diff --git a/doc/standardisation/rfc5587.txt b/doc/standardisation/rfc5587.txt new file mode 100644 index 000000000..1670bc58f --- /dev/null +++ b/doc/standardisation/rfc5587.txt 
@@ -0,0 +1,899 @@ + + + + + + +Network Working Group N. Williams +Request for Comments: 5587 Sun +Category: Standards Track July 2009 + + + Extended Generic Security Service Mechanism Inquiry APIs + +Abstract + + This document introduces new application programming interfaces + (APIs) to the Generic Security Services API (GSS-API) for extended + mechanism attribute inquiry. These interfaces are primarily intended + to reduce instances of hardcoding of mechanism identifiers in GSS + applications. + + These interfaces include mechanism attributes and attribute sets, a + function for inquiring the attributes of a mechanism, a function for + indicating mechanisms that possess given attributes, and a function + for displaying mechanism attributes. + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + + + + + + + + + + + + + +Williams Standards Track [Page 1] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +Table of Contents + + 1. Introduction ....................................................2 + 2. Conventions Used in This Document ...............................2 + 3. New GSS-API Interfaces ..........................................3 + 3.1. 
Mechanism Attributes and Attribute Sets ....................3 + 3.2. List of Known Mechanism Attributes .........................4 + 3.3. Mechanism Attribute Sets of Existing Mechs .................6 + 3.4. New GSS-API Function Interfaces ............................8 + 3.4.1. Mechanism Attribute Criticality .....................8 + 3.4.2. GSS_Indicate_mechs_by_attrs() .......................9 + 3.4.3. GSS_Inquire_attrs_for_mech() .......................10 + 3.4.4. GSS_Display_mech_attr() ............................10 + 3.4.5. New Major Status Values ............................11 + 3.4.6. C-Bindings .........................................11 + 4. Requirements for Mechanism Designers ...........................13 + 5. IANA Considerations ............................................13 + 6. Security Considerations ........................................13 + 7. References .....................................................13 + 7.1. Normative References ......................................13 + 7.2. Informative References ....................................14 +Appendix A. Typedefs and C Bindings ..................................15 + +1. Introduction + + GSS-API [RFC2743] mechanisms have a number of properties that may be + of interest to applications. The lack of APIs for inquiring about + available mechanisms' properties has meant that many GSS-API + applications must hardcode mechanism Object Identifiers (OIDs). + Ongoing work may result in a variety of new GSS-API mechanisms. + Applications should not have to hardcode their OIDs. + + For example, the Secure Shell version 2 (SSHv2) protocol [RFC4251] + supports the use of GSS-API mechanisms for authentication [RFC4462] + but explicitly prohibits the use of Simple and Protected GSS-API + Negotiation (SPNEGO) [RFC4178]. 
Future mechanisms that negotiate + mechanisms would have to be forbidden as well, but there is no way to + implement applications that inquire what mechanisms are available and + then programmatically exclude mechanisms "like SPNEGO". + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + + + + +Williams Standards Track [Page 2] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +3. New GSS-API Interfaces + + We introduce a new concept -- that of mechanism attributes. By + allowing applications to query the set of attributes associated with + individual mechanisms and to find out which mechanisms support a + given set of attributes, we allow applications to select mechanisms + based on their attributes without having to hardcode mechanism OIDs. + + Section 3.1 describes the mechanism attributes concept. Sections + 3.4.2, 3.4.3, and 3.4.4 describe three new interfaces that deal in + mechanisms and attribute sets: + + o GSS_Indicate_mechs_by_attrs() + + o GSS_Inquire_attrs_for_mech() + + o GSS_Display_mech_attr() + +3.1. Mechanism Attributes and Attribute Sets + + An abstraction for the features provided by mechanisms and pseudo- + mechanisms is needed in order to facilitate the programmatic + selection of mechanisms. Pseudo-mechanisms are mechanisms that make + reference to other mechanisms in order to provide their services. + For example, SPNEGO is a pseudo-mechanism, for without other + mechanisms SPNEGO is useless. + + Two data types are needed: one for individual mechanism attributes + and one for mechanism attribute sets. To simplify the mechanism + attribute interfaces, we reuse the 'OID' and 'OID set' data types and + model individual mechanism attribute types as OIDs. 
+ + To this end, we define an open namespace of mechanism attributes and + assign them arcs off of this OID: + + <1.3.6.1.5.5.13> + + Each mechanism has a set of mechanism attributes that it supports as + described in its specification. + + + + + + + + + + + + +Williams Standards Track [Page 3] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +3.2. List of Known Mechanism Attributes + + +-------------------------+---------+-------------------------+ + | Mech Attr Name | OID Arc | Arc Name | + +-------------------------+---------+-------------------------+ + | GSS_C_MA_MECH_CONCRETE | (1) | concrete-mech | + | GSS_C_MA_MECH_PSEUDO | (2) | pseudo-mech | + | GSS_C_MA_MECH_COMPOSITE | (3) | composite-mech | + | GSS_C_MA_MECH_NEGO | (4) | mech-negotiation-mech | + | GSS_C_MA_MECH_GLUE | (5) | mech-glue | + | GSS_C_MA_NOT_MECH | (6) | not-mech | + | GSS_C_MA_DEPRECATED | (7) | mech-deprecated | + | GSS_C_MA_NOT_DFLT_MECH | (8) | mech-not-default | + | GSS_C_MA_ITOK_FRAMED | (9) | initial-is-framed | + | GSS_C_MA_AUTH_INIT | (10) | auth-init-princ | + | GSS_C_MA_AUTH_TARG | (11) | auth-targ-princ | + | GSS_C_MA_AUTH_INIT_INIT | (12) | auth-init-princ-initial | + | GSS_C_MA_AUTH_TARG_INIT | (13) | auth-targ-princ-initial | + | GSS_C_MA_AUTH_INIT_ANON | (14) | auth-init-princ-anon | + | GSS_C_MA_AUTH_TARG_ANON | (15) | auth-targ-princ-anon | + | GSS_C_MA_DELEG_CRED | (16) | deleg-cred | + | GSS_C_MA_INTEG_PROT | (17) | integ-prot | + | GSS_C_MA_CONF_PROT | (18) | conf-prot | + | GSS_C_MA_MIC | (19) | mic | + | GSS_C_MA_WRAP | (20) | wrap | + | GSS_C_MA_PROT_READY | (21) | prot-ready | + | GSS_C_MA_REPLAY_DET | (22) | replay-detection | + | GSS_C_MA_OOS_DET | (23) | oos-detection | + | GSS_C_MA_CBINDINGS | (24) | channel-bindings | + | GSS_C_MA_PFS | (25) | pfs | + | GSS_C_MA_COMPRESS | (26) | compress | + | GSS_C_MA_CTX_TRANS | (27) | context-transfer | + | | (28...) 
