oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Initial revision

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17692 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-06-28 08:34:45 +00:00
parent 057d255d5c
commit 2baa7e7d61
98 changed files with 14146 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
lib/gssapi/mech/Makefile Normal file
View File

@@ -0,0 +1,95 @@
# $FreeBSD: src/lib/libgssapi/Makefile,v 1.2 2006/01/01 11:01:01 dfr Exp $
LIB= gssapi
SHLIB_MAJOR= 8
SRCS=
SRCS+= gss_utils.c
SRCS+= gss_mech_switch.c
SRCS+= gss_names.c
SRCS+= gss_acquire_cred.c
SRCS+= gss_release_cred.c
SRCS+= gss_init_sec_context.c
SRCS+= gss_accept_sec_context.c
SRCS+= gss_process_context_token.c
SRCS+= gss_delete_sec_context.c
SRCS+= gss_context_time.c
SRCS+= gss_get_mic.c
SRCS+= gss_verify_mic.c
SRCS+= gss_wrap.c
SRCS+= gss_unwrap.c
SRCS+= gss_display_status.c
SRCS+= gss_indicate_mechs.c
SRCS+= gss_compare_name.c
SRCS+= gss_display_name.c
SRCS+= gss_import_name.c
SRCS+= gss_export_name.c
SRCS+= gss_release_name.c
SRCS+= gss_inquire_cred.c
SRCS+= gss_inquire_context.c
SRCS+= gss_wrap_size_limit.c
SRCS+= gss_add_cred.c
SRCS+= gss_inquire_cred_by_mech.c
SRCS+= gss_export_sec_context.c
SRCS+= gss_import_sec_context.c
SRCS+= gss_inquire_names_for_mech.c
SRCS+= gss_inquire_mechs_for_name.c
SRCS+= gss_canonicalize_name.c
SRCS+= gss_duplicate_name.c
SRCS+= gss_sign.c
SRCS+= gss_verify.c
SRCS+= gss_seal.c
SRCS+= gss_unseal.c
SRCS+= gss_krb5.c
SRCS+= gss_create_empty_oid_set.c
SRCS+= gss_add_oid_set_member.c
SRCS+= gss_test_oid_set_member.c
SRCS+= gss_release_oid_set.c
SRCS+= gss_release_buffer.c
MAN=
MAN+= gssapi.3
MAN+= gss_accept_sec_context.3
MAN+= gss_acquire_cred.3
MAN+= gss_add_cred.3
MAN+= gss_add_oid_set_member.3
MAN+= gss_canonicalize_name.3
MAN+= gss_compare_name.3
MAN+= gss_context_time.3
MAN+= gss_create_empty_oid_set.3
MAN+= gss_delete_sec_context.3
MAN+= gss_display_name.3
MAN+= gss_display_status.3
MAN+= gss_duplicate_name.3
MAN+= gss_export_name.3
MAN+= gss_export_sec_context.3
MAN+= gss_get_mic.3
MAN+= gss_import_name.3
MAN+= gss_import_sec_context.3
MAN+= gss_indicate_mechs.3
MAN+= gss_init_sec_context.3
MAN+= gss_inquire_context.3
MAN+= gss_inquire_cred.3
MAN+= gss_inquire_cred_by_mech.3
MAN+= gss_inquire_mechs_for_name.3
MAN+= gss_inquire_names_for_mech.3
MAN+= gss_process_context_token.3
MAN+= gss_release_buffer.3
MAN+= gss_release_cred.3
MAN+= gss_release_name.3
MAN+= gss_release_oid_set.3
MAN+= gss_test_oid_set_member.3
MAN+= gss_unwrap.3
MAN+= gss_verify_mic.3
MAN+= gss_wrap.3
MAN+= gss_wrap_size_limit.3
MAN+= mech.5
MLINKS=
MLINKS+= gss_get_mic.3 gss_sign.3
MLINKS+= gss_unwrap.3 gss_unseal.3
MLINKS+= gss_verify_mic.3 gss_verify.3
MLINKS+= gss_wrap.3 gss_seal.3
MLINKS+= mech.5 qop.5
.include <bsd.lib.mk>

32
lib/gssapi/mech/context.h Normal file
View File

@@ -0,0 +1,32 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/context.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
struct _gss_context {
struct _gss_mech_switch *gc_mech;
gss_ctx_id_t gc_ctx;
};

43
lib/gssapi/mech/cred.h Normal file
View File

@@ -0,0 +1,43 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/cred.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <sys/queue.h>
struct _gss_mechanism_cred {
SLIST_ENTRY(_gss_mechanism_cred) gmc_link;
struct _gss_mech_switch *gmc_mech; /* mechanism ops for MC */
gss_OID gmc_mech_oid; /* mechanism oid for MC */
gss_cred_id_t gmc_cred; /* underlying MC */
};
SLIST_HEAD(_gss_mechanism_cred_list, _gss_mechanism_cred);
struct _gss_cred {
gss_cred_usage_t gc_usage;
struct _gss_mechanism_cred_list gc_mc;
};

484
lib/gssapi/mech/gss_accept_sec_context.3 Normal file
View File

@@ -0,0 +1,484 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_ACCEPT_SEC_CONTEXT 3 PRM
.Sh NAME
.Nm gss_accept_sec_context
.Nd Accept a security context initiated by a peer application
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_accept_sec_context
.Fa "OM_uint32 *minor_status
.Fa "gss_ctx_id_t *context_handle"
.Fa "const gss_cred_id_t acceptor_cred_handle"
.Fa "const gss_buffer_t input_token_buffer"
.Fa "const gss_channel_bindings_t input_chan_bindings"
.Fa "const gss_name_t *src_name"
.Fa "gss_OID *mech_type"
.Fa "gss_buffer_t output_token"
.Fa "OM_uint32 *ret_flags"
.Fa "OM_uint32 *time_rec"
.Fa "gss_cred_id_t *delegated_cred_handle"
.Fc
.Sh DESCRIPTION
Allows a remotely initiated security context between the application
and a remote peer to be established. The routine may return a
.Fa output_token
which should be transferred to the peer application,
where the peer application will present it to
.Xr gss_init_sec_context 3 .
If no token need be sent,
.Fn gss_accept_sec_context
will indicate this
by setting the length field of the
.Fa output_token
argument to zero.
To complete the context establishment, one or more reply tokens may be
required from the peer application; if so,
.Fn gss_accept_sec_context
will return a status flag of
.Dv GSS_S_CONTINUE_NEEDED , in which case it
should be called again when the reply token is received from the peer
application, passing the token to
.Fn gss_accept_sec_context
via the
.Fa input_token
parameters.
.Pp
Portable applications should be constructed to use the token length
and return status to determine whether a token needs to be sent or
waited for. Thus a typical portable caller should always invoke
.Fn gss_accept_sec_context
within a loop:
.Bd -literal
gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
do {
receive_token_from_peer(input_token);
maj_stat = gss_accept_sec_context(&min_stat,
&context_hdl,
cred_hdl,
input_token,
input_bindings,
&client_name,
&mech_type,
output_token,
&ret_flags,
&time_rec,
&deleg_cred);
if (GSS_ERROR(maj_stat)) {
report_error(maj_stat, min_stat);
};
if (output_token->length != 0) {
send_token_to_peer(output_token);
gss_release_buffer(&min_stat, output_token);
};
if (GSS_ERROR(maj_stat)) {
if (context_hdl != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat,
&context_hdl,
GSS_C_NO_BUFFER);
break;
};
} while (maj_stat & GSS_S_CONTINUE_NEEDED);
.Ed
.Pp
Whenever the routine returns a major status that includes the value
.Dv GSS_S_CONTINUE_NEEDED , the context is not fully established and the
following restrictions apply to the output parameters:
.Pp
The value returned via the
.Fa time_rec
parameter is undefined Unless the
accompanying
.Fa ret_flags
parameter contains the bit
.Dv GSS_C_PROT_READY_FLAG , indicating that per-message services may be
applied in advance of a successful completion status, the value
returned via the
.Fa mech_type
parameter may be undefined until the
routine returns a major status value of
.Dv GSS_S_COMPLETE .
.Pp
The values of the
.Dv GSS_C_DELEG_FLAG ,
.Dv GSS_C_MUTUAL_FLAG ,
.Dv GSS_C_REPLAY_FLAG ,
.Dv GSS_C_SEQUENCE_FLAG ,
.Dv GSS_C_CONF_FLAG ,
.Dv GSS_C_INTEG_FLAG
and
.Dv GSS_C_ANON_FLAG bits returned
via the
.Fa ret_flags
parameter should contain the values that the
implementation expects would be valid if context establishment were
to succeed.
.Pp
The values of the
.Dv GSS_C_PROT_READY_FLAG
and
.Dv GSS_C_TRANS_FLAG bits
within
.Fa ret_flags
should indicate the actual state at the time
.Fn gss_accept_sec_context
returns, whether or not the context is fully established.
.Pp
Although this requires that GSS-API implementations set the
.Dv GSS_C_PROT_READY_FLAG
in the final
.Fa ret_flags
returned to a caller
(i.e. when accompanied by a
.Dv GSS_S_COMPLETE
status code), applications
should not rely on this behavior as the flag was not defined in
Version 1 of the GSS-API. Instead, applications should be prepared to
use per-message services after a successful context establishment,
according to the
.Dv GSS_C_INTEG_FLAG
and
.Dv GSS_C_CONF_FLAG values.
.Pp
All other bits within the
.Fa ret_flags
argument should be set to zero.
While the routine returns
.Dv GSS_S_CONTINUE_NEEDED , the values returned
via the
.Fa ret_flags
argument indicate the services that the
implementation expects to be available from the established context.
.Pp
If the initial call of
.Fn gss_accept_sec_context
fails, the
implementation should not create a context object, and should leave
the value of the context_handle parameter set to
.Dv GSS_C_NO_CONTEXT to
indicate this. In the event of a failure on a subsequent call, the
implementation is permitted to delete the "half-built" security
context (in which case it should set the
.Fa context_handle
parameter to
.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the
security context (and the context_handle parameter) untouched for the
application to delete (using
.Xr gss_delete_sec_context 3 ).
.Pp
During context establishment, the informational status bits
.Dv GSS_S_OLD_TOKEN
and
.Dv GSS_S_DUPLICATE_TOKEN
indicate fatal errors, and
GSS-API mechanisms should always return them in association with a
routine error of
.Dv GSS_S_FAILURE . This requirement for pairing did not
exist in version 1 of the GSS-API specification, so applications that
wish to run over version 1 implementations must special-case these
codes.
.Sh PARAMETERS
.Bl -tag
.It context_handle
Context handle for new context.
Supply
.Dv GSS_C_NO_CONTEXT for first
call; use value returned in subsequent calls.
Once
.Fn gss_accept_sec_context
has returned a
value via this parameter, resources have been
assigned to the corresponding context, and must
be freed by the application after use with a
call to
.Xr gss_delete_sec_context 3 .
.It acceptor_cred_handle
Credential handle claimed by context acceptor.
Specify
.Dv GSS_C_NO_CREDENTIAL to accept the context as a
default principal.
If
.Dv GSS_C_NO_CREDENTIAL is
specified, but no default acceptor principal is
defined,
.Dv GSS_S_NO_CRED will be returned.
.It input_token_buffer
Token obtained from remote application.
.It input_chan_bindings
Application-specified bindings.
Allows application to securely bind channel identification information
to the security context.
If channel bindings are not used, specify
.Dv GSS_C_NO_CHANNEL_BINDINGS .
.It src_name
Authenticated name of context initiator.
After use, this name should be deallocated by passing it to
.Xr gss_release_name 3 .
If not required, specify
.Dv NULL .
.It mech_type
Security mechanism used.
The returned OID value will be a pointer into static storage,
and should be treated as read-only by the caller
(in particular, it does not need to be freed).
If not required, specify
.Dv NULL .
.It output_token
Token to be passed to peer application.
If the length field of the returned token buffer is 0,
then no token need be passed to the peer application.
If a non-zero length field is returned,
the associated storage must be freed after use by the
application with a call to
.Xr gss_release_buffer 3 .
.It ret_flags
Contains various independent flags,
each of which indicates that the context supports a specific service option.
If not needed, specify
.Dv NULL .
Symbolic names are provided for each flag,
and the symbolic names corresponding to the required flags should be
logically-ANDed with the
.Fa ret_flags
value to test whether a given option is supported by the context.
The flags are:
.Bl -tag -width "WW"
.It GSS_C_DELEG_FLAG
.Bl -tag -width "False"
.It True
Delegated credentials are available via the delegated_cred_handle parameter
.It False
No credentials were delegated
.El
.It GSS_C_MUTUAL_FLAG
.Bl -tag -width "False"
.It True
Remote peer asked for mutual authentication
.It False
Remote peer did not ask for mutual authentication
.El
.It GSS_C_REPLAY_FLAG
.Bl -tag -width "False"
.It True
Replay of protected messages will be detected
.It False
Replayed messages will not be detected
.El
.It GSS_C_SEQUENCE_FLAG
.Bl -tag -width "False"
.It True
Out-of-sequence protected messages will be detected
.It False
Out-of-sequence messages will not be detected
.El
.It GSS_C_CONF_FLAG
.Bl -tag -width "False"
.It True
Confidentiality service may be invoked by calling the
.Xr gss_wrap 3
routine
.It False
No confidentiality service (via
.Xr gss_wrap 3 )
available.
.Xr gss_wrap 3
will provide message encapsulation,
data-origin authentication and integrity services only.
.El
.It GSS_C_INTEG_FLAG
.Bl -tag -width "False"
.It True
Integrity service may be invoked by calling either
.Xr gss_get_mic 3
or
.Xr gss_wrap 3
routines.
.It False
Per-message integrity service unavailable.
.El
.It GSS_C_ANON_FLAG
.Bl -tag -width "False"
.It True
The initiator does not wish to be authenticated; the
.Fa src_name
parameter (if requested) contains an anonymous internal name.
.It False
The initiator has been authenticated normally.
.El
.It GSS_C_PROT_READY_FLAG
.Bl -tag -width "False"
.It True
Protection services (as specified by the states of the
.Dv GSS_C_CONF_FLAG
and
.Dv GSS_C_INTEG_FLAG )
are available if the accompanying major status return value is either
.Dv GSS_S_COMPLETE
or
.Dv GSS_S_CONTINUE_NEEDED.
.It False
Protection services (as specified by the states of the
.Dv GSS_C_CONF_FLAG
and
.Dv GSS_C_INTEG_FLAG )
are available only if the accompanying major status return value is
.Dv GSS_S_COMPLETE .
.El
.It GSS_C_TRANS_FLAG
.Bl -tag -width "False"
.It True
The resultant security context may be transferred to other processes
via a call to
.Xr gss_export_sec_context 3 .
.It False
The security context is not transferable.
.El
.El
.Pp
All other bits should be set to zero.
.It time_rec
Number of seconds for which the context will remain valid.
Specify
.Dv NULL
if not required.
.It delegated_cred_handle
Credential
handle for credentials received from context initiator.
Only valid if
.Dv GSS_C_DELEG_FLAG
in
.Fa ret_flags
is true,
in which case an explicit credential handle
(i.e. not
.Dv GSS_C_NO_CREDENTIAL )
will be returned; if false,
.Fn gss_accept_context
will set this parameter to
.Dv GSS_C_NO_CREDENTIAL .
If a credential handle is returned,
the associated resources must be released by the application after use
with a call to
.Xr gss_release_cred 3 .
Specify
.Dv NULL if not required.
.It minor_status
Mechanism specific status code.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_CONTINUE_NEEDED
Indicates that a token from the peer application is required to
complete the context,
and that gss_accept_sec_context must be called again with that token.
.It GSS_S_DEFECTIVE_TOKEN
Indicates that consistency checks performed on the input_token failed.
.It GSS_S_DEFECTIVE_CREDENTIAL
Indicates that consistency checks performed on the credential failed.
.It GSS_S_NO_CRED
The supplied credentials were not valid for context acceptance,
or the credential handle did not reference any credentials.
.It GSS_S_CREDENTIALS_EXPIRED
The referenced credentials have expired.
.It GSS_S_BAD_BINDINGS
The input_token contains different channel bindings to those specified via the
input_chan_bindings parameter.
.It GSS_S_NO_CONTEXT
Indicates that the supplied context handle did not refer to a valid context.
.It GSS_S_BAD_SIG
The input_token contains an invalid MIC.
.It GSS_S_OLD_TOKEN
The input_token was too old.
This is a fatal error during context establishment.
.It GSS_S_DUPLICATE_TOKEN
The input_token is valid,
but is a duplicate of a token already processed.
This is a fatal error during context establishment.
.It GSS_S_BAD_MECH
The received token specified a mechanism that is not supported by
the implementation or the provided credential.
.El
.Sh SEE ALSO
.Xr gss_delete_sec_context 3 ,
.Xr gss_export_sec_context 3 ,
.Xr gss_get_mic 3 ,
.Xr gss_init_sec_context 3 ,
.Xr gss_release_buffer 3 ,
.Xr gss_release_cred 3 ,
.Xr gss_release_name 3 ,
.Xr gss_wrap 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.El
.\" .Sh HISTORY
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

221
lib/gssapi/mech/gss_accept_sec_context.c Normal file
View File

@@ -0,0 +1,221 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "context.h"
#include "cred.h"
#include "name.h"
OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token,
const gss_channel_bindings_t input_chan_bindings,
gss_name_t *src_name,
gss_OID *mech_type,
gss_buffer_t output_token,
OM_uint32 *ret_flags,
OM_uint32 *time_rec,
gss_cred_id_t *delegated_cred_handle)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle;
struct _gss_mechanism_cred *mc;
gss_cred_id_t acceptor_mc, delegated_mc;
gss_name_t src_mn;
int allocated_ctx;
*minor_status = 0;
if (src_name) *src_name = 0;
if (mech_type) *mech_type = 0;
if (ret_flags) *ret_flags = 0;
if (time_rec) *time_rec = 0;
if (delegated_cred_handle) *delegated_cred_handle = 0;
output_token->length = 0;
output_token->value = 0;
/*
* If this is the first call (*context_handle is NULL), we must
* parse the input token to figure out the mechanism to use.
*/
if (*context_handle == GSS_C_NO_CONTEXT) {
unsigned char *p = input_token->value;
size_t len = input_token->length;
size_t a, b;
gss_OID_desc mech_oid;
/*
* Token must start with [APPLICATION 0] SEQUENCE.
*/
if (len == 0 || *p != 0x60)
return (GSS_S_DEFECTIVE_TOKEN);
p++;
len--;
/*
* Decode the length and make sure it agrees with the
* token length.
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
if ((*p & 0x80) == 0) {
a = *p;
p++;
len--;
} else {
b = *p & 0x7f;
p++;
len--;
if (len < b)
return (GSS_S_DEFECTIVE_TOKEN);
a = 0;
while (b) {
a = (a << 8) | *p;
p++;
len--;
b--;
}
}
if (a != len)
return (GSS_S_DEFECTIVE_TOKEN);
/*
* Decode the OID for the mechanism. Simplify life by
* assuming that the OID length is less than 128 bytes.
*/
if (len < 2 || *p != 0x06)
return (GSS_S_DEFECTIVE_TOKEN);
if ((p[1] & 0x80) || p[1] > (len - 2))
return (GSS_S_DEFECTIVE_TOKEN);
mech_oid.length = p[1];
p += 2;
len -= 2;
mech_oid.elements = p;
/*
* Now that we have a mechanism, we can find the
* implementation.
*/
ctx = malloc(sizeof(struct _gss_context));
if (!ctx) {
*minor_status = ENOMEM;
return (GSS_S_DEFECTIVE_TOKEN);
}
memset(ctx, 0, sizeof(struct _gss_context));
m = ctx->gc_mech = _gss_find_mech_switch(&mech_oid);
if (!m) {
free(ctx);
return (GSS_S_BAD_MECH);
}
allocated_ctx = 1;
} else {
m = ctx->gc_mech;
allocated_ctx = 0;
}
if (cred) {
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link)
if (mc->gmc_mech == m)
break;
if (!mc)
return (GSS_S_BAD_MECH);
acceptor_mc = mc->gmc_cred;
} else {
acceptor_mc = GSS_C_NO_CREDENTIAL;
}
delegated_mc = GSS_C_NO_CREDENTIAL;
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
acceptor_mc,
input_token,
input_chan_bindings,
&src_mn,
mech_type,
output_token,
ret_flags,
time_rec,
&delegated_mc);
if (major_status != GSS_S_COMPLETE &&
major_status != GSS_S_CONTINUE_NEEDED)
return (major_status);
if (!src_name) {
m->gm_release_name(minor_status, &src_mn);
} else {
/*
* Make a new name and mark it as an MN.
*/
struct _gss_name *name = _gss_make_name(m, src_mn);
if (!name) {
m->gm_release_name(minor_status, &src_mn);
return (GSS_S_FAILURE);
}
*src_name = (gss_name_t) name;
}
if (*ret_flags & GSS_C_DELEG_FLAG) {
if (!delegated_cred_handle) {
m->gm_release_cred(minor_status, &delegated_mc);
*ret_flags &= ~GSS_C_DELEG_FLAG;
} else {
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
cred = malloc(sizeof(struct _gss_cred));
if (!cred) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!mc) {
free(cred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
m->gm_inquire_cred(minor_status, delegated_mc,
0, 0, &cred->gc_usage, 0);
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
mc->gmc_cred = delegated_mc;
SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
*delegated_cred_handle = (gss_cred_id_t) cred;
}
}
*context_handle = (gss_ctx_id_t) ctx;
return (major_status);
}

238
lib/gssapi/mech/gss_acquire_cred.3 Normal file
View File

@@ -0,0 +1,238 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_acquire_cred.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_ACQUIRE_CRED 3 PRM
.Sh NAME
.Nm gss_acquire_cred
.Nd Obtain a GSS-API credential handle for pre-existing credentials
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_acquire_cred
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t desired_name"
.Fa "OM_uint32 time_req"
.Fa "const gss_OID_set desired_mechs"
.Fa "gss_cred_usage_t cred_usage"
.Fa "gss_cred_id_t *output_cred_handle"
.Fa "gss_OID_set *actual_mechs"
.Fa "OM_uint32 *time_rec"
.Fc
.Sh DESCRIPTION
Allows an application to acquire a handle for a pre-existing
credential by name.
GSS-API implementations must impose a local
access-control policy on callers of this routine to prevent
unauthorized callers from acquiring credentials to which they are not
entitled.
This routine is not intended to provide a "login to the
network" function, as such a function would involve the creation of
new credentials rather than merely acquiring a handle to existing
credentials.
Such functions, if required, should be defined in
implementation-specific extensions to the API.
.Pp
If desired_name is
.Dv GSS_C_NO_NAME ,
the call is interpreted as a
request for a credential handle that will invoke default behavior
when passed to
.Fn gss_init_sec_context
(if cred_usage is
.Dv GSS_C_INITIATE
or
.Dv GSS_C_BOTH )
or
.Fn gss_accept_sec_context
(if cred_usage is
.Dv GSS_C_ACCEPT
or
.Dv GSS_C_BOTH ).
.Pp
Mechanisms should honor the
.Fa desired_mechs
parameter,
and return a credential that is suitable to use only with the
requested mechanisms.
An exception to this is the case where one underlying credential
element can be shared by multiple mechanisms;
in this case it is permissible for an implementation to indicate all
mechanisms with which the credential element may be used.
If
.Fa desired_mechs
is an empty set, behavior is undefined.
.Pp
This routine is expected to be used primarily by context acceptors,
since implementations are likely to provide mechanism-specific ways
of obtaining GSS-API initiator credentials from the system login
process.
Some implementations may therefore not support the acquisition of
.Dv GSS_C_INITIATE
or
.Dv GSS_C_BOTH
credentials via
.Fn gss_acquire_cred
for any name other than
.Dv GSS_C_NO_NAME ,
or a name produced by applying either
.Fn gss_inquire_cred
to a valid credential, or
.Fn gss_inquire_context
to an active context.
.Pp
If credential acquisition is time-consuming for a mechanism,
the mechanism may choose to delay the actual acquisition until the
credential is required
(e.g. by
.Fn gss_init_sec_context
or
.Fn gss_accept_sec_context ).
Such mechanism-specific implementation
decisions should be invisible to the calling application;
thus a call of
.Fn gss_inquire_cred
immediately following the call of
.Fn gss_acquire_cred
must return valid credential data,
and may therefore incur the overhead of a deferred credential acquisition.
.Sh PARAMETERS
.Bl -tag
.It desired_name
Name of principal whose credential should be acquired.
.It time_req
Number of seconds that credentials should remain valid.
Specify
.Dv GSS_C_INDEFINITE
to request that the credentials have the maximum
permitted lifetime.
.It desired_mechs
Set of underlying security mechanisms that may be used.
.Dv GSS_C_NO_OID_SET
may be used to obtain an implementation-specific default.
.It cred_usage
.Bl -tag -width "GSS_C_INITIATE"
.It GSS_C_BOTH
Credentials may be used either to initiate or accept security
contexts.
.It GSS_C_INITIATE
Credentials will only be used to initiate security contexts.
.It GSS_C_ACCEPT
Credentials will only be used to accept security contexts.
.El
.It output_cred_handle
The returned credential handle.
Resources
associated with this credential handle must be released by
the application after use with a call to
.Fn gss_release_cred .
.It actual_mechs
The set of mechanisms for which the credential is valid.
Storage associated with the returned OID-set must be released by the
application after use with a call to
.Fn gss_release_oid_set .
Specify
.Dv NULL if not required.
.It time_rec
Actual number of seconds for which the returned credentials will
remain valid.
If the implementation does not support expiration of credentials,
the value
.Dv GSS_C_INDEFINITE
will be returned.
Specify NULL if not required.
.It minor_status
Mechanism specific status code.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion.
.It GSS_S_BAD_MECH
Unavailable mechanism requested.
.It GSS_S_BAD_NAMETYPE
Type contained within desired_name parameter is not supported.
.It GSS_S_BAD_NAME
Value supplied for desired_name parameter is ill formed.
.It GSS_S_CREDENTIALS_EXPIRED
The credentials could not be acquired Because they have expired.
.It GSS_S_NO_CRED
No credentials were found for the specified name.
.El
.Sh SEE ALSO
.Xr gss_init_sec_context 3 ,
.Xr gss_accept_sec_context 3 ,
.Xr gss_inquire_cred 3 ,
.Xr gss_inquire_context 3 ,
.Xr gss_release_cred 3 ,
.Xr gss_release_oid_set 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

166
lib/gssapi/mech/gss_acquire_cred.c Normal file
View File

@@ -0,0 +1,166 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
#include "cred.h"
OM_uint32
gss_acquire_cred(OM_uint32 *minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
OM_uint32 major_status;
gss_OID_set mechs = desired_mechs;
gss_OID_set_desc set;
struct _gss_name *name = (struct _gss_name *) desired_name;
struct _gss_mech_switch *m;
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
struct _gss_mechanism_name *mn;
OM_uint32 min_time, time;
int i;
/*
* First make sure that at least one of the requested
* mechanisms is one that we support.
*/
if (mechs) {
_gss_load_mech();
for (i = 0; i < mechs->count; i++) {
int t;
gss_test_oid_set_member(minor_status,
&mechs->elements[i], _gss_mech_oids, &t);
if (t)
break;
}
if (i == mechs->count) {
*output_cred_handle = 0;
*minor_status = 0;
return (GSS_S_BAD_MECH);
}
}
if (actual_mechs) {
major_status = gss_create_empty_oid_set(minor_status,
actual_mechs);
if (major_status)
return (major_status);
}
cred = malloc(sizeof(struct _gss_cred));
if (!cred) {
if (actual_mechs)
gss_release_oid_set(minor_status, actual_mechs);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
cred->gc_usage = cred_usage;
SLIST_INIT(&cred->gc_mc);
if (mechs == GSS_C_NO_OID_SET)
mechs = _gss_mech_oids;
set.count = 1;
min_time = GSS_C_INDEFINITE;
for (i = 0; i < mechs->count; i++) {
m = _gss_find_mech_switch(&mechs->elements[i]);
if (!m)
continue;
if (desired_name != GSS_C_NO_NAME) {
mn = _gss_find_mn(name, &mechs->elements[i]);
if (!mn)
continue;
}
mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!mc) {
continue;
}
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
/*
* XXX Probably need to do something with actual_mechs.
*/
set.elements = &mechs->elements[i];
major_status = m->gm_acquire_cred(minor_status,
(desired_name != GSS_C_NO_NAME
? mn->gmn_name : GSS_C_NO_NAME),
time_req, &set, cred_usage,
&mc->gmc_cred, NULL, &time);
if (major_status) {
free(mc);
continue;
}
if (time < min_time)
min_time = time;
if (actual_mechs) {
major_status = gss_add_oid_set_member(minor_status,
mc->gmc_mech_oid, actual_mechs);
if (major_status) {
m->gm_release_cred(minor_status,
&mc->gmc_cred);
free(mc);
continue;
}
}
SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
}
/*
* If we didn't manage to create a single credential, return
* an error.
*/
if (!SLIST_FIRST(&cred->gc_mc)) {
free(cred);
if (actual_mechs)
gss_release_oid_set(minor_status, actual_mechs);
*output_cred_handle = 0;
*minor_status = 0;
return (GSS_S_NO_CRED);
}
if (time_rec)
*time_rec = min_time;
*output_cred_handle = (gss_cred_id_t) cred;
*minor_status = 0;
return (GSS_S_COMPLETE);
}

