : const gss_buffer_t message_buffer,
145 : : const gss_buffer_t token_buffer, gss_qop_t * qop_state)
146 : : {
147 : : _gss_mech_api_t mech;
148 : :
149 [ # # ]: 0 : if (!context_handle)
150 : : {
151 [ # # ]: 0 : if (minor_status)
152 : 0 : *minor_status = 0;
153 : 0 : return GSS_S_NO_CONTEXT;
154 : : }
155 : :
156 : 0 : mech = _gss_find_mech (context_handle->mech);
157 [ # # ]: 0 : if (mech == NULL)
158 : : {
159 [ # # ]: 0 : if (minor_status)
160 : 0 : *minor_status = 0;
161 : 0 : return GSS_S_BAD_MECH;
162 : : }
163 : :
164 : 0 : return mech->verify_mic (minor_status, context_handle,
165 : : message_buffer, token_buffer, qop_state);
166 : : }
167 : :
168 : : /**
169 : : * gss_wrap:
170 : : * @minor_status: (Integer, modify) Mechanism specific status code.
171 : : * @context_handle: (gss_ctx_id_t, read) Identifies the context on
172 : : * which the message will be sent.
173 : : * @conf_req_flag: (boolean, read) Non-zero - Both confidentiality and
174 : : * integrity services are requested. Zero - Only integrity service is
175 : : * requested.
176 : : * @qop_req: (gss_qop_t, read, optional) Specifies required quality of
177 : : * protection. A mechanism-specific default may be requested by
178 : : * setting qop_req to GSS_C_QOP_DEFAULT. If an unsupported
179 : : * protection strength is requested, gss_wrap will return a
180 : : * major_status of GSS_S_BAD_QOP.
181 : : * @input_message_buffer: (buffer, opaque, read) Message to be
182 : : * protected.
183 : : * @conf_state: (boolean, modify, optional) Non-zero -
184 : : * Confidentiality, data origin authentication and integrity
185 : : * services have been applied. Zero - Integrity and data origin
186 : : * services only has been applied. Specify NULL if not required.
187 : : * @output_message_buffer: (buffer, opaque, modify) Buffer to receive
188 : : * protected message. Storage associated with this message must be
189 : : * freed by the application after use with a call to
190 : : * gss_release_buffer().
191 : : *
192 : : * Attaches a cryptographic MIC and optionally encrypts the specified
193 : : * input_message. The output_message contains both the MIC and the
194 : : * message. The qop_req parameter allows a choice between several
195 : : * cryptographic algorithms, if supported by the chosen mechanism.
196 : : *
197 : : * Since some application-level protocols may wish to use tokens
198 : : * emitted by gss_wrap() to provide "secure framing", implementations
199 : : * must support the wrapping of zero-length messages.
200 : : *
201 : : * Return value:
202 : : *
203 : : * `GSS_S_COMPLETE`: Successful completion.
204 : : *
205 : : * `GSS_S_CONTEXT_EXPIRED`: The context has already expired.
206 : : *
207 : : * `GSS_S_NO_CONTEXT`: The context_handle parameter did not identify a
208 : : * valid context.
209 : : *
210 : : * `GSS_S_BAD_QOP`: The specified QOP is not supported by the
211 : : * mechanism.
212 : : **/
213 : : OM_uint32
214 : 3 : gss_wrap (OM_uint32 * minor_status,
215 : : const gss_ctx_id_t context_handle,
216 : : int conf_req_flag,
217 : : gss_qop_t qop_req,
218 : : const gss_buffer_t input_message_buffer,
219 : : int *conf_state, gss_buffer_t output_message_buffer)
220 : : {
221 : : _gss_mech_api_t mech;
222 : :
223 [ - + ]: 3 : if (!context_handle)
224 : : {
225 [ # # ]: 0 : if (minor_status)
226 : 0 : *minor_status = 0;
227 : 0 : return GSS_S_NO_CONTEXT;
228 : : }
229 : :
230 : 3 : mech = _gss_find_mech (context_handle->mech);
231 [ - + ]: 3 : if (mech == NULL)
232 : : {
233 [ # # ]: 0 : if (minor_status)
234 : 0 : *minor_status = 0;
235 : 0 : return GSS_S_BAD_MECH;
236 : : }
237 : :
238 : 3 : return mech->wrap (minor_status, context_handle, conf_req_flag, qop_req,
239 : : input_message_buffer, conf_state, output_message_buffer);
240 : : }
241 : :
242 : : /**
243 : : * gss_unwrap:
244 : : * @minor_status: (Integer, modify) Mechanism specific status code.