| | + +-------------------------+---------+-------------------------+ + + Table 1 + + + + + + + + + + + + + + + +Williams Standards Track [Page 4] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + +-------------------------+-----------------------------------------+ + | Mech Attr Name | Purpose | + +-------------------------+-----------------------------------------+ + | GSS_C_MA_MECH_CONCRETE | Indicates that a mech is neither a | + | | pseudo-mechanism nor a composite | + | | mechanism. | + | GSS_C_MA_MECH_PSEUDO | Indicates that a mech is a | + | | pseudo-mechanism. | + | GSS_C_MA_MECH_COMPOSITE | Indicates that a mech is a composite of | + | | other mechanisms. This is reserved for | + | | a specification of "stackable" | + | | pseudo-mechanisms. | + | GSS_C_MA_MECH_NEGO | Indicates that a mech negotiates other | + | | mechs (e.g., SPNEGO has this | + | | attribute). | + | GSS_C_MA_MECH_GLUE | Indicates that the OID is not for a | + | | mechanism but for the GSS-API itself. | + | GSS_C_MA_NOT_MECH | Indicates that the OID is known, yet it | + | | is also known not to be the OID of any | + | | GSS-API mechanism (or of the GSS-API | + | | itself). | + | GSS_C_MA_DEPRECATED | Indicates that a mech (or its OID) is | + | | deprecated and MUST NOT be used as a | + | | default mechanism. | + | GSS_C_MA_NOT_DFLT_MECH | Indicates that a mech (or its OID) MUST | + | | NOT be used as a default mechanism. | + | GSS_C_MA_ITOK_FRAMED | Indicates that the given mechanism's | + | | initial context tokens are properly | + | | framed as per Section 3.1 of [RFC2743]. | + | GSS_C_MA_AUTH_INIT | Indicates support for authentication of | + | | initiator to acceptor. | + | GSS_C_MA_AUTH_TARG | Indicates support for authentication of | + | | acceptor to initiator. | + | GSS_C_MA_AUTH_INIT_INIT | Indicates support for "initial" | + | | authentication of initiator to | + | | acceptor. 
"Initial authentication" | + | | refers to the use of passwords, or keys | + | | stored on tokens, for authentication. | + | | Whether a mechanism supports initial | + | | authentication may depend on IETF | + | | consensus (see Security | + | | Considerations). | + | GSS_C_MA_AUTH_TARG_INIT | Indicates support for initial | + | | authentication of acceptor to | + | | initiator. | + | GSS_C_MA_AUTH_INIT_ANON | Indicates support for | + | | GSS_C_NT_ANONYMOUS as an initiator | + | | principal name. | + + + +Williams Standards Track [Page 5] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + | GSS_C_MA_AUTH_TARG_ANON | Indicates support for | + | | GSS_C_NT_ANONYMOUS as a target | + | | principal name. | + | GSS_C_MA_DELEG_CRED | Indicates support for credential | + | | delegation. | + | GSS_C_MA_INTEG_PROT | Indicates support for per-message | + | | integrity protection. | + | GSS_C_MA_CONF_PROT | Indicates support for per-message | + | | confidentiality protection. | + | GSS_C_MA_MIC | Indicates support for Message Integrity | + | | Code (MIC) tokens. | + | GSS_C_MA_WRAP | Indicates support for WRAP tokens. | + | GSS_C_MA_PROT_READY | Indicates support for per-message | + | | protection prior to full context | + | | establishment. | + | GSS_C_MA_REPLAY_DET | Indicates support for replay detection. | + | GSS_C_MA_OOS_DET | Indicates support for out-of-sequence | + | | detection. | + | GSS_C_MA_CBINDINGS | Indicates support for channel bindings. | + | GSS_C_MA_PFS | Indicates support for Perfect Forward | + | | Security. | + | GSS_C_MA_COMPRESS | Indicates support for compression of | + | | data inputs to GSS_Wrap(). | + | GSS_C_MA_CTX_TRANS | Indicates support for security context | + | | export/import. | + +-------------------------+-----------------------------------------+ + + Table 2 + +3.3. 
Mechanism Attribute Sets of Existing Mechs + + The Kerberos V mechanism [RFC1964] provides the following mechanism + attributes: + + o GSS_C_MA_MECH_CONCRETE + + o GSS_C_MA_ITOK_FRAMED + + o GSS_C_MA_AUTH_INIT + + o GSS_C_MA_AUTH_TARG + + o GSS_C_MA_DELEG_CRED + + o GSS_C_MA_INTEG_PROT + + o GSS_C_MA_CONF_PROT + + + + +Williams Standards Track [Page 6] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + o GSS_C_MA_MIC + + o GSS_C_MA_WRAP + + o GSS_C_MA_PROT_READY + + o GSS_C_MA_REPLAY_DET + + o GSS_C_MA_OOS_DET + + o GSS_C_MA_CBINDINGS + + o GSS_C_MA_CTX_TRANS (some implementations, using implementation- + specific exported context token formats) + + The Kerberos V mechanism also has a deprecated OID that has the same + mechanism attributes as above as well as GSS_C_MA_DEPRECATED. + + The mechanism attributes of the Simple Public-Key GSS-API Mechanism + (SPKM) [RFC2025] family of mechanisms will be provided in a separate + document, as SPKM is currently being reviewed for possibly + significant changes due to problems in its specifications. + + The Low Infrastructure Public Key (LIPKEY) mechanism [RFC2847] offers + the following attributes: + + o GSS_C_MA_MECH_CONCRETE + + o GSS_C_MA_ITOK_FRAMED + + o GSS_C_MA_AUTH_INIT_INIT + + o GSS_C_MA_AUTH_TARG (from SPKM-3) + + o GSS_C_MA_AUTH_TARG_ANON (from SPKM-3) + + o GSS_C_MA_INTEG_PROT + + o GSS_C_MA_CONF_PROT + + o GSS_C_MA_REPLAY_DET + + o GSS_C_MA_OOS_DET + + o GSS_C_MA_CTX_TRANS (some implementations, using implementation- + specific exported context token formats) + + + + + +Williams Standards Track [Page 7] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + (LIPKEY should also provide GSS_C_MA_CBINDINGS, but SPKM-3 + requires clarifications on this point.) + + The SPNEGO mechanism [RFC4178] provides the following attributes: + + o GSS_C_MA_MECH_NEGO + + o GSS_C_MA_ITOK_FRAMED + + All other mechanisms' attributes will be described elsewhere. + +3.4. 