338
lib/gssapi/mech/gss_add_cred.3 Normal file
View File

@@ -0,0 +1,338 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_add_cred.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_ADD_CRED 3 PRM
.Sh NAME
.Nm gss_add_cred
.Nd Construct credentials incrementally
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_add_cred
.Fa "OM_uint32 *minor_status"
.Fa "const gss_cred_id_t input_cred_handle"
.Fa "const gss_name_t desired_name"
.Fa "const gss_OID desired_mech"
.Fa "gss_cred_usage_t cred_usage"
.Fa "OM_uint32 initiator_time_req"
.Fa "OM_uint32 acceptor_time_req"
.Fa "gss_cred_id_t *output_cred_handle"
.Fa "gss_OID_set *actual_mechs"
.Fa "OM_uint32 *initiator_time_rec"
.Fa "OM_uint32 *acceptor_time_rec"
.Fc
.Sh DESCRIPTION
Adds a credential-element to a credential.
The credential-element is identified by the name of the principal to
which it refers.
GSS-API implementations must impose a local access-control policy on
callers of this routine to prevent unauthorized callers from acquiring
credential-elements to which they are not entitled.
This routine is not intended to provide a "login to the network"
function,
as such a function would involve the creation of new
mechanism-specific authentication data,
rather than merely acquiring a GSS-API handle to existing data.
Such functions,
if required,
should be defined in implementation-specific extensions to the API.
.Pp
If
.Fa desired_name
is
.Dv GSS_C_NO_NAME ,
the call is interpreted as a request to add a credential element that
will invoke default behavior when passed to
.Fn gss_init_sec_context
(if cred_usage is
.Dv GSS_C_INITIATE
or
.Dv GSS_C_BOTH )
or
.Fn gss_accept_sec_context
(if
.Fa cred_usage
is
.Dv GSS_C_ACCEPT
or
.Dv GSS_C_BOTH ).
.PP
This routine is expected to be used primarily by context acceptors,
since implementations are likely to provide mechanism-specific ways of
obtaining GSS-API initiator credentials from the system login process.
Some implementations may therefore not support the acquisition of
.Dv GSS_C_INITIATE
or
.Dv GSS_C_BOTH
credentials via
.Fn gss_acquire_cred
for any name other than
.Dv GSS_C_NO_NAME ,
or a name produced by applying either
.Fn gss_inquire_cred
to a valid credential,
or
.Fn gss_inquire_context
to an active context.
.Pp
If credential acquisition is time-consuming for a mechanism,
the mechanism may choose to delay the actual acquisition until the
credential is required (e.g. by
.Fn gss_init_sec_context
or
.Fn gss_accept_sec_context ).
Such mechanism-specific implementation decisions should be invisible
to the calling application;
thus a call of
.Fn gss_inquire_cred
immediately following the call of
.Fn gss_add_cred
must return valid credential data,
and may therefore incur the overhead of a deferred credential acquisition.
.Pp
This routine can be used to either compose a new credential containing
all credential-elements of the original in addition to the
newly-acquire credential-element,
or to add the new credential-element to an existing credential.
If
.Dv NULL
is specified for the
.Fa output_cred_handle
parameter argument,
the new credential-element will be added to the credential identified
by
.Fa input_cred_handle ;
if a valid pointer is specified for the
.Fa output_cred_handle
parameter,
a new credential handle will be created.
.Pp
If
.Dv GSS_C_NO_CREDENTIAL
is specified as the
.Fa input_cred_handle ,
.Fn gss_add_cred
will compose a credential (and set the
.Fa output_cred_handle
parameter accordingly) based on default behavior.
That is, the call will have the same effect as if the application had
first made a call to
.Fn gss_acquire_cred ,
specifying the same usage and passing
.Dv GSS_C_NO_NAME
as the
.Fa desired_name
parameter to obtain an explicit credential handle embodying default
behavior,
passed this credential handle to
.Fn gss_add_cred ,
and finally called
.Fn gss_release_cred
on the first credential handle.
.Pp
If
.Dv GSS_C_NO_CREDENTIAL
is specified as the
.Fa input_cred_handle
parameter,
a non-
.Dv NULL
.Fa output_cred_handle
must be supplied.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It input_cred_handle
The credential to which a credential-element will be added.
If
.Dv GSS_C_NO_CREDENTIAL
is specified, the routine will compose the new credential based on
default behavior (see description above).
Note that, while the credential-handle is not modified by
.Fn gss_add_cred ,
the underlying credential will be modified if
.Fa output_credential_handle
is
.Dv NULL .
.It desired_name
Name of principal whose credential should be acquired.
.It desired_mech
Underlying security mechanism with which the credential may be used.
.It cred_usage
.Bl -tag -width "GSS_C_INITIATE"
.It GSS_C_BOTH
Credential may be used either to initiate or accept security
contexts.
.It GSS_C_INITIATE
Credential will only be used to initiate security contexts.
.It GSS_C_ACCEPT
Credential will only be used to accept security contexts.
.El
.It initiator_time_req
Number of seconds that the credential should remain valid for
initiating security contexts.
This argument is ignored if the composed credentials are of type
.Dv GSS_C_ACCEPT .
Specify
.Dv GSS_C_INDEFINITE
to request that the credentials have the maximum permitted initiator lifetime.
.It acceptor_time_req
Number of seconds that the credential should remain valid for
accepting security contexts.
This argument is ignored if the composed credentials are of type
.Dv GSS_C_INITIATE .
Specify
.Dv GSS_C_INDEFINITE
to request that the credentials have the maximum permitted initiator lifetime.
.It output_cred_handle
The returned credential handle,
containing
the new credential-element and all the credential-elements from
.Fa input_cred_handle .
If a valid pointer to a
.Fa gss_cred_id_t
is supplied for this parameter,
.Fn gss_add_cred
creates a new credential handle containing all credential-elements
from the
.Fa input_cred_handle
and the newly acquired credential-element;
if
.Dv NULL
is specified for this parameter,
the newly acquired credential-element will be added to the credential
identified by
.Fa input_cred_handle .
.Pp
The resources associated with any credential handle returned via this
parameter must be released by the application after use with a call to
.Fn gss_release_cred .
.It actual_mechs
The complete set of mechanisms for which the new credential is valid.
Storage for the returned OID-set must be freed by the application
after use with a call to
.Fn gss_release_oid_set .
Specify
.Dv NULL if not required.
.It initiator_time_rec
Actual number of seconds for which the returned credentials will
remain valid for initiating contexts using the specified mechanism.
If the implementation or mechanism does not support expiration of
credentials,
the value
.Dv GSS_C_INDEFINITE
will be returned.
Specify
.Dv NULL
if not required.
.It acceptor_time_rec
Actual number of seconds for which the returned credentials will
remain valid for accepting security contexts using the specified
mechanism.
If the implementation or mechanism does not support expiration of
credentials,
the value
.Dv GSS_C_INDEFINITE
will be returned.
Specify
.Dv NULL
if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion.
.It GSS_S_BAD_MECH
Unavailable mechanism requested.
.It GSS_S_BAD_NAMETYPE
Type contained within desired_name parameter is not supported
.It GSS_S_BAD_NAME
Value supplied for desired_name parameter is ill-formed.
.It GSS_S_DUPLICATE_ELEMENT
The credential already contains an element for the requested mechanism
with overlapping usage and validity period.
.It GSS_S_CREDENTIALS_EXPIRED
The required credentials could not be added because they have expired.
.It GSS_S_NO_CRED
No credentials were found for the specified name.
.El
.Sh SEE ALSO
.Xr gss_init_sec_context 3 ,
.Xr gss_accept_sec_context 3 ,
.Xr gss_acquire_cred 3 ,
.Xr gss_inquire_cred 3 ,
.Xr gss_inquire_context 3 ,
.Xr gss_release_cred 3 ,
.Xr gss_release_oid_set 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

178
lib/gssapi/mech/gss_add_cred.c Normal file
View File

@@ -0,0 +1,178 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <errno.h>
#include "mech_switch.h"
#include "cred.h"
#include "name.h"
static struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc)
{
struct _gss_mechanism_cred *new_mc;
struct _gss_mech_switch *m = mc->gmc_mech;
OM_uint32 major_status, minor_status;
gss_name_t name;
gss_cred_id_t cred;
OM_uint32 initiator_lifetime, acceptor_lifetime;
gss_cred_usage_t cred_usage;
major_status = m->gm_inquire_cred_by_mech(&minor_status,
mc->gmc_cred, mc->gmc_mech_oid,
&name, &initiator_lifetime, &acceptor_lifetime, &cred_usage);
if (major_status)
return (0);
major_status = m->gm_add_cred(&minor_status,
GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid,
cred_usage, initiator_lifetime, acceptor_lifetime,
&cred, 0, 0, 0);
m->gm_release_name(&minor_status, &name);
if (major_status)
return (0);
new_mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!new_mc) {
m->gm_release_cred(&minor_status, &cred);
return (0);
}
new_mc->gmc_mech = m;
new_mc->gmc_mech_oid = &m->gm_mech_oid;
new_mc->gmc_cred = cred;
return (new_mc);
}
OM_uint32
gss_add_cred(OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
gss_OID_set_desc set;
struct _gss_name *name = (struct _gss_name *) desired_name;
struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
struct _gss_cred *new_cred;
struct _gss_mechanism_cred *mc, *target_mc, *copy_mc;
struct _gss_mechanism_name *mn;
OM_uint32 min_time, time, junk;
int i;
*output_cred_handle = 0;
*minor_status = 0;
new_cred = malloc(sizeof(struct _gss_cred));
if (!new_cred) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
new_cred->gc_usage = cred_usage;
SLIST_INIT(&new_cred->gc_mc);
/*
* We go through all the mc attached to the input_cred_handle
* and check the mechanism. If it matches, we call
* gss_add_cred for that mechanism, otherwise we copy the mc
* to new_cred.
*/
target_mc = 0;
if (cred) {
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
if (_gss_oid_equal(mc->gmc_mech, desired_mech)) {
target_mc = mc;
}
copy_mc = _gss_copy_cred(mc);
if (!copy_mc) {
gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link);
}
}
/*
* Figure out a suitable mn, if any.
*/
if (desired_name) {
mn = _gss_find_mn((struct _gss_name *) desired_name,
desired_mech);
if (!mn) {
free(new_cred);
return (GSS_S_BAD_NAME);
}
} else {
mn = 0;
}
m = _gss_find_mech_switch(desired_mech);
mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!mc) {
gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
major_status = m->gm_add_cred(minor_status,
target_mc ? target_mc->gmc_cred : GSS_C_NO_CREDENTIAL,
desired_name ? mn->gmn_name : GSS_C_NO_NAME,
desired_mech,
cred_usage,
initiator_time_req,
acceptor_time_req,
&mc->gmc_cred,
actual_mechs,
initiator_time_rec,
acceptor_time_rec);
if (major_status) {
gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
free(mc);
return (major_status);
}
SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
*output_cred_handle = (gss_cred_id_t) new_cred;
return (GSS_S_COMPLETE);
}

130
lib/gssapi/mech/gss_add_oid_set_member.3 Normal file
View File

@@ -0,0 +1,130 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_add_oid_set_member.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_ADD_OID_SET_MEMBER 3 PRM
.Sh NAME
.Nm gss_add_oid_set_member
.Nd Add an object identifier to a set
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_add_oid_set_member
.Fa "OM_uint32 *minor_status"
.Fa "const gss_OID member_oid"
.Fa "gss_OID_set *oid_set"
.Fc
.Sh DESCRIPTION
Add an Object Identifier to an Object Identifier set.
This routine is intended for use in conjunction with
.Fn gss_create_empty_oid_set
when constructing a set of mechanism OIDs for input to
.Fn gss_acquire_cred .
The
.Fa oid_set
parameter must refer to an OID-set that was created by GSS-API
(e.g. a set returned by
.Fn gss_create_empty_oid_set ).
GSS-API creates a copy of the
.Fa member_oid
and inserts this copy into the set,
expanding the storage allocated to the OID-set's elements array if
necessary.
The routine may add the new member OID anywhere within the elements
array,
and implementations should verify that the new
.Fa member_oid
is not already contained within the elements array;
if the
.Fa member_oid
is already present,
the
.Fa oid_set
should remain unchanged.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It member_oid
The object identifier to copied into the set.
.It oid_set
The set in which the object identifier should be inserted.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh SEE ALSO
.Xr gss_create_empty_oid_set 3 ,
.Xr gss_acquire_cred 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

77
lib/gssapi/mech/gss_add_oid_set_member.c Normal file
View File

@@ -0,0 +1,77 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_add_oid_set_member.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
OM_uint32
gss_add_oid_set_member(OM_uint32 *minor_status,
const gss_OID member_oid,
gss_OID_set *oid_set)
{
OM_uint32 major_status;
gss_OID_set set = *oid_set;
gss_OID new_elements;
gss_OID new_oid;
int t;
*minor_status = 0;
major_status = gss_test_oid_set_member(minor_status,
member_oid, *oid_set, &t);
if (major_status)
return (major_status);
if (t)
return (GSS_S_COMPLETE);
new_elements = malloc((set->count + 1) * sizeof(gss_OID_desc));
if (!new_elements) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
new_oid = &new_elements[set->count];
new_oid->elements = malloc(member_oid->length);
if (!new_oid->elements) {
free(new_elements);
return (GSS_S_FAILURE);
}
new_oid->length = member_oid->length;
memcpy(new_oid->elements, member_oid->elements, member_oid->length);
if (set->elements) {
memcpy(new_elements, set->elements,
set->count * sizeof(gss_OID_desc));
free(set->elements);
}
set->elements = new_elements;
set->count++;
return (GSS_S_COMPLETE);
}

137
lib/gssapi/mech/gss_canonicalize_name.3 Normal file
View File

@@ -0,0 +1,137 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_canonicalize_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_CANONICALIZE_NAME 3 PRM
.Sh NAME
.Nm gss_canonicalize_name
.Nd Convert an internal name to an MN
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_canonicalize_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t input_name"
.Fa "const gss_OID mech_type"
.Fa "gss_name_t *output_name"
.Fc
.Sh DESCRIPTION
Generate a canonical mechanism name (MN) from an arbitrary internal
name.
The mechanism name is the name that would be returned to a context
acceptor on successful authentication of a context where the initiator
used the
.Fa input_name
in a successful call to
.Fn gss_acquire_cred ,
specifying an OID set containing
.Fa mech_type
as its only member,
followed by a call to
.Fn gss_init_sec_context ,
specifying
.Fa mech_type
as the authentication mechanism.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It input_name
The name for which a canonical form is desired.
.It mech_type
The authentication mechanism for which the canonical form of the name
is desired.
The desired mechanism must be specified explicitly;
no default is provided.
.It output_name
The resultant canonical name.
Storage associated with this name must be freed by the application
after use with a call to
.Fn gss_release_name .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion.
.It GSS_S_BAD_MECH
The identified mechanism is not supported.
.It GSS_S_BAD_NAMETYPE
The provided internal name contains no elements that could be
processed by the specified mechanism.
.It GSS_S_BAD_NAME
The provided internal name was ill-formed.
.El
.Sh SEE ALSO
.Xr gss_acquire_cred 3 ,
.Xr gss_init_sec_context 3 ,
.Xr gss_release_name 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

91
lib/gssapi/mech/gss_canonicalize_name.c Normal file
View File

@@ -0,0 +1,91 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_canonicalize_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32
gss_canonicalize_name(OM_uint32 *minor_status,
const gss_name_t input_name,
const gss_OID mech_type,
gss_name_t *output_name)
{
OM_uint32 major_status;
struct _gss_name *name = (struct _gss_name *) input_name;
struct _gss_mechanism_name *mn;
struct _gss_mech_switch *m = _gss_find_mech_switch(mech_type);
gss_name_t new_canonical_name;
*minor_status = 0;
*output_name = 0;
mn = _gss_find_mn(name, mech_type);
if (!mn) {
return (GSS_S_BAD_MECH);
}
m = mn->gmn_mech;
major_status = m->gm_canonicalize_name(minor_status,
mn->gmn_name, mech_type, &new_canonical_name);
if (major_status)
return (major_status);
/*
* Now we make a new name and mark it as an MN.
*/
*minor_status = 0;
name = malloc(sizeof(struct _gss_name));
if (!name) {
m->gm_release_name(minor_status, &new_canonical_name);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(name, 0, sizeof(struct _gss_name));
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn) {
m->gm_release_name(minor_status, &new_canonical_name);
free(name);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
SLIST_INIT(&name->gn_mn);
mn->gmn_mech = m;
mn->gmn_mech_oid = &m->gm_mech_oid;
mn->gmn_name = new_canonical_name;
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
*output_name = (gss_name_t) name;
return (GSS_S_COMPLETE);
}

122
lib/gssapi/mech/gss_compare_name.3 Normal file
View File

@@ -0,0 +1,122 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_compare_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_COMPARE_NAME PRM
.Sh NAME
.Nm gss_compare_name
.Nd Compare two internal-form names
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_compare_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t name1"
.Fa "const gss_name_t name2"
.Fa "int *name_equal"
.Fc
.Sh DESCRIPTION
Allows an application to compare two internal-form names to determine
whether they refer to the same entity.
.Pp
If either name presented to
.Fn gss_compare_name
denotes an anonymous principal,
the routines should indicate that the two names do not refer to the
same identity.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It name1
Internal-form name.
.It name2
Internal-form name.
.It name_equal
.Bl -tag
.It non-zero
Names refer to same entity
.It zero
Names refer to different entities (strictly, the names are not known
to refer to the same identity).
.El
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_NAMETYPE
The two names were of incomparable types.
.It GSS_S_BAD_NAME
One or both of name1 or name2 was ill-formed.
.El
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

76
lib/gssapi/mech/gss_compare_name.c Normal file
View File

@@ -0,0 +1,76 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_compare_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32
gss_compare_name(OM_uint32 *minor_status,
const gss_name_t name1_arg,
const gss_name_t name2_arg,
int *name_equal)
{
struct _gss_name *name1 = (struct _gss_name *) name1_arg;
struct _gss_name *name2 = (struct _gss_name *) name2_arg;
/*
* First check the implementation-independant name if both
* names have one. Otherwise, try to find common mechanism
* names and compare them.
*/
if (name1->gn_value.value && name2->gn_value.value) {
*name_equal = 1;
if (!_gss_oid_equal(name1->gn_type, name2->gn_type)) {
*name_equal = 0;
} else if (name1->gn_value.length != name2->gn_value.length ||
memcmp(name1->gn_value.value, name1->gn_value.value,
name1->gn_value.length)) {
*name_equal = 0;
}
} else {
struct _gss_mechanism_name *mn1;
struct _gss_mechanism_name *mn2;
SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid);
if (mn2) {
return (mn1->gmn_mech->gm_compare_name(
minor_status,
mn1->gmn_name,
mn2->gmn_name,
name_equal));
}
}
*name_equal = 0;
}
*minor_status = 0;
return (GSS_S_COMPLETE);
}

108
lib/gssapi/mech/gss_context_time.3 Normal file
View File

@@ -0,0 +1,108 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_context_time.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_CONTEXT_TIME 3 PRM
.Sh NAME
.Nm gss_context_time
.Nd Determine for how long a context will remain valid
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_context_time
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "OM_uint32 *time_rec"
.Fc
.Sh DESCRIPTION
Determines the number of seconds for which the specified context will
remain valid.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Identifies the context to be interrogated.
.It time_rec
Number of seconds that the context will remain valid.
If the context has already expired, zero will be returned.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_CONTEXT_EXPIRED
The context has already expired
.It GSS_S_NO_CONTEXT
The context_handle parameter did not identify a valid context
.El
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

43
lib/gssapi/mech/gss_context_time.c Normal file
View File

@@ -0,0 +1,43 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_context_time.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_context_time(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 *time_rec)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_context_time(minor_status, ctx->gc_ctx, time_rec));
}

112
lib/gssapi/mech/gss_create_empty_oid_set.3 Normal file
View File

@@ -0,0 +1,112 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_create_empty_oid_set.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_CREATE_EMPTY_OID_SET 3 PRM
.Sh NAME
.Nm gss_create_empty_oid_set
.Nd Create a set containing no object identifiers
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_create_empty_oid_set
.Fa "OM_uint32 *minor_status"
.Fa "gss_OID_set *oid_set"
.Fc
.Sh DESCRIPTION
Create an object-identifier set containing no object identifiers,
to which members may be subsequently added using the
.Fn gss_add_oid_set_member
routine.
These routines are intended to be used to construct sets of mechanism
object identifiers for input to
.Fn gss_acquire_cred .
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It oid_set
The empty object identifier set.
The routine will allocate the gss_OID_set_desc object,
which the application must free after use with a call to
.Fn gss_release_oid_set .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh SEE ALSO
.Xr gss_add_oid_set_member 3 ,
.Xr gss_acquire_cred 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

53
lib/gssapi/mech/gss_create_empty_oid_set.c Normal file
View File

@@ -0,0 +1,53 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_create_empty_oid_set.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
OM_uint32
gss_create_empty_oid_set(OM_uint32 *minor_status,
gss_OID_set *oid_set)
{
gss_OID_set set;
*minor_status = 0;
*oid_set = 0;
set = malloc(sizeof(gss_OID_set_desc));
if (!set) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
set->count = 0;
set->elements = 0;
*oid_set = set;
return (GSS_S_COMPLETE);
}

163
lib/gssapi/mech/gss_delete_sec_context.3 Normal file
View File

@@ -0,0 +1,163 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_delete_sec_context.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_DELETE_SEC_CONTEXT 3 PRM
.Sh NAME
.Nm gss_delete_sec_context
.Nd Discard a security context
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_delete_sec_context
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t *context_handle"
.Fa "gss_buffer_t output_token"
.Fc
.Sh DESCRIPTION
Delete a security context.
.Fn gss_delete_sec_context
will delete the local data structures associated with the specified
security context,
and may generate an output_token,
which when passed to the peer
.Fn gss_process_context_token
will instruct it to do likewise.
If no token is required by the mechanism,
the GSS-API should set the length field of the output_token (if
provided) to zero.
No further security services may be obtained using the context
specified by
.Fa context_handle .
.Pp
In addition to deleting established security contexts,
.Fn gss_delete_sec_context
must also be able to delete "half-built" security contexts resulting
from an incomplete sequence of
.Fn gss_init_sec_context
/
.Fn gss_accept_sec_context
calls.
.Pp
The
.Fa output_token
parameter is retained for compatibility with version 1 of the GSS-API.
It is recommended that both peer applications invoke
.Fn gss_delete_sec_context
passing the value
.Dv GSS_C_NO_BUFFER
for the
.Fa output_token
parameter,
indicating that no token is required,
and that
.Fn gss_delete_sec_context
should simply delete local context data structures.
If the application does pass a valid buffer to
.Fn gss_delete_sec_context ,
mechanisms are encouraged to return a zero-length token,
indicating that no peer action is necessary,
and that no token should be transferred by the application.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Context handle identifying context to delete.
After deleting the context,
the GSS-API will set this context handle to
.Dv GSS_C_NO_CONTEXT .
.It output_token
Token to be sent to remote application to instruct it to also delete
the context.
It is recommended that applications specify
.Dv GSS_C_NO_BUFFER
for this parameter,
requesting local deletion only.
If a buffer parameter is provided by the application,
the mechanism may return a token in it;
mechanisms that implement only local deletion should set the length
field of this token to zero to indicate to the application that no
token is to be sent to the peer.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NO_CONTEXT
No valid context was supplied
.El
.Sh SEE ALSO
.Xr gss_process_context_token 3 ,
.Xr gss_init_sec_context 3 ,
.Xr gss_accept_sec_context 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

62
lib/gssapi/mech/gss_delete_sec_context.c Normal file
View File

@@ -0,0 +1,62 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_delete_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_delete_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
*minor_status = 0;
if (ctx) {
/*
* If we have an implementation ctx, delete it,
* otherwise fake an empty token.
*/
if (ctx->gc_ctx) {
major_status = ctx->gc_mech->gm_delete_sec_context(
minor_status, &ctx->gc_ctx, output_token);
} else if (output_token != GSS_C_NO_BUFFER) {
output_token->length = 0;
output_token->value = 0;
}
free(ctx);
*context_handle = 0;
}
return (GSS_S_COMPLETE);
}

151
lib/gssapi/mech/gss_display_name.3 Normal file
View File

@@ -0,0 +1,151 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_display_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_DISPLAY_NAME 3 PRM
.Sh NAME
.Nm gss_display_name
.Nd Convert internal-form name to text
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_display_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t input_name"
.Fa "gss_buffer_t output_name_buffer"
.Fa "gss_OID *output_name_type"
.Fc
.Sh DESCRIPTION
Allows an application to obtain a textual representation of an opaque
internal-form name for display purposes.
The syntax of a printable name is defined by the GSS-API implementation.
.Pp
If
.Fa input_name
denotes an anonymous principal,
the implementation should return the
.Fa gss_OID
value
.Dv GSS_C_NT_ANONYMOUS
as the
.Fa output_name_type ,
and a textual name that is syntactically distinct from all valid
supported printable names in
.Fa output_name_buffer .
.Pp
If
.Fa input_name
was created by a call to
.Fn gss_import_name ,
specifying
.Dv GSS_C_NO_OID
as the name-type,
implementations that employ lazy conversion between name types may
return
.Dv GSS_C_NO_OID
via the
.Fa output_name_type
parameter.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It input_name
Name to be displayed.
.It output_name_buffer
Buffer to receive textual name string.
The application must free storage associated with this name after use
with a call to
.Fn gss_release_buffer .
.It output_name_type
The type of the returned name.
The returned
.Fa gss_OID
will be a pointer into static storage,
and should be treated as read-only by the caller
(in particular, the application should not attempt to free it).
Specify
.Dv NULL
if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_NAME
.Fa input_name
was ill-formed
.El
.Sh SEE ALSO
.Xr gss_import_name 3 ,
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

78
lib/gssapi/mech/gss_display_name.c Normal file
View File

@@ -0,0 +1,78 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_display_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32
gss_display_name(OM_uint32 *minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID *output_name_type)
{
OM_uint32 major_status;
struct _gss_name *name = (struct _gss_name *) input_name;
struct _gss_mechanism_name *mn;
/*
* If we know it, copy the buffer used to import the name in
* the first place. Otherwise, ask all the MNs in turn if
* they can display the thing.
*/
if (name->gn_value.value) {
output_name_buffer->value = malloc(name->gn_value.length);
if (!output_name_buffer->value) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
output_name_buffer->length = name->gn_value.length;
memcpy(output_name_buffer->value, name->gn_value.value,
output_name_buffer->length);
if (output_name_type)
*output_name_type = &name->gn_type;
*minor_status = 0;
return (GSS_S_COMPLETE);
} else {
SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
major_status = mn->gmn_mech->gm_display_name(
minor_status, mn->gmn_name,
output_name_buffer,
output_name_type);
if (major_status == GSS_S_COMPLETE)
return (GSS_S_COMPLETE);
}
}
*minor_status = 0;
return (GSS_S_FAILURE);
}

210
lib/gssapi/mech/gss_display_status.3 Normal file
View File

@@ -0,0 +1,210 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_display_status.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_DISPLAY_STATUS 3 PRM
.Sh NAME
.Nm gss_display_status
.Nd Convert a GSS-API status code to text
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_display_status
.Fa "OM_uint32 *minor_status"
.Fa "OM_uint32 status_value"
.Fa "int status_type"
.Fa "const gss_OID mech_type"
.Fa "OM_uint32 *message_context"
.Fa "gss_buffer_t status_string"
.Fc
.Sh DESCRIPTION
Allows an application to obtain a textual representation of a GSS-API
status code,
for display to the user or for logging purposes.
Since some status values may indicate multiple conditions,
applications may need to call
.Fn gss_display_status
multiple times,
each call generating a single text string.
The
.Fa message_context
parameter is used by
.Fn gss_display_status
to store state information about which error messages have already
been extracted from a given
.Fa status_value ;
.Fa message_context
must be initialized to zero by the application prior to the first call,
and
.Fn gss_display_status
will return a non-zero value in this parameter if there are further
messages to extract.
.Pp
The
.Fa message_context
parameter contains all state information required by
.Fn gss_display_status
in order to extract further messages from the
.Fa status_value ;
even when a non-zero value is returned in this parameter,
the application is not required to call
.Fn gss_display_status
again unless subsequent messages are desired.
The following code extracts all messages from a given status code and prints them to stderr:
.Bd -literal
OM_uint32 message_context;
OM_uint32 status_code;
OM_uint32 maj_status;
OM_uint32 min_status;
gss_buffer_desc status_string;
...
message_context = 0;
do {
maj_status = gss_display_status (
&min_status,
status_code,
GSS_C_GSS_CODE,
GSS_C_NO_OID,
&message_context,
&status_string)
fprintf(stderr,
"%.*s\\n",
(int)status_string.length,
(char *)status_string.value);
gss_release_buffer(&min_status, &status_string);
} while (message_context != 0);
.Ed
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It status_value
Status value to be converted
.It status_type
.Bl -tag
.It GSS_C_GSS_CODE
.Fa status_value
is a GSS status code
.It GSS_C_MECH_CODE
.Fa status_value
is a mechanism status code
.El
.It mech_type
Underlying mechanism (used to interpret a minor status value).
Supply
.Dv GSS_C_NO_OID
to obtain the system default.
.It message_context
Should be initialized to zero by the application prior to the first
call.
On return from
.Fn gss_display_status ,
a non-zero status_value parameter indicates that additional messages
may be extracted from the status code via subsequent calls to
.Fn gss_display_status ,
passing the same
.Fa status_value ,
.Fa status_type ,
.Fa mech_type ,
and
.Fa message_context
parameters.
.It status_string
Textual interpretation of the
.Fa status_value .
Storage associated with this parameter must be freed by the
application after use with a call to
.Fn gss_release_buffer .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_MECH
Indicates that translation in accordance with an unsupported mechanism
type was requested
.It GSS_S_BAD_STATUS
The status value was not recognized, or the status type was neither
.Dv GSS_C_GSS_CODE
nor
.Dv GSS_C_MECH_CODE .
.El
.Sh SEE ALSO
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

