From c3905ff7951ff26b8bdb7fd47b442e90ecc0b46b Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 12 Mar 2011 19:29:00 -0800 Subject: [PATCH] glue in some more functions --- lib/gssapi/Makefile.am | 4 +- lib/gssapi/mech/gss_destroy_cred.c | 59 ++++++++++++ lib/gssapi/ntlm/{inquire_cred.c => creds.c} | 67 +++++++++++++- lib/gssapi/ntlm/external.c | 6 +- lib/gssapi/ntlm/inquire_sec_context_by_oid.c | 91 ++++++++++++++++++ lib/gssapi/ntlm/iter_cred.c | 97 ++++++++++++++++++++ lib/gssapi/ntlm/ntlm.h | 3 + lib/gssapi/oid.txt | 3 + lib/krb5/kcm.h | 5 + 9 files changed, 328 insertions(+), 7 deletions(-) create mode 100644 lib/gssapi/mech/gss_destroy_cred.c rename lib/gssapi/ntlm/{inquire_cred.c => creds.c} (64%) create mode 100644 lib/gssapi/ntlm/inquire_sec_context_by_oid.c create mode 100644 lib/gssapi/ntlm/iter_cred.c diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am index 423af02ee..2929f8c3c 100644 --- a/lib/gssapi/Makefile.am +++ b/lib/gssapi/Makefile.am @@ -166,6 +166,7 @@ ntlmsrc = \ ntlm/canonicalize_name.c \ ntlm/compare_name.c \ ntlm/context_time.c \ + ntlm/creds.c \ ntlm/crypto.c \ ntlm/delete_sec_context.c \ ntlm/display_name.c \ @@ -181,10 +182,11 @@ ntlmsrc = \ ntlm/indicate_mechs.c \ ntlm/init_sec_context.c \ ntlm/inquire_context.c \ - ntlm/inquire_cred.c \ ntlm/inquire_cred_by_mech.c \ ntlm/inquire_mechs_for_name.c \ ntlm/inquire_names_for_mech.c \ + ntlm/inquire_sec_context_by_oid.c \ + ntlm/iter_cred.c \ ntlm/process_context_token.c \ ntlm/release_cred.c \ ntlm/release_name.c \ diff --git a/lib/gssapi/mech/gss_destroy_cred.c b/lib/gssapi/mech/gss_destroy_cred.c new file mode 100644 index 000000000..74bb616c2 --- /dev/null +++ b/lib/gssapi/mech/gss_destroy_cred.c 
@@ -0,0 +1,59 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "mech_locl.h" +#include + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_destroy_cred(void *status, + gss_cred_id_t *cred_handle) +{ + struct _gss_cred *cred; + struct _gss_mechanism_cred *mc; + OM_uint32 junk; + + if (cred_handle == NULL) + return GSS_S_CALL_INACCESSIBLE_READ; + if (*cred_handle == GSS_C_NO_CREDENTIAL) + return GSS_S_COMPLETE; + + cred = (struct _gss_cred *)*cred_handle; + + while (HEIM_SLIST_FIRST(&cred->gc_mc)) { + mc = HEIM_SLIST_FIRST(&cred->gc_mc); + HEIM_SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link); + if (mc->gmc_mech->gm_destroy_cred) + mc->gmc_mech->gm_destroy_cred(&junk, &mc->gmc_cred); + else + mc->gmc_mech->gm_release_cred(&junk, &mc->gmc_cred); + free(mc); + } + free(cred); + + return GSS_S_COMPLETE; +} diff --git a/lib/gssapi/ntlm/inquire_cred.c b/lib/gssapi/ntlm/creds.c similarity index 64% rename from lib/gssapi/ntlm/inquire_cred.c rename to lib/gssapi/ntlm/creds.c index 5465590ec..a3f1455b5 100644 --- a/lib/gssapi/ntlm/inquire_cred.c +++ b/lib/gssapi/ntlm/creds.c @@ -3,6 +3,8 @@ * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -33,7 +35,7 @@ #include "ntlm.h" -OM_uint32 GSSAPI_CALLCONV _gss_ntlm_inquire_cred +OM_uint32 _gss_ntlm_inquire_cred (OM_uint32 * minor_status, const gss_cred_id_t cred_handle, gss_name_t * name, @@ -46,8 +48,16 @@ OM_uint32 GSSAPI_CALLCONV _gss_ntlm_inquire_cred *minor_status = 0; - if (name) - *name = GSS_C_NO_NAME; + if (cred_handle == NULL) + return GSS_S_NO_CRED; + + if (name) { + ret = _gss_ntlm_duplicate_name(minor_status, + (gss_name_t)cred_handle, + name); + if (ret) + goto out; + } if (lifetime) *lifetime = GSS_C_INDEFINITE; if (cred_usage) 
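Review bot: gss_destroy_cred frees `cred` but never resets the caller's handle, so after `free(cred);` the caller still holds a dangling `*cred_handle`, and a later gss_release_cred on it is a double free; add `*cred_handle = GSS_C_NO_CREDENTIAL;` right after `free(cred);`. The first parameter is declared `void *status` and is never written, whereas the mechanism-level `_gss_ntlm_destroy_cred` added in this same patch takes the conventional `OM_uint32 *minor_status`; declaring this one `OM_uint32 *minor_status` and setting `*minor_status = 0;` on the success path keeps the exported API consistent. The per-mechanism return codes are dropped into `junk`, which is defensible for a destroy-everything call, but a one-line comment such as `/* best-effort: keep tearing down the remaining mechanism creds even if one fails */` would stop someone later "fixing" it into an early return that leaks the rest of the list.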
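Review bot: The new name lookup casts the credential handle straight to a name, `(gss_name_t)cred_handle`, and hands it to _gss_ntlm_duplicate_name; that is only sound if ntlm_cred and the NTLM name structure share the same leading fields, an assumption that is not visible in this hunk and deserves a comment beside the cast, e.g. `/* ntlm_cred begins with the same user/domain fields as an NTLM name, so it can be duplicated as one */`, or an explicit conversion that builds the name from the fields. The added `if (cred_handle == NULL) return GSS_S_NO_CRED;` also changes the previous behaviour, which answered GSS_C_NO_NAME for a null handle; if the mechglue can pass GSS_C_NO_CREDENTIAL here to mean the default credential, that case now fails rather than describing the default — worth confirming against the caller. _gss_ntlm_inquire_cred continues past the end of the hunk.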
@@ -74,3 +84,54 @@ out: gss_release_oid_set(&junk, mechanisms); return ret; } + +OM_uint32 +_gss_ntlm_destroy_cred(OM_uint32 *minor_status, + gss_cred_id_t *cred_handle) +{ + krb5_error_code ret; + krb5_storage *request, *response; + krb5_data response_data; + krb5_context context; + ntlm_cred cred; + + if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) + return GSS_S_COMPLETE; + + cred = (ntlm_cred)*cred_handle; + + ret = krb5_init_context(&context); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = krb5_kcm_storage_request(context, KCM_OP_DEL_NTLM_CRED, &request); + if (ret) + goto out; + + ret = krb5_store_stringz(request, cred->username); + if (ret) + goto out; + + ret = krb5_store_stringz(request, cred->domain); + if (ret) + goto out; + + ret = krb5_kcm_call(context, request, &response, &response_data); + if (ret) + goto out; + + krb5_storage_free(request); + krb5_storage_free(response); + krb5_data_free(&response_data); + + out: + krb5_free_context(context); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + return _gss_ntlm_release_cred(minor_status, cred_handle); +} diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c index 66afe2694..64ee6d310 100644 --- a/lib/gssapi/ntlm/external.c +++ b/lib/gssapi/ntlm/external.c @@ -94,6 +94,7 @@ static gssapi_mech_interface_desc ntlm_mech = { _gss_ntlm_inquire_mechs_for_name, _gss_ntlm_canonicalize_name, _gss_ntlm_duplicate_name, + _gss_ntlm_inquire_sec_context_by_oid, NULL, NULL, NULL, @@ -105,9 +106,8 @@ static gssapi_mech_interface_desc ntlm_mech = { NULL, NULL, NULL, - NULL, - NULL, - NULL, + _gss_ntlm_iter_creds_f, + _gss_ntlm_destroy_cred, NULL, NULL, NULL, diff --git a/lib/gssapi/ntlm/inquire_sec_context_by_oid.c b/lib/gssapi/ntlm/inquire_sec_context_by_oid.c new file mode 100644 index 000000000..6d0909b7e --- /dev/null +++ b/lib/gssapi/ntlm/inquire_sec_context_by_oid.c 
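Review bot: _gss_ntlm_destroy_cred leaks the KCM `request` storage on every error path: once krb5_kcm_storage_request has succeeded, a failing krb5_store_stringz or krb5_kcm_call jumps to `out:` without freeing it, and because `request`/`response` are never initialised they cannot be freed unconditionally there (iter_cred.c in this same patch frees the request itself after krb5_kcm_call, so the caller owns it). Initialising both pointers to NULL and releasing `request` at `out:` fixes this, as sketched below. Separately, when the KCM round trip fails the function returns GSS_S_FAILURE and leaves the handle intact, which is reasonable, but a comment stating that the caller still owns `*cred_handle` on failure would make that contract explicit.
```c
    krb5_error_code ret;
    krb5_storage *request = NULL, *response = NULL;
    krb5_data response_data;
    /* … unchanged: handle checks, krb5_init_context, KCM_OP_DEL_NTLM_CRED request, username/domain stores … */
    ret = krb5_kcm_call(context, request, &response, &response_data);
    if (ret == 0) {
        krb5_storage_free(response);
        krb5_data_free(&response_data);
    }
 out:
    if (request)
        krb5_storage_free(request);
    krb5_free_context(context);
    /* … unchanged: minor_status on failure, _gss_ntlm_release_cred … */
```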
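Review bot: The ntlm_mech table is filled positionally, so the three new entries only land in the right slots if every unseen line between the two hunks is NULL and the struct field order matches exactly: the first hunk inserts `_gss_ntlm_inquire_sec_context_by_oid` without removing a NULL, shifting every later entry down by one, and the second hunk compensates by deleting three NULLs while adding two functions. That is hard to verify in review and fragile under future edits; designated initializers naming the `gm_*` fields (`.gm_destroy_cred = _gss_ntlm_destroy_cred,` and likewise for the other two) would pin each function to its slot, provided the rest of the table is converted the same way. The `ntlm_mech` initializer starts and ends outside both hunks, so the intermediate entries could not be checked here.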
@@ -0,0 +1,91 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ntlm.h" + +OM_uint32 +_gss_ntlm_inquire_sec_context_by_oid(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + ntlm_ctx ctx = (ntlm_ctx)context_handle; + + if (ctx == NULL) { + *minor_status = 0; + return GSS_S_NO_CONTEXT; + } + + if (gss_oid_equal(desired_object, GSS_NTLM_GET_SESSION_KEY_X) /* || + gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY) */) { + gss_buffer_desc value; + + value.length = ctx->sessionkey.length; + value.value = ctx->sessionkey.data; + + return gss_add_buffer_set_member(minor_status, + &value, + data_set); +#if 0 + } else if (gss_oid_equal(desired_object, GSS_C_INQ_WIN2K_PAC_X)) { + if (ctx->pac.length == 0) { + *minor_status = ENOENT; + return GSS_S_FAILURE; + } + + return gss_add_buffer_set_member(minor_status, + &ctx->pac, + data_set); +#endif + } else if (gss_oid_equal(desired_object, GSS_C_NTLM_AVGUEST)) { + gss_buffer_desc value; + uint32_t num; + + if (ctx->kcmflags & KCM_NTLM_FLAG_AV_GUEST) + num = 1; + else + num = 0; + + value.length = sizeof(num); + value.value = # + + return gss_add_buffer_set_member(minor_status, + &value, + data_set); + } else { + *minor_status = 0; + return GSS_S_FAILURE; + } +} diff --git a/lib/gssapi/ntlm/iter_cred.c b/lib/gssapi/ntlm/iter_cred.c new file mode 100644 index 000000000..060d5289a --- /dev/null +++ b/lib/gssapi/ntlm/iter_cred.c 
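Review bot: The GSS_NTLM_GET_SESSION_KEY_X branch hands out `ctx->sessionkey` without checking that the context has finished establishing, so a query on a half-built context returns an empty or not-yet-final buffer as if it were the session key; guard it with `if (ctx->sessionkey.length == 0) { *minor_status = 0; return GSS_S_UNAVAILABLE; }` (or test the context's STATUS_OPEN bit, which the ntlm.h hunk in this patch shows) before calling gss_add_buffer_set_member. The GSS_C_NTLM_AVGUEST answer reads `ctx->kcmflags`, a field this patch adds to ntlm.h but never writes, so until something populates it this query always reports 0 — a comment on the field, e.g. `/* KCM_NTLM_FLAG_* bits for this context; not yet set by init_sec_context */`, would save the next reader a search. The `#if 0` PAC branch is dead code and should be finished or dropped rather than shipped commented out.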
@@ -0,0 +1,97 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ntlm.h" + +void +_gss_ntlm_iter_creds_f(OM_uint32 flags, + void *userctx , + void (*cred_iter)(void *, gss_OID, gss_cred_id_t)) +{ + krb5_error_code ret; + krb5_context context = NULL; + krb5_storage *request, *response; + krb5_data response_data; + + ret = krb5_init_context(&context); + if (ret) + goto done; + + ret = krb5_kcm_storage_request(context, KCM_OP_GET_NTLM_USER_LIST, &request); + if (ret) + goto done; + + ret = krb5_kcm_call(context, request, &response, &response_data); + krb5_storage_free(request); + if (ret) + goto done; + + while (1) { + uint32_t morep; + char *user = NULL, *domain = NULL; + ntlm_cred dn; + + ret = krb5_ret_uint32(response, &morep); + if (ret) goto out; + + if (!morep) goto out; + + ret = krb5_ret_stringz(response, &user); + if (ret) goto out; + ret = krb5_ret_stringz(response, &domain); + if (ret) { + free(user); + goto out; + } + + dn = calloc(1, sizeof(*dn)); + if (dn == NULL) { + free(user); + free(domain); + goto out; + } + dn->username = user; + dn->domain = domain; + + cred_iter(userctx, GSS_NTLM_MECHANISM, (gss_cred_id_t)dn); + } + out: + krb5_storage_free(response); + krb5_data_free(&response_data); + done: + if (context) + krb5_free_context(context); + (*cred_iter)(userctx, NULL, NULL); +} diff --git a/lib/gssapi/ntlm/ntlm.h b/lib/gssapi/ntlm/ntlm.h index ae5fb2211..0cced40f1 100644 --- a/lib/gssapi/ntlm/ntlm.h +++ b/lib/gssapi/ntlm/ntlm.h @@ -49,8 +49,10 @@ #include #include #include +#include #include +#include #include #include @@ -109,6 +111,7 @@ typedef struct { void *ictx; ntlm_cred client; OM_uint32 gssflags; + uint32_t kcmflags; uint32_t flags; uint32_t status; #define STATUS_OPEN 1 diff --git a/lib/gssapi/oid.txt b/lib/gssapi/oid.txt index 267e0b79c..b0fed0213 100644 --- a/lib/gssapi/oid.txt +++ b/lib/gssapi/oid.txt 
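Review bot: _gss_ntlm_iter_creds_f signals completion with the same `(*cred_iter)(userctx, NULL, NULL)` call whether the enumeration succeeded, could not start (krb5_init_context or krb5_kcm_call failing and jumping to `done:`), or was cut short by a parse or allocation failure at `out:`, and `ret` is assigned but never surfaced, so a caller cannot distinguish "no NTLM credentials" from "KCM unreachable". If that is intended the function should say so in a header comment, e.g. `/* Enumerate NTLM credentials held by KCM. Best-effort: failures are reported the same way as an empty list; flags is currently unused. */`. Each `dn` is passed to the callback and never freed here, so ownership transfers to the iterator callback, which presumably releases it through the mechanism's release_cred; that is worth stating in the same comment.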
@@ -49,6 +49,9 @@ oid base GSS_NETLOGON_SET_SESSION_KEY_X 1.2.752.43.14.3 oid base GSS_NETLOGON_SET_SIGN_ALGORITHM_X 1.2.752.43.14.4 oid base GSS_NETLOGON_NT_NETBIOS_DNS_NAME 1.2.752.43.14.5 +#/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X.128 */ +oid base GSS_C_INQ_WIN2K_PAC_X 1.2.752.43.13.3.128 + #/* # * "Standard" mechs # */ diff --git a/lib/krb5/kcm.h b/lib/krb5/kcm.h index 6c4b2c31f..27197fec3 100644 --- a/lib/krb5/kcm.h +++ b/lib/krb5/kcm.h @@ -81,5 +81,10 @@ typedef enum kcm_operation { #define _PATH_KCM_SOCKET "/var/run/.kcm_socket" #define _PATH_KCM_DOOR "/var/run/.kcm_door" +#define KCM_NTLM_FLAG_SESSIONKEY 1 +#define KCM_NTLM_FLAG_NTLM2_SESSION 2 +#define KCM_NTLM_FLAG_KEYEX 4 +#define KCM_NTLM_FLAG_AV_GUEST 8 + #endif /* __KCM_H__ */
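Review bot: The new KCM_NTLM_FLAG_* values are read back out of a context in this patch (`ctx->kcmflags & KCM_NTLM_FLAG_AV_GUEST` in inquire_sec_context_by_oid.c), which suggests they are carried between libkrb5 and the kcm daemon rather than being purely local; if so they are protocol constants and the header should say so, e.g. `/* NTLM credential flags exchanged with kcm; wire values, do not renumber */`. Where they are produced is not visible in this diff, so that should be confirmed against the daemon side before the comment is added.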