New GSS-API Function Interfaces + + Several new interfaces are given by which, for example, GSS-API + applications may determine what features are provided by a given + mechanism and what mechanisms provide what features. + + These new interfaces are all OPTIONAL. + + Applications should use GSS_Indicate_mechs_by_attrs() instead of + GSS_Indicate_mechs() wherever possible. + + Applications can use GSS_Indicate_mechs_by_attrs() to determine what, + if any, mechanisms provide a given set of features. + + GSS_Indicate_mechs_by_attrs() can also be used to indicate (as in + GSS_Indicate_mechs()) the set of available mechanisms of each type + (concrete, mechanism negotiation pseudo-mechanism, etc.). + +3.4.1. Mechanism Attribute Criticality + + Mechanism attributes may be added at any time. Not only may + attributes be added to the list of known mechanism attributes at any + time, but the set of mechanism attributes supported by a mechanism + can be changed at any time. + + For example, new attributes might be added to reflect whether a + mechanism's initiator must contact an online infrastructure and/or + whether the acceptor must do so. In this example, the Kerberos V + mechanism would gain a new attribute even though the mechanism itself + is not modified. + + Applications making use of attributes not defined herein would then + have no way of knowing whether a GSS-API implementation and its + mechanisms know about new mechanism attributes. To address this + problem, GSS_Indicate_mechs_by_attrs() and + GSS_Inquire_attrs_for_mech() support a notion of critical mechanism + attributes. Applications can search for mechanisms that understand + + + +Williams Standards Track [Page 8] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + mechanism attributes that are critical to the application, and the + application may ask what mechanism attributes are understood by a + given mechanism. + +3.4.2. 
GSS_Indicate_mechs_by_attrs() + + Inputs: + + o desired_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_* + OIDs that the mechanisms indicated in the mechs output parameter + MUST offer. + + o except_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_* + OIDs that the mechanisms indicated in the mechs output parameter + MUST NOT offer. + + o critical_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_* + OIDs that the mechanisms indicated in the mechs output parameter + MUST understand (i.e., mechs must know whether critical attributes + are or are not supported). + + Outputs: + + o major_status INTEGER + + o minor_status INTEGER + + o mechs SET OF OBJECT IDENTIFIER -- set of mechanisms that support + the given desired_mech_attrs but not the except_mech_attrs, and + all of which understand the given critical_mech_attrs (the caller + must release this output with GSS_Release_oid_set()). + + Return major_status codes: + + o GSS_S_COMPLETE indicates success; the output mechs parameter MAY + be the empty set (GSS_C_NO_OID_SET). + + o GSS_S_FAILURE indicates that the request failed for some other + reason. + + GSS_Indicate_mechs_by_attrs() returns the set of OIDs corresponding + to mechanisms that offer at least the desired_mech_attrs but none of + the except_mech_attrs, and that understand all of the attributes + listed in critical_mech_attrs. + + When all three sets of OID input parameters are the empty set, this + function acts as a version of GSS_indicate_mechs() that outputs the + set of all supported mechanisms. + + + +Williams Standards Track [Page 9] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +3.4.3. GSS_Inquire_attrs_for_mech() + + Inputs: + + o mech OBJECT IDENTIFIER -- mechanism OID + + Outputs: + + o major_status INTEGER + + o minor_status INTEGER + + o mech_attrs SET OF OBJECT IDENTIFIER -- set of mech_attrs OIDs + (GSS_C_MA_*) supported by the mechanism (the caller must release + this output with GSS_Release_oid_set()). 
+ + o known_mech_attrs SET OF OBJECT IDENTIFIER -- set of mech_attrs + OIDs known to the mechanism implementation (the caller must + release this output with GSS_Release_oid_set()). + + Return major_status codes: + + o GSS_S_COMPLETE indicates success; the output mech_attrs parameter + MAY be the empty set (GSS_C_NO_OID_SET). + + o GSS_S_BAD_MECH indicates that the mechanism named by the mech + parameter does not exist or that the mech is GSS_C_NO_OID and no + default mechanism could be determined. + + o GSS_S_FAILURE indicates that the request failed for some other + reason. + + GSS_Inquire_attrs_for_mech() indicates the set of mechanism + attributes supported by a given mechanism. + +3.4.4. GSS_Display_mech_attr() + + Inputs: + + o mech_attr OBJECT IDENTIFIER -- mechanism attribute OID + + Outputs: + + o major_status INTEGER + + o minor_status INTEGER + + + + + +Williams Standards Track [Page 10] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + o name OCTET STRING, -- name of mechanism attribute (e.g., + GSS_C_MA_*). + + o short_desc OCTET STRING, -- a short description of the mechanism + attribute (the caller must release this output with + GSS_Release_buffer()). + + o long_desc OCTET STRING -- a longer description of the mechanism + attribute (the caller must release this output with + GSS_Release_buffer()). + + Return major_status codes: + + o GSS_S_COMPLETE indicates success. + + o GSS_S_BAD_MECH_ATTR indicates that the mechanism attribute + referenced by the mech_attr parameter is unknown to the + implementation. + + o GSS_S_FAILURE indicates that the request failed for some other + reason. + + This function can be used to obtain human-readable descriptions of + GSS-API mechanism attributes. + +3.4.5. New Major Status Values + + A single, new, major status code is added for + GSS_Display_mech_attr(): + + o GSS_S_BAD_MECH_ATTR, + + roughly corresponding to GSS_S_BAD_MECH but applicable to mechanism + attribute OIDs rather than to mechanism OIDs. 
+ + For the C-bindings of the GSS-API [RFC2744], GSS_S_BAD_MECH_ATTR + shall have a routine error number of 19 (this is shifted to the left + by GSS_C_ROUTINE_ERROR_OFFSET). + +3.4.6. C-Bindings + + Note that there is a bug in the C bindings of the GSS-APIv2u1 + [RFC2744] in that the C 'const' attribute is applied to types that + are pointer typedefs. This is a bug because it declares that the + pointer argument is 'const' rather than that the object pointed by it + is const. To avoid this error, we hereby define new typedefs, which + include const properly: + + + + +Williams Standards Track [Page 11] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + typedef const gss_buffer_desc * gss_const_buffer_t; + typedef const struct gss_channel_bindings_struct * + gss_const_channel_bindings_t; + typedef const gss_const_ctx_id_t; + typedef const gss_const_cred_id_t; + typedef const gss_const_name_t; + typedef const gss_OID_desc * gss_const_OID; + typedef const gss_OID_set_desc * gss_const_OID_set; + + Figure 1: const typedefs + + Note that only gss_const_OID and gss_const_OID_set are used below. + We include the other const typedefs for convenience since the C + bindings of the GSS-API do use const with pointer typedefs when it + should often instead use the above typedefs instead. + + #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET) + + OM_uint32 gss_indicate_mechs_by_attrs( + OM_uint32 *minor_status, + gss_const_OID_set desired_mech_attrs, + gss_const_OID_set except_mech_attrs, + gss_const_OID_set critical_mech_attrs, + gss_OID_set *mechs); + + OM_uint32 gss_inquire_attrs_for_mech( + OM_uint32 *minor_status, + gss_const_OID mech, + gss_OID_set *mech_attrs, + gss_OID_set *known_mech_attrs); + + OM_uint32 gss_display_mech_attr( + OM_uint32 *minor_status, + gss_const_OID mech_attr, + gss_buffer_t name, + gss_buffer_t short_desc, + gss_buffer_t long_desc); + + Figure 2: C bindings + + Note that output buffers must be released via gss_release_buffer(). 