110
lib/gssapi/mech/gss_display_status.c Normal file
View File

@@ -0,0 +1,110 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_display_status.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <string.h>
#include "mech_switch.h"
struct _gss_status_desc {
OM_uint32 gs_status;
const char* gs_desc;
};
static struct _gss_status_desc _gss_status_descs[] = {
GSS_S_BAD_MECH, "An unsupported mechanism was requested",
GSS_S_BAD_NAME, "An invalid name was supplied",
GSS_S_BAD_NAMETYPE, "A supplied name was of an unsupported type",
GSS_S_BAD_BINDINGS, "Incorrect channel bindings were supplied",
GSS_S_BAD_STATUS, "An invalid status code was supplied",
GSS_S_BAD_MIC, "A token had an invalid MIC",
GSS_S_NO_CRED, "No credentials were supplied, or the "
"credentials were unavailable or inaccessible",
GSS_S_NO_CONTEXT, "No context has been established",
GSS_S_DEFECTIVE_TOKEN, "A token was invalid",
GSS_S_DEFECTIVE_CREDENTIAL, "A credential was invalid",
GSS_S_CREDENTIALS_EXPIRED, "The referenced credentials have expired",
GSS_S_CONTEXT_EXPIRED, "The context has expired",
GSS_S_FAILURE, "Miscellaneous failure",
GSS_S_BAD_QOP, "The quality-of-protection requested could "
"not be provided",
GSS_S_UNAUTHORIZED, "The operation is forbidden by local security "
"policy",
GSS_S_UNAVAILABLE, "The operation or option is unavailable",
GSS_S_DUPLICATE_ELEMENT, "The requested credential element already "
"exists",
GSS_S_NAME_NOT_MN, "The provided name was not a mechanism name"
};
#define _gss_status_desc_count \
sizeof(_gss_status_descs) / sizeof(_gss_status_descs[0])
OM_uint32
gss_display_status(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 *message_content,
gss_buffer_t status_string)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
int i;
const char *message;
*minor_status = 0;
switch (status_type) {
case GSS_C_GSS_CODE:
for (i = 0; i < _gss_status_desc_count; i++) {
if (_gss_status_descs[i].gs_status == status_value) {
message = _gss_status_descs[i].gs_desc;
status_string->length = strlen(message);
status_string->value = strdup(message);
return (GSS_S_COMPLETE);
}
}
/*
* Fall through to attempt to get some underlying
* implementation to describe the value.
*/
case GSS_C_MECH_CODE:
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (mech_type &&
!_gss_oid_equal(&m->gm_mech_oid, mech_type))
continue;
major_status = m->gm_display_status(minor_status,
status_value, status_type, mech_type,
message_content, status_string);
if (major_status == GSS_S_COMPLETE)
return (GSS_S_COMPLETE);
}
}
return (GSS_S_BAD_STATUS);
}

123
lib/gssapi/mech/gss_duplicate_name.3 Normal file
View File

@@ -0,0 +1,123 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_duplicate_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_DUPLICATE_NAME 3 PRM
.Sh NAME
.Nm gss_duplicate_name
.Nd Create a copy of an internal name
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_duplicate_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t src_name"
.Fa "gss_name_t *dest_name"
.Fc
.Sh DESCRIPTION
Create an exact duplicate of the existing internal name
.Fa src_name .
The new
.Fa dest_name
will be independent of
.Fa src_name
(i.e.
.Fa src_name
and
.Fa dest_name
must both be released,
and the release of one shall not affect the validity of the other).
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It src_name
Internal name to be duplicated.
.It dest_name
The resultant copy of
.Fa src_name.
Storage associated with this name must be freed by the application
after use with a call to
.Fn gss_release_name .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_NAME
The
.Fa src_name
parameter was ill-formed
.El
.Sh SEE ALSO
.Xr gss_release_name 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

78
lib/gssapi/mech/gss_duplicate_name.c Normal file
View File

@@ -0,0 +1,78 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_duplicate_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
const gss_name_t src_name,
gss_name_t *dest_name)
{
OM_uint32 major_status;
struct _gss_name *name = (struct _gss_name *) src_name;
struct _gss_name *new_name;
struct _gss_mechanism_name *mn;
*minor_status = 0;
/*
* If this name has a value (i.e. it didn't come from
* gss_canonicalize_name(), we re-import the thing. Otherwise,
* we make an empty name to hold the MN copy.
*/
if (name->gn_value.value) {
major_status = gss_import_name(minor_status,
&name->gn_value, &name->gn_type, dest_name);
if (major_status != GSS_S_COMPLETE)
return (major_status);
new_name = (struct _gss_name *) *dest_name;
} else {
new_name = malloc(sizeof(struct _gss_name));
if (!new_name) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(new_name, 0, sizeof(struct _gss_name));
SLIST_INIT(&name->gn_mn);
*dest_name = (gss_name_t) new_name;
}
/*
* Import the new name into any mechanisms listed in the
* original name. We could probably get away with only doing
* this if the original was canonical.
*/
SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
_gss_find_mn(new_name, mn->gmn_mech_oid);
}
return (GSS_S_COMPLETE);
}

128
lib/gssapi/mech/gss_export_name.3 Normal file
View File

@@ -0,0 +1,128 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_export_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_EXPORT_NAME 3 PRM
.Sh NAME
.Nm gss_export_name
.Nd Convert an MN to export form
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_export_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t input_name"
.Fa "gss_buffer_t exported_name"
.Fc
.Sh DESCRIPTION
To produce a canonical contiguous string representation of a mechanism
name (MN),
suitable for direct comparison
(e.g. with memcmp)
for use in authorization functions
(e.g. matching entries in an access-control list).
The
.Fa input_name
parameter must specify a valid MN
(i.e. an internal name generated by
.Fn gss_accept_sec_context
or by
.Fn gss_canonicalize_name ).
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It input_name
The MN to be exported.
.It exported_name
The canonical contiguous string form of
.Fa input_name .
Storage associated with this string must freed by the application
after use with
.Fn gss_release_buffer .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NAME_NOT_MN
The provided internal name was not a mechanism name.
.It GSS_S_BAD_NAME
The provided internal name was ill-formed.
.It GSS_S_BAD_NAMETYPE
The internal name was of a type not supported by the GSS-API implementation.
.El
.Sh SEE ALSO
.Xr gss_accept_sec_context 3 ,
.Xr gss_canonicalize_name 3 ,
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

58
lib/gssapi/mech/gss_export_name.c Normal file
View File

@@ -0,0 +1,58 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_export_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32
gss_export_name(OM_uint32 *minor_status,
const gss_name_t input_name,
gss_buffer_t exported_name)
{
struct _gss_name *name = (struct _gss_name *) input_name;
struct _gss_mechanism_name *mn;
/*
* If this name already has any attached MNs, export the first
* one, otherwise export based on the first mechanism in our
* list.
*/
mn = SLIST_FIRST(&name->gn_mn);
if (!mn)
mn = _gss_find_mn(name,
&SLIST_FIRST(&_gss_mechs)->gm_mech_oid);
if (!mn) {
*minor_status = 0;
return (GSS_S_BAD_MECH);
}
return mn->gmn_mech->gm_export_name(minor_status,
mn->gmn_name, exported_name);
}

168
lib/gssapi/mech/gss_export_sec_context.3 Normal file
View File

@@ -0,0 +1,168 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_export_sec_context.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_EXPORT_SEC_CONTEXT 3 PRM
.Sh NAME
.Nm gss_export_sec_context
.Nd Transfer a security context to another process
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_export_sec_context
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t *context_handle"
.Fa "gss_buffer_t interprocess_token"
.Fc
.Sh DESCRIPTION
Provided to support the sharing of work between multiple processes.
This routine will typically be used by the context-acceptor,
in an application where a single process receives incoming connection
requests and accepts security contexts over them,
then passes the established context to one or more other processes for
message exchange.
.Fn gss_export_sec_context
deactivates the security context for the calling process and creates
an interprocess token which,
when passed to
.Fn gss_import_sec_context
in another process,
will re-activate the context in the second process.
Only a single instantiation of a given context may be active at any
one time;
a subsequent attempt by a context exporter to access the exported security context will fail.
.Pp
The implementation may constrain the set of processes by which the
interprocess token may be imported,
either as a function of local security policy,
or as a result of implementation decisions.
For example,
some implementations may constrain contexts to be passed only between
processes that run under the same account,
or which are part of the same process group.
.Pp
The interprocess token may contain security-sensitive information
(for example cryptographic keys).
While mechanisms are encouraged to either avoid placing such sensitive
information within interprocess tokens,
or to encrypt the token before returning it to the application,
in a typical object-library GSS-API implementation this may not be
possible.
Thus the application must take care to protect the interprocess token,
and ensure that any process to which the token is transferred is
trustworthy.
.Pp
If creation of the interprocess token is successful,
the implementation shall deallocate all process-wide resources
associated with the security context,
and set the context_handle to
.Dv GSS_C_NO_CONTEXT .
In the event of an error that makes it impossible to complete the
export of the security context,
the implementation must not return an interprocess token,
and should strive to leave the security context referenced by the
.Fa context_handle
parameter untouched.
If this is impossible,
it is permissible for the implementation to delete the security
context,
providing it also sets the
.Fa context_handle
parameter to
.Dv GSS_C_NO_CONTEXT .
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Context handle identifying the context to transfer.
.It interprocess_token
Token to be transferred to target process.
Storage associated with this token must be freed by the application
after use with a call to
.Fn gss_release_buffer .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_CONTEXT_EXPIRED
The context has expired
.It GSS_S_NO_CONTEXT
The context was invalid
.It GSS_S_UNAVAILABLE
The operation is not supported
.El
.Sh SEE ALSO
.Xr gss_import_sec_context 3 ,
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

77
lib/gssapi/mech/gss_export_sec_context.c Normal file
View File

@@ -0,0 +1,77 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_export_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_export_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
gss_buffer_desc buf;
major_status = m->gm_export_sec_context(minor_status,
&ctx->gc_ctx, &buf);
if (major_status == GSS_S_COMPLETE) {
unsigned char *p;
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
interprocess_token->length = buf.length
+ 2 + m->gm_mech_oid.length;
interprocess_token->value = malloc(interprocess_token->length);
if (!interprocess_token->value) {
/*
* We are in trouble here - the context is
* already gone. This is allowed as long as we
* set the caller's context_handle to
* GSS_C_NO_CONTEXT, which we did above.
* Return GSS_S_FAILURE.
*/
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
p = interprocess_token->value;
p[0] = m->gm_mech_oid.length >> 8;
p[1] = m->gm_mech_oid.length;
memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length);
memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length);
gss_release_buffer(minor_status, &buf);
}
return (major_status);
}

165
lib/gssapi/mech/gss_get_mic.3 Normal file
View File

@@ -0,0 +1,165 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_get_mic.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_GET_MIC 3 PRM
.Sh NAME
.Nm gss_get_mic ,
.Nm gss_sign
.Nd Calculate a cryptographic message integrity code (MIC) for a
message; integrity service
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_get_mic
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "gss_qop_t qop_req"
.Fa "const gss_buffer_t message_buffer"
.Fa "gss_buffer_t msg_token"
.Fc
.Ft OM_uint32
.Fo gss_sign
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "gss_qop_t qop_req"
.Fa "gss_buffer_t message_buffer"
.Fa "gss_buffer_t msg_token"
.Fc
.Sh DESCRIPTION
Generates a cryptographic MIC for the supplied message,
and places the MIC in a token for transfer to the peer application.
The
.Fa qop_req
parameter allows a choice between several cryptographic algorithms,
if supported by the chosen mechanism.
.Pp
Since some application-level protocols may wish to use tokens emitted
by
.Fn gss_wrap
to provide "secure framing",
implementations must support derivation of MICs from zero-length messages.
.Pp
The
.Fn gss_sign
routine is an obsolete variant of
.Fn gss_get_mic .
It is
provided for backwards
compatibility with applications using the GSS-API V1 interface.
A distinct entrypoint (as opposed to #define) is provided,
both to allow GSS-API V1 applications to link
and to retain the slight parameter type differences between the
obsolete versions of this routine and its current form.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Identifies the context on which the message will be sent.
.It qop_req
Specifies requested quality of protection.
Callers are encouraged, on portability grounds,
to accept the default quality of protection offered by the chosen
mechanism,
which may be requested by specifying
.Dv GSS_C_QOP_DEFAULT
for this parameter.
If an unsupported protection strength is requested,
.Fn gss_get_mic
will return a
.Fa major_status
of
.Dv GSS_S_BAD_QOP .
.It message_buffer
Message to be protected.
.It msg_token
Buffer to receive token.
The application must free storage associated with this buffer after
use with a call to
.Fn gss_release_buffer .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_CONTEXT_EXPIRED
The context has already expired
.It GSS_S_NO_CONTEXT
The context_handle parameter did not identify a valid context
.It GSS_S_BAD_QOP
The specified QOP is not supported by the mechanism
.El
.Sh SEE ALSO
.Xr gss_wrap 3 ,
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

46
lib/gssapi/mech/gss_get_mic.c Normal file
View File

@@ -0,0 +1,46 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_get_mic.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_get_mic(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req,
message_buffer, message_token));
}

139
lib/gssapi/mech/gss_import_name.3 Normal file
View File

@@ -0,0 +1,139 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_import_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_IMPORT_NAME 3 PRM
.Sh NAME
.Nm gss_import_name
.Nd Convert a contiguous string name to internal-form
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_import_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_buffer_t input_name_buffer"
.Fa "const gss_OID input_name_type"
.Fa "gss_name_t *output_name"
.Fc
.Sh DESCRIPTION
Convert a contiguous string name to internal form.
In general,
the internal name returned (via the
.Fa output_name
parameter) will not be an MN;
the exception to this is if the
.Fa input_name_type
indicates that the contiguous string provided via the
.Fa input_name_buffer
parameter is of type
.Dv GSS_C_NT_EXPORT_NAME ,
in which case the returned internal name will be an MN for the
mechanism that exported the name.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It input_name_buffer
Buffer containing contiguous string name to convert.
.It input_name_type
Object ID specifying type of printable name.
Applications may specify either
.Dv GSS_C_NO_OID
to use a mechanism-specific default printable syntax,
or an OID recognized by the GSS-API implementation to name a specific
namespace.
.It output_name
Returned name in internal form.
Storage associated with this name must be freed by the application
after use with a call to
.Fn gss_release_name .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_NAMETYPE
The
.Fa input_name_type
was unrecognized
.It GSS_S_BAD_NAME
The
.Fa input_name
parameter could not be interpreted as a name of the specified type
.It GSS_S_BAD_MECH
The input name-type was
.Dv GSS_C_NT_EXPORT_NAME ,
but the mechanism contained within the input-name is not supported
.El
.Sh SEE ALSO
.Xr gss_release_name 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

219
lib/gssapi/mech/gss_import_name.c Normal file
View File

@@ -0,0 +1,219 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_import_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "utils.h"
#include "name.h"
static OM_uint32
_gss_import_export_name(OM_uint32 *minor_status,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
OM_uint32 major_status;
unsigned char *p = input_name_buffer->value;
size_t len = input_name_buffer->length;
size_t t;
gss_OID_desc mech_oid;
struct _gss_mech_switch *m;
struct _gss_name *name;
struct _gss_mechanism_name *mn;
gss_name_t new_canonical_name;
*minor_status = 0;
*output_name = 0;
/*
* Make sure that TOK_ID is {4, 1}.
*/
if (len < 2)
return (GSS_S_BAD_NAME);
if (p[0] != 4 || p[1] != 1)
return (GSS_S_BAD_NAME);
p += 2;
len -= 2;
/*
* Get the mech length and the name length and sanity
* check the size of of the buffer.
*/
if (len < 2)
return (GSS_S_BAD_NAME);
t = (p[0] << 8) + p[1];
p += 2;
len -= 2;
/*
* Check the DER encoded OID to make sure it agrees with the
* length we just decoded.
*/
if (p[0] != 6) /* 6=OID */
return (GSS_S_BAD_NAME);
p++;
len--;
t--;
if (p[0] & 0x80) {
int digits = p[0];
p++;
len--;
t--;
mech_oid.length = 0;
while (digits--) {
mech_oid.length = (mech_oid.length << 8) | p[0];
p++;
len--;
t--;
}
} else {
mech_oid.length = p[0];
p++;
len--;
t--;
}
if (mech_oid.length != t)
return (GSS_S_BAD_NAME);
mech_oid.elements = p;
if (len < t + 4)
return (GSS_S_BAD_NAME);
p += t;
len -= t;
t = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
p += 4;
len -= 4;
if (len != t)
return (GSS_S_BAD_NAME);
m = _gss_find_mech_switch(&mech_oid);
if (!m)
return (GSS_S_BAD_MECH);
/*
* Ask the mechanism to import the name.
*/
major_status = m->gm_import_name(minor_status,
input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name);
/*
* Now we make a new name and mark it as an MN.
*/
name = _gss_make_name(m, new_canonical_name);
if (!name) {
m->gm_release_name(minor_status, &new_canonical_name);
return (GSS_S_FAILURE);
}
*output_name = (gss_name_t) name;
*minor_status = 0;
return (GSS_S_COMPLETE);
}
OM_uint32
gss_import_name(OM_uint32 *minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,
gss_name_t *output_name)
{
gss_OID name_type = input_name_type;
OM_uint32 major_status;
struct _gss_name *name;
if (input_name_buffer->length == 0) {
*minor_status = 0;
*output_name = 0;
return (GSS_S_BAD_NAME);
}
/*
* Use GSS_NT_USER_NAME as default name type.
*/
if (name_type == GSS_C_NO_OID)
name_type = GSS_C_NT_USER_NAME;
/*
* If this is an exported name, we need to parse it to find
* the mechanism and then import it as an MN. See RFC 2743
* section 3.2 for a description of the format.
*/
if (_gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) {
return _gss_import_export_name(minor_status,
input_name_buffer, output_name);
}
/*
* Only allow certain name types. This is pretty bogus - we
* should figure out the list of supported name types using
* gss_inquire_names_for_mech.
*/
if (!_gss_oid_equal(name_type, GSS_C_NT_USER_NAME)
&& !_gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME)
&& !_gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME)
&& !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X)
&& !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE)
&& !_gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS)
&& !_gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {
*minor_status = 0;
*output_name = 0;
return (GSS_S_BAD_NAMETYPE);
}
*minor_status = 0;
name = malloc(sizeof(struct _gss_name));
if (!name) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(name, 0, sizeof(struct _gss_name));
major_status = _gss_copy_oid(minor_status,
name_type, &name->gn_type);
if (major_status) {
free(name);
return (GSS_S_FAILURE);
}
major_status = _gss_copy_buffer(minor_status,
input_name_buffer, &name->gn_value);
if (major_status) {
gss_release_name(minor_status, (gss_name_t*) &name);
return (GSS_S_FAILURE);
}
SLIST_INIT(&name->gn_mn);
*output_name = (gss_name_t) name;
return (GSS_S_COMPLETE);
}

120
lib/gssapi/mech/gss_import_sec_context.3 Normal file
View File

@@ -0,0 +1,120 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_import_sec_context.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_IMPORT_SEC_CONTEXT 3 PRM
.Sh NAME
.Nm gss_import_sec_context
.Nd Import a transferred context
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_import_sec_context
.Fa "OM_uint32 *minor_status"
.Fa "const gss_buffer_t interprocess_token"
.Fa "gss_ctx_id_t *context_handle"
.Fc
.Sh DESCRIPTION
Allows a process to import a security context established by another
process.
A given interprocess token may be imported only once.
See
.Fn gss_export_sec_context .
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It interprocess_token
Token received from exporting process.
.It context_handle
Context handle of newly reactivated context.
Resources associated with this context handle must be released by the
application after use with a call to
.Fn gss_delete_sec_context .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NO_CONTEXT
The token did not contain a valid context reference
.It GSS_S_DEFECTIVE_TOKEN
The token was invalid
.It GSS_S_UNAVAILABLE
The operation is unavailable
.It GSS_S_UNAUTHORIZED
Local policy prevents the import of this context by the current process
.El
.Sh SEE ALSO
.Xr gss_export_sec_context 3 ,
.Xr gss_delete_sec_context 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

86
lib/gssapi/mech/gss_import_sec_context.c Normal file
View File

@@ -0,0 +1,86 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_import_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_import_sec_context(OM_uint32 *minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
struct _gss_context *ctx;
gss_OID_desc mech_oid;
gss_buffer_desc buf;
unsigned char *p;
size_t len;
*minor_status = 0;
*context_handle = 0;
/*
* We added an oid to the front of the token in
* gss_export_sec_context.
*/
p = interprocess_token->value;
len = interprocess_token->length;
if (len < 2)
return (GSS_S_DEFECTIVE_TOKEN);
mech_oid.length = (p[0] << 8) | p[1];
if (len < mech_oid.length + 2)
return (GSS_S_DEFECTIVE_TOKEN);
mech_oid.elements = p + 2;
buf.length = len - 2 - mech_oid.length;
buf.value = p + 2 + mech_oid.length;
m = _gss_find_mech_switch(&mech_oid);
if (!m)
return (GSS_S_DEFECTIVE_TOKEN);
ctx = malloc(sizeof(struct _gss_context));
if (!ctx) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
ctx->gc_mech = m;
major_status = m->gm_import_sec_context(minor_status,
&buf, &ctx->gc_ctx);
if (major_status != GSS_S_COMPLETE) {
free(ctx);
} else {
*context_handle = (gss_ctx_id_t) ctx;
}
return (major_status);
}

107
lib/gssapi/mech/gss_indicate_mechs.3 Normal file
View File

@@ -0,0 +1,107 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_indicate_mechs.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INDICATE_MECHS 3 PRM
.Sh NAME
.Nm gss_indicate_mechs
.Nd Determine available underlying authentication mechanisms
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_indicate_mechs
.Fa "OM_uint32 *minor_status"
.Fa "gss_OID_set *mech_set"
.Fc
.Sh DESCRIPTION
Allows an application to determine which underlying security
mechanisms are available.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It mech_set
Set of implementation-supported mechanisms.
The returned
.Fa mech_set
value will be a dynamically-allocated OID set,
that should be released by the caller after use with a call to
.Fn gss_release_oid_set .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh SEE ALSO
.Xr gss_release_oid_set 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

60
lib/gssapi/mech/gss_indicate_mechs.c Normal file
View File

@@ -0,0 +1,60 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_indicate_mechs.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
OM_uint32
gss_indicate_mechs(OM_uint32 *minor_status,
gss_OID_set *mech_set)
{
struct _gss_mech_switch *m;
OM_uint32 major_status;
gss_OID_set set;
int i;
_gss_load_mech();
major_status = gss_create_empty_oid_set(minor_status, mech_set);
if (major_status)
return (major_status);
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
major_status = m->gm_indicate_mechs(minor_status, &set);
if (major_status)
continue;
for (i = 0; i < set->count; i++)
major_status = gss_add_oid_set_member(minor_status,
&set->elements[i], mech_set);
gss_release_oid_set(minor_status, &set);
}
*minor_status = 0;
return (GSS_S_COMPLETE);
}

571
lib/gssapi/mech/gss_init_sec_context.3 Normal file
View File

@@ -0,0 +1,571 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_init_sec_context.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INIT_SEC_CONTEXT 3 PRM
.Sh NAME
.Nm gss_init_sec_context
.Nd Initiate a security context with a peer application
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_init_sec_context
.Fa "OM_uint32 *minor_status"
.Fa "const gss_cred_id_t initiator_cred_handle"
.Fa "gss_ctx_id_t *context_handle"
.Fa "const gss_name_t target_name"
.Fa "const gss_OID mech_type"
.Fa "OM_uint32 req_flags"
.Fa "OM_uint32 time_req"
.Fa "const gss_channel_bindings_t input_chan_bindings"
.Fa "const gss_buffer_t input_token"
.Fa "gss_OID *actual_mech_type"
.Fa "gss_buffer_t output_token"
.Fa "OM_uint32 *ret_flags"
.Fa "OM_uint32 *time_rec"
.Fc
.Sh DESCRIPTION
Initiates the establishment of a security context between the
application and a remote peer.
Initially, the input_token parameter should be specified either as
.Dv GSS_C_NO_BUFFER, or as a pointer to a
gss_buffer_desc object whose length field contains the value zero.
The routine may return a output_token which should be transferred to
the peer application, where the peer application will present it to
.Xr gss_accept_sec_context 3 . If no token need be sent,
.Fn gss_init_sec_context
will indicate this by setting the
.Dv length field
of the output_token argument to zero. To complete the context
establishment, one or more reply tokens may be required from the peer
application; if so,
.Fn gss_init_sec_context
will return a status
containing the supplementary information bit
.Dv GSS_S_CONTINUE_NEEDED.
In this case,
.Fn gss_init_sec_context
should be called again when the reply token is received from the peer
application, passing the reply token to
.Fn gss_init_sec_context
via the input_token parameters.
.Pp
Portable applications should be constructed to use the token length
and return status to determine whether a token needs to be sent or
waited for. Thus a typical portable caller should always invoke
.Fn gss_init_sec_context
within a loop:
.Bd -literal
int context_established = 0;
gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
...
input_token->length = 0;
while (!context_established) {
maj_stat = gss_init_sec_context(&min_stat,
cred_hdl,
&context_hdl,
target_name,
desired_mech,
desired_services,
desired_time,
input_bindings,
input_token,
&actual_mech,
output_token,
&actual_services,
&actual_time);
if (GSS_ERROR(maj_stat)) {
report_error(maj_stat, min_stat);
};
if (output_token->length != 0) {
send_token_to_peer(output_token);
gss_release_buffer(&min_stat, output_token)
};
if (GSS_ERROR(maj_stat)) {
if (context_hdl != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat,
&context_hdl,
GSS_C_NO_BUFFER);
break;
};
if (maj_stat & GSS_S_CONTINUE_NEEDED) {
receive_token_from_peer(input_token);
} else {
context_established = 1;
};
};
.Ed
.Pp
Whenever the routine returns a major status that includes the value
.Dv GSS_S_CONTINUE_NEEDED, the context is not fully established and the
following restrictions apply to the output parameters:
.Bl -bullet
.It
The value returned via the
.Fa time_rec
parameter is undefined Unless
the accompanying
.Fa ret_flags
parameter contains the bit
.Dv GSS_C_PROT_READY_FLAG, indicating that per-message services may be
applied in advance of a successful completion status, the value
returned via the
.Fa actual_mech_type
parameter is undefined until the
routine returns a major status value of
.Dv GSS_S_COMPLETE.
.It
The values of the
.Dv GSS_C_DELEG_FLAG ,
.Dv GSS_C_MUTUAL_FLAG ,
.Dv GSS_C_REPLAY_FLAG ,
.Dv GSS_C_SEQUENCE_FLAG ,
.Fv GSS_C_CONF_FLAG ,
.Dv GSS_C_INTEG_FLAG and
.Dv GSS_C_ANON_FLAG bits returned via the
.Fa ret_flags
parameter should contain the values that the
implementation expects would be valid if context establishment
were to succeed. In particular, if the application has requested
a service such as delegation or anonymous authentication via the
.Fa req_flags
argument, and such a service is unavailable from the
underlying mechanism,
.Fn gss_init_sec_context
should generate a token
that will not provide the service, and indicate via the
.Fa ret_flags
argument that the service will not be supported. The application
may choose to abort the context establishment by calling
.Xr gss_delete_sec_context 3
(if it cannot continue in the absence of
the service), or it may choose to transmit the token and continue
context establishment (if the service was merely desired but not
mandatory).
.It
The values of the
.Dv GSS_C_PROT_READY_FLAG and
.Dv GSS_C_TRANS_FLAG bits
within
.Fa ret_flags
should indicate the actual state at the time
.Fn gss_init_sec_context
returns, whether or not the context is fully established.
.It
GSS-API implementations that support per-message protection are
encouraged to set the
.Dv GSS_C_PROT_READY_FLAG in the final
.Fa ret_flags
returned to a caller (i.e. when accompanied by a
.Dv GSS_S_COMPLETE
status code). However, applications should not rely on this
behavior as the flag was not defined in Version 1 of the GSS-API.
Instead, applications should determine what per-message services
are available after a successful context establishment according
to the
.Dv GSS_C_INTEG_FLAG and
.Dv GSS_C_CONF_FLAG values.
.It
All other bits within the
.Fa ret_flags
argument should be set to
zero.
.El
.Pp
If the initial call of
.Fn gss_init_sec_context
fails, the
implementation should not create a context object, and should leave
the value of the
.Fa context_handle
parameter set to
.Dv GSS_C_NO_CONTEXT to
indicate this. In the event of a failure on a subsequent call, the
implementation is permitted to delete the "half-built" security
context (in which case it should set the
.Fa context_handle
parameter to
.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the
security context untouched for the application to delete (using
.Xr gss_delete_sec_context 3 ).
.Pp
During context establishment, the informational status bits
.Dv GSS_S_OLD_TOKEN and
.Dv GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
GSS-API mechanisms should always return them in association with a
routine error of
.Dv GSS_S_FAILURE .
This requirement for pairing did not
exist in version 1 of the GSS-API specification, so applications that
wish to run over version 1 implementations must special-case these
codes.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It initiator_cred_handle
handle for credentials claimed. Supply
.Dv GSS_C_NO_CREDENTIAL to act as a default
initiator principal. If no default
initiator is defined, the function will
return
.Dv GSS_S_NO_CRED.
.It context_handle
context handle for new context. Supply
.Dv GSS_C_NO_CONTEXT for first call; use value
returned by first call in continuation calls.
Resources associated with this context-handle
must be released by the application after use
with a call to
.Fn gss_delete_sec_context .
.It target_name
Name of target
.It mech_type
Object ID of desired mechanism. Supply
.Dv GSS_C_NO_OID to obtain an implementation
specific default
.It req_flags
Contains various independent flags, each of
which requests that the context support a
specific service option. Symbolic
names are provided for each flag, and the
symbolic names corresponding to the required
flags should be logically-ORed
together to form the bit-mask value. The
flags are:
.Bl -tag -width "WW"
.It GSS_C_DELEG_FLAG
.Bl -tag -width "False"
.It True
Delegate credentials to remote peer
.It False
Don't delegate
.El
.It GSS_C_MUTUAL_FLAG
.Bl -tag -width "False"
.It True
Request that remote peer authenticate itself
.It False
Authenticate self to remote peer only
.El
.It GSS_C_REPLAY_FLAG
.Bl -tag -width "False"
.It True
Enable replay detection for messages protected with
.Xr gss_wrap 3
or
.Xr gss_get_mic 3
.It False
Don't attempt to detect replayed messages
.El
.It GSS_C_SEQUENCE_FLAG
.Bl -tag -width "False"
.It True
Enable detection of out-of-sequence protected messages
.It False
Don't attempt to detect out-of-sequence messages
.El
.It GSS_C_CONF_FLAG
.Bl -tag -width "False"
.It True
Request that confidentiality service be made available (via
.Xr gss_wrap 3 )
.It False
No per-message confidentiality service is required.
.El
.It GSS_C_INTEG_FLAG
.Bl -tag -width "False"
.It True
Request that integrity service be made available (via
.Xr gss_wrap 3
or
.Xr gss_get_mic 3 )
.It False
No per-message integrity service is required.
.El
.It GSS_C_ANON_FLAG
.Bl -tag -width "False"
.It True
Do not reveal the initiator's identity to the acceptor.
.It False
Authenticate normally.
.El
.El
.It time_req
Desired number of seconds for which context
should remain valid. Supply 0 to request a
default validity period.
.It input_chan_bindings
Application-specified bindings. Allows
application to securely bind channel
identification information to the security
context. Specify
.Dv GSS_C_NO_CHANNEL_BINDINGS
if channel bindings are not used.
.It input_token
Token received from peer application.
Supply
.Dv GSS_C_NO_BUFFER, or a pointer to
a buffer containing the value
.Dv GSS_C_EMPTY_BUFFER
on initial call.
.It actual_mech_type
Actual mechanism used. The OID returned via
this parameter will be a pointer to static
storage that should be treated as read-only;
In particular the application should not attempt
to free it. Specify
.Dv NULL if not required.
.It output_token
token to be sent to peer application. If
the length field of the returned buffer is
zero, no token need be sent to the peer
application. Storage associated with this
buffer must be freed by the application
after use with a call to
.Xr gss_release_buffer 3 .
.It ret_flags
Contains various independent flags, each of which
indicates that the context supports a specific
service option. Specify
.Dv NULL if not
required. Symbolic names are provided
for each flag, and the symbolic names
corresponding to the required flags should be
logically-ANDed with the
.Fa ret_flags
value to test
whether a given option is supported by the
context. The flags are:
.Bl -tag -width "WW"
.It GSS_C_DELEG_FLAG
.Bl -tag -width "False"
.It True
Credentials were delegated to the remote peer
.It False
No credentials were delegated
.El
.It GSS_C_MUTUAL_FLAG
.Bl -tag -width "False"
.It True
The remote peer has authenticated itself.
.It False
Remote peer has not authenticated itself.
.El
.It GSS_C_REPLAY_FLAG
.Bl -tag -width "False"
.It True
Replay of protected messages will be detected
.It False
Replayed messages will not be detected
.El
.It GSS_C_SEQUENCE_FLAG
.Bl -tag -width "False"
.It True
Out-of-sequence protected messages will be detected
.It False
Out-of-sequence messages will not be detected
.El
.It GSS_C_CONF_FLAG
.Bl -tag -width "False"
.It True
Confidentiality service may be invoked by calling
.Xr gss_wrap 3
routine
.It False
No confidentiality service (via
.Xr gss_wrap 3 ) available.
.Xr gss_wrap 3 will
provide message encapsulation,
data-origin authentication and
integrity services only.
.El
.It GSS_C_INTEG_FLAG
.Bl -tag -width "False"
.It True
Integrity service may be invoked by calling either
.Xr gss_get_mic 3
or
.Xr gss_wrap 3
routines.
.It False
Per-message integrity service unavailable.
.El
.It GSS_C_ANON_FLAG
.Bl -tag -width "False"
.It True
The initiator's identity has not been
revealed, and will not be revealed if
any emitted token is passed to the
acceptor.
.It False
The initiator's identity has been or will be authenticated normally.
.El
.It GSS_C_PROT_READY_FLAG
.Bl -tag -width "False"
.It True
Protection services (as specified by the states of the
.Dv GSS_C_CONF_FLAG
and
.Dv GSS_C_INTEG_FLAG ) are available for
use if the accompanying major status
return value is either
.Dv GSS_S_COMPLETE
or
.Dv GSS_S_CONTINUE_NEEDED.
.It False
Protection services (as specified by the states of the
.Dv GSS_C_CONF_FLAG
and
.Dv GSS_C_INTEG_FLAG ) are available
only if the accompanying major status
return value is
.Dv GSS_S_COMPLETE.
.El
.It GSS_C_TRANS_FLAG
.Bl -tag -width "False"
.It True
The resultant security context may be transferred to other processes via
a call to
.Fn gss_export_sec_context .
.It False
The security context is not transferable.
.El
.El
.Pp
All other bits should be set to zero.
.It time_rec
Number of seconds for which the context
will remain valid. If the implementation does
not support context expiration, the value
.Dv GSS_C_INDEFINITE will be returned. Specify
.Dv NULL if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_CONTINUE_NEEDED
Indicates that a token from the peer
application is required to complete the
context, and that gss_init_sec_context
must be called again with that token.
.It GSS_S_DEFECTIVE_TOKEN
Indicates that consistency checks performed
on the input_token failed
.It GSS_S_DEFECTIVE_CREDENTIAL
Indicates that consistency checks
performed on the credential failed.
.It GSS_S_NO_CRED
The supplied credentials were not valid for
context initiation, or the credential handle
did not reference any credentials.
.It GSS_S_CREDENTIALS_EXPIRED
The referenced credentials have expired
.It GSS_S_BAD_BINDINGS
The input_token contains different channel
bindings to those specified via the
input_chan_bindings parameter
.It GSS_S_BAD_SIG
The input_token contains an invalid MIC, or a MIC
that could not be verified
.It GSS_S_OLD_TOKEN
The input_token was too old. This is a fatal
error during context establishment
.It GSS_S_DUPLICATE_TOKEN
The input_token is valid, but is a duplicate
of a token already processed. This is a
fatal error during context establishment.
.It GSS_S_NO_CONTEXT
Indicates that the supplied context handle did
not refer to a valid context
.It GSS_S_BAD_NAMETYPE
The provided target_name parameter contained an
invalid or unsupported type of name
.It GSS_S_BAD_NAME
The provided target_name parameter was ill-formed.
.It GSS_S_BAD_MECH
The specified mechanism is not supported by the
provided credential, or is unrecognized by the
implementation.
.El
.Sh SEE ALSO
.Xr gss_accept_sec_context 3 ,
.Xr gss_delete_sec_context 3 ,
.Xr gss_get_mic 3 ,
.Xr gss_release_buffer 3 ,
.Xr gss_wrap 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.El
.\" .Sh HISTORY
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