245 : : * @context_handle: (gss_ctx_id_t, read) Identifies the context on
246 : : * which the message arrived.
247 : : * @input_message_buffer: (buffer, opaque, read) Protected message.
248 : : * @output_message_buffer: (buffer, opaque, modify) Buffer to receive
249 : : * unwrapped message. Storage associated with this buffer must be
250 : : * freed by the application after use use with a call to
251 : : * gss_release_buffer().
252 : : * @conf_state: (boolean, modify, optional) Non-zero - Confidentiality
253 : : * and integrity protection were used. Zero - Integrity service only
254 : : * was used. Specify NULL if not required.
255 : : * @qop_state: (gss_qop_t, modify, optional) Quality of protection
256 : : * provided. Specify NULL if not required.
257 : : *
258 : : * Converts a message previously protected by gss_wrap back to a
259 : : * usable form, verifying the embedded MIC. The conf_state parameter
260 : : * indicates whether the message was encrypted; the qop_state
261 : : * parameter indicates the strength of protection that was used to
262 : : * provide the confidentiality and integrity services.
263 : : *
264 : : * Since some application-level protocols may wish to use tokens
265 : : * emitted by gss_wrap() to provide "secure framing", implementations
266 : : * must support the wrapping and unwrapping of zero-length messages.
267 : : *
268 : : * Return value:
269 : : *
270 : : * `GSS_S_COMPLETE`: Successful completion.
271 : : *
272 : : * `GSS_S_DEFECTIVE_TOKEN`: The token failed consistency checks.
273 : : *
274 : : * `GSS_S_BAD_SIG`: The MIC was incorrect.
275 : : *
276 : : * `GSS_S_DUPLICATE_TOKEN`: The token was valid, and contained a
277 : : * correct MIC for the message, but it had already been processed.
278 : : *
279 : : * `GSS_S_OLD_TOKEN`: The token was valid, and contained a correct MIC
280 : : * for the message, but it is too old to check for duplication.
281 : : *
282 : : * `GSS_S_UNSEQ_TOKEN`: The token was valid, and contained a correct
283 : : * MIC for the message, but has been verified out of sequence; a later
284 : : * token has already been received.
285 : : *
286 : : * `GSS_S_GAP_TOKEN`: The token was valid, and contained a correct MIC
287 : : * for the message, but has been verified out of sequence; an earlier
288 : : * expected token has not yet been received.
289 : : *
290 : : * `GSS_S_CONTEXT_EXPIRED`: The context has already expired.
291 : : *
292 : : * `GSS_S_NO_CONTEXT`: The context_handle parameter did not identify a
293 : : * valid context.
294 : : **/
295 : : OM_uint32
296 : 3 : gss_unwrap (OM_uint32 * minor_status,
297 : : const gss_ctx_id_t context_handle,
298 : : const gss_buffer_t input_message_buffer,
299 : : gss_buffer_t output_message_buffer,
300 : : int *conf_state, gss_qop_t * qop_state)
301 : : {
302 : : _gss_mech_api_t mech;
303 : :
304 [ - + ]: 3 : if (!context_handle)
305 : : {
306 [ # # ]: 0 : if (minor_status)
307 : 0 : *minor_status = 0;
308 : 0 : return GSS_S_NO_CONTEXT;
309 : : }
310 : :
311 : 3 : mech = _gss_find_mech (context_handle->mech);
312 [ - + ]: 3 : if (mech == NULL)
313 : : {
314 [ # # ]: 0 : if (minor_status)
315 : 0 : *minor_status = 0;
316 : 0 : return GSS_S_BAD_MECH;
317 : : }
318 : :
319 : 3 : return mech->unwrap (minor_status, context_handle, input_message_buffer,
320 : : output_message_buffer, conf_state, qop_state);
321 : : }
|