+ Output OID sets must be released via gss_release_oid_set(). + + Please see Appendix A for a full set of typedef fragments defined in + this document and the necessary code license. + + + + + + +Williams Standards Track [Page 12] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +4. Requirements for Mechanism Designers + + All future GSS-API mechanism specifications MUST: + + o list the set of GSS-API mechanism attributes associated with them. + +5. IANA Considerations + + The namespace of programming-language symbols with names beginning + with GSS_C_MA_* is reserved for allocation by IETF Consensus. IANA + allocated a base OID, as an arc of 1.3.6.1.5.5, for the set of + GSS_C_MA_* described herein, and registered all of the GSS_C_MA_* + values described in Section 3.2. + +6. Security Considerations + + This document specifies extensions to a security-related API. It + imposes new requirements on future GSS-API mechanisms, and the + specifications of future protocols that use the GSS-API should make + reference to this document where applicable. The ability to inquire + about specific properties of mechanisms should improve security. + + The semantics of each mechanism attribute may include a security + component. + + Application developers must understand that mechanism attributes may + be added at any time -- both to the set of known mechanism attributes + as well as to existing mechanisms' sets of supported mechanism + attributes. Therefore, application developers using the APIs + described herein must understand what mechanism attributes their + applications depend critically on, and must use the mechanism + attribute criticality features of these APIs. + +7. References + +7.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2743] Linn, J., "Generic Security Service Application Program + Interface Version 2, Update 1", RFC 2743, January 2000. 
+ + [RFC2744] Wray, J., "Generic Security Service API Version 2 : + C-bindings", RFC 2744, January 2000. + + + + + + +Williams Standards Track [Page 13] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +7.2. Informative References + + [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", + RFC 1964, June 1996. + + [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism + (SPKM)", RFC 2025, October 1996. + + [RFC2847] Eisler, M., "LIPKEY - A Low Infrastructure Public Key + Mechanism Using SPKM", RFC 2847, June 2000. + + [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The + Simple and Protected Generic Security Service Application + Program Interface (GSS-API) Negotiation Mechanism", + RFC 4178, October 2005. + + [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) + Protocol Architecture", RFC 4251, January 2006. + + [RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, + "Generic Security Service Application Program Interface + (GSS-API) Authentication and Key Exchange for the Secure + Shell (SSH) Protocol", RFC 4462, May 2006. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Williams Standards Track [Page 14] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + +Appendix A. Typedefs and C Bindings + + This appendix contains the full set of code fragments defined in this + document. + + Copyright (c) 2009 IETF Trust and the persons identified as authors + of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. 
+ + - Neither the name of Internet Society, IETF or IETF Trust, nor the + names of specific contributors, may be used to endorse or promote + products derived from this software without specific prior written + permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + typedef const gss_buffer_desc * gss_const_buffer_t; + typedef const struct gss_channel_bindings_struct * + gss_const_channel_bindings_t; + typedef const gss_const_ctx_id_t; + typedef const gss_const_cred_id_t; + typedef const gss_const_name_t; + typedef const gss_OID_desc * gss_const_OID; + typedef const gss_OID_set_desc * gss_const_OID_set; + + + + + + + +Williams Standards Track [Page 15] + +RFC 5587 Extended GSS Mech Inquiry July 2009 + + + #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET) + + OM_uint32 gss_indicate_mechs_by_attrs( + OM_uint32 *minor_status, + gss_const_OID_set desired_mech_attrs, + gss_const_OID_set except_mech_attrs, + gss_const_OID_set critical_mech_attrs, + gss_OID_set *mechs); + + OM_uint32 gss_inquire_attrs_for_mech( + OM_uint32 *minor_status, + gss_const_OID mech, + gss_OID_set *mech_attrs, + gss_OID_set *known_mech_attrs); + + OM_uint32 gss_display_mech_attr( + OM_uint32 *minor_status, + gss_const_OID mech_attr, + gss_buffer_t name, + gss_buffer_t short_desc, + gss_buffer_t long_desc); + +Author's 