129
lib/gssapi/mech/gss_init_sec_context.c Normal file
View File

@@ -0,0 +1,129 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_init_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
#include "cred.h"
#include "context.h"
OM_uint32
gss_init_sec_context(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
struct _gss_name *name = (struct _gss_name *) target_name;
struct _gss_mechanism_name *mn;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
struct _gss_cred *cred = (struct _gss_cred *) initiator_cred_handle;
struct _gss_mechanism_cred *mc;
gss_cred_id_t cred_handle;
int allocated_ctx;
*minor_status = 0;
/*
* If we haven't allocated a context yet, do so now and lookup
* the mechanism switch table. If we have one already, make
* sure we use the same mechanism switch as before.
*/
if (!ctx) {
ctx = malloc(sizeof(struct _gss_context));
if (!ctx) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(ctx, 0, sizeof(struct _gss_context));
m = ctx->gc_mech = _gss_find_mech_switch(mech_type);
if (!m) {
free(ctx);
return (GSS_S_BAD_MECH);
}
allocated_ctx = 1;
} else {
m = ctx->gc_mech;
allocated_ctx = 0;
}
/*
* Find the MN for this mechanism.
*/
mn = _gss_find_mn(name, mech_type);
/*
* If we have a cred, find the cred for this mechanism.
*/
cred_handle = GSS_C_NO_CREDENTIAL;
if (cred) {
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
if (_gss_oid_equal(mech_type, mc->gmc_mech_oid)) {
cred_handle = mc->gmc_cred;
break;
}
}
}
major_status = m->gm_init_sec_context(minor_status,
cred_handle,
&ctx->gc_ctx,
mn->gmn_name,
mech_type,
req_flags,
time_req,
input_chan_bindings,
input_token,
actual_mech_type,
output_token,
ret_flags,
time_rec);
if (major_status != GSS_S_COMPLETE
&& major_status != GSS_S_CONTINUE_NEEDED) {
if (allocated_ctx)
free(ctx);
} else {
*context_handle = (gss_ctx_id_t) ctx;
}
return (major_status);
}

284
lib/gssapi/mech/gss_inquire_context.3 Normal file
View File

@@ -0,0 +1,284 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_inquire_context.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INQUIRE_CONTEXT 3 PRM
.Sh NAME
.Nm gss_inquire_context
.Nd Obtain information about a security context
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_inquire_context
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "gss_name_t *src_name"
.Fa "gss_name_t *targ_name"
.Fa "OM_uint32 *lifetime_rec"
.Fa "gss_OID *mech_type"
.Fa "OM_uint32 *ctx_flags"
.Fa "int *locally_initiated"
.Fa "int *open"
.Fc
.Sh DESCRIPTION
Obtains information about a security context.
The caller must already have obtained a handle that refers to the
context,
although the context need not be fully established.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
A handle that refers to the security context.
.It src_name
The name of the context initiator.
If the context was established using anonymous authentication,
and if the application invoking
.Fn gss_inquire_context
is the context acceptor,
an anonymous name will be returned.
Storage associated with this name must be freed by the application
after use with a call to
.Fn gss_release_name .
Specify
.Dv NULL
if not required.
.It targ_name
The name of the context acceptor.
Storage associated with this name must be freed by the application
after use with a call to
.Fn gss_release_name .
If the context acceptor did not authenticate itself,
and if the initiator did not specify a target name in its call to
.Fn gss_init_sec_context ,
the value
.Dv GSS_C_NO_NAME
will be returned.
Specify
.Dv NULL
if not required.
.It lifetime_rec
The number of seconds for which the context will remain valid.
If the context has expired,
this parameter will be set to zero.
If the implementation does not support context expiration,
the value
.Dv GSS_C_INDEFINITE
will be returned.
Specify
.Dv NULL
if not required.
.It mech_type
The security mechanism providing the context.
The returned OID will be a pointer to static storage that should be
treated as read-only by the application;
in particular the application should not attempt to free it.
Specify
.Dv NULL
if not required.
.It ctx_flags
Contains various independent flags,
each of which indicates that the context supports
(or is expected to support, if
.Fa open
is false)
a specific service option.
If not needed, specify
.Dv NULL .
Symbolic names are provided for each flag,
and the symbolic names corresponding to the required flags should be
logically-ANDed with the
.Fa ctx_flags
value to test whether a given option is supported by the context.
The flags are:
.Bl -tag -width "WW"
.It GSS_C_DELEG_FLAG
.Bl -tag -width "False"
.It True
Credentials were delegated from the initiator to the acceptor.
.It False
No credentials were delegated.
.El
.It GSS_C_MUTUAL_FLAG
.Bl -tag -width "False"
.It True
The acceptor was authenticated to the initiator.
.It False
The acceptor did not authenticate itself.
.El
.It GSS_C_REPLAY_FLAG
.Bl -tag -width "False"
.It True
Replay of protected messages will be detected.
.It False
Replayed messages will not be detected.
.El
.It GSS_C_SEQUENCE_FLAG
.Bl -tag -width "False"
.It True
Out-of-sequence protected messages will be detected.
.It False
Out-of-sequence messages will not be detected.
.El
.It GSS_C_CONF_FLAG
.Bl -tag -width "False"
.It True
Confidentiality service may be invoked by calling
.Fn gss_wrap
routine.
.It False
No confidentiality service
(via
.Fn gss_wrap )
available.
.Fn gss_wrap
will provide message encapsulation,
data-origin authentication and integrity services only.
.El
.It GSS_C_INTEG_FLAG
.Bl -tag -width "False"
.It True
Integrity service may be invoked by calling either
.Fn gss_get_mic
or
.Fn gss_wrap
routines.
.It False
Per-message integrity service unavailable.
.El
.It GSS_C_ANON_FLAG
.Bl -tag -width "False"
.It True
The initiator's identity will not be revealed to the acceptor.
The
.Fa src_name
parameter (if requested) contains an anonymous internal name.
.It False
The initiator has been authenticated normally.
.El
.It GSS_C_PROT_READY_FLAG
.Bl -tag -width "False"
.It True
Protection services
(as specified by the states of the
.Dv GSS_C_CONF_FLAG
and
.Dv GSS_C_INTEG_FLAG )
are available for use.
.It False
Protection services
(as specified by the states of the
.Dv GSS_C_CONF_FLAG
and
.Dv GSS_C_INTEG_FLAG )
are available only if the context is fully established
(i.e. if the
.Fa open
parameter is non-zero).
.El
.It GSS_C_TRANS_FLAG
.Bl -tag -width "False"
.It True
The security context may be transferred to other processes via a call to
.Fn gss_export_sec_context .
.It False
The security context is not transferable.
.El
.El
.It locally_initiated
Non-zero if the invoking application is the context initiator.
Specify
.Dv NULL
if not required.
.It open
Non-zero if the context is fully established;
Zero if a context-establishment token is expected from the peer
application.
Specify
.Dv NULL
if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NO_CONTEXT
The referenced context could not be accessed
.El
.Sh SEE ALSO
.Xr gss_release_name 3 ,
.Xr gss_init_sec_context 3 ,
.Xr gss_wrap 3 ,
.Xr gss_get_mic 3 ,
.Xr gss_export_sec_context 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

88
lib/gssapi/mech/gss_inquire_context.c Normal file
View File

@@ -0,0 +1,88 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_inquire_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
#include "name.h"
OM_uint32
gss_inquire_context(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_name_t *src_name,
gss_name_t *targ_name,
OM_uint32 *lifetime_rec,
gss_OID *mech_type,
OM_uint32 *ctx_flags,
int *locally_initiated,
int *open)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
struct _gss_name *name;
gss_name_t src_mn, targ_mn;
major_status = m->gm_inquire_context(minor_status,
ctx->gc_ctx,
src_name ? &src_mn : 0,
targ_name ? &targ_mn : 0,
lifetime_rec,
mech_type,
ctx_flags,
locally_initiated,
open);
if (src_name) *src_name = 0;
if (targ_name) *targ_name = 0;
if (major_status != GSS_S_COMPLETE) {
return (major_status);
}
if (src_name) {
name = _gss_make_name(m, src_mn);
if (!name) {
minor_status = 0;
return (GSS_S_FAILURE);
}
*src_name = (gss_name_t) name;
}
if (targ_name) {
name = _gss_make_name(m, targ_mn);
if (!name) {
minor_status = 0;
return (GSS_S_FAILURE);
}
*targ_name = (gss_name_t) name;
}
return (GSS_S_COMPLETE);
}

158
lib/gssapi/mech/gss_inquire_cred.3 Normal file
View File

@@ -0,0 +1,158 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_inquire_cred.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INQUIRE_CRED 3 PRM
.Sh NAME
.Nm gss_inquire_cred
.Nd Obtain information about a credential
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_inquire_cred
.Fa "OM_uint32 *minor_status"
.Fa "const gss_cred_id_t cred_handle"
.Fa "gss_ctx_id_t *context_handle"
.Fa "gss_name_t *name"
.Fa "OM_uint32 *lifetime"
.Fa "gss_cred_usage_t *cred_usage"
.Fa "gss_OID_set *mechanisms"
.Fc
.Sh DESCRIPTION
Obtains information about a credential.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It cred_handle
A handle that refers to the target credential.
Specify
.Dv GSS_C_NO_CREDENTIAL
to inquire about the default initiator principal.
.It name
The name whose identity the credential asserts.
Storage associated with this name should be freed by the application
after use with a call to
.Fn gss_release_name .
Specify
.Dv NULL
if not required.
.It lifetime
The number of seconds for which the credential will remain valid.
If the credential has expired,
this parameter will be set to zero.
If the implementation does not support credential expiration,
the value GSS_C_INDEFINITE will be returned.
Specify
.Dv NULL
if not required.
.It cred_usage
How the credential may be used.
One of the following:
.Bl -item -offset indent -compact
.It
.Dv GSS_C_INITIATE
.It
.Dv GSS_C_ACCEPT
.It
.Dv GSS_C_BOTH
.El
Specify
.Dv NULL
if not required.
.It mechanisms
Set of mechanisms supported by the credential.
Storage associated with this OID set must be freed by the application
after use with a call to
.Fn gss_release_oid_set .
Specify
.Dv NULL
if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NO_CRED
The referenced credentials could not be accessed
.It GSS_S_DEFECTIVE_CREDENTIAL
The referenced credentials were invalid
.It GSS_S_CREDENTIALS_EXPIRED
The referenced credentials have expired.
If the lifetime parameter was not passed as
.Dv NULL ,
it will be set to 0
.El
.Sh SEE ALSO
.Xr gss_release_name 3 ,
.Xr gss_release_oid_set 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

167
lib/gssapi/mech/gss_inquire_cred.c Normal file
View File

@@ -0,0 +1,167 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_inquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
#include "cred.h"
OM_uint32
gss_inquire_cred(OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
gss_name_t *name_ret,
OM_uint32 *lifetime,
gss_cred_usage_t *cred_usage,
gss_OID_set *mechanisms)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
struct _gss_mechanism_cred *mc;
struct _gss_name *name;
struct _gss_mechanism_name *mn;
OM_uint32 min_lifetime;
*minor_status = 0;
if (name_ret)
*name_ret = 0;
if (lifetime)
*lifetime = 0;
if (cred_usage)
*cred_usage = 0;
if (name_ret) {
name = malloc(sizeof(struct _gss_name));
if (!name) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(name, 0, sizeof(struct _gss_name));
SLIST_INIT(&name->gn_mn);
} else {
name = 0;
}
if (mechanisms) {
major_status = gss_create_empty_oid_set(minor_status,
mechanisms);
if (major_status) {
if (name) free(name);
return (major_status);
}
}
min_lifetime = GSS_C_INDEFINITE;
if (cred) {
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gss_name_t mc_name;
OM_uint32 mc_lifetime;
major_status = mc->gmc_mech->gm_inquire_cred(minor_status,
mc->gmc_cred, &mc_name, &mc_lifetime, NULL, NULL);
if (major_status)
continue;
if (name) {
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn) {
mc->gmc_mech->gm_release_name(minor_status,
&mc_name);
continue;
}
mn->gmn_mech = mc->gmc_mech;
mn->gmn_mech_oid = mc->gmc_mech_oid;
mn->gmn_name = mc_name;
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
} else {
mc->gmc_mech->gm_release_name(minor_status,
&mc_name);
}
if (mc_lifetime < min_lifetime)
min_lifetime = mc_lifetime;
if (mechanisms)
gss_add_oid_set_member(minor_status,
mc->gmc_mech_oid, mechanisms);
}
} else {
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
gss_name_t mc_name;
OM_uint32 mc_lifetime;
major_status = m->gm_inquire_cred(minor_status,
GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime,
cred_usage, NULL);
if (major_status)
continue;
if (name && mc_name) {
mn = malloc(
sizeof(struct _gss_mechanism_name));
if (!mn) {
mc->gmc_mech->gm_release_name(
minor_status, &mc_name);
continue;
}
mn->gmn_mech = mc->gmc_mech;
mn->gmn_mech_oid = mc->gmc_mech_oid;
mn->gmn_name = mc_name;
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
} else if (mc_name) {
mc->gmc_mech->gm_release_name(minor_status,
&mc_name);
}
if (mc_lifetime < min_lifetime)
min_lifetime = mc_lifetime;
if (mechanisms)
gss_add_oid_set_member(minor_status,
&m->gm_mech_oid, mechanisms);
}
if ((*mechanisms)->count == 0) {
gss_release_oid_set(minor_status, mechanisms);
*minor_status = 0;
return (GSS_S_NO_CRED);
}
}
*minor_status = 0;
if (name_ret)
*name_ret = (gss_name_t) name;
if (lifetime)
*lifetime = min_lifetime;
if (cred && cred_usage)
*cred_usage = cred->gc_usage;
return (GSS_S_COMPLETE);
}

173
lib/gssapi/mech/gss_inquire_cred_by_mech.3 Normal file
View File

@@ -0,0 +1,173 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_inquire_cred_by_mech.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INQUIRE_CRED_BY_MECH 3 PRM
.Sh NAME
.Nm gss_inquire_cred_by_mech
.Nd Obtain per-mechanism information about a credential
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_inquire_cred_by_mech
.Fa "OM_uint32 *minor_status"
.Fa "const gss_cred_id_t cred_handle"
.Fa "const gss_OID mech_type"
.Fa "gss_name_t *name"
.Fa "OM_uint32 *initiator_lifetime"
.Fa "OM_uint32 *acceptor_lifetime"
.Fa "gss_cred_usage_t *cred_usage"
.Fc
.Sh DESCRIPTION
Obtains per-mechanism information about a credential.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It cred_handle
A handle that refers to the target credential.
Specify
.Dv GSS_C_NO_CREDENTIAL
to inquire about the default initiator principal.
.It mech_type
The mechanism for which information should be returned.
.It name
The name whose identity the credential asserts.
Storage associated with this name must be freed by the application
after use with a call to
.Fn gss_release_name .
Specify
.Dv NULL
if not required.
.It initiator_lifetime
The number of seconds for which the credential will remain capable of
initiating security contexts under the specified mechanism.
If the credential can no longer be used to initiate contexts,
or if the credential usage for this mechanism is
.Dv GSS_C_ACCEPT ,
this parameter will be set to zero.
If the implementation does not support expiration of initiator
credentials,
the value
.Dv GSS_C_INDEFINITE
will be returned.
Specify
.Dv NULL
if not required.
.It acceptor_lifetime
The number of seconds for which the credential will remain capable of
accepting security contexts under the specified mechanism.
If the credential can no longer be used to accept contexts,
or if the credential usage for this mechanism is
.Dv GSS_C_INITIATE ,
this parameter will be set to zero.
If the implementation does not support expiration of acceptor
credentials,
the value
.Dv GSS_C_INDEFINITE
will be returned.
Specify
.Dv NULL
if not required.
.It cred_usage
How the credential may be used with the specified mechanism.
One of the following:
.Bl -item -offset indent -compact
.It
.Dv GSS_C_INITIATE
.It
.Dv GSS_C_ACCEPT
.It
.Dv GSS_C_BOTH
.El
Specify
.Dv NULL
if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NO_CRED
The referenced credentials could not be accessed
.It GSS_S_DEFECTIVE_CREDENTIAL
The referenced credentials were invalid
.It GSS_S_CREDENTIALS_EXPIRED
The referenced credentials have expired.
If the lifetime parameter was not passed as
.Dv NULL ,
it will be set to 0.
.El
.Sh SEE ALSO
.Xr gss_release_name 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

82
lib/gssapi/mech/gss_inquire_cred_by_mech.c Normal file
View File

@@ -0,0 +1,82 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_inquire_cred_by_mech.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "cred.h"
#include "name.h"
OM_uint32
gss_inquire_cred_by_mech(OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
const gss_OID mech_type,
gss_name_t *cred_name,
OM_uint32 *initiator_lifetime,
OM_uint32 *acceptor_lifetime,
gss_cred_usage_t *cred_usage)
{
OM_uint32 major_status;
struct _gss_mech_switch *m;
struct _gss_mechanism_cred *mcp;
gss_cred_id_t mc;
gss_name_t mn;
struct _gss_name *name;
*minor_status = 0;
m = _gss_find_mech_switch(mech_type);
if (!m)
return (GSS_S_NO_CRED);
if (cred_handle != GSS_C_NO_CREDENTIAL) {
struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link)
if (mcp->gmc_mech == m)
break;
if (!mcp)
return (GSS_S_NO_CRED);
mc = mcp->gmc_cred;
} else {
mc = GSS_C_NO_CREDENTIAL;
}
major_status = m->gm_inquire_cred_by_mech(minor_status, mc, mech_type,
&mn, initiator_lifetime, acceptor_lifetime, cred_usage);
if (major_status != GSS_S_COMPLETE)
return (major_status);
name = _gss_make_name(m, mn);
if (!name) {
m->gm_release_name(minor_status, &mn);
return (GSS_S_NO_CRED);
}
*cred_name = (gss_name_t) name;
return (GSS_S_COMPLETE);
}

134
lib/gssapi/mech/gss_inquire_mechs_for_name.3 Normal file
View File

@@ -0,0 +1,134 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_inquire_mechs_for_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INQUIRE_MECHS_FOR_NAME 3 PRM
.Sh NAME
.Nm gss_inquire_mechs_for_name
.Nd List mechanisms that support the specified name-type
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_inquire_mechs_for_name
.Fa "OM_uint32 *minor_status"
.Fa "const gss_name_t input_name"
.Fa "gss_OID_set *mech_types"
.Fc
.Sh DESCRIPTION
Returns the set of mechanisms supported by the GSS-API implementation
that may be able to process the specified name.
.Pp
Each mechanism returned will recognize at least one element within the
name.
It is permissible for this routine to be implemented within a
mechanism-independent GSS-API layer,
using the type information contained within the presented name,
and based on registration information provided by individual mechanism
implementations.
This means that the returned
.Fa mech_types
set may indicate that a particular mechanism will understand the name
when in fact it would refuse to accept the name as input to
.Fn gss_canonicalize_name ,
.Fn gss_init_sec_context ,
.Fn gss_acquire_cred
or
.Fn gss_add_cred
(due to some property of the specific name, as opposed to the name
type).
Thus this routine should be used only as a pre-filter for a call to a
subsequent mechanism-specific routine.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It input_name
The name to which the inquiry relates.
.It mech_types
Set of mechanisms that may support the specified name.
The returned OID set must be freed by the caller after use with a call
to
.Fn gss_release_oid_set .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_NAME
The
.Fa input_name
parameter was ill-formed
.El
.Sh SEE ALSO
.Xr gss_release_oid_set 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

77
lib/gssapi/mech/gss_inquire_mechs_for_name.c Normal file
View File

@@ -0,0 +1,77 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_inquire_mechs_for_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32
gss_inquire_mechs_for_name(OM_uint32 *minor_status,
const gss_name_t input_name,
gss_OID_set *mech_types)
{
OM_uint32 major_status;
struct _gss_name *name = (struct _gss_name *) input_name;
struct _gss_mech_switch *m;
gss_OID_set name_types;
int present;
*minor_status = 0;
major_status = gss_create_empty_oid_set(minor_status, mech_types);
if (major_status)
return (major_status);
/*
* We go through all the loaded mechanisms and see if this
* name's type is supported by the mechanism. If it is, add
* the mechanism to the set.
*/
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
major_status = gss_inquire_names_for_mech(minor_status,
&m->gm_mech_oid, &name_types);
if (major_status) {
gss_release_oid_set(minor_status, mech_types);
return (major_status);
}
gss_test_oid_set_member(minor_status,
&name->gn_type, name_types, &present);
gss_release_oid_set(minor_status, &name_types);
if (present) {
major_status = gss_add_oid_set_member(minor_status,
&m->gm_mech_oid, mech_types);
if (major_status) {
gss_release_oid_set(minor_status, mech_types);
return (major_status);
}
}
}
return (GSS_S_COMPLETE);
}

107
lib/gssapi/mech/gss_inquire_names_for_mech.3 Normal file
View File

@@ -0,0 +1,107 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_inquire_names_for_mech.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_INQUIRE_NAMES_FOR_MECH 3 PRM
.Sh NAME
.Nm gss_inquire_names_for_mech
.Nd List the name-types supported by the specified mechanism
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_inquire_names_for_mech
.Fa "OM_uint32 *minor_status"
.Fa "const gss_OID mechanism"
.Fa "gss_OID_set *name_types"
.Fc
.Sh DESCRIPTION
Returns the set of name-types supported by the specified mechanism.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It mechanism
The mechanism to be interrogated.
.It name_types
Set of name-types supported by the specified mechanism.
The returned OID set must be freed by the application after use with a
call to
.Fn gss_release_oid_set .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh SEE ALSO
.Xr gss_release_oid_set 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

74
lib/gssapi/mech/gss_inquire_names_for_mech.c Normal file
View File

@@ -0,0 +1,74 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_inquire_names_for_mech.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
OM_uint32
gss_inquire_names_for_mech(OM_uint32 *minor_status,
const gss_OID mechanism,
gss_OID_set *name_types)
{
OM_uint32 major_status;
struct _gss_mech_switch *m = _gss_find_mech_switch(mechanism);
*minor_status = 0;
if (!m)
return (GSS_S_BAD_MECH);
/*
* If the implementation can do it, ask it for a list of
* names, otherwise fake it.
*/
if (m->gm_inquire_names_for_mech) {
return (m->gm_inquire_names_for_mech(minor_status,
mechanism, name_types));
} else {
major_status = gss_create_empty_oid_set(minor_status,
name_types);
if (major_status)
return (major_status);
major_status = gss_add_oid_set_member(minor_status,
GSS_C_NT_HOSTBASED_SERVICE, name_types);
if (major_status) {
OM_uint32 ms;
gss_release_oid_set(&ms, name_types);
return (major_status);
}
major_status = gss_add_oid_set_member(minor_status,
GSS_C_NT_USER_NAME, name_types);
if (major_status) {
OM_uint32 ms;
gss_release_oid_set(&ms, name_types);
return (major_status);
}
}
return (GSS_S_COMPLETE);
}

87
lib/gssapi/mech/gss_krb5.c Normal file
View File

@@ -0,0 +1,87 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_krb5.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "context.h"
#include "cred.h"
OM_uint32
gsskrb5_register_acceptor_identity(const char *identity)
{
struct _gss_mech_switch *m;
_gss_load_mech();
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_krb5_register_acceptor_identity)
m->gm_krb5_register_acceptor_identity(identity);
}
return (GSS_S_COMPLETE);
}
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
gss_cred_id_t cred_handle,
struct krb5_ccache_data *out)
{
struct _gss_mechanism_cred *mcp;
struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
struct _gss_mech_switch *m;
*minor_status = 0;
SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link) {
m = mcp->gmc_mech;
if (m->gm_krb5_copy_ccache)
return (m->gm_krb5_copy_ccache(minor_status,
mcp->gmc_cred, out));
}
return (GSS_S_FAILURE);
}
OM_uint32
gss_krb5_compat_des3_mic(OM_uint32 *minor_status,
gss_ctx_id_t context_handle, int flag)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
*minor_status = 0;
if (m->gm_krb5_compat_des3_mic)
return (m->gm_krb5_compat_des3_mic(minor_status,
ctx->gc_ctx, flag));
return (GSS_S_FAILURE);
}

301
lib/gssapi/mech/gss_mech_switch.c Normal file
View File

@@ -0,0 +1,301 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_mech_switch.c,v 1.2 2006/02/04 09:40:21 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "mech_switch.h"
#include "utils.h"
#ifndef _PATH_GSS_MECH
#define _PATH_GSS_MECH "/etc/gss/mech"
#endif
struct _gss_mech_switch_list _gss_mechs =
SLIST_HEAD_INITIALIZER(&_gss_mechs);
gss_OID_set _gss_mech_oids;
/*
* Convert a string containing an OID in 'dot' form
* (e.g. 1.2.840.113554.1.2.2) to a gss_OID.
*/
static int
_gss_string_to_oid(const char* s, gss_OID oid)
{
int number_count, i, j;
int byte_count;
const char *p, *q;
char *res;
/*
* First figure out how many numbers in the oid, then
* calculate the compiled oid size.
*/
number_count = 0;
for (p = s; p; p = q) {
q = strchr(p, '.');
if (q) q = q + 1;
number_count++;
}
/*
* The first two numbers are in the first byte and each
* subsequent number is encoded in a variable byte sequence.
*/
if (number_count < 2)
return (EINVAL);
/*
* We do this in two passes. The first pass, we just figure
* out the size. Second time around, we actually encode the
* number.
*/
res = 0;
for (i = 0; i < 2; i++) {
byte_count = 0;
for (p = s, j = 0; p; p = q, j++) {
unsigned int number = 0;
/*
* Find the end of this number.
*/
q = strchr(p, '.');
if (q) q = q + 1;
/*
* Read the number of of the string. Don't
* bother with anything except base ten.
*/
while (*p && *p != '.') {
number = 10 * number + (*p - '0');
p++;
}
/*
* Encode the number. The first two numbers
* are packed into the first byte. Subsequent
* numbers are encoded in bytes seven bits at
* a time with the last byte having the high
* bit set.
*/
if (j == 0) {
if (res)
*res = number * 40;
} else if (j == 1) {
if (res) {
*res += number;
res++;
}
byte_count++;
} else if (j >= 2) {
/*
* The number is encoded in seven bit chunks.
*/
unsigned int t;
int bytes;
bytes = 0;
for (t = number; t; t >>= 7)
bytes++;
if (bytes == 0) bytes = 1;
while (bytes) {
if (res) {
int bit = 7*(bytes-1);
*res = (number >> bit) & 0x7f;
if (bytes != 1)
*res |= 0x80;
res++;
}
byte_count++;
bytes--;
}
}
}
if (!res) {
res = malloc(byte_count);
if (!res)
return (ENOMEM);
oid->length = byte_count;
oid->elements = res;
}
}
return (0);
}
#define SYM(name) \
do { \
m->gm_ ## name = dlsym(so, "gss_" #name); \
if (!m->gm_ ## name) { \
fprintf(stderr, "can't find symbol gss_" #name "\n"); \
goto bad; \
} \
} while (0)
#define OPTSYM(name) \
do { \
m->gm_ ## name = dlsym(so, "gss_" #name); \
} while (0)
#define OPTSYM2(symname, ourname) \
do { \
m->ourname = dlsym(so, #symname); \
} while (0)
/*
* Load the mechanisms file (/etc/gss/mech).
*/
void
_gss_load_mech(void)
{
OM_uint32 major_status, minor_status;
FILE *fp;
char buf[256];
char *p;
char *name, *oid, *lib, *kobj;
struct _gss_mech_switch *m;
int count;
char **pp;
void *so;
if (SLIST_FIRST(&_gss_mechs))
return;
major_status = gss_create_empty_oid_set(&minor_status,
&_gss_mech_oids);
if (major_status)
return;
fp = fopen(_PATH_GSS_MECH, "r");
if (!fp) {
perror(_PATH_GSS_MECH);
return;
}
count = 0;
while (fgets(buf, sizeof(buf), fp)) {
if (*buf == '#')
continue;
p = buf;
name = strsep(&p, "\t\n ");
if (p) while (isspace(*p)) p++;
oid = strsep(&p, "\t\n ");
if (p) while (isspace(*p)) p++;
lib = strsep(&p, "\t\n ");
if (p) while (isspace(*p)) p++;
kobj = strsep(&p, "\t\n ");
if (!name || !oid || !lib || !kobj)
continue;
so = dlopen(lib, RTLD_LOCAL);
if (!so) {
fprintf(stderr, "dlopen: %s\n", dlerror());
continue;
}
m = malloc(sizeof(struct _gss_mech_switch));
if (!m)
break;
m->gm_so = so;
if (_gss_string_to_oid(oid, &m->gm_mech_oid)) {
free(m);
continue;
}
major_status = gss_add_oid_set_member(&minor_status,
&m->gm_mech_oid, &_gss_mech_oids);
if (major_status) {
free(m->gm_mech_oid.elements);
free(m);
continue;
}
SYM(acquire_cred);
SYM(release_cred);
SYM(init_sec_context);
SYM(accept_sec_context);
SYM(process_context_token);
SYM(delete_sec_context);
SYM(context_time);
SYM(get_mic);
SYM(verify_mic);
SYM(wrap);
SYM(unwrap);
SYM(display_status);
SYM(indicate_mechs);
SYM(compare_name);
SYM(display_name);
SYM(import_name);
SYM(export_name);
SYM(release_name);
SYM(inquire_cred);
SYM(inquire_context);
SYM(wrap_size_limit);
SYM(add_cred);
SYM(inquire_cred_by_mech);
SYM(export_sec_context);
SYM(import_sec_context);
SYM(inquire_names_for_mech);
SYM(inquire_mechs_for_name);
SYM(canonicalize_name);
SYM(duplicate_name);
OPTSYM2(gsskrb5_register_acceptor_identity,
gm_krb5_register_acceptor_identity);
OPTSYM(krb5_copy_ccache);
OPTSYM(krb5_compat_des3_mic);
SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
count++;
continue;
bad:
free(m->gm_mech_oid.elements);
free(m);
dlclose(so);
continue;
}
fclose(fp);
}
struct _gss_mech_switch *
_gss_find_mech_switch(gss_OID mech)
{
struct _gss_mech_switch *m;
_gss_load_mech();
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (_gss_oid_equal(&m->gm_mech_oid, mech))
return m;
}
return (0);
}

253
lib/gssapi/mech/gss_names.c Normal file
View File

@@ -0,0 +1,253 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_names.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x01"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
* GSS_C_NT_USER_NAME should be initialized to point
* to that gss_OID_desc.
*/
static gss_OID_desc GSS_C_NT_USER_NAME_storage =
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"};
gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x02"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
* The constant GSS_C_NT_MACHINE_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_storage =
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x03"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
* The constant GSS_C_NT_STRING_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
static gss_OID_desc GSS_C_NT_STRING_UID_NAME_storage =
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"};
gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
* corresponding to an object-identifier value of
* {iso(1) org(3) dod(6) internet(1) security(5)
* nametypes(6) gss-host-based-services(2)). The constant
* GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
* to that gss_OID_desc. This is a deprecated OID value, and
* implementations wishing to support hostbased-service names
* should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
* defined below, to identify such names;
* GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
* for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
* parameter, but should not be emitted by GSS-API
* implementations
*/
static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_storage =
{6, (void *)"\x2b\x06\x01\x05\x06\x02"};
gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_storage;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x04"}, corresponding to an
* object-identifier value of {iso(1) member-body(2)
* Unites States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) service_name(4)}. The constant
* GSS_C_NT_HOSTBASED_SERVICE should be initialized
* to point to that gss_OID_desc.
*/
static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_storage =
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"};
gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_storage;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\01\x05\x06\x03"},
* corresponding to an object identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 3(gss-anonymous-name)}. The constant
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
static gss_OID_desc GSS_C_NT_ANONYMOUS_storage =
{6, (void *)"\x2b\x06\01\x05\x06\x03"};
gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_storage;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
* corresponding to an object-identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 4(gss-api-exported-name)}. The constant
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
static gss_OID_desc GSS_C_NT_EXPORT_NAME_storage =
{6, (void *)"\x2b\x06\x01\x05\x06\x04"};
gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_storage;
/*
* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* krb5(2) krb5_name(1)}. The recommended symbolic name for this type
* is "GSS_KRB5_NT_PRINCIPAL_NAME".
*/
static gss_OID_desc GSS_KRB5_NT_PRINCIPAL_NAME_storage =
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &GSS_KRB5_NT_PRINCIPAL_NAME_storage;
/*
* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) user_name(1)}. The recommended symbolic name for this
* type is "GSS_KRB5_NT_USER_NAME".
*/
gss_OID GSS_KRB5_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage;
/*
* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) machine_uid_name(2)}. The recommended symbolic name for
* this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
*/
gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
/*
* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) string_uid_name(3)}. The recommended symbolic name for
* this type is "GSS_KRB5_NT_STRING_UID_NAME".
*/
gss_OID GSS_KRB5_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
struct _gss_mechanism_name *
_gss_find_mn(struct _gss_name *name, gss_OID mech)
{
OM_uint32 major_status, minor_status;
struct _gss_mech_switch *m;
struct _gss_mechanism_name *mn;
SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
if (_gss_oid_equal(mech, mn->gmn_mech_oid))
break;
}
if (!mn) {
/*
* If this name is canonical (i.e. there is only an
* MN but it is from a different mech), give up now.
*/
if (!name->gn_value.value)
return (0);
m = _gss_find_mech_switch(mech);
if (!m)
return (0);
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn)
return (0);
major_status = m->gm_import_name(&minor_status,
&name->gn_value,
(name->gn_type.elements
? &name->gn_type : GSS_C_NO_OID),
&mn->gmn_name);
if (major_status) {
free(mn);
return (0);
}
mn->gmn_mech = m;
mn->gmn_mech_oid = &m->gm_mech_oid;
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
}
return (mn);
}
/*
* Make a name from an MN.
*/
struct _gss_name *
_gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn)
{
OM_uint32 minor_status;
struct _gss_name *name;
struct _gss_mechanism_name *mn;
name = malloc(sizeof(struct _gss_name));
if (!name)
return (0);
memset(name, 0, sizeof(struct _gss_name));
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn) {
free(name);
return (0);
}
SLIST_INIT(&name->gn_mn);
mn->gmn_mech = m;
mn->gmn_mech_oid = &m->gm_mech_oid;
mn->gmn_name = new_mn;
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
return (name);
}

136
lib/gssapi/mech/gss_process_context_token.3 Normal file
View File

@@ -0,0 +1,136 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_process_context_token.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_PROCESS_CONTEXT_TOKEN 3 PRM
.Sh NAME
.Nm gss_process_context_token
.Nd Process a token on a security context from a peer application
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_process_context_token
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "const gss_buffer_t token_buffer"
.Fc
.Sh DESCRIPTION
Provides a way to pass an asynchronous token to the security service.
Most context-level tokens are emitted and processed synchronously by
.Fn gss_init_sec_context
and
.Fn gss_accept_sec_context ,
and the application is informed as to whether further tokens are
expected by the
.Dv GSS_C_CONTINUE_NEEDED
major status bit.
Occasionally,
a mechanism may need to emit a context-level token at a point when the
peer entity is not expecting a token.
For example,
the initiator's final call to
.Fn gss_init_sec_context
may emit a token and return a status of
.Dv GSS_S_COMPLETE ,
but the acceptor's call to
.Fn gss_accept_sec_context
may fail.
The acceptor's mechanism may wish to send a token containing an error
indication to the initiator,
but the initiator is not expecting a token at this point,
believing that the context is fully established.
.Fn gss_process_context_token
provides a way to pass such a token to the mechanism at any time.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Context handle of context on which token is to be processed.
.It token_buffer
Token to process.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_DEFECTIVE_TOKEN
Indicates that consistency checks performed on the token failed
.It GSS_S_NO_CONTEXT
The
.Fa context_handle
did not refer to a valid context
.El
.Sh SEE ALSO
.Xr gss_init_sec_context 3 ,
.Xr gss_accept_sec_context 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

44
lib/gssapi/mech/gss_process_context_token.c Normal file
View File

@@ -0,0 +1,44 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_process_context_token.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_process_context_token(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_process_context_token(minor_status, ctx->gc_ctx,
token_buffer));
}

111
lib/gssapi/mech/gss_release_buffer.3 Normal file
View File

@@ -0,0 +1,111 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_release_buffer.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_RELEASE_BUFFER 3 PRM
.Sh NAME
.Nm gss_release_buffer
.Nd Discard a buffer
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_release_buffer
.Fa "OM_uint32 *minor_status"
.Fa "gss_buffer_t buffer"
.Fc
.Sh DESCRIPTION
Free storage associated with a buffer.
The storage must have been allocated by a GSS-API routine.
In addition to freeing the associated storage,
the routine will zero the length field in the descriptor to which the
buffer parameter refers,
and implementations are encouraged to additionally set the pointer
field in the descriptor to
.Dv NULL .
Any buffer object returned by a GSS-API routine may be passed to
.Fn gss_release_buffer
(even if there is no storage associated with the buffer).
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It buffer
The storage associated with the buffer will be deleted.
The gss_buffer_desc object will not be freed,
but its length field will be zeroed.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

43
lib/gssapi/mech/gss_release_buffer.c Normal file
View File

@@ -0,0 +1,43 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_release_buffer.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
OM_uint32
gss_release_buffer(OM_uint32 *minor_status,
gss_buffer_t buffer)
{
*minor_status = 0;
if (buffer->value)
free(buffer->value);
buffer->length = 0;
buffer->value = 0;
return (GSS_S_COMPLETE);
}

108
lib/gssapi/mech/gss_release_cred.3 Normal file
View File

@@ -0,0 +1,108 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_release_cred.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_RELEASE_CRED 3 PRM
.Sh NAME
.Nm gss_release_cred
.Nd Discard a credential handle
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_release_cred
.Fa "OM_uint32 *minor_status"
.Fa "gss_cred_id_t *cred_handle"
.Fc
.Sh DESCRIPTION
Informs GSS-API that the specified credential handle is no longer
required by the application,
and frees associated resources.
Implementations are encouraged to set the cred_handle to
.Dv GSS_C_NO_CREDENTIAL
on successful completion of this call.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It cred_handle
Opaque handle identifying credential to be released.
If GSS_C_NO_CREDENTIAL is supplied,
the routine will complete successfully, but will do nothing.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_NO_CRED
Credentials could not be accessed
.El
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

56
lib/gssapi/mech/gss_release_cred.c Normal file
View File

@@ -0,0 +1,56 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_release_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "cred.h"
OM_uint32
gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
{
struct _gss_cred *cred = (struct _gss_cred *) *cred_handle;
struct _gss_mechanism_cred *mc;
if (*cred_handle == GSS_C_NO_CREDENTIAL)
return (GSS_S_COMPLETE);
while (SLIST_FIRST(&cred->gc_mc)) {
mc = SLIST_FIRST(&cred->gc_mc);
SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link);
mc->gmc_mech->gm_release_cred(minor_status, &mc->gmc_cred);
free(mc);
}
free(cred);
*minor_status = 0;
*cred_handle = 0;
return (GSS_S_COMPLETE);
}

104
lib/gssapi/mech/gss_release_name.3 Normal file
View File

@@ -0,0 +1,104 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_release_name.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_RELEASE_NAME 3 PRM
.Sh NAME
.Nm gss_release_name
.Nd Discard an internal-form name
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_release_name
.Fa "OM_uint32 *minor_status"
.Fa "gss_name_t *name"
.Fc
.Sh DESCRIPTION
Free GSS-API allocated storage associated with an internal-form name.
Implementations are encouraged to set the name to
.Dv GSS_C_NO_NAME
on successful completion of this call.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It name
The name to be deleted.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_BAD_NAME
The name parameter did not contain a valid name
.El
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

59
lib/gssapi/mech/gss_release_name.c Normal file
View File

@@ -0,0 +1,59 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_release_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "mech_switch.h"
#include "name.h"
OM_uint32
gss_release_name(OM_uint32 *minor_status,
gss_name_t *input_name)
{
struct _gss_name *name = (struct _gss_name *) *input_name;
struct _gss_mech_switch *m;
*minor_status = 0;
if (name) {
if (name->gn_type.elements)
free(name->gn_type.elements);
while (SLIST_FIRST(&name->gn_mn)) {
struct _gss_mechanism_name *mn;
mn = SLIST_FIRST(&name->gn_mn);
SLIST_REMOVE_HEAD(&name->gn_mn, gmn_link);
mn->gmn_mech->gm_release_name(minor_status,
&mn->gmn_name);
free(mn);
}
gss_release_buffer(minor_status, &name->gn_value);
*input_name = 0;
}
return (GSS_S_COMPLETE);
}

109
lib/gssapi/mech/gss_release_oid_set.3 Normal file
View File

@@ -0,0 +1,109 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_release_oid_set.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_RELEASE_OID_SET 3 PRM
.Sh NAME
.Nm gss_release_oid_set
.Nd Discard a set of object identifiers
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_release_oid_set
.Fa "OM_uint32 *minor_status"
.Fa "gss_OID_set *set"
.Fc
.Sh DESCRIPTION
Free storage associated with a GSS-API generated gss_OID_set object.
The set parameter must refer to an OID-set that was returned from a
GSS-API routine.
.Fn gss_release_oid_set
will free the storage associated with each individual member OID,
the OID set's elements array,
and the gss_OID_set_desc itself.
.Pp
Implementations are encouraged to set the gss_OID_set parameter to
.Dv GSS_C_NO_OID_SET
on successful completion of this routine.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It set
The storage associated with the gss_OID_set will be deleted.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

46
lib/gssapi/mech/gss_release_oid_set.c Normal file
View File

@@ -0,0 +1,46 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_release_oid_set.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
OM_uint32
gss_release_oid_set(OM_uint32 *minor_status,
gss_OID_set *set)
{
*minor_status = 0;
if (*set) {
if ((*set)->elements)
free((*set)->elements);
free(*set);
*set = 0;
}
return (GSS_S_COMPLETE);
}

45
lib/gssapi/mech/gss_seal.c Normal file
View File

@@ -0,0 +1,45 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_seal.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
OM_uint32
gss_seal(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
int qop_req,
gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer)
{
return (gss_wrap(minor_status,
context_handle, conf_req_flag, qop_req,
input_message_buffer, conf_state,
output_message_buffer));
}

41
lib/gssapi/mech/gss_sign.c Normal file
View File

@@ -0,0 +1,41 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_sign.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
OM_uint32
gss_sign(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int qop_req,
gss_buffer_t message_buffer,
gss_buffer_t message_token)
{
return gss_get_mic(minor_status,
context_handle, qop_req, message_buffer, message_token);
}

116
lib/gssapi/mech/gss_test_oid_set_member.3 Normal file
View File

@@ -0,0 +1,116 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_test_oid_set_member.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_TEST_OID_SET_MEMBER 3 PRM
.Sh NAME
.Nm gss_test_oid_set_member
.Nd Determines whether an object identifier is a member of a set
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_test_oid_set_member
.Fa "OM_uint32 *minor_status"
.Fa "const gss_OID member"
.Fa "const gss_OID_set set"
.Fa "int *present"
.Fc
.Sh DESCRIPTION
Interrogate an Object Identifier set to determine whether a specified
Object Identifier is a member.
This routine is intended to be used with OID sets returned by
.Fn gss_indicate_mechs ,
.Fn gss_acquire_cred ,
and
.Fn gss_inquire_cred ,
but will also work with user-generated sets.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It member
The object identifier whose presence is to be tested.
.It set
The Object Identifier set.
.It present
Non-zero if the specified OID is a member of the set, zero if not.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.El
.Sh SEE ALSO
.Xr gss_indicate_mechs 3 ,
.Xr gss_acquire_cred 3 ,
.Xr gss_inquire_cred 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

56
lib/gssapi/mech/gss_test_oid_set_member.c Normal file
View File

@@ -0,0 +1,56 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_test_oid_set_member.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
static int
_gss_oid_equal(const gss_OID oid1, const gss_OID oid2)
{
if (oid1->length != oid2->length)
return (0);
if (memcmp(oid1->elements, oid2->elements, oid1->length))
return (0);
return (1);
}
OM_uint32
gss_test_oid_set_member(OM_uint32 *minor_status,
const gss_OID member,
const gss_OID_set set,
int *present)
{
int i;
*present = 0;
for (i = 0; i < set->count; i++)
if (_gss_oid_equal(member, &set->elements[i]))
*present = 1;
*minor_status = 0;
return (GSS_S_COMPLETE);
}

43
lib/gssapi/mech/gss_unseal.c Normal file
View File

@@ -0,0 +1,43 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_unseal.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
OM_uint32
gss_unseal(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
int *qop_state)
{
return (gss_unwrap(minor_status,
context_handle, input_message_buffer,
output_message_buffer, conf_state, qop_state));
}

191
lib/gssapi/mech/gss_unwrap.3 Normal file
View File

@@ -0,0 +1,191 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_unwrap.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_UNWRAP 3 PRM
.Sh NAME
.Nm gss_unwrap ,
.Nm gss_unseal
.Nd Convert a message previously protected by
.Xr gss_wrap 3
back to a usable form
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_unwrap
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "const gss_buffer_t input_message_buffer"
.Fa "gss_buffer_t output_message_buffer"
.Fa "int *conf_state"
.Fa "gss_qop_t *qop_state"
.Fc
.Ft OM_uint32
.Fo gss_unseal
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "gss_buffer_t input_message_buffer"
.Fa "gss_buffer_t output_message_buffer"
.Fa "int *conf_state"
.Fa "gss_qop_t *qop_state"
.Fc
.Sh DESCRIPTION
Converts a message previously protected by
.Xr gss_wrap 3
back to a usable form,
verifying the embedded MIC.
The
.Dv conf_state
parameter indicates whether the message was encrypted;
the
.Dv qop_state
parameter indicates the strength of protection that was used to provide the
confidentiality and integrity services.
.Pp
Since some application-level protocols may wish to use tokens emitted
by
.Xr gss_wrap 3
to provide "secure framing",
implementations must support the wrapping and unwrapping of
zero-length messages.
.Pp
The
.Fn gss_unseal
routine is an obsolete variant of
.Fn gss_unwrap .
It is
provided for backwards
compatibility with applications using the GSS-API V1 interface.
A distinct entrypoint (as opposed to #define) is provided,
both to allow GSS-API V1 applications to link
and to retain the slight parameter type differences between the
obsolete versions of this routine and its current form.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Identifies the context on which the message arrived.
.It input_message_buffer
Protected message.
.It output_message_buffer
Buffer to receive unwrapped message.
Storage associated with this buffer must
be freed by the application after use use
with a call to
.Xr gss_release_buffer 3 .
.It conf_state
.Bl -tag -width "Non-zero"
.It Non-zero
Confidentiality and integrity protection were used.
.It Zero
Integrity service only was used.
.El
.Pp
Specify NULL if not required.
.It qop_state
Quality of protection provided. Specify NULL if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion.
.It GSS_S_DEFECTIVE_TOKEN
The token failed consistency checks.
.It GSS_S_BAD_SIG
The MIC was incorrect
.It GSS_S_DUPLICATE_TOKEN
The token was valid, and contained a correct
MIC for the message, but it had already been
processed.
.It GSS_S_OLD_TOKEN
The token was valid, and contained a correct MIC
for the message, but it is too old to check for
duplication.
.It GSS_S_UNSEQ_TOKEN
The token was valid, and contained a correct MIC
for the message, but has been verified out of
sequence; a later token has already been
received.
.It GSS_S_GAP_TOKEN
The token was valid, and contained a correct MIC
for the message, but has been verified out of
sequence; an earlier expected token has not yet
been received.
.It GSS_S_CONTEXT_EXPIRED
The context has already expired.
.It GSS_S_NO_CONTEXT
The context_handle parameter did not identify a valid context.
.El
.Sh SEE ALSO
.Xr gss_wrap 3 ,
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

48
lib/gssapi/mech/gss_unwrap.c Normal file
View File

@@ -0,0 +1,48 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_unwrap.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_unwrap(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
gss_qop_t *qop_state)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_unwrap(minor_status, ctx->gc_ctx,
input_message_buffer, output_message_buffer,
conf_state, qop_state));
}

79
lib/gssapi/mech/gss_utils.c Normal file
View File

@@ -0,0 +1,79 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_utils.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <errno.h>
#include "utils.h"
int
_gss_oid_equal(const gss_OID oid1, const gss_OID oid2)
{
if (oid1->length != oid2->length)
return (0);
if (memcmp(oid1->elements, oid2->elements, oid1->length))
return (0);
return (1);
}
OM_uint32
_gss_copy_oid(OM_uint32 *minor_status,
const gss_OID from_oid, gss_OID to_oid)
{
size_t len = from_oid->length;
*minor_status = 0;
to_oid->elements = malloc(len);
if (!to_oid->elements) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
to_oid->length = len;
memcpy(to_oid->elements, from_oid->elements, len);
return (GSS_S_COMPLETE);
}
OM_uint32
_gss_copy_buffer(OM_uint32 *minor_status,
const gss_buffer_t from_buf, gss_buffer_t to_buf)
{
size_t len = from_buf->length;
*minor_status = 0;
to_buf->value = malloc(len);
if (!to_buf->value) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
to_buf->length = len;
memcpy(to_buf->value, from_buf->value, len);
return (GSS_S_COMPLETE);
}

41
lib/gssapi/mech/gss_verify.c Normal file
View File

@@ -0,0 +1,41 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_verify.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
OM_uint32
gss_verify(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t message_buffer,
gss_buffer_t token_buffer,
int *qop_state)
{
return (gss_verify_mic(minor_status,
context_handle, message_buffer, token_buffer, qop_state));
}

172
lib/gssapi/mech/gss_verify_mic.3 Normal file
View File

@@ -0,0 +1,172 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_verify_mic.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_VERIFY_MIC 3 PRM
.Sh NAME
.Nm gss_verify_mic ,
.Nm gss_verify
.Nd Check a MIC against a message; verify integrity of a received message
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_verify_mic
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "const gss_buffer_t message_buffer"
.Fa "const gss_buffer_t token_buffer"
.Fa "gss_qop_t *qop_state"
.Fc
.Ft OM_uint32
.Fo gss_verify
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "gss_buffer_t message_buffer"
.Fa "gss_buffer_t token_buffer"
.Fa "gss_qop_t *qop_state"
.Fc
.Sh DESCRIPTION
Verifies that a cryptographic MIC,
contained in the token parameter,
fits the supplied message.
The
.Fa qop_state
parameter allows a message recipient to determine the strength of
protection that was applied to the message.
.Pp
Since some application-level protocols may wish to use tokens emitted
by
.Fn gss_wrap
to provide "secure framing",
implementations must support the calculation and verification of MICs
over zero-length messages.
.Pp
The
.Fn gss_verify
routine is an obsolete variant of
.Fn gss_verify_mic .
It is provided for backwards
compatibility with applications using the GSS-API V1 interface.
A distinct entrypoint (as opposed to #define) is provided,
both to allow GSS-API V1 applications to link
and to retain the slight parameter type differences between the
obsolete versions of this routine and its current form.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Identifies the context on which the message arrived.
.It message_buffer
Message to be verified.
.It token_buffer
Token associated with message.
.It qop_state
Quality of protection gained from MIC.
Specify
.Dv NULL
if not required.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion
.It GSS_S_DEFECTIVE_TOKEN
The token failed consistency checks
.It GSS_S_BAD_SIG
The MIC was incorrect
.It GSS_S_DUPLICATE_TOKEN
The token was valid,
and contained a correct MIC for the message,
but it had already been processed
.It GSS_S_OLD_TOKEN
The token was valid,
and contained a correct MIC for the message,
but it is too old to check for duplication
.It GSS_S_UNSEQ_TOKEN
The token was valid,
and contained a correct MIC for the message,
but has been verified out of sequence;
a later token has already been received.
.It GSS_S_GAP_TOKEN
The token was valid,
and contained a correct MIC for the message,
but has been verified out of sequence;
an earlier expected token has not yet been received
.It GSS_S_CONTEXT_EXPIRED
The context has already expired
.It GSS_S_NO_CONTEXT
The context_handle parameter did not identify a valid context
.El
.Sh SEE ALSO
.Xr gss_wrap 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.El
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

46
lib/gssapi/mech/gss_verify_mic.c Normal file
View File

@@ -0,0 +1,46 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_verify_mic.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_verify_mic(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_verify_mic(minor_status, ctx->gc_ctx,
message_buffer, token_buffer, qop_state));
}