Address + + Nicolas Williams + Sun Microsystems + 5300 Riata Trace Ct + Austin, TX 78727 + US + + EMail: Nicolas.Williams@sun.com + + + + + + + + + + + + + + + + + + + + +Williams Standards Track [Page 16] + diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am index 142562ed6..c74906103 100644 --- a/lib/gssapi/Makefile.am +++ b/lib/gssapi/Makefile.am @@ -111,7 +111,9 @@ mechsrc = \ mech/gss_inquire_names_for_mech.c \ mech/gss_krb5.c \ mech/gss_mech_switch.c \ + mech/gss_mo.c \ mech/gss_names.c \ + mech/gss_oid.c \ mech/gss_oid_equal.c \ mech/gss_oid_to_str.c \ mech/gss_process_context_token.c \ @@ -218,10 +220,12 @@ noinst_HEADERS = \ ntlm/ntlm-private.h \ spnego/spnego-private.h \ krb5/gsskrb5-private.h + nobase_include_HEADERS = \ gssapi/gssapi.h \ gssapi/gssapi_krb5.h \ gssapi/gssapi_ntlm.h \ + gssapi/gssapi_oid.h \ gssapi/gssapi_spnego.h gssapidir = $(includedir)/gssapi @@ -281,7 +285,7 @@ test_cfx_SOURCES = krb5/test_cfx.c check_PROGRAMS = test_acquire_cred $(TESTS) -bin_PROGRAMS = gss +bin_PROGRAMS = gsstool noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_context_SOURCES = test_context.c test_common.c test_common.h @@ -298,10 +302,10 @@ LDADD = libgssapi.la \ # gss -dist_gss_SOURCES = gss.c -nodist_gss_SOURCES = gss-commands.c gss-commands.h +dist_gsstool_SOURCES = gsstool.c +nodist_gsstool_SOURCES = gss-commands.c gss-commands.h -gss_LDADD = libgssapi.la \ +gsstool_LDADD = libgssapi.la \ $(top_builddir)/lib/sl/libsl.la \ $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_readline) \ @@ -310,7 +314,7 @@ gss_LDADD = libgssapi.la \ gss-commands.c gss-commands.h: gss-commands.in $(SLC) $(srcdir)/gss-commands.in -$(gss_OBJECTS): gss-commands.h +$(gsstool_OBJECTS): gss-commands.h EXTRA_DIST = \ $(man_MANS) \ 
@@ -323,6 +327,11 @@ EXTRA_DIST = \ $(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h gssapi_asn1-priv.h $(libgssapi_la_OBJECTS): spnego_asn1.h spnego_asn1-priv.h +$(libgssapi_la_OBJECTS): $(srcdir)/gssapi/gssapi_oid.h gkrb5_err.h gkrb5_err.c: $(srcdir)/krb5/gkrb5_err.et $(COMPILE_ET) $(srcdir)/krb5/gkrb5_err.et + +$(srcdir)/gssapi/gssapi_oid.h $(srcdir)/mech/gss_oid.c: + perl $(srcdir)/gen-oid.pl -b base -h $(srcdir)/oid.txt > $(srcdir)/gssapi/gssapi_oid.h + perl $(srcdir)/gen-oid.pl -b base $(srcdir)/oid.txt > $(srcdir)/mech/gss_oid.c diff --git a/lib/gssapi/gen-oid.pl b/lib/gssapi/gen-oid.pl new file mode 100644 index 000000000..74a11a949 --- /dev/null +++ b/lib/gssapi/gen-oid.pl 
@@ -0,0 +1,110 @@ +#!/usr/bin/perl + +require 'getopts.pl'; + +my $output; +my $CFILE, $HFILE; +my $onlybase; +my $header = 0; + +Getopts('b:h') || die "foo"; + +if($opt_b) { + $onlybase = $opt_b; +} + +$header = 1 if ($opt_h); + +if ($header) { + printf "#ifndef GSSAPI_GSSAPI_OID\n"; + printf "#define GSSAPI_GSSAPI_OID 1\n\n"; +} else { + printf "#include \"gssapi.h\"\n\n"; + printf "#include \"gssapi_mech.h\"\n\n"; +} + +my %tables; +my %types; + +while(<>) { + + if (/^\w*#(.*)/) { + my $comment = $1; + + if ($header) { + printf("$comment\n"); + } + + } elsif (/^oid\s+([\w\.]+)\s+(\w+)\s+([\w\.]+)/) { + my ($base, $name, $oid) = ($1, $2, $3); + + next if (defined $onlybase and $onlybase ne $base); + + my $store = "__" . lc($name) . "_oid_desc"; + + # encode oid + + my @array = split(/\./, $oid); + my $length = 0; + my $data = ""; + + my $num; + + $n = $#array; + while ($n > 1) { + $num = $array[$n]; + + my $p = int($num % 128); + $data = sprintf("\\x%02x", $p) . $data; + + $num = int($num / 128); + + $length += 1; + + while ($num > 0) { + $p = int($num % 128) + 128; + $num = int($num / 128); + $data = sprintf("\\x%02x", $p) . $data; + $length += 1; + } + $n--; + } + $num = int($array[0] * 40 + $array[1]); + + $data = sprintf("\\x%x", $num) . $data; + $length += 1; + + if ($header) { + printf "extern gss_OID_desc $store;\n"; + printf "#define $name (&$store)\n\n"; + } else { + printf "/* $name - $oid */\n"; + printf "gss_OID_desc $store = { $length, \"$data\" };\n\n"; + } + } elsif (/^desc\s+([\w]+)\s+(\w+)\s+(\"[^\"]*\")\s+(\"[^\"]*\")/) { + my ($type, $oid, $short, $long) = ($1, $2, $3, $4); + my $object = { type=> $type, oid => $oid, short => $short, long => $long }; + + $tables{$oid} = \$object; + $types{$type} = 1; + } + +} + +foreach my $k (keys %types) { + if (!$header) { + print "struct _gss_oid_name_table _gss_ont_" . $k . 
"[] = {\n"; + foreach my $m (values %tables) { + if ($$m->{type} eq $k) { + printf " { %s, \"%s\", %s, %s },\n", $$m->{oid}, $$m->{oid}, $$m->{short}, $$m->{long}; + } + } + printf " { NULL }\n"; + printf "};\n\n"; + + } +} + +if ($header) { + printf "#endif /* GSSAPI_GSSAPI_OID */\n"; +} diff --git a/lib/gssapi/gss-commands.in b/lib/gssapi/gss-commands.in index 005d549df..a2fc2288e 100644 --- a/lib/gssapi/gss-commands.in +++ b/lib/gssapi/gss-commands.in @@ -36,6 +36,19 @@ command = { name = "supported-mechanisms" help = "Print the supported mechanisms" } +command = { + name = "attrs-for-mech" + help = "Print the attributes for mechs" + option = { + long = "all" + type = "flag" + } + option = { + long = "mech" + type = "string" + argument = "mechanism" + } +} command = { name = "help" name = "?" diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h index fa53a8a74..12833ebe1 100644 --- a/lib/gssapi/gssapi/gssapi.h +++ b/lib/gssapi/gssapi/gssapi.h 
@@ -90,29 +90,35 @@ typedef uint32_t gss_uint32; struct gss_name_t_desc_struct; typedef struct gss_name_t_desc_struct *gss_name_t; +typedef const struct gss_name_t_desc_struct *gss_const_name_t; struct gss_ctx_id_t_desc_struct; typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t; +typedef const struct gss_ctx_id_t_desc_struct gss_const_ctx_id_t; typedef struct gss_OID_desc_struct { OM_uint32 length; void *elements; } gss_OID_desc, *gss_OID; +typedef const gss_OID_desc * gss_const_OID; typedef struct gss_OID_set_desc_struct { size_t count; gss_OID elements; } gss_OID_set_desc, *gss_OID_set; +typedef const gss_OID_set_desc * gss_const_OID_set; typedef int gss_cred_usage_t; struct gss_cred_id_t_desc_struct; typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t; +typedef const struct gss_cred_id_t_desc_struct *gss_const_cred_id_t; typedef struct gss_buffer_desc_struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t; +typedef const gss_buffer_desc * gss_const_buffer_t; typedef struct gss_channel_bindings_struct { OM_uint32 initiator_addrtype; @@ -121,6 +127,7 @@ typedef struct gss_channel_bindings_struct { gss_buffer_desc acceptor_address; gss_buffer_desc application_data; } *gss_channel_bindings_t; +typedef const struct gss_channel_bindings_struct *gss_const_channel_bindings_t; /* GGF extension data types */ typedef struct gss_buffer_set_desc_struct { @@ -138,6 +145,8 @@ typedef struct gss_iov_buffer_desc_struct { */ typedef OM_uint32 gss_qop_t; + + /* * Flag bits for context-level services. */ @@ -261,6 +270,8 @@ typedef OM_uint32 gss_qop_t; GSSAPI_CPP_START +#include + /* * The implementation must reserve static storage for a * gss_OID_desc object containing the value 
@@ -363,14 +374,6 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc; extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; #define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc) -/* - * Digest mechanism - */ - -extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc; -#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc) - - /* Major status codes */ #define GSS_S_COMPLETE 0 @@ -438,6 +441,7 @@ extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc #define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET) /* * Supplementary info bits: @@ -756,7 +760,7 @@ gss_set_cred_option (OM_uint32 *minor_status, const gss_buffer_t value); GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL -gss_oid_equal(const gss_OID a, const gss_OID b); +gss_oid_equal(gss_const_OID a, gss_const_OID b); GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_create_empty_buffer_set 
@@ -929,6 +933,69 @@ gss_import_cred(OM_uint32 * /* minor_status */, gss_buffer_t /* cred_token */, gss_cred_id_t * /* cred_handle */); +/* + * mech option + */ + +GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL +gss_mo_set(gss_const_OID mech, gss_const_OID option, + int enable, gss_buffer_t value); + +GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL +gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value); + +GSSAPI_LIB_FUNCTION void GSSAPI_LIB_CALL +gss_mo_list(gss_const_OID mech, gss_OID_set *options); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_mo_name(gss_const_OID mech, gss_const_OID options, gss_buffer_t name); + +/* + * SASL glue functions and mech inquire + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_inquire_saslname_for_mech(OM_uint32 *minor_status, + const gss_OID desired_mech, + gss_buffer_t sasl_mech_name, + gss_buffer_t mech_name, + gss_buffer_t mech_description); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_inquire_mech_for_saslname(OM_uint32 *minor_status, + const gss_buffer_t sasl_mech_name, + gss_OID *mech_type); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_indicate_mechs_by_attrs(OM_uint32 * minor_status, + gss_const_OID_set desired_mech_attrs, + gss_const_OID_set except_mech_attrs, + gss_const_OID_set critical_mech_attrs, + gss_OID_set *mechs); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_inquire_attrs_for_mech(OM_uint32 * minor_status, + gss_const_OID mech, + gss_OID_set *mech_attr, + gss_OID_set *known_mech_attrs); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_display_mech_attr(OM_uint32 * minor_status, + gss_const_OID mech_attr, + gss_buffer_t name, + gss_buffer_t short_desc, + gss_buffer_t long_desc); + + +/* + * + */ + +GSSAPI_LIB_FUNCTION const char * GSSAPI_LIB_CALL +gss_oid_to_name(gss_const_OID oid); + +GSSAPI_LIB_FUNCTION gss_OID GSSAPI_LIB_CALL +gss_name_to_oid(const char *name); GSSAPI_CPP_END 
diff --git a/lib/gssapi/gssapi/gssapi_krb5.h b/lib/gssapi/gssapi/gssapi_krb5.h index 28f9c3777..2f605f5ee 100644 --- a/lib/gssapi/gssapi/gssapi_krb5.h +++ b/lib/gssapi/gssapi/gssapi_krb5.h 
@@ -68,79 +68,6 @@ extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc; #define gss_mech_krb5 GSS_KRB5_MECHANISM #define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME -/* Extensions set contexts options */ -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_copy_ccache_x_oid_desc; -#define GSS_KRB5_COPY_CCACHE_X (&__gss_krb5_copy_ccache_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_compat_des3_mic_x_oid_desc; -#define GSS_KRB5_COMPAT_DES3_MIC_X (&__gss_krb5_compat_des3_mic_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_register_acceptor_identity_x_oid_desc; -#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X (&__gss_krb5_register_acceptor_identity_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_dns_canonicalize_x_oid_desc; -#define GSS_KRB5_SET_DNS_CANONICALIZE_X (&__gss_krb5_set_dns_canonicalize_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_send_to_kdc_x_oid_desc; -#define GSS_KRB5_SEND_TO_KDC_X (&__gss_krb5_send_to_kdc_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_default_realm_x_oid_desc; -#define GSS_KRB5_SET_DEFAULT_REALM_X (&__gss_krb5_set_default_realm_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_ccache_name_x_oid_desc; -#define GSS_KRB5_CCACHE_NAME_X (&__gss_krb5_ccache_name_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_time_offset_x_oid_desc; -#define GSS_KRB5_SET_TIME_OFFSET_X (&__gss_krb5_set_time_offset_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_time_offset_x_oid_desc; -#define GSS_KRB5_GET_TIME_OFFSET_X (&__gss_krb5_get_time_offset_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_plugin_register_x_oid_desc; -#define GSS_KRB5_PLUGIN_REGISTER_X (&__gss_krb5_plugin_register_x_oid_desc) - -/* Extensions inquire context */ -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_tkt_flags_x_oid_desc; -#define GSS_KRB5_GET_TKT_FLAGS_X 