178
lib/gssapi/mech/gss_wrap.3 Normal file
View File

@@ -0,0 +1,178 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_wrap.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_WRAP 3 PRM
.Sh NAME
.Nm gss_wrap ,
.Nm gss_seal
.Nd Attach a cryptographic MIC and optionally encrypt a message
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_wrap
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "int conf_req_flag"
.Fa "gss_qop_t qop_req"
.Fa "const gss_buffer_t input_message_buffer"
.Fa "int *conf_state"
.Fa "gss_buffer_t output_message_buffer"
.Fc
.Ft OM_uint32
.Fo gss_seal
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "int conf_req_flag"
.Fa "gss_qop_t qop_req"
.Fa "gss_buffer_t input_message_buffer"
.Fa "int *conf_state"
.Fa "gss_buffer_t output_message_buffer"
.Fc
.Sh DESCRIPTION
Attaches a cryptographic MIC and optionally encrypts the specified
.Dv input_message .
The output_message contains both the MIC and the message.
The
.Dv qop_req
parameter allows a choice between several cryptographic algorithms,
if supported by the chosen mechanism.
.Pp
Since some application-level protocols may wish to use tokens emitted
by
.Fn gss_wrap
to provide "secure framing",
implementations must support the wrapping of zero-length messages.
.Pp
The
.Fn gss_seal
routine is an obsolete variant of
.Fn gss_wrap .
It is
provided for backwards
compatibility with applications using the GSS-API V1 interface.
A distinct entrypoint (as opposed to #define) is provided,
both to allow GSS-API V1 applications to link
and to retain the slight parameter type differences between the
obsolete versions of this routine and its current form.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
Identifies the context on which the message will be sent.
.It conf_req_flag
.Bl -tag -width "Non-zero"
.It Non-zero
Both confidentiality and integrity services are requested.
.It Zero
Only integrity service is requested.
.El
.It qop_req
Specifies required quality of protection.
A mechanism-specific default may be requested by setting qop_req to
.Dv GSS_C_QOP_DEFAULT .
If an unsupported protection strength is requested,
.Fn gss_wrap
will return a major_status of
.Dv GSS_S_BAD_QOP .
.It input_message_buffer
Message to be protected.
.It conf_state
.Bl -tag -width "Non-zero"
.It Non-zero
Confidentiality, data origin authentication and integrity services
have been applied.
.It Zero
Integrity and data origin services only has been applied.
.El
.It output_message_buffer
Buffer to receive protected message.
Storage associated with this buffer must
be freed by the application after use use
with a call to
.Xr gss_release_buffer 3 .
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion.
.It GSS_S_CONTEXT_EXPIRED
The context has already expired
.It GSS_S_NO_CONTEXT
The context_handle parameter did not identify a valid context.
.It GSS_S_BAD_QOP
The specified QOP is not supported by the mechanism.
.El
.Sh SEE ALSO
.Xr gss_unwrap 3 ,
.Xr gss_release_buffer 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

49
lib/gssapi/mech/gss_wrap.c Normal file
View File

@@ -0,0 +1,49 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_wrap.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_wrap(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_wrap(minor_status, ctx->gc_ctx,
conf_req_flag, qop_req, input_message_buffer,
conf_state, output_message_buffer));
}

163
lib/gssapi/mech/gss_wrap_size_limit.3 Normal file
View File

@@ -0,0 +1,163 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gss_wrap_size_limit.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.\" The following commands are required for all man pages.
.Dd November 12, 2005
.Os
.Dt GSS_WRAP_SIZE_LIMIT 3 PRM
.Sh NAME
.Nm gss_wrap_size_limit
.Nd Determine maximum message sizes
.\" This next command is for sections 2 and 3 only.
.\" .Sh LIBRARY
.Sh SYNOPSIS
.In "gssapi/gssapi.h"
.Ft OM_uint32
.Fo gss_wrap_size_limit
.Fa "OM_uint32 *minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "int conf_req_flag"
.Fa "gss_qop_t qop_req"
.Fa "OM_uint32 req_output_size"
.Fa "OM_uint32 *max_input_size"
.Fc
.Sh DESCRIPTION
Allows an application to determine the maximum message size that,
if presented to
.Xr gss_wrap 3
with the same
.Dv conf_req_flag
and
.Dv qop_req
parameters,
will result in an output token containing no more than
.Dv req_output_size
bytes.
.Pp
This call is intended for use by applications that
communicate over protocols that impose a maximum message size.
It enables the application to fragment messages prior to applying protection.
.Pp
GSS-API implementations are recommended but not required to detect
invalid QOP values when
.Fn gss_wrap_size_limit
is called.
This routine guarantees only a maximum message size,
not the availability of specific QOP values for message protection.
.Pp
Successful completion of this call does not guarantee that
.Xr gss_wrap 3
will be able to protect a message of length max_input_size bytes,
since this ability may depend on the availability of system resources
at the time that
.Xr gss_wrap 3
is called.
However, if the implementation itself imposes an upper limit on
the length of messages that may be processed by gss_wrap,
the implementation should not return a value via
.Dv max_input_bytes
that is greater than this length.
.Sh PARAMETERS
.Bl -tag
.It minor_status
Mechanism specific status code.
.It context_handle
A handle that refers to the security over which the messages will be sent.
.It conf_req_flag
Indicates whether
.Xr gss_wrap 3
will be asked to apply confidentiality protection
in addition to integrity protection.
.It qop_req
Indicates the level of protection that
.Xr gss_wrap 3
will be asked to provide.
.It req_output_size
The desired maximum size for tokens emitted by
.Xr gss_wrap 3 .
.It max_input_size
The maximum input message size that may be presented to
.Xr gss_wrap 3
in order to guarantee that the emitted token shall
be no larger than
.Dv req_output_size
bytes.
.El
.Sh RETURN VALUES
.Bl -tag
.It GSS_S_COMPLETE
Successful completion.
.It GSS_S_NO_CONTEXT
The referenced context could not be accessed.
.It GSS_S_CONTEXT_EXPIRED
The context has expired.
.It GSS_S_BAD_QOP
The specified QOP is not supported by the mechanism.
.El
.Sh SEE ALSO
.Xr gss_wrap 3
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.\" .Sh HISTORY
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

47
lib/gssapi/mech/gss_wrap_size_limit.c Normal file
View File

@@ -0,0 +1,47 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_wrap_size_limit.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <gssapi/gssapi.h>
#include "mech_switch.h"
#include "context.h"
OM_uint32
gss_wrap_size_limit(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 *max_input_size)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
struct _gss_mech_switch *m = ctx->gc_mech;
return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx,
conf_req_flag, qop_req, req_output_size, max_input_size));
}

261
lib/gssapi/mech/gssapi.3 Normal file
View File

@@ -0,0 +1,261 @@
.\" -*- nroff -*-
.\"
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/gssapi.3,v 1.2 2006/01/25 10:06:28 dfr Exp $
.\"
.Dd November 30, 2005
.Dt GSSAPI 3
.Os
.Sh NAME
.Nm gssapi
.Nd "Generic Security Services API"
.Sh LIBRARY
GSS-API Library (libgssapi, -lgssapi)
.Sh SYNOPSIS
.In gssapi/gssapi.h
.Sh DESCRIPTION
The Generic Security Service Application Programming Interface
provides security services to its callers,
and is intended for implementation atop a variety of underlying
cryptographic mechanisms.
Typically, GSS-API callers will be application protocols into which
security enhancements are integrated through invocation of services
provided by the GSS-API.
The GSS-API allows a caller application to authenticate a principal
identity associated with a peer application, to delegate rights to a
peer,
and to apply security services such as confidentiality and integrity
on a per-message basis.
.Pp
There are four stages to using the GSS-API:
.Pp
.Bl -tag -width "a)"
.It a)
The application acquires a set of credentials with which it may prove
its identity to other processes.
The application's credentials vouch for its global identity,
which may or may not be related to any local username under which it
may be running.
.It b)
A pair of communicating applications establish a joint security
context using their credentials.
The security context is a pair of GSS-API data structures that contain
shared state information, which is required in order that per-message
security services may be provided.
Examples of state that might be shared between applications as part of
a security context are cryptographic keys,
and message sequence numbers.
As part of the establishment of a security context,
the context initiator is authenticated to the responder,
and may require that the responder is authenticated in turn.
The initiator may optionally give the responder the right to initiate
further security contexts,
acting as an agent or delegate of the initiator.
This transfer of rights is termed delegation,
and is achieved by creating a set of credentials,
similar to those used by the initiating application,
but which may be used by the responder.
.Pp
To establish and maintain the shared information that makes up the
security context,
certain GSS-API calls will return a token data structure,
which is an opaque data type that may contain cryptographically
protected data.
The caller of such a GSS-API routine is responsible for transferring
the token to the peer application,
encapsulated if necessary in an application protocol.
On receipt of such a token, the peer application should pass it to a
corresponding GSS-API routine which will decode the token and extract
the information,
updating the security context state information accordingly.
.It c)
Per-message services are invoked to apply either:
.Pp
integrity and data origin authentication, or confidentiality,
integrity and data origin authentication to application data,
which are treated by GSS-API as arbitrary octet-strings.
An application transmitting a message that it wishes to protect will
call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to
apply protection,
specifying the appropriate security context,
and send the resulting token to the receiving application.
The receiver will pass the received token (and, in the case of data
protected by gss_get_mic, the accompanying message-data) to the
corresponding decoding routine (gss_verify_mic or gss_unwrap) to
remove the protection and validate the data.
.It d)
At the completion of a communications session (which may extend across
several transport connections),
each application calls a GSS-API routine to delete the security
context.
Multiple contexts may also be used (either successively or
simultaneously) within a single communications association, at the
option of the applications.
.El
.Sh GSS-API ROUTINES
This section lists the routines that make up the GSS-API,
and offers a brief description of the purpose of each routine.
.Pp
GSS-API Credential-management Routines:
.Bl -tag -width "gss_inquire_cred_by_mech"
.It gss_acquire_cred
Assume a global identity; Obtain a GSS-API credential handle for
pre-existing credentials.
.It gss_add_cred
Construct credentials incrementally
.It gss_inquire_cred
Obtain information about a credential
.It gss_inquire_cred_by_mech
Obtain per-mechanism information about a credential.
.It gss_release_cred
Discard a credential handle.
.El
.Pp
GSS-API Context-Level Routines:
.Bl -tag -width "gss_inquire_cred_by_mech"
.It gss_init_sec_context
Initiate a security context with a peer application
.It gss_accept_sec_context
Accept a security context initiated by a peer application
.It gss_delete_sec_context
Discard a security context
.It gss_process_context_token
Process a token on a security context from a peer application
.It gss_context_time
Determine for how long a context will remain valid
.It gss_inquire_context
Obtain information about a security context
.It gss_wrap_size_limit
Determine token-size limit for
.Xr gss_wrap 3
on a context
.It gss_export_sec_context
Transfer a security context to another process
.It gss_import_sec_context
Import a transferred context
.El
.Pp
GSS-API Per-message Routines:
.Bl -tag -width "gss_inquire_cred_by_mech"
.It gss_get_mic
Calculate a cryptographic message integrity code (MIC) for a message;
integrity service
.It gss_verify_mic
Check a MIC against a message;
verify integrity of a received message
.It gss_wrap
Attach a MIC to a message, and optionally encrypt the message content;
confidentiality service
.It gss_unwrap
Verify a message with attached MIC, and decrypt message content if
necessary.
.El
.Pp
GSS-API Name manipulation Routines:
.Bl -tag -width "gss_inquire_cred_by_mech"
.It gss_import_name
Convert a contiguous string name to internal-form
.It gss_display_name
Convert internal-form name to text
.It gss_compare_name
Compare two internal-form names
.It gss_release_name
Discard an internal-form name
.It gss_inquire_names_for_mech
List the name-types supported by the specified mechanism
.It gss_inquire_mechs_for_name
List mechanisms that support the specified name-type
.It gss_canonicalize_name
Convert an internal name to an MN
.It gss_export_name
Convert an MN to export form
.It gss_duplicate_name
Create a copy of an internal name
.El
.Pp
GSS-API Miscellaneous Routines
.Bl -tag -width "gss_inquire_cred_by_mech"
.It gss_add_oid_set_member
Add an object identifier to a set
.It gss_display_status
Convert a GSS-API status code to text
.It gss_indicate_mechs
Determine available underlying authentication mechanisms
.It gss_release_buffer
Discard a buffer
.It gss_release_oid_set
Discard a set of object identifiers
.It gss_create_empty_oid_set
Create a set containing no object identifiers
.It gss_test_oid_set_member
Determines whether an object identifier is a member of a set.
.El
.Pp
Individual GSS-API implementations may augment these routines by
providing additional mechanism-specific routines if required
functionality is not available from the generic forms.
Applications are encouraged to use the generic routines wherever
possible on portability grounds.
.Sh STANDARDS
.Bl -tag
.It RFC 2743
Generic Security Service Application Program Interface Version 2, Update 1
.It RFC 2744
Generic Security Service API Version 2 : C-bindings
.El
.Sh HISTORY
The
.Nm
manual page first appeared in
.Fx 7.0 .
.Sh AUTHORS
John Wray, Iris Associates
.Sh COPYRIGHT
Copyright (C) The Internet Society (2000). All Rights Reserved.
.Pp
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
.Pp
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
.Pp
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

94
lib/gssapi/mech/mech.5 Normal file
View File

@@ -0,0 +1,94 @@
.\" Copyright (c) 2005 Doug Rabson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libgssapi/mech.5,v 1.1 2005/12/29 14:40:20 dfr Exp $
.Dd November 14, 2005
.Dt MECH 5
.Os
.Sh NAME
.Nm mech ,
.Nm qop
.Nd "GSS-API Mechanism and QOP files"
.Sh SYNOPSIS
.Pa "/etc/gss/mech"
.Pa "/etc/gss/qop"
.Sh DESCRIPTION
The
.Pa "/etc/gss/mech"
file contains a list of installed GSS-API security mechanisms.
Each line of the file either contains a comment if the first character
is '#' or it contains five fields with the following meanings:
.Bl -tag
.It Name
The name of this GSS-API mechanism.
.It Object identifier
The OID for this mechanism.
.It Library
A shared library containing the implementation of this mechanism.
.It Kernel module (optional)
A kernel module containing the implementation of this mechanism (not
yet supported in FreeBSD).
.It Library options (optional)
Optionsal parameters interpreted by the mechanism. Library options
must be enclosed in brackets ([ ]) to differentiate them from the
optional kernel module entry.
.El
.Pp
The
.Pa "/etc/gss/qop"
file contains a list of Quality of Protection values for use with
GSS-API.
Each line of the file either contains a comment if the first character
is '#' or it contains three fields with the following meanings:
.Bl -tag
.It QOP string
The name of this Quality of Protection algorithm.
.It QOP value
The numeric value used to select this algorithm for use with GSS-API
functions such as
.Xr gss_get_mic 3 .
.It Mechanism name
The GSS-API mechanism name that corresponds to this algorithm.
.El
.Sh EXAMPLES
This is a typical entry from
.Pa "/etc/gss/mech" :
.Bd -literal
kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.8 -
.Ed
.Pp
This is a typical entry from
.Pa "/etc/gss/qop" :
.Bd -literal
GSS_KRB5_CONF_C_QOP_DES 0x0100 kerberosv5
.Ed
.Sh HISTORY
The
.Nm
manual page example first appeared in
.Fx 7.0 .
.Sh AUTHORS
This
manual page was written by
.An Doug Rabson Aq dfr@FreeBSD.org .

327
lib/gssapi/mech/mech_switch.h Normal file
View File

@@ -0,0 +1,327 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/mech_switch.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <sys/queue.h>
typedef OM_uint32 _gss_acquire_cred_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* desired_name */
OM_uint32, /* time_req */
const gss_OID_set, /* desired_mechs */
gss_cred_usage_t, /* cred_usage */
gss_cred_id_t *, /* output_cred_handle */
gss_OID_set *, /* actual_mechs */
OM_uint32 * /* time_rec */
);
typedef OM_uint32 _gss_release_cred_t
(OM_uint32 *, /* minor_status */
gss_cred_id_t * /* cred_handle */
);
typedef OM_uint32 _gss_init_sec_context_t
(OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* initiator_cred_handle */
gss_ctx_id_t *, /* context_handle */
const gss_name_t, /* target_name */
const gss_OID, /* mech_type */
OM_uint32, /* req_flags */
OM_uint32, /* time_req */
const gss_channel_bindings_t,
/* input_chan_bindings */
const gss_buffer_t, /* input_token */
gss_OID *, /* actual_mech_type */
gss_buffer_t, /* output_token */
OM_uint32 *, /* ret_flags */
OM_uint32 * /* time_rec */
);
typedef OM_uint32 _gss_accept_sec_context_t
(OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
const gss_cred_id_t, /* acceptor_cred_handle */
const gss_buffer_t, /* input_token_buffer */
const gss_channel_bindings_t,
/* input_chan_bindings */
gss_name_t *, /* src_name */
gss_OID *, /* mech_type */
gss_buffer_t, /* output_token */
OM_uint32 *, /* ret_flags */
OM_uint32 *, /* time_rec */
gss_cred_id_t * /* delegated_cred_handle */
);
typedef OM_uint32 _gss_process_context_token_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
const gss_buffer_t /* token_buffer */
);
typedef OM_uint32 _gss_delete_sec_context_t
(OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
gss_buffer_t /* output_token */
);
typedef OM_uint32 _gss_context_time_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
OM_uint32 * /* time_rec */
);
typedef OM_uint32 _gss_get_mic_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
gss_qop_t, /* qop_req */
const gss_buffer_t, /* message_buffer */
gss_buffer_t /* message_token */
);
typedef OM_uint32 _gss_verify_mic_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
const gss_buffer_t, /* message_buffer */
const gss_buffer_t, /* token_buffer */
gss_qop_t * /* qop_state */
);
typedef OM_uint32 _gss_wrap_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
int, /* conf_req_flag */
gss_qop_t, /* qop_req */
const gss_buffer_t, /* input_message_buffer */
int *, /* conf_state */
gss_buffer_t /* output_message_buffer */
);
typedef OM_uint32 _gss_unwrap_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
const gss_buffer_t, /* input_message_buffer */
gss_buffer_t, /* output_message_buffer */
int *, /* conf_state */
gss_qop_t * /* qop_state */
);
typedef OM_uint32 _gss_display_status_t
(OM_uint32 *, /* minor_status */
OM_uint32, /* status_value */
int, /* status_type */
const gss_OID, /* mech_type */
OM_uint32 *, /* message_context */
gss_buffer_t /* status_string */
);
typedef OM_uint32 _gss_indicate_mechs_t
(OM_uint32 *, /* minor_status */
gss_OID_set * /* mech_set */
);
typedef OM_uint32 _gss_compare_name_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* name1 */
const gss_name_t, /* name2 */
int * /* name_equal */
);
typedef OM_uint32 _gss_display_name_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_buffer_t, /* output_name_buffer */
gss_OID * /* output_name_type */
);
typedef OM_uint32 _gss_import_name_t
(OM_uint32 *, /* minor_status */
const gss_buffer_t, /* input_name_buffer */
const gss_OID, /* input_name_type */
gss_name_t * /* output_name */
);
typedef OM_uint32 _gss_export_name_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_buffer_t /* exported_name */
);
typedef OM_uint32 _gss_release_name_t
(OM_uint32 *, /* minor_status */
gss_name_t * /* input_name */
);
typedef OM_uint32 _gss_inquire_cred_t
(OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* cred_handle */
gss_name_t *, /* name */
OM_uint32 *, /* lifetime */
gss_cred_usage_t *, /* cred_usage */
gss_OID_set * /* mechanisms */
);
typedef OM_uint32 _gss_inquire_context_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
gss_name_t *, /* src_name */
gss_name_t *, /* targ_name */
OM_uint32 *, /* lifetime_rec */
gss_OID *, /* mech_type */
OM_uint32 *, /* ctx_flags */
int *, /* locally_initiated */
int * /* open */
);
typedef OM_uint32 _gss_wrap_size_limit_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
int, /* conf_req_flag */
gss_qop_t, /* qop_req */
OM_uint32, /* req_output_size */
OM_uint32 * /* max_input_size */
);
typedef OM_uint32 _gss_add_cred_t (
OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* input_cred_handle */
const gss_name_t, /* desired_name */
const gss_OID, /* desired_mech */
gss_cred_usage_t, /* cred_usage */
OM_uint32, /* initiator_time_req */
OM_uint32, /* acceptor_time_req */
gss_cred_id_t *, /* output_cred_handle */
gss_OID_set *, /* actual_mechs */
OM_uint32 *, /* initiator_time_rec */
OM_uint32 * /* acceptor_time_rec */
);
typedef OM_uint32 _gss_inquire_cred_by_mech_t (
OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* cred_handle */
const gss_OID, /* mech_type */
gss_name_t *, /* name */
OM_uint32 *, /* initiator_lifetime */
OM_uint32 *, /* acceptor_lifetime */
gss_cred_usage_t * /* cred_usage */
);
typedef OM_uint32 _gss_export_sec_context_t (
OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
gss_buffer_t /* interprocess_token */
);
typedef OM_uint32 _gss_import_sec_context_t (
OM_uint32 *, /* minor_status */
const gss_buffer_t, /* interprocess_token */
gss_ctx_id_t * /* context_handle */
);
typedef OM_uint32 _gss_inquire_names_for_mech_t (
OM_uint32 *, /* minor_status */
const gss_OID, /* mechanism */
gss_OID_set * /* name_types */
);
typedef OM_uint32 _gss_inquire_mechs_for_name_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_OID_set * /* mech_types */
);
typedef OM_uint32 _gss_canonicalize_name_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
const gss_OID, /* mech_type */
gss_name_t * /* output_name */
);
typedef OM_uint32 _gss_duplicate_name_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* src_name */
gss_name_t * /* dest_name */
);
typedef OM_uint32 _gsskrb5_register_acceptor_identity (
const char * /* identity */
);
typedef OM_uint32 _gss_krb5_copy_ccache (
OM_uint32 *, /* minor_status */
gss_cred_id_t, /* cred_handle */
struct krb5_ccache_data * /* out */
);
typedef OM_uint32 _gss_krb5_compat_des3_mic (
OM_uint32 *, /* minor_status */
gss_ctx_id_t, /* context_handle */
int /* flag */
);
struct _gss_mech_switch {
SLIST_ENTRY(_gss_mech_switch) gm_link;
gss_OID_desc gm_mech_oid;
void *gm_so;
_gss_acquire_cred_t *gm_acquire_cred;
_gss_release_cred_t *gm_release_cred;
_gss_init_sec_context_t *gm_init_sec_context;
_gss_accept_sec_context_t *gm_accept_sec_context;
_gss_process_context_token_t *gm_process_context_token;
_gss_delete_sec_context_t *gm_delete_sec_context;
_gss_context_time_t *gm_context_time;
_gss_get_mic_t *gm_get_mic;
_gss_verify_mic_t *gm_verify_mic;
_gss_wrap_t *gm_wrap;
_gss_unwrap_t *gm_unwrap;
_gss_display_status_t *gm_display_status;
_gss_indicate_mechs_t *gm_indicate_mechs;
_gss_compare_name_t *gm_compare_name;
_gss_display_name_t *gm_display_name;
_gss_import_name_t *gm_import_name;
_gss_export_name_t *gm_export_name;
_gss_release_name_t *gm_release_name;
_gss_inquire_cred_t *gm_inquire_cred;
_gss_inquire_context_t *gm_inquire_context;
_gss_wrap_size_limit_t *gm_wrap_size_limit;
_gss_add_cred_t *gm_add_cred;
_gss_inquire_cred_by_mech_t *gm_inquire_cred_by_mech;
_gss_export_sec_context_t *gm_export_sec_context;
_gss_import_sec_context_t *gm_import_sec_context;
_gss_inquire_names_for_mech_t *gm_inquire_names_for_mech;
_gss_inquire_mechs_for_name_t *gm_inquire_mechs_for_name;
_gss_canonicalize_name_t *gm_canonicalize_name;
_gss_duplicate_name_t *gm_duplicate_name;
_gsskrb5_register_acceptor_identity *gm_krb5_register_acceptor_identity;
_gss_krb5_copy_ccache *gm_krb5_copy_ccache;
_gss_krb5_compat_des3_mic *gm_krb5_compat_des3_mic;
};
SLIST_HEAD(_gss_mech_switch_list, _gss_mech_switch);
extern struct _gss_mech_switch_list _gss_mechs;
extern gss_OID_set _gss_mech_oids;
extern void _gss_load_mech(void);
extern struct _gss_mech_switch *_gss_find_mech_switch(gss_OID);

48
lib/gssapi/mech/name.h Normal file
View File

@@ -0,0 +1,48 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include <sys/queue.h>
struct _gss_mechanism_name {
SLIST_ENTRY(_gss_mechanism_name) gmn_link;
struct _gss_mech_switch *gmn_mech; /* mechanism ops for MN */
gss_OID gmn_mech_oid; /* mechanism oid for MN */
gss_name_t gmn_name; /* underlying MN */
};
SLIST_HEAD(_gss_mechanism_name_list, _gss_mechanism_name);
struct _gss_name {
gss_OID_desc gn_type; /* type of name */
gss_buffer_desc gn_value; /* value (as imported) */
struct _gss_mechanism_name_list gn_mn; /* list of MNs */
};
extern struct _gss_mechanism_name *
_gss_find_mn(struct _gss_name *name, gss_OID mech);
struct _gss_name *
_gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn);

34
lib/gssapi/mech/spnego.h Normal file
View File

@@ -0,0 +1,34 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/spnego.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
typedef xder_OID MechType;
typedef struct {
size_t MechTypeList_len;
MechType *MechTypeList_val;
} MechTypeList;

32
lib/gssapi/mech/utils.h Normal file
View File

@@ -0,0 +1,32 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/utils.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
extern int _gss_oid_equal(const gss_OID, const gss_OID);
extern OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID);
extern OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status,
const gss_buffer_t from_buf, gss_buffer_t to_buf);

1
lib/gssapi/spnego/.cvsignore Normal file
View File

@@ -0,0 +1 @@
Makefile.in

8
lib/gssapi/spnego/ChangeLog Normal file
View File

@@ -0,0 +1,8 @@
2005-01-11 Luke Howard <lukeh@padl.com>
* spnego.asn1: s/request_mic/request-mic
2005-01-10 Luke Howard <lukeh@padl.com>
* initial revision

47
lib/gssapi/spnego/Makefile.am Normal file
View File

@@ -0,0 +1,47 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += -I$(srcdir)/../mechglue \
-I${srcdir}/../krb5 \
-I${srcdir}/../asn1/include \
$(INCLUDE_des) \
$(INCLUDE_krb4)
gssdir = $(libdir)/gss
spnego_files = \
asn1_ContextFlags.x \
asn1_MechType.x \
asn1_MechTypeList.x \
asn1_NegotiationToken.x \
asn1_NegHints.x \
asn1_NegTokenInit.x \
asn1_NegTokenResp.x
BUILT_SOURCES = $(spnego_files:.x=.c)
gss_LTLIBRARIES = libmech_spnego.la
libmech_spnego_la_LDFLAGS = -version-info 1:0:0
libmech_spnego_la_LIBADD = ../mechglue/libgssapi.la ../asn1/libasn1.la ../roken/libroken.la
include_HEADERS = gssapi_spnego.h
libmech_spnego_la_SOURCES = \
$(BUILT_SOURCES) \
accept_sec_context.c \
compat.c \
context_stubs.c \
cred_stubs.c \
external.c \
init_sec_context.c
CLEANFILES = $(BUILT_SOURCES) $(spnego_files) spnego_asn1.h asn1_files
$(spnego_files) spnego_asn1.h: asn1_files
asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1
../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1 spnego_asn1
$(libmech_spnego_la_OBJECTS): spnego_asn1.h