(&__gss_krb5_get_tkt_flags_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; -#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X (&__gss_krb5_extract_authz_data_from_sec_context_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_peer_has_updated_spnego_oid_desc; -#define GSS_C_PEER_HAS_UPDATED_SPNEGO (&__gss_c_peer_has_updated_spnego_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_export_lucid_context_x_oid_desc; -#define GSS_KRB5_EXPORT_LUCID_CONTEXT_X (&__gss_krb5_export_lucid_context_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_export_lucid_context_v1_x_oid_desc; -#define GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X (&__gss_krb5_export_lucid_context_v1_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_subkey_x_oid_desc; -#define GSS_KRB5_GET_SUBKEY_X (&__gss_krb5_get_subkey_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_initiator_subkey_x_oid_desc; -#define GSS_KRB5_GET_INITIATOR_SUBKEY_X (&__gss_krb5_get_initiator_subkey_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_acceptor_subkey_x_oid_desc; -#define GSS_KRB5_GET_ACCEPTOR_SUBKEY_X (&__gss_krb5_get_acceptor_subkey_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_authtime_x_oid_desc; -#define GSS_KRB5_GET_AUTHTIME_X (&__gss_krb5_get_authtime_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_service_keyblock_x_oid_desc; -#define GSS_KRB5_GET_SERVICE_KEYBLOCK_X (&__gss_krb5_get_service_keyblock_x_oid_desc) - -/* Extensions creds */ - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_import_cred_x_oid_desc; -#define GSS_KRB5_IMPORT_CRED_X (&__gss_krb5_import_cred_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_allowable_enctypes_x_oid_desc; -#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X (&__gss_krb5_set_allowable_enctypes_x_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc 
__gss_krb5_cred_no_ci_flags_x_oid_desc; -#define GSS_KRB5_CRED_NO_CI_FLAGS_X (&__gss_krb5_cred_no_ci_flags_x_oid_desc) - /* * kerberos mechanism specific functions */ diff --git a/lib/gssapi/gssapi/gssapi_ntlm.h b/lib/gssapi/gssapi/gssapi_ntlm.h index b44641a23..e37c003c7 100644 --- a/lib/gssapi/gssapi/gssapi_ntlm.h +++ b/lib/gssapi/gssapi/gssapi_ntlm.h @@ -38,11 +38,4 @@ #include -GSSAPI_CPP_START - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_ntlm_mechanism_oid_desc; -#define GSS_NTLM_MECHANISM (&__gss_ntlm_mechanism_oid_desc) - -GSSAPI_CPP_END - #endif /* GSSAPI_NTLM_H_ */ diff --git a/lib/gssapi/gssapi/gssapi_oid.h b/lib/gssapi/gssapi/gssapi_oid.h new file mode 100644 index 000000000..a9cb5cdef --- /dev/null +++ b/lib/gssapi/gssapi/gssapi_oid.h 
@@ -0,0 +1,220 @@ +#ifndef GSSAPI_GSSAPI_OID +#define GSSAPI_GSSAPI_OID 1 + + /* contact Love Hörnquist Åstrand for new oid arcs */ + /* + * 1.2.752.43.13 Heimdal GSS-API Extentions + */ +extern gss_OID_desc __gss_krb5_copy_ccache_x_oid_desc; +#define GSS_KRB5_COPY_CCACHE_X (&__gss_krb5_copy_ccache_x_oid_desc) + +extern gss_OID_desc __gss_krb5_get_tkt_flags_x_oid_desc; +#define GSS_KRB5_GET_TKT_FLAGS_X (&__gss_krb5_get_tkt_flags_x_oid_desc) + +extern gss_OID_desc __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; +#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X (&__gss_krb5_extract_authz_data_from_sec_context_x_oid_desc) + +extern gss_OID_desc __gss_krb5_compat_des3_mic_x_oid_desc; +#define GSS_KRB5_COMPAT_DES3_MIC_X (&__gss_krb5_compat_des3_mic_x_oid_desc) + +extern gss_OID_desc __gss_krb5_register_acceptor_identity_x_oid_desc; +#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X (&__gss_krb5_register_acceptor_identity_x_oid_desc) + +extern gss_OID_desc __gss_krb5_export_lucid_context_x_oid_desc; +#define GSS_KRB5_EXPORT_LUCID_CONTEXT_X (&__gss_krb5_export_lucid_context_x_oid_desc) + +extern gss_OID_desc __gss_krb5_export_lucid_context_v1_x_oid_desc; +#define GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X (&__gss_krb5_export_lucid_context_v1_x_oid_desc) + +extern gss_OID_desc __gss_krb5_set_dns_canonicalize_x_oid_desc; +#define GSS_KRB5_SET_DNS_CANONICALIZE_X (&__gss_krb5_set_dns_canonicalize_x_oid_desc) + +extern gss_OID_desc __gss_krb5_get_subkey_x_oid_desc; +#define GSS_KRB5_GET_SUBKEY_X (&__gss_krb5_get_subkey_x_oid_desc) + +extern gss_OID_desc __gss_krb5_get_initiator_subkey_x_oid_desc; +#define GSS_KRB5_GET_INITIATOR_SUBKEY_X (&__gss_krb5_get_initiator_subkey_x_oid_desc) + +extern gss_OID_desc __gss_krb5_get_acceptor_subkey_x_oid_desc; +#define GSS_KRB5_GET_ACCEPTOR_SUBKEY_X (&__gss_krb5_get_acceptor_subkey_x_oid_desc) + +extern gss_OID_desc __gss_krb5_send_to_kdc_x_oid_desc; +#define GSS_KRB5_SEND_TO_KDC_X (&__gss_krb5_send_to_kdc_x_oid_desc) + +extern 