873
lib/gssapi/spnego/accept_sec_context.c Normal file
View File

@@ -0,0 +1,873 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* Portions Copyright (c) 2004 PADL Software Pty Ltd.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "spnego_locl.h"
RCSID("$Id$");
OM_uint32
_gss_spnego_encode_response(OM_uint32 *minor_status,
const NegTokenResp *resp,
gss_buffer_t data,
u_char **ret_buf)
{
OM_uint32 ret;
u_char *buf;
size_t buf_size, buf_len;
buf_size = 1024;
buf = malloc(buf_size);
if (buf == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
do {
ret = encode_NegTokenResp(buf + buf_size - 1,
buf_size,
resp, &buf_len);
if (ret == 0) {
size_t tmp;
ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
buf_size - buf_len,
buf_len,
CONTEXT,
CONS,
1,
&tmp);
if (ret == 0)
buf_len += tmp;
}
if (ret) {
if (ret == ASN1_OVERFLOW) {
u_char *tmp;
buf_size *= 2;
tmp = realloc (buf, buf_size);
if (tmp == NULL) {
*minor_status = ENOMEM;
free(buf);
return GSS_S_FAILURE;
}
buf = tmp;
} else {
*minor_status = ret;
free(buf);
return GSS_S_FAILURE;
}
}
} while (ret == ASN1_OVERFLOW);
data->value = buf + buf_size - buf_len;
data->length = buf_len;
*ret_buf = buf;
return GSS_S_COMPLETE;
}
static OM_uint32
send_reject (OM_uint32 *minor_status,
gss_buffer_t output_token)
{
NegTokenResp resp;
gss_buffer_desc data;
u_char *buf;
OM_uint32 ret;
ALLOC(resp.negResult, 1);
if (resp.negResult == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
*(resp.negResult) = reject;
resp.supportedMech = NULL;
resp.responseToken = NULL;
resp.mechListMIC = NULL;
ret = _gss_spnego_encode_response (minor_status, &resp, &data, &buf);
free_NegTokenResp(&resp);
if (ret != GSS_S_COMPLETE)
return ret;
output_token->value = malloc(data.length);
if (output_token->value == NULL) {
*minor_status = ENOMEM;
ret = GSS_S_FAILURE;
} else {
output_token->length = data.length;
memcpy(output_token->value, data.value, output_token->length);
}
free(buf);
if (ret != GSS_S_COMPLETE)
return ret;
return GSS_S_BAD_MECH;
}
OM_uint32
_gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
int includeMSCompatOID,
const gss_cred_id_t cred_handle,
MechTypeList *mechtypelist,
gss_OID *preferred_mech)
{
OM_uint32 ret;
gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
int i, count;
if (cred_handle != GSS_C_NO_CREDENTIAL) {
ret = gss_inquire_cred(minor_status,
cred_handle->negotiated_cred_id,
NULL,
NULL,
NULL,
&supported_mechs);
} else {
ret = gss_indicate_mechs(minor_status, &supported_mechs);
}
if (ret != GSS_S_COMPLETE) {
return ret;
}
if (supported_mechs->count == 0) {
*minor_status = ENOENT;
gss_release_oid_set(minor_status, &supported_mechs);
return GSS_S_FAILURE;
}
count = supported_mechs->count;
if (includeMSCompatOID)
count++;
mechtypelist->len = 0;
mechtypelist->val = calloc(count, sizeof(MechType));
if (mechtypelist->val == NULL) {
*minor_status = ENOMEM;
gss_release_oid_set(minor_status, &supported_mechs);
return GSS_S_FAILURE;
}
for (i = 0; i < supported_mechs->count; i++) {
ret = _gss_spnego_add_mech_type(&supported_mechs->elements[i],
includeMSCompatOID,
mechtypelist);
if (ret != 0) {
*minor_status = ENOMEM;
ret = GSS_S_FAILURE;
break;
}
}
if (ret == GSS_S_COMPLETE && preferred_mech != NULL) {
ret = gss_duplicate_oid(minor_status,
&supported_mechs->elements[0],
preferred_mech);
}
if (ret != GSS_S_COMPLETE) {
free_MechTypeList(mechtypelist);
mechtypelist->len = 0;
mechtypelist->val = NULL;
}
gss_release_oid_set(minor_status, &supported_mechs);
return ret;
}
static OM_uint32
send_supported_mechs (OM_uint32 *minor_status,
gss_buffer_t output_token)
{
NegTokenInit ni;
char hostname[MAXHOSTNAMELEN], *p;
gss_buffer_desc name_buf;
gss_OID name_type;
gss_name_t target_princ;
gss_name_t canon_princ;
OM_uint32 ret, minor;
u_char *buf;
size_t buf_size, buf_len;
gss_buffer_desc data;
memset(&ni, 0, sizeof(ni));
ni.reqFlags = NULL;
ni.mechToken = NULL;
ni.negHints = NULL;
ni.mechListMIC = NULL;
ret = _gss_spnego_indicate_mechtypelist(minor_status, 1,
GSS_C_NO_CREDENTIAL,
&ni.mechTypes, NULL);
if (ret != GSS_S_COMPLETE) {
return ret;
}
memset(&target_princ, 0, sizeof(target_princ));
if (gethostname(hostname, sizeof(hostname) - 1) != 0) {
*minor_status = errno;
free_NegTokenInit(&ni);
return GSS_S_FAILURE;
}
/* Send the constructed SAM name for this host */
for (p = hostname; *p != '\0' && *p != '.'; p++) {
*p = toupper(*p);
}
*p++ = '$';
*p = '\0';
name_buf.length = strlen(hostname);
name_buf.value = hostname;
ret = gss_import_name(minor_status, &name_buf,
GSS_C_NO_OID,
&target_princ);
if (ret != GSS_S_COMPLETE) {
return ret;
}
name_buf.length = 0;
name_buf.value = NULL;
/* Canonicalize the name using the preferred mechanism */
ret = gss_canonicalize_name(minor_status,
target_princ,
GSS_C_NO_OID,
&canon_princ);
if (ret != GSS_S_COMPLETE) {
gss_release_name(&minor, &target_princ);
return ret;
}
ret = gss_display_name(minor_status, canon_princ,
&name_buf, &name_type);
if (ret != GSS_S_COMPLETE) {
gss_release_name(&minor, &canon_princ);
gss_release_name(&minor, &target_princ);
return ret;
}
gss_release_name(&minor, &canon_princ);
gss_release_name(&minor, &target_princ);
ALLOC(ni.negHints, 1);
if (ni.negHints == NULL) {
*minor_status = ENOMEM;
gss_release_buffer(&minor, &name_buf);
free_NegTokenInit(&ni);
return GSS_S_FAILURE;
}
ALLOC(ni.negHints->hintName, 1);
if (ni.negHints->hintName == NULL) {
*minor_status = ENOMEM;
gss_release_buffer(&minor, &name_buf);
free_NegTokenInit(&ni);
return GSS_S_FAILURE;
}
*(ni.negHints->hintName) = name_buf.value;
name_buf.value = NULL;
ni.negHints->hintAddress = NULL;
buf_size = 1024;
buf = malloc(buf_size);
if (buf == NULL) {
free_NegTokenInit(&ni);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
do {
ret = encode_NegTokenInit(buf + buf_size - 1,
buf_size,
&ni, &buf_len);
if (ret == 0) {
size_t tmp;
ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
buf_size - buf_len,
buf_len,
CONTEXT,
CONS,
0,
&tmp);
if (ret == 0)
buf_len += tmp;
}
if (ret) {
if (ret == ASN1_OVERFLOW) {
u_char *tmp;
buf_size *= 2;
tmp = realloc (buf, buf_size);
if (tmp == NULL) {
*minor_status = ENOMEM;
free(buf);
free_NegTokenInit(&ni);
return GSS_S_FAILURE;
}
buf = tmp;
} else {
*minor_status = ret;
free(buf);
free_NegTokenInit(&ni);
return GSS_S_FAILURE;
}
}
} while (ret == ASN1_OVERFLOW);
data.value = buf + buf_size - buf_len;
data.length = buf_len;
ret = gss_encapsulate_token(&data,
GSS_SPNEGO_MECHANISM,
output_token);
free (buf);
free_NegTokenInit (&ni);
if (ret != GSS_S_COMPLETE)
return ret;
*minor_status = 0;
return GSS_S_CONTINUE_NEEDED;
}
static OM_uint32
send_accept (OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t mech_token,
int initial_response,
gss_buffer_t mech_buf,
gss_buffer_t output_token)
{
NegTokenResp resp;
gss_buffer_desc data;
u_char *buf;
OM_uint32 ret;
gss_buffer_desc mech_mic_buf;
memset(&resp, 0, sizeof(resp));
ALLOC(resp.negResult, 1);
if (resp.negResult == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (context_handle->open) {
if (mech_token != GSS_C_NO_BUFFER
&& mech_token->length != 0
&& mech_buf != GSS_C_NO_BUFFER)
*(resp.negResult) = accept_incomplete;
else
*(resp.negResult) = accept_completed;
} else {
if (initial_response && context_handle->require_mic)
*(resp.negResult) = request_mic;
else
*(resp.negResult) = accept_incomplete;
}
if (initial_response) {
ALLOC(resp.supportedMech, 1);
if (resp.supportedMech == NULL) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ret = der_get_oid(context_handle->preferred_mech_type->elements,
context_handle->preferred_mech_type->length,
resp.supportedMech,
NULL);
if (ret) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
} else {
resp.supportedMech = NULL;
}
if (mech_token != GSS_C_NO_BUFFER && mech_token->length != 0) {
ALLOC(resp.responseToken, 1);
if (resp.responseToken == NULL) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
resp.responseToken->length = mech_token->length;
resp.responseToken->data = mech_token->value;
mech_token->length = 0;
mech_token->value = NULL;
} else {
resp.responseToken = NULL;
}
if (mech_buf != GSS_C_NO_BUFFER) {
ALLOC(resp.mechListMIC, 1);
if (resp.mechListMIC == NULL) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ret = gss_get_mic(minor_status,
context_handle->negotiated_ctx_id,
0,
mech_buf,
&mech_mic_buf);
if (ret != GSS_S_COMPLETE) {
free_NegTokenResp(&resp);
return ret;
}
resp.mechListMIC->length = mech_mic_buf.length;
resp.mechListMIC->data = mech_mic_buf.value;
} else
resp.mechListMIC = NULL;
ret = _gss_spnego_encode_response (minor_status, &resp, &data, &buf);
if (ret != GSS_S_COMPLETE) {
free_NegTokenResp(&resp);
return ret;
}
/*
* The response should not be encapsulated, because
* it is a SubsequentContextToken (note though RFC 1964
* specifies encapsulation for all _Kerberos_ tokens).
*/
output_token->value = malloc(data.length);
if (output_token->value == NULL) {
*minor_status = ENOMEM;
ret = GSS_S_FAILURE;
} else {
output_token->length = data.length;
memcpy(output_token->value, data.value, output_token->length);
}
free(buf);
if (ret != GSS_S_COMPLETE) {
free_NegTokenResp(&resp);
return ret;
}
ret = (*(resp.negResult) == accept_completed) ? GSS_S_COMPLETE :
GSS_S_CONTINUE_NEEDED;
free_NegTokenResp(&resp);
return ret;
}
static OM_uint32
verify_mechlist_mic
(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t mech_buf,
heim_octet_string *mechListMIC
)
{
OM_uint32 ret;
gss_buffer_desc mic_buf;
if (context_handle->verified_mic) {
/* This doesn't make sense, we've already verified it? */
*minor_status = 0;
return GSS_S_DUPLICATE_TOKEN;
}
if (mechListMIC == NULL) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
mic_buf.length = mechListMIC->length;
mic_buf.value = mechListMIC->data;
ret = gss_verify_mic(minor_status,
context_handle->negotiated_ctx_id,
mech_buf,
&mic_buf,
NULL);
if (ret != GSS_S_COMPLETE)
ret = GSS_S_DEFECTIVE_TOKEN;
return ret;
}
OM_uint32
gss_spnego_accept_sec_context
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
gss_name_t * src_name,
gss_OID * mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec,
gss_cred_id_t *delegated_cred_handle
)
{
OM_uint32 ret, ret2, minor;
NegTokenInit ni;
NegTokenResp na;
size_t ni_len, na_len;
int i;
gss_buffer_desc data;
size_t len, taglen;
int initialToken;
unsigned int negResult = accept_incomplete;
gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
gss_ctx_id_t ctx;
gss_buffer_desc mech_buf;
gss_OID preferred_mech_type = GSS_C_NO_OID;
*minor_status = 0;
output_token->length = 0;
output_token->value = NULL;
if (src_name != NULL)
*src_name = GSS_C_NO_NAME;
if (mech_type != NULL)
*mech_type = GSS_C_NO_OID;
if (ret_flags != NULL)
*ret_flags = 0;
if (time_rec != NULL)
*time_rec = 0;
if (delegated_cred_handle != NULL)
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
mech_buf.value = NULL;
if (*context_handle == GSS_C_NO_CONTEXT) {
ret = _gss_spnego_alloc_sec_context(minor_status,
context_handle);
if (ret != GSS_S_COMPLETE)
return ret;
if (input_token_buffer->length == 0) {
return send_supported_mechs (minor_status,
output_token);
}
}
ctx = *context_handle;
/*
* The GSS-API encapsulation is only present on the initial
* context token (negTokenInit).
*/
ret = gss_decapsulate_token (input_token_buffer,
GSS_SPNEGO_MECHANISM,
&data);
initialToken = (ret == GSS_S_COMPLETE);
if (!initialToken) {
data.value = input_token_buffer->value;
data.length = input_token_buffer->length;
}
ret = der_match_tag_and_length(data.value, data.length,
CONTEXT, CONS,
initialToken ? 0 : 1,
&len, &taglen);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
if (len > data.length - taglen) {
*minor_status = ASN1_OVERRUN;
return GSS_S_FAILURE;
}
if (initialToken) {
ret = decode_NegTokenInit((const char *)data.value + taglen, len,
&ni, &ni_len);
} else {
ret = decode_NegTokenResp((const char *)data.value + taglen, len,
&na, &na_len);
}
if (ret) {
*minor_status = ret;
return GSS_S_DEFECTIVE_TOKEN;
}
if (!initialToken && na.negResult != NULL) {
negResult = *(na.negResult);
}
if (negResult == reject || negResult == request_mic) {
/* request_mic should only be sent by acceptor */
free_NegTokenResp(&na);
return GSS_S_DEFECTIVE_TOKEN;
}
if (initialToken) {
for (i = 0; i < ni.mechTypes.len; ++i) {
/* Call glue layer to find first mech we support */
ret = _gss_spnego_select_mech(minor_status, &ni.mechTypes.val[i],
&preferred_mech_type);
if (ret == 0)
break;
}
if (preferred_mech_type == GSS_C_NO_OID) {
free_NegTokenInit(&ni);
return GSS_S_BAD_MECH;
}
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (initialToken) {
ctx->preferred_mech_type = preferred_mech_type;
ctx->initiator_mech_types.len = ni.mechTypes.len;
ctx->initiator_mech_types.val = ni.mechTypes.val;
ni.mechTypes.len = 0;
ni.mechTypes.val = NULL;
}
{
gss_buffer_desc ibuf, obuf;
OM_uint32 minor;
int require_mic, verify_mic, get_mic;
int require_response;
heim_octet_string *mic;
if (initialToken) {
if (ni.mechToken != NULL) {
ibuf.length = ni.mechToken->length;
ibuf.value = ni.mechToken->data;
mech_input_token = &ibuf;
}
} else {
if (na.responseToken != NULL) {
ibuf.length = na.responseToken->length;
ibuf.value = na.responseToken->data;
mech_input_token = &ibuf;
}
}
if (mech_input_token != GSS_C_NO_BUFFER) {
gss_cred_id_t mech_cred;
gss_cred_id_t mech_delegated_cred;
gss_cred_id_t *mech_delegated_cred_p;
if (acceptor_cred_handle != GSS_C_NO_CREDENTIAL)
mech_cred = acceptor_cred_handle->negotiated_cred_id;
else
mech_cred = GSS_C_NO_CREDENTIAL;
if (delegated_cred_handle != NULL) {
mech_delegated_cred = GSS_C_NO_CREDENTIAL;
mech_delegated_cred_p = &mech_delegated_cred;
} else {
mech_delegated_cred_p = NULL;
}
if (ctx->mech_src_name != GSS_C_NO_NAME)
gss_release_name(&minor, &ctx->mech_src_name);
if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
_gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
ret = gss_accept_sec_context(&minor,
&ctx->negotiated_ctx_id,
mech_cred,
mech_input_token,
input_chan_bindings,
&ctx->mech_src_name,
&ctx->negotiated_mech_type,
&obuf,
&ctx->mech_flags,
&ctx->mech_time_rec,
mech_delegated_cred_p);
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
if (mech_delegated_cred_p != NULL &&
mech_delegated_cred != GSS_C_NO_CREDENTIAL) {
ret2 = _gss_spnego_alloc_cred(minor_status,
mech_delegated_cred,
&ctx->delegated_cred_id);
if (ret2 != GSS_S_COMPLETE)
ret = ret2;
}
mech_output_token = &obuf;
}
if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
if (initialToken)
free_NegTokenInit(&ni);
else
free_NegTokenResp(&na);
send_reject (minor_status, output_token);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
if (ret == GSS_S_COMPLETE)
ctx->open = 1;
} else
ret = GSS_S_COMPLETE;
ret2 = _gss_spnego_require_mechlist_mic(minor_status,
ctx,
&require_mic);
if (ret2)
goto out;
ctx->require_mic = require_mic;
mic = initialToken ? ni.mechListMIC : na.mechListMIC;
if (mic != NULL)
require_mic = TRUE;
if (ctx->open && require_mic) {
if (mech_input_token == GSS_C_NO_BUFFER) { /* Even/One */
verify_mic = TRUE;
get_mic = FALSE;
} else if (mech_output_token != GSS_C_NO_BUFFER &&
mech_output_token->length == 0) { /* Odd */
get_mic = verify_mic = TRUE;
} else { /* Even/One */
verify_mic = FALSE;
get_mic = TRUE;
}
if (verify_mic || get_mic) {
krb5_error_code kret;
size_t buf_len;
ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length,
&ctx->initiator_mech_types, &buf_len, kret);
if (kret) {
ret2 = GSS_S_FAILURE;
*minor_status = kret;
goto out;
}
if (mech_buf.length != buf_len)
abort();
}
if (verify_mic) {
ret2 = verify_mechlist_mic(minor_status, ctx, &mech_buf, mic);
if (ret2) {
if (get_mic)
send_reject (minor_status, output_token);
goto out;
}
ctx->verified_mic = 1;
}
} else
verify_mic = get_mic = FALSE;
if (ctx->mech_flags & GSS_C_DCE_STYLE)
require_response = (negResult != accept_completed);
else
require_response = 0;
/*
* Check whether we need to send a result: there should be only
* one accept_completed response sent in the entire negotiation
*/
if ((mech_output_token != GSS_C_NO_BUFFER &&
mech_output_token->length != 0)
|| require_response
|| get_mic) {
ret2 = send_accept (minor_status,
ctx,
mech_output_token,
initialToken,
get_mic ? &mech_buf : NULL,
output_token);
if (ret2)
goto out;
}
out:
if (ret2 != GSS_S_COMPLETE)
ret = ret2;
if (mech_output_token != NULL)
gss_release_buffer(&minor, mech_output_token);
if (mech_buf.value != NULL)
free(mech_buf.value);
if (initialToken)
free_NegTokenInit(&ni);
else
free_NegTokenResp(&na);
}
if (ret == GSS_S_COMPLETE) {
if (src_name != NULL) {
ret2 = gss_duplicate_name(minor_status,
ctx->mech_src_name,
src_name);
if (ret2 != GSS_S_COMPLETE)
ret = ret2;
}
if (delegated_cred_handle != NULL) {
*delegated_cred_handle = ctx->delegated_cred_id;
ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
}
}
if (mech_type != NULL)
*mech_type = ctx->negotiated_mech_type;
if (ret_flags != NULL)
*ret_flags = ctx->mech_flags;
if (time_rec != NULL)
*time_rec = ctx->mech_time_rec;
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
_gss_spnego_delete_sec_context(&minor, context_handle,
GSS_C_NO_BUFFER);
return ret;
}

289
lib/gssapi/spnego/compat.c Normal file
View File

@@ -0,0 +1,289 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "spnego_locl.h"
RCSID("$Id$");
/*
* Apparently Microsoft got the OID wrong, and used
* 1.2.840.48018.1.2.2 instead. We need both this and
* the correct Kerberos OID here in order to deal with
* this. Because this is manifest in SPNEGO only I'd
* prefer to deal with this here rather than inside the
* Kerberos mechanism.
*/
static gss_OID_desc gss_mskrb_mechanism_oid_desc =
{9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
static gss_OID_desc gss_krb5_mechanism_oid_desc =
{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
/*
* Allocate a SPNEGO context handle
*/
OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
gss_ctx_id_t *context_handle)
{
gss_ctx_id_t ctx;
ctx = malloc(sizeof(gss_ctx_id_t_desc));
if (ctx == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ctx->initiator_mech_types.len = 0;
ctx->initiator_mech_types.val = NULL;
ctx->preferred_mech_type = NULL;
ctx->negotiated_mech_type = NULL;
ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
/*
* Cache these so we can return them before returning
* GSS_S_COMPLETE, even if the mechanism has itself
* completed earlier
*/
ctx->mech_flags = 0;
ctx->mech_time_rec = 0;
ctx->mech_src_name = GSS_C_NO_NAME;
ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
ctx->open = 0;
ctx->local = 0;
ctx->require_mic = 0;
ctx->verified_mic = 0;
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
*context_handle = ctx;
return GSS_S_COMPLETE;
}
/*
* Free a SPNEGO context handle. The caller must have acquired
* the lock before this is called.
*/
OM_uint32 _gss_spnego_delete_sec_context
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token
)
{
gss_ctx_id_t ctx;
OM_uint32 ret, minor;
*minor_status = 0;
if (context_handle == NULL) {
return GSS_S_NO_CONTEXT;
}
if (output_token != GSS_C_NO_BUFFER) {
output_token->length = 0;
output_token->value = NULL;
}
ctx = *context_handle;
if (ctx == NULL) {
return GSS_S_NO_CONTEXT;
}
if (ctx->initiator_mech_types.val != NULL)
free_MechTypeList(&ctx->initiator_mech_types);
_gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
gss_release_oid(&minor, &ctx->preferred_mech_type);
gss_release_oid(&minor, &ctx->negotiated_mech_type);
gss_release_name(&minor, &ctx->mech_src_name);
if (ctx->negotiated_ctx_id != GSS_C_NO_CONTEXT) {
ret = gss_delete_sec_context(minor_status,
&ctx->negotiated_ctx_id,
output_token);
ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
} else {
ret = GSS_S_COMPLETE;
}
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
free(ctx);
*context_handle = NULL;
return ret;
}
/*
* For compatability with the Windows SPNEGO implementation, the
* default is to ignore the mechListMIC unless CFX is used and
* a non-preferred mechanism was negotiated
*/
OM_uint32
_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
gss_ctx_id_t ctx,
int *require_mic)
{
gss_buffer_set_t buffer_set = GSS_C_NO_BUFFER_SET;
OM_uint32 minor;
*minor_status = 0;
*require_mic = 0;
if (ctx == GSS_C_NO_CONTEXT) {
return GSS_S_COMPLETE;
}
if (ctx->require_mic) {
/* Acceptor requested it: mandatory to honour */
*require_mic = 1;
return GSS_S_COMPLETE;
}
/*
* Check whether peer indicated implicit support for updated SPNEGO
* (eg. in the Kerberos case by using CFX)
*/
if (gss_inquire_sec_context_by_oid(&minor, ctx->negotiated_ctx_id,
GSS_C_PEER_HAS_UPDATED_SPNEGO,
&buffer_set) == GSS_S_COMPLETE) {
*require_mic = 1;
gss_release_buffer_set(&minor, &buffer_set);
}
/* Safe-to-omit MIC rules follow */
if (*require_mic) {
if (gss_oid_equal(ctx->negotiated_mech_type, ctx->preferred_mech_type)) {
*require_mic = 0;
} else if (gss_oid_equal(ctx->negotiated_mech_type, &gss_krb5_mechanism_oid_desc) &&
gss_oid_equal(ctx->preferred_mech_type, &gss_mskrb_mechanism_oid_desc)) {
*require_mic = 0;
}
}
return GSS_S_COMPLETE;
}
OM_uint32 gss_spnego_internal_release_oid(OM_uint32 *minor_status, gss_OID *OID)
{
*minor_status = 0;
if (*OID == GSS_SPNEGO_MECHANISM ||
*OID == &gss_mskrb_mechanism_oid_desc ||
*OID == &gss_krb5_mechanism_oid_desc) {
*OID = GSS_C_NO_OID;
return GSS_S_COMPLETE;
}
return GSS_S_FAILURE;
}
int _gss_spnego_add_mech_type(gss_OID mech_type,
int includeMSCompatOID,
MechTypeList *mechtypelist)
{
int ret;
if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM))
return 0;
if (includeMSCompatOID &&
gss_oid_equal(mech_type, &gss_krb5_mechanism_oid_desc)) {
ret = der_get_oid(gss_mskrb_mechanism_oid_desc.elements,
gss_mskrb_mechanism_oid_desc.length,
&mechtypelist->val[mechtypelist->len],
NULL);
if (ret)
return ret;
mechtypelist->len++;
}
ret = der_get_oid(mech_type->elements,
mech_type->length,
&mechtypelist->val[mechtypelist->len],
NULL);
if (ret)
return ret;
mechtypelist->len++;
return 0;
}
OM_uint32
_gss_spnego_select_mech(OM_uint32 *minor_status,
MechType *mechType,
gss_OID *mech_p)
{
char mechbuf[64];
size_t mech_len;
gss_OID_desc oid;
OM_uint32 ret;
gss_mechanism mech;
ret = der_put_oid (mechbuf + sizeof(mechbuf) - 1,
sizeof(mechbuf),
mechType,
&mech_len);
if (ret) {
return GSS_S_DEFECTIVE_TOKEN;
}
oid.length = mech_len;
oid.elements = mechbuf + sizeof(mechbuf) - mech_len;
if (gss_oid_equal(&oid, GSS_SPNEGO_MECHANISM)) {
return GSS_S_BAD_MECH;
}
*minor_status = 0;
/* Translate broken MS Kebreros OID */
if (gss_oid_equal(&oid, &gss_mskrb_mechanism_oid_desc)) {
mech = __gss_get_mechanism(&gss_krb5_mechanism_oid_desc);
if (mech == NULL)
return GSS_S_BAD_MECH;
*mech_p = &gss_mskrb_mechanism_oid_desc;
} else {
mech = __gss_get_mechanism(&oid);
if (mech == NULL)
return GSS_S_BAD_MECH;
*mech_p = &mech->mech_type;
}
return GSS_S_COMPLETE;
}

697
lib/gssapi/spnego/context_stubs.c Normal file
View File

@@ -0,0 +1,697 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "spnego_locl.h"
RCSID("$Id$");
OM_uint32 gss_spnego_process_context_token
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer
)
{
OM_uint32 ret;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = gss_process_context_token(minor_status,
context_handle->negotiated_ctx_id,
token_buffer);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return ret;
}
context_handle->negotiated_ctx_id = GSS_C_NO_CONTEXT;
return _gss_spnego_delete_sec_context(minor_status,
(gss_ctx_id_t *)&context_handle,
GSS_C_NO_BUFFER);
}
OM_uint32 gss_spnego_delete_sec_context
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token
)
{
if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex);
return _gss_spnego_delete_sec_context(minor_status,
context_handle,
output_token);
}
OM_uint32 gss_spnego_context_time
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 *time_rec
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_context_time(minor_status,
context_handle->negotiated_ctx_id,
time_rec);
}
OM_uint32 gss_spnego_get_mic
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_get_mic(minor_status, context_handle->negotiated_ctx_id,
qop_req, message_buffer, message_token);
}
OM_uint32 gss_spnego_verify_mic
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_verify_mic(minor_status,
context_handle->negotiated_ctx_id,
message_buffer,
token_buffer,
qop_state);
}
OM_uint32 gss_spnego_wrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_message_buffer
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_wrap(minor_status,
context_handle->negotiated_ctx_id,
conf_req_flag,
qop_req,
input_message_buffer,
conf_state,
output_message_buffer);
}
OM_uint32 gss_spnego_unwrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
gss_qop_t * qop_state
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_unwrap(minor_status,
context_handle->negotiated_ctx_id,
input_message_buffer,
output_message_buffer,
conf_state,
qop_state);
}
#if 0
OM_uint32 gss_spnego_display_status
(OM_uint32 * minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 * message_context,
gss_buffer_t status_string
)
{
return GSS_S_FAILURE;
}
#endif
OM_uint32 gss_spnego_indicate_mechs
(OM_uint32 * minor_status,
gss_OID_set * mech_set
)
{
OM_uint32 ret;
ret = gss_create_empty_oid_set(minor_status, mech_set);
if (ret)
return ret;
ret = gss_add_oid_set_member(minor_status, GSS_SPNEGO_MECHANISM, mech_set);
if (ret) {
gss_release_oid_set(NULL, mech_set);
return ret;
}
return GSS_S_COMPLETE;
}
OM_uint32 gss_spnego_compare_name
(OM_uint32 *minor_status,
const gss_name_t name1,
const gss_name_t name2,
int * name_equal
)
{
return gss_compare_name(minor_status, name1, name2, name_equal);
}
OM_uint32 gss_spnego_display_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID * output_name_type
)
{
return gss_display_name(minor_status, input_name,
output_name_buffer, output_name_type);
}
OM_uint32 gss_spnego_import_name
(OM_uint32 * minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,
gss_name_t * output_name
)
{
return gss_import_name(minor_status, input_name_buffer,
input_name_type, output_name);
}
OM_uint32 gss_spnego_export_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t exported_name
)
{
return gss_export_name(minor_status, input_name,
exported_name);
}
OM_uint32 gss_spnego_release_name
(OM_uint32 * minor_status,
gss_name_t * input_name
)
{
return gss_release_name(minor_status, input_name);
}
OM_uint32 gss_spnego_inquire_context (
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_name_t * src_name,
gss_name_t * targ_name,
OM_uint32 * lifetime_rec,
gss_OID * mech_type,
OM_uint32 * ctx_flags,
int * locally_initiated,
int * open_context
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_inquire_context(minor_status,
context_handle->negotiated_ctx_id,
src_name,
targ_name,
lifetime_rec,
mech_type,
ctx_flags,
locally_initiated,
open_context);
}
OM_uint32 gss_spnego_wrap_size_limit (
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 * max_input_size
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_wrap_size_limit(minor_status,
context_handle->negotiated_ctx_id,
conf_req_flag,
qop_req,
req_output_size,
max_input_size);
}
OM_uint32 gss_spnego_export_sec_context (
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t interprocess_token
)
{
gss_ctx_id_t ctx;
OM_uint32 ret;
*minor_status = 0;
if (context_handle == NULL) {
return GSS_S_NO_CONTEXT;
}
ctx = *context_handle;
if (ctx == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_NO_CONTEXT;
}
ret = gss_export_sec_context(minor_status,
&ctx->negotiated_ctx_id,
interprocess_token);
if (ret == GSS_S_COMPLETE) {
ret = _gss_spnego_delete_sec_context(minor_status,
&ctx,
GSS_C_NO_BUFFER);
if (ret == GSS_S_COMPLETE) {
*context_handle = GSS_C_NO_CONTEXT;
return GSS_S_COMPLETE;
}
}
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
OM_uint32 gss_spnego_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle
)
{
OM_uint32 ret, minor;
gss_ctx_id_t ctx;
ret = _gss_spnego_alloc_sec_context(minor_status, &ctx);
if (ret != GSS_S_COMPLETE) {
return ret;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = gss_import_sec_context(minor_status,
interprocess_token,
&ctx->negotiated_ctx_id);
if (ret != GSS_S_COMPLETE) {
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return ret;
}
ctx->open = 1;
/* don't bother filling in the rest of the fields */
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_COMPLETE;
}
OM_uint32 gss_spnego_inquire_names_for_mech (
OM_uint32 * minor_status,
const gss_OID mechanism,
gss_OID_set * name_types
)
{
return gss_create_empty_oid_set(minor_status, name_types);
}
OM_uint32 gss_spnego_canonicalize_name (
OM_uint32 * minor_status,
const gss_name_t input_name,
const gss_OID mech_type,
gss_name_t * output_name
)
{
return gss_canonicalize_name(minor_status,
input_name,
mech_type,
output_name);
}
OM_uint32 gss_spnego_duplicate_name (
OM_uint32 * minor_status,
const gss_name_t src_name,
gss_name_t * dest_name
)
{
return gss_duplicate_name(minor_status, src_name, dest_name);
}
OM_uint32 gss_spnego_sign
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int qop_req,
gss_buffer_t message_buffer,
gss_buffer_t message_token
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_sign(minor_status,
context_handle->negotiated_ctx_id,
qop_req,
message_buffer,
message_token);
}
OM_uint32 gss_spnego_verify
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t message_buffer,
gss_buffer_t token_buffer,
int * qop_state
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_verify(minor_status,
context_handle->negotiated_ctx_id,
message_buffer,
token_buffer,
qop_state);
}
OM_uint32 gss_spnego_seal
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
int qop_req,
gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_message_buffer
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_seal(minor_status,
context_handle->negotiated_ctx_id,
conf_req_flag,
qop_req,
input_message_buffer,
conf_state,
output_message_buffer);
}
OM_uint32 gss_spnego_unseal
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
int * qop_state
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_unseal(minor_status,
context_handle->negotiated_ctx_id,
input_message_buffer,
output_message_buffer,
conf_state,
qop_state);
}
OM_uint32 gss_spnego_unwrap_ex
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_header_buffer,
const gss_buffer_t associated_data_buffer,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
gss_qop_t * qop_state)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_unwrap_ex(minor_status,
context_handle->negotiated_ctx_id,
token_header_buffer,
associated_data_buffer,
input_message_buffer,
output_message_buffer,
conf_state,
qop_state);
}
OM_uint32 gss_spnego_wrap_ex
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t associated_data_buffer,
const gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_token_buffer,
gss_buffer_t output_message_buffer
)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if ((context_handle->mech_flags & GSS_C_DCE_STYLE) == 0 &&
associated_data_buffer->length != input_message_buffer->length) {
*minor_status = EINVAL;
return GSS_S_BAD_QOP;
}
return gss_wrap_ex(minor_status,
context_handle->negotiated_ctx_id,
conf_req_flag,
qop_req,
associated_data_buffer,
input_message_buffer,
conf_state,
output_token_buffer,
output_message_buffer);
}
OM_uint32 gss_spnego_complete_auth_token
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_complete_auth_token(minor_status,
context_handle->negotiated_ctx_id,
input_message_buffer);
}
OM_uint32 gss_spnego_inquire_sec_context_by_oid
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if (context_handle->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_inquire_sec_context_by_oid(minor_status,
context_handle->negotiated_ctx_id,
desired_object,
data_set);
}
OM_uint32 gss_spnego_set_sec_context_option
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
*minor_status = 0;
if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
if ((*context_handle)->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
}
return gss_set_sec_context_option(minor_status,
&(*context_handle)->negotiated_ctx_id,
desired_object,
value);
}