gss_OID_desc __gss_krb5_get_authtime_x_oid_desc; +#define GSS_KRB5_GET_AUTHTIME_X (&__gss_krb5_get_authtime_x_oid_desc) + +extern gss_OID_desc __gss_krb5_get_service_keyblock_x_oid_desc; +#define GSS_KRB5_GET_SERVICE_KEYBLOCK_X (&__gss_krb5_get_service_keyblock_x_oid_desc) + +extern gss_OID_desc __gss_krb5_set_allowable_enctypes_x_oid_desc; +#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X (&__gss_krb5_set_allowable_enctypes_x_oid_desc) + +extern gss_OID_desc __gss_krb5_set_default_realm_x_oid_desc; +#define GSS_KRB5_SET_DEFAULT_REALM_X (&__gss_krb5_set_default_realm_x_oid_desc) + +extern gss_OID_desc __gss_krb5_ccache_name_x_oid_desc; +#define GSS_KRB5_CCACHE_NAME_X (&__gss_krb5_ccache_name_x_oid_desc) + +extern gss_OID_desc __gss_krb5_set_time_offset_x_oid_desc; +#define GSS_KRB5_SET_TIME_OFFSET_X (&__gss_krb5_set_time_offset_x_oid_desc) + +extern gss_OID_desc __gss_krb5_get_time_offset_x_oid_desc; +#define GSS_KRB5_GET_TIME_OFFSET_X (&__gss_krb5_get_time_offset_x_oid_desc) + +extern gss_OID_desc __gss_krb5_plugin_register_x_oid_desc; +#define GSS_KRB5_PLUGIN_REGISTER_X (&__gss_krb5_plugin_register_x_oid_desc) + +extern gss_OID_desc __gss_ntlm_get_session_key_x_oid_desc; +#define GSS_NTLM_GET_SESSION_KEY_X (&__gss_ntlm_get_session_key_x_oid_desc) + +extern gss_OID_desc __gss_c_nt_ntlm_oid_desc; +#define GSS_C_NT_NTLM (&__gss_c_nt_ntlm_oid_desc) + +extern gss_OID_desc __gss_c_nt_dn_oid_desc; +#define GSS_C_NT_DN (&__gss_c_nt_dn_oid_desc) + +extern gss_OID_desc __gss_krb5_nt_principal_name_referral_oid_desc; +#define GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL (&__gss_krb5_nt_principal_name_referral_oid_desc) + +extern gss_OID_desc __gss_c_ntlm_avguest_oid_desc; +#define GSS_C_NTLM_AVGUEST (&__gss_c_ntlm_avguest_oid_desc) + +extern gss_OID_desc __gss_c_ntlm_v1_oid_desc; +#define GSS_C_NTLM_V1 (&__gss_c_ntlm_v1_oid_desc) + +extern gss_OID_desc __gss_c_ntlm_v2_oid_desc; +#define GSS_C_NTLM_V2 (&__gss_c_ntlm_v2_oid_desc) + +extern gss_OID_desc __gss_c_ntlm_session_key_oid_desc; 
+#define GSS_C_NTLM_SESSION_KEY (&__gss_c_ntlm_session_key_oid_desc) + +extern gss_OID_desc __gss_c_ntlm_force_v1_oid_desc; +#define GSS_C_NTLM_FORCE_V1 (&__gss_c_ntlm_force_v1_oid_desc) + +extern gss_OID_desc __gss_krb5_cred_no_ci_flags_x_oid_desc; +#define GSS_KRB5_CRED_NO_CI_FLAGS_X (&__gss_krb5_cred_no_ci_flags_x_oid_desc) + +extern gss_OID_desc __gss_krb5_import_cred_x_oid_desc; +#define GSS_KRB5_IMPORT_CRED_X (&__gss_krb5_import_cred_x_oid_desc) + + /* glue for gss_inquire_saslname_for_mech */ +extern gss_OID_desc __gss_c_ma_sasl_mech_name_oid_desc; +#define GSS_C_MA_SASL_MECH_NAME (&__gss_c_ma_sasl_mech_name_oid_desc) + +extern gss_OID_desc __gss_c_ma_mech_name_oid_desc; +#define GSS_C_MA_MECH_NAME (&__gss_c_ma_mech_name_oid_desc) + +extern gss_OID_desc __gss_c_ma_mech_description_oid_desc; +#define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc) + +/* + * Digest mechanisms - 1.2.752.43.14 + */ +extern gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc; +#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc) + +/* + * "Standard" mechs + */ +extern gss_OID_desc __gss_krb5_mechanism_oid_desc; +#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc) + +extern gss_OID_desc __gss_ntlm_mechanism_oid_desc; +#define GSS_NTLM_MECHANISM (&__gss_ntlm_mechanism_oid_desc) + +extern gss_OID_desc __gss_spnego_mechanism_oid_desc; +#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc) + + /* From Luke Howard */ +extern gss_OID_desc __gss_c_peer_has_updated_spnego_oid_desc; +#define GSS_C_PEER_HAS_UPDATED_SPNEGO (&__gss_c_peer_has_updated_spnego_oid_desc) + +/* + * OID mappings with name and short description and and slightly longer description + */ +/* + * RFC5587 + */ +extern gss_OID_desc __gss_c_ma_mech_concrete_oid_desc; +#define GSS_C_MA_MECH_CONCRETE (&__gss_c_ma_mech_concrete_oid_desc) + +extern gss_OID_desc __gss_c_ma_mech_pseudo_oid_desc; +#define GSS_C_MA_MECH_PSEUDO (&__gss_c_ma_mech_pseudo_oid_desc) + 
+extern gss_OID_desc __gss_c_ma_mech_composite_oid_desc; +#define GSS_C_MA_MECH_COMPOSITE (&__gss_c_ma_mech_composite_oid_desc) + +extern gss_OID_desc __gss_c_ma_mech_nego_oid_desc; +#define GSS_C_MA_MECH_NEGO (&__gss_c_ma_mech_nego_oid_desc) + +extern gss_OID_desc __gss_c_ma_mech_glue_oid_desc; +#define GSS_C_MA_MECH_GLUE (&__gss_c_ma_mech_glue_oid_desc) + +extern gss_OID_desc __gss_c_ma_not_mech_oid_desc; +#define GSS_C_MA_NOT_MECH (&__gss_c_ma_not_mech_oid_desc) + +extern gss_OID_desc __gss_c_ma_deprecated_oid_desc; +#define GSS_C_MA_DEPRECATED (&__gss_c_ma_deprecated_oid_desc) + +extern gss_OID_desc __gss_c_ma_not_dflt_mech_oid_desc; +#define GSS_C_MA_NOT_DFLT_MECH (&__gss_c_ma_not_dflt_mech_oid_desc) + +extern gss_OID_desc __gss_c_ma_itok_framed_oid_desc; +#define GSS_C_MA_ITOK_FRAMED (&__gss_c_ma_itok_framed_oid_desc) + +extern gss_OID_desc __gss_c_ma_auth_init_oid_desc; +#define GSS_C_MA_AUTH_INIT (&__gss_c_ma_auth_init_oid_desc) + +extern gss_OID_desc __gss_c_ma_auth_targ_oid_desc; +#define GSS_C_MA_AUTH_TARG (&__gss_c_ma_auth_targ_oid_desc) + +extern gss_OID_desc __gss_c_ma_auth_init_init_oid_desc; +#define GSS_C_MA_AUTH_INIT_INIT (&__gss_c_ma_auth_init_init_oid_desc) + +extern gss_OID_desc __gss_c_ma_auth_targ_init_oid_desc; +#define GSS_C_MA_AUTH_TARG_INIT (&__gss_c_ma_auth_targ_init_oid_desc) + +extern gss_OID_desc __gss_c_ma_auth_init_anon_oid_desc; +#define GSS_C_MA_AUTH_INIT_ANON (&__gss_c_ma_auth_init_anon_oid_desc) + +extern gss_OID_desc __gss_c_ma_auth_targ_anon_oid_desc; +#define GSS_C_MA_AUTH_TARG_ANON (&__gss_c_ma_auth_targ_anon_oid_desc) + +extern gss_OID_desc __gss_c_ma_deleg_cred_oid_desc; +#define GSS_C_MA_DELEG_CRED (&__gss_c_ma_deleg_cred_oid_desc) + +extern gss_OID_desc __gss_c_ma_integ_prot_oid_desc; +#define GSS_C_MA_INTEG_PROT (&__gss_c_ma_integ_prot_oid_desc) + +extern gss_OID_desc __gss_c_ma_conf_prot_oid_desc; +#define GSS_C_MA_CONF_PROT (&__gss_c_ma_conf_prot_oid_desc) + +extern gss_OID_desc __gss_c_ma_