277
lib/gssapi/spnego/cred_stubs.c Normal file
View File

@@ -0,0 +1,277 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "spnego_locl.h"
RCSID("$Id$");
OM_uint32
_gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
{
OM_uint32 ret;
*minor_status = 0;
if (*cred_handle == GSS_C_NO_CREDENTIAL) {
return GSS_S_COMPLETE;
}
ret = gss_release_cred(minor_status, &(*cred_handle)->negotiated_cred_id);
free(*cred_handle);
*cred_handle = GSS_C_NO_CREDENTIAL;
return ret;
}
OM_uint32
_gss_spnego_alloc_cred(OM_uint32 *minor_status,
gss_cred_id_t mech_cred_handle,
gss_cred_id_t *cred_handle)
{
if (*cred_handle != GSS_C_NO_CREDENTIAL) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
*cred_handle = (gss_cred_id_t)malloc(sizeof(*cred_handle));
if (*cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
(*cred_handle)->negotiated_cred_id = mech_cred_handle;
return GSS_S_COMPLETE;
}
/*
* For now, just a simple wrapper that avoids recursion. When
* we support gss_{get,set}_neg_mechs() we will need to expose
* more functionality.
*/
OM_uint32 gss_spnego_acquire_cred
(OM_uint32 *minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
{
OM_uint32 ret, tmp;
gss_OID_set_desc actual_desired_mechs;
int i, j;
gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
/* Remove ourselves from this list */
actual_desired_mechs.count = desired_mechs->count;
actual_desired_mechs.elements = malloc(actual_desired_mechs.count *
sizeof(gss_OID_desc));
if (actual_desired_mechs.elements == NULL) {
*minor_status = ENOMEM;
ret = GSS_S_FAILURE;
goto out;
}
for (i = 0, j = 0; i < desired_mechs->count; i++) {
if (gss_oid_equal(&desired_mechs->elements[i],
GSS_SPNEGO_MECHANISM))
continue;
actual_desired_mechs.elements[j].length =
desired_mechs->elements[i].length;
actual_desired_mechs.elements[j].elements =
desired_mechs->elements[i].elements;
j++;
}
actual_desired_mechs.count = j;
ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
&cred_handle);
if (ret != GSS_S_COMPLETE)
goto out;
ret = gss_acquire_cred(minor_status, desired_name,
time_req, &actual_desired_mechs,
cred_usage,
&cred_handle->negotiated_cred_id,
actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE)
goto out;
*output_cred_handle = (gss_cred_id_t)cred_handle;
out:
if (actual_desired_mechs.elements != NULL) {
free(actual_desired_mechs.elements);
}
if (ret != GSS_S_COMPLETE) {
_gss_spnego_release_cred(&tmp, &cred_handle);
}
return ret;
}
OM_uint32 gss_spnego_release_cred
(OM_uint32 *minor_status,
gss_cred_id_t *cred_handle
)
{
return _gss_spnego_release_cred(minor_status, cred_handle);
}
OM_uint32 gss_spnego_inquire_cred
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
gss_name_t * name,
OM_uint32 * lifetime,
gss_cred_usage_t * cred_usage,
gss_OID_set * mechanisms
)
{
OM_uint32 ret;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
ret = gss_inquire_cred(minor_status,
cred_handle->negotiated_cred_id,
name,
lifetime,
cred_usage,
mechanisms);
return ret;
}
OM_uint32 gss_spnego_add_cred (
OM_uint32 * minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * initiator_time_rec,
OM_uint32 * acceptor_time_rec
)
{
gss_cred_id_t spnego_output_cred_handle = GSS_C_NO_CREDENTIAL;
OM_uint32 ret, tmp;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
&spnego_output_cred_handle);
if (ret)
return ret;
ret = gss_add_cred(minor_status,
input_cred_handle->negotiated_cred_id,
desired_name,
desired_mech,
cred_usage,
initiator_time_req,
acceptor_time_req,
&spnego_output_cred_handle->negotiated_cred_id,
actual_mechs,
initiator_time_rec,
acceptor_time_rec);
if (ret) {
_gss_spnego_release_cred(&tmp, &spnego_output_cred_handle);
return ret;
}
*output_cred_handle = spnego_output_cred_handle;
return GSS_S_COMPLETE;
}
OM_uint32 gss_spnego_inquire_cred_by_mech (
OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID mech_type,
gss_name_t * name,
OM_uint32 * initiator_lifetime,
OM_uint32 * acceptor_lifetime,
gss_cred_usage_t * cred_usage
)
{
OM_uint32 ret;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
ret = gss_inquire_cred_by_mech(minor_status,
cred_handle->negotiated_cred_id,
mech_type,
name,
initiator_lifetime,
acceptor_lifetime,
cred_usage);
return ret;
}
OM_uint32 gss_spnego_inquire_cred_by_oid
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
OM_uint32 ret;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
ret = gss_inquire_cred_by_oid(minor_status,
cred_handle->negotiated_cred_id,
desired_object,
data_set);
return ret;
}

8
lib/gssapi/spnego/exports Normal file
View File

@@ -0,0 +1,8 @@
#ident $Id$
GSSAPI_2.0 {
global:
gss_spnego_initialize;
GSS_SPNEGO_MECHANISM;
local:
*;
};

99
lib/gssapi/spnego/external.c Normal file
View File

@@ -0,0 +1,99 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "spnego_locl.h"
RCSID("$Id$");
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
static struct gss_config spnego_mech = {
{6, (void *)"\x2b\x06\x01\x05\x05\x02"},
NULL,
gss_spnego_acquire_cred,
gss_spnego_release_cred,
gss_spnego_init_sec_context,
gss_spnego_accept_sec_context,
gss_spnego_process_context_token,
gss_spnego_delete_sec_context,
gss_spnego_context_time,
gss_spnego_sign,
gss_spnego_verify,
gss_spnego_seal,
gss_spnego_unseal,
NULL, /*gss_spnego_display_status,*/
gss_spnego_indicate_mechs,
gss_spnego_compare_name,
gss_spnego_display_name,
gss_spnego_import_name,
gss_spnego_release_name,
gss_spnego_inquire_cred,
gss_spnego_add_cred,
gss_spnego_export_sec_context,
gss_spnego_import_sec_context,
gss_spnego_inquire_cred_by_mech,
gss_spnego_inquire_names_for_mech,
gss_spnego_inquire_context,
gss_spnego_internal_release_oid,
gss_spnego_wrap_size_limit,
NULL, /*gss_spnego_pname_to_uid,*/
gss_spnego_duplicate_name,
NULL, /*gss_spnego_set_allowable_enctypes */
gss_spnego_verify_mic,
gss_spnego_get_mic,
gss_spnego_wrap,
gss_spnego_unwrap,
gss_spnego_canonicalize_name,
gss_spnego_export_name,
gss_spnego_wrap_ex,
gss_spnego_unwrap_ex,
gss_spnego_complete_auth_token,
NULL, /*gss_spnego_set_neg_mechs*/
NULL, /*gss_spnego_get_neg_mechs*/
gss_spnego_inquire_sec_context_by_oid,
gss_spnego_inquire_cred_by_oid,
gss_spnego_set_sec_context_option,
NULL /*gss_spnego_userok*/
};
gss_OID GSS_SPNEGO_MECHANISM = &spnego_mech.mech_type;
gss_mechanism gss_spnego_initialize(void)
{
return &spnego_mech;
}

58
lib/gssapi/spnego/gssapi_spnego.h Normal file
View File

@@ -0,0 +1,58 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef GSSAPI_SPNEGO_H_
#define GSSAPI_SPNEGO_H_
#include <gssapi.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
extern gss_OID GSS_SPNEGO_MECHANISM;
#define gss_mech_spnego GSS_SPNEGO_MECHANISM
#ifdef __cplusplus
}
#endif
#endif /* GSSAPI_SPNEGO_H_ */

576
lib/gssapi/spnego/init_sec_context.c Normal file
View File

@@ -0,0 +1,576 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* Portions Copyright (c) 2004 PADL Software Pty Ltd.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "spnego_locl.h"
RCSID("$Id$");
/*
* Send a reply. Note that we only need to send a reply if we
* need to send a MIC or a mechanism token. Otherwise, we can
* return an empty buffer.
*
* The return value of this will be returned to the API, so it
* must return GSS_S_CONTINUE_NEEDED if a token was generated.
*/
static OM_uint32
spnego_reply_internal(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
const gss_buffer_t mech_buf,
gss_buffer_t mech_token,
gss_buffer_t output_token)
{
NegTokenResp resp;
gss_buffer_desc mic_buf;
OM_uint32 ret;
gss_buffer_desc data;
u_char *buf;
if (mech_buf == GSS_C_NO_BUFFER && mech_token->length == 0) {
output_token->length = 0;
output_token->value = NULL;
return context_handle->open ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
memset(&resp, 0, sizeof(resp));
ALLOC(resp.negResult, 1);
if (resp.negResult == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
resp.supportedMech = NULL;
output_token->length = 0;
output_token->value = NULL;
if (mech_token->length == 0) {
resp.responseToken = NULL;
*(resp.negResult) = accept_completed;
} else {
ALLOC(resp.responseToken, 1);
if (resp.responseToken == NULL) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
resp.responseToken->length = mech_token->length;
resp.responseToken->data = mech_token->value;
mech_token->length = 0;
mech_token->value = NULL;
*(resp.negResult) = accept_incomplete;
}
if (mech_buf != GSS_C_NO_BUFFER) {
ALLOC(resp.mechListMIC, 1);
if (resp.mechListMIC == NULL) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ret = gss_get_mic(minor_status,
context_handle->negotiated_ctx_id,
0,
mech_buf,
&mic_buf);
if (ret) {
free_NegTokenResp(&resp);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
resp.mechListMIC->length = mic_buf.length;
resp.mechListMIC->data = mic_buf.value;
} else {
resp.mechListMIC = NULL;
}
ret = _gss_spnego_encode_response (minor_status, &resp,
&data, &buf);
if (ret) {
free_NegTokenResp(&resp);
return ret;
}
output_token->value = malloc(data.length);
if (output_token->value == NULL) {
*minor_status = ENOMEM;
ret = GSS_S_FAILURE;
} else {
output_token->length = data.length;
memcpy(output_token->value, data.value, output_token->length);
}
free(buf);
if (*(resp.negResult) == accept_completed)
ret = GSS_S_COMPLETE;
else
ret = GSS_S_CONTINUE_NEEDED;
free_NegTokenResp(&resp);
return ret;
}
static OM_uint32
spnego_initial
(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec
)
{
NegTokenInit ni;
int ret;
OM_uint32 sub, minor;
gss_buffer_desc mech_token;
u_char *buf;
size_t buf_size, buf_len;
gss_buffer_desc data;
size_t ni_len;
gss_ctx_id_t ctx;
memset (&ni, 0, sizeof(ni));
*context_handle = GSS_C_NO_CONTEXT;
*minor_status = 0;
sub = _gss_spnego_alloc_sec_context(&minor, &ctx);
if (GSS_ERROR(sub)) {
*minor_status = minor;
return sub;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ctx->local = 1;
sub = _gss_spnego_indicate_mechtypelist(&minor, 0,
initiator_cred_handle,
&ni.mechTypes,
&ctx->preferred_mech_type);
if (GSS_ERROR(sub)) {
*minor_status = minor;
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return sub;
}
ni.reqFlags = NULL;
/*
* If we have a credential handle, use it to select the mechanism
* that we will use
*/
/* generate optimistic token */
sub = gss_init_sec_context(&minor,
initiator_cred_handle ?
initiator_cred_handle->negotiated_cred_id :
GSS_C_NO_CREDENTIAL,
&ctx->negotiated_ctx_id,
target_name,
GSS_C_NO_OID,
req_flags,
time_req,
input_chan_bindings,
input_token,
&ctx->negotiated_mech_type,
&mech_token,
&ctx->mech_flags,
&ctx->mech_time_rec);
if (GSS_ERROR(sub)) {
free_NegTokenInit(&ni);
*minor_status = minor;
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return sub;
}
if (mech_token.length != 0) {
ALLOC(ni.mechToken, 1);
if (ni.mechToken == NULL) {
free_NegTokenInit(&ni);
gss_release_buffer(&minor, &mech_token);
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ni.mechToken->length = mech_token.length;
ni.mechToken->data = malloc(mech_token.length);
if (ni.mechToken->data == NULL && mech_token.length != 0) {
free_NegTokenInit(&ni);
gss_release_buffer(&minor, &mech_token);
*minor_status = ENOMEM;
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return GSS_S_FAILURE;
}
memcpy(ni.mechToken->data, mech_token.value, mech_token.length);
gss_release_buffer(&minor, &mech_token);
} else
ni.mechToken = NULL;
ni.mechListMIC = NULL;
ni_len = length_NegTokenInit(&ni);
buf_size = 1 + length_len(ni_len) + ni_len;
buf = malloc(buf_size);
if (buf == NULL) {
free_NegTokenInit(&ni);
*minor_status = ENOMEM;
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return GSS_S_FAILURE;
}
ret = encode_NegTokenInit(buf + buf_size - 1,
ni_len,
&ni, &buf_len);
if (ret == 0 && ni_len != buf_len)
abort();
if (ret == 0) {
size_t tmp;
ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
buf_size - buf_len,
buf_len,
CONTEXT,
CONS,
0,
&tmp);
if (ret == 0 && tmp + buf_len != buf_size)
abort();
}
if (ret) {
*minor_status = ret;
free(buf);
free_NegTokenInit(&ni);
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return GSS_S_FAILURE;
}
data.value = buf;
data.length = buf_size;
ctx->initiator_mech_types.len = ni.mechTypes.len;
ctx->initiator_mech_types.val = ni.mechTypes.val;
ni.mechTypes.len = 0;
ni.mechTypes.val = NULL;
free_NegTokenInit(&ni);
sub = gss_encapsulate_token(&data,
GSS_SPNEGO_MECHANISM,
output_token);
free (buf);
if (sub) {
_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
return sub;
}
if (actual_mech_type)
*actual_mech_type = ctx->negotiated_mech_type;
if (ret_flags)
*ret_flags = ctx->mech_flags;
if (time_rec)
*time_rec = ctx->mech_time_rec;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*context_handle = ctx;
return GSS_S_CONTINUE_NEEDED;
}
static OM_uint32
spnego_reply
(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec
)
{
OM_uint32 ret, minor;
gss_buffer_desc indata;
NegTokenResp resp;
u_char oidbuf[17];
size_t oidlen;
size_t len, taglen;
gss_OID_desc mech;
int require_mic;
size_t buf_len;
gss_buffer_desc mic_buf, mech_buf;
gss_buffer_desc mech_output_token;
gss_ctx_id_t ctx;
*minor_status = 0;
ctx = *context_handle;
output_token->length = 0;
output_token->value = NULL;
mech_output_token.length = 0;
mech_output_token.value = NULL;
mech_buf.value = NULL;
mech_buf.length = 0;
ret = der_match_tag_and_length(input_token->value, input_token->length,
CONTEXT, CONS, 1, &len, &taglen);
if (ret)
return ret;
if (len > indata.length - taglen)
return ASN1_OVERRUN;
ret = decode_NegTokenResp((const char *)input_token->value + taglen,
len, &resp, NULL);
if (ret) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (resp.negResult == NULL
|| *(resp.negResult) == reject
|| resp.supportedMech == NULL) {
free_NegTokenResp(&resp);
return GSS_S_BAD_MECH;
}
ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
sizeof(oidbuf),
resp.supportedMech,
&oidlen);
if (ret || (oidlen == GSS_SPNEGO_MECHANISM->length &&
memcmp(oidbuf + sizeof(oidbuf) - oidlen,
GSS_SPNEGO_MECHANISM->elements,
oidlen) == 0)) {
/* Avoid recursively embedded SPNEGO */
free_NegTokenResp(&resp);
return GSS_S_BAD_MECH;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (resp.responseToken != NULL) {
gss_buffer_desc mech_input_token;
mech_input_token.length = resp.responseToken->length;
mech_input_token.value = resp.responseToken->data;
mech.length = oidlen;
mech.elements = oidbuf + sizeof(oidbuf) - oidlen;
/* Fall through as if the negotiated mechanism was requested explicitly */
ret = gss_init_sec_context(&minor,
initiator_cred_handle ?
initiator_cred_handle->negotiated_cred_id :
GSS_C_NO_CREDENTIAL,
&ctx->negotiated_ctx_id,
target_name,
&mech,
req_flags,
time_req,
input_chan_bindings,
&mech_input_token,
&ctx->negotiated_mech_type,
&mech_output_token,
&ctx->mech_flags,
&ctx->mech_time_rec);
if (GSS_ERROR(ret)) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegTokenResp(&resp);
*minor_status = minor;
return ret;
}
if (ret == GSS_S_COMPLETE) {
ctx->open = 1;
}
}
if (*(resp.negResult) == request_mic) {
ctx->require_mic = 1;
}
if (ctx->open) {
/*
* Verify the mechListMIC if one was provided or CFX was
* used and a non-preferred mechanism was selected
*/
if (resp.mechListMIC != NULL) {
require_mic = TRUE;
} else {
ret = _gss_spnego_require_mechlist_mic(minor_status, ctx,
&require_mic);
if (ret) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegTokenResp(&resp);
gss_release_buffer(&minor, &mech_output_token);
return ret;
}
}
} else {
require_mic = FALSE;
}
if (require_mic) {
ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length,
&ctx->initiator_mech_types, &buf_len, ret);
if (ret) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegTokenResp(&resp);
gss_release_buffer(&minor, &mech_output_token);
*minor_status = ret;
return GSS_S_FAILURE;
}
if (mech_buf.length != buf_len)
abort();
if (resp.mechListMIC == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free(mech_buf.value);
free_NegTokenResp(&resp);
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
mic_buf.length = resp.mechListMIC->length;
mic_buf.value = resp.mechListMIC->data;
if (mech_output_token.length == 0) {
ret = gss_verify_mic(minor_status,
ctx->negotiated_ctx_id,
&mech_buf,
&mic_buf,
NULL);
if (ret) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free(mech_buf.value);
gss_release_buffer(&minor, &mech_output_token);
free_NegTokenResp(&resp);
return GSS_S_DEFECTIVE_TOKEN;
}
ctx->verified_mic = 1;
}
}
ret = spnego_reply_internal(minor_status, ctx,
require_mic ? &mech_buf : NULL,
&mech_output_token,
output_token);
if (mech_buf.value != NULL)
free(mech_buf.value);
free_NegTokenResp(&resp);
gss_release_buffer(&minor, &mech_output_token);
if (actual_mech_type)
*actual_mech_type = ctx->negotiated_mech_type;
if (ret_flags)
*ret_flags = ctx->mech_flags;
if (time_rec)
*time_rec = ctx->mech_time_rec;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
OM_uint32 gss_spnego_init_sec_context
(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec
)
{
if (*context_handle == GSS_C_NO_CONTEXT)
return spnego_initial (minor_status,
initiator_cred_handle,
context_handle,
target_name,
mech_type,
req_flags,
time_req,
input_chan_bindings,
input_token,
actual_mech_type,
output_token,
ret_flags,
time_rec);
else
return spnego_reply (minor_status,
initiator_cred_handle,
context_handle,
target_name,
mech_type,
req_flags,
time_req,
input_chan_bindings,
input_token,
actual_mech_type,
output_token,
ret_flags,
time_rec);
}

51
lib/gssapi/spnego/spnego.asn1 Normal file
View File

@@ -0,0 +1,51 @@
-- $Id$
SPNEGO DEFINITIONS ::=
BEGIN
MechType::= OBJECT IDENTIFIER
MechTypeList ::= SEQUENCE OF MechType
ContextFlags ::= BIT STRING {
delegFlag (0),
mutualFlag (1),
replayFlag (2),
sequenceFlag (3),
anonFlag (4),
confFlag (5),
integFlag (6)
}
NegHints ::= SEQUENCE {
hintName [0] GeneralString OPTIONAL,
hintAddress [1] OCTET STRING OPTIONAL
}
NegTokenInit ::= SEQUENCE {
mechTypes [0] MechTypeList,
reqFlags [1] ContextFlags OPTIONAL,
mechToken [2] OCTET STRING OPTIONAL,
negHints [3] NegHints OPTIONAL,
mechListMIC [4] OCTET STRING OPTIONAL
}
-- NB: negResult is not OPTIONAL in the new SPNEGO spec but
-- Windows clients do not always send it
NegTokenResp ::= SEQUENCE {
negResult [0] ENUMERATED {
accept_completed (0),
accept_incomplete (1),
reject (2),
request-mic (3) } OPTIONAL,
supportedMech [1] MechType OPTIONAL,
responseToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
NegotiationToken ::= CHOICE {
negTokenInit[0] NegTokenInit,
negTokenResp[1] NegTokenResp
}
END

458
lib/gssapi/spnego/spnego_locl.h Normal file
View File

@@ -0,0 +1,458 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef SPNEGO_LOCL_H
#define SPNEGO_LOCL_H
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifdef HAVE_PTHREAD_H
#include <pthread.h>
#endif
#include <krb5_locl.h>
#include <gssapi_spnego.h>
#include <assert.h>
#include <der.h>
#include <mechglue.h>
#include "spnego_asn1.h"
gss_mechanism gss_spnego_initialize(void);
typedef struct gss_cred_id_t_desc_struct {
gss_cred_id_t negotiated_cred_id;
} gss_cred_id_t_desc;
typedef struct gss_ctx_id_t_desc_struct {
MechTypeList initiator_mech_types;
gss_OID preferred_mech_type;
gss_OID negotiated_mech_type;
gss_ctx_id_t negotiated_ctx_id;
OM_uint32 mech_flags;
OM_uint32 mech_time_rec;
gss_name_t mech_src_name;
gss_cred_id_t delegated_cred_id;
int open : 1;
int local : 1;
int require_mic : 1;
int verified_mic : 1;
HEIMDAL_MUTEX ctx_id_mutex;
} gss_ctx_id_t_desc;
OM_uint32
_gss_spnego_encode_response(OM_uint32 *, const NegTokenResp *,
gss_buffer_t, u_char **);
OM_uint32
_gss_spnego_indicate_mechtypelist (OM_uint32 *, int,
const gss_cred_id_t cred_handle,
MechTypeList *,
gss_OID *preferred_mech);
OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 *,
gss_ctx_id_t *);
/*
* NB: caller must acquire ctx_id_mutex before
* calling _gss_spnego_delete_sec_context()
*/
OM_uint32 _gss_spnego_delete_sec_context (OM_uint32 *, gss_ctx_id_t *, gss_buffer_t);
OM_uint32 _gss_spnego_require_mechlist_mic(OM_uint32 *, gss_ctx_id_t, int *);
OM_uint32 gss_spnego_internal_release_oid(OM_uint32 *minor_status, gss_OID *OID);
int _gss_spnego_add_mech_type(gss_OID, int, MechTypeList *);
OM_uint32 _gss_spnego_select_mech(OM_uint32 *, MechType *, gss_OID *);
OM_uint32 _gss_spnego_alloc_cred(OM_uint32 *, gss_cred_id_t, gss_cred_id_t *);
OM_uint32 _gss_spnego_release_cred(OM_uint32 *, gss_cred_id_t *);
/*
* Finally, function prototypes for the GSS-API routines.
*/
OM_uint32 gss_spnego_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
OM_uint32 /*time_req*/,
const gss_OID_set /*desired_mechs*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_spnego_release_cred
(OM_uint32 * /*minor_status*/,
gss_cred_id_t * /*cred_handle*/
);
OM_uint32 gss_spnego_init_sec_context
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
const gss_name_t /*target_name*/,
const gss_OID /*mech_type*/,
OM_uint32 /*req_flags*/,
OM_uint32 /*time_req*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
const gss_buffer_t /*input_token*/,
gss_OID * /*actual_mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_spnego_accept_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_cred_id_t /*acceptor_cred_handle*/,
const gss_buffer_t /*input_token_buffer*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
gss_name_t * /*src_name*/,
gss_OID * /*mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/,
gss_cred_id_t * /*delegated_cred_handle*/
);
OM_uint32 gss_spnego_process_context_token
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*token_buffer*/
);
OM_uint32 gss_spnego_delete_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*output_token*/
);
OM_uint32 gss_spnego_context_time
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_spnego_get_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_spnego_verify_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_spnego_wrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_spnego_unwrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_spnego_display_status
(OM_uint32 * /*minor_status*/,
OM_uint32 /*status_value*/,
int /*status_type*/,
const gss_OID /*mech_type*/,
OM_uint32 * /*message_context*/,
gss_buffer_t /*status_string*/
);
OM_uint32 gss_spnego_indicate_mechs
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*mech_set*/
);
OM_uint32 gss_spnego_compare_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * /*name_equal*/
);
OM_uint32 gss_spnego_display_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * /*output_name_type*/
);
OM_uint32 gss_spnego_import_name
(OM_uint32 * /*minor_status*/,
const gss_buffer_t /*input_name_buffer*/,
const gss_OID /*input_name_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_spnego_export_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*exported_name*/
);
OM_uint32 gss_spnego_release_name
(OM_uint32 * /*minor_status*/,
gss_name_t * /*input_name*/
);
OM_uint32 gss_spnego_release_buffer
(OM_uint32 * /*minor_status*/,
gss_buffer_t /*buffer*/
);
OM_uint32 gss_spnego_release_oid_set
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*set*/
);
OM_uint32 gss_spnego_inquire_cred
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
gss_name_t * /*name*/,
OM_uint32 * /*lifetime*/,
gss_cred_usage_t * /*cred_usage*/,
gss_OID_set * /*mechanisms*/
);
OM_uint32 gss_spnego_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_name_t * /*src_name*/,
gss_name_t * /*targ_name*/,
OM_uint32 * /*lifetime_rec*/,
gss_OID * /*mech_type*/,
OM_uint32 * /*ctx_flags*/,
int * /*locally_initiated*/,
int * /*open_context*/
);
OM_uint32 gss_spnego_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 * /*max_input_size*/
);
OM_uint32 gss_spnego_add_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
const gss_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
OM_uint32 /*initiator_time_req*/,
OM_uint32 /*acceptor_time_req*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*initiator_time_rec*/,
OM_uint32 * /*acceptor_time_rec*/
);
OM_uint32 gss_spnego_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*mech_type*/,
gss_name_t * /*name*/,
OM_uint32 * /*initiator_lifetime*/,
OM_uint32 * /*acceptor_lifetime*/,
gss_cred_usage_t * /*cred_usage*/
);
OM_uint32 gss_spnego_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*interprocess_token*/
);
OM_uint32 gss_spnego_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t * /*context_handle*/
);
OM_uint32 gss_spnego_create_empty_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_spnego_add_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member_oid*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_spnego_test_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member*/,
const gss_OID_set /*set*/,
int * /*present*/
);
OM_uint32 gss_spnego_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * /*name_types*/
);
OM_uint32 gss_spnego_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * /*mech_types*/
);
OM_uint32 gss_spnego_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * /*dest_name*/
);
OM_uint32 gss_spnego_canonicalize_name (
OM_uint32 * minor_status,
const gss_name_t src_name,
const gss_OID mech_type,
gss_name_t * dest_name
);
/*
* The following routines are obsolete variants of gss_get_mic,
* gss_verify_mic, gss_wrap and gss_unwrap. They should be
* provided by GSSAPI V2 implementations for backwards
* compatibility with V1 applications. Distinct entrypoints
* (as opposed to #defines) should be provided, both to allow
* GSSAPI V1 applications to link against GSSAPI V2 implementations,
* and to retain the slight parameter type differences between the
* obsolete versions of these routines and their current forms.
*/
OM_uint32 gss_spnego_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_spnego_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
);
OM_uint32 gss_spnego_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
int /*qop_req*/,
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_spnego_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
);
OM_uint32 gss_spnego_unwrap_ex
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*token_header_buffer*/,
const gss_buffer_t /*associated_data_buffer*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
gss_qop_t * /*qop_state*/);
OM_uint32 gss_spnego_wrap_ex
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*associated_data_buffer*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_token_buffer*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_spnego_complete_auth_token
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/);
OM_uint32 gss_spnego_inquire_sec_context_by_oid
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_OID /*desired_object*/,
gss_buffer_set_t */*data_set*/);
OM_uint32 gss_spnego_inquire_cred_by_oid
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*desired_object*/,
gss_buffer_set_t */*data_set*/);
OM_uint32 gss_spnego_set_sec_context_option
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*cred_handle*/,
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
#endif /* SPNEGO_LOCL_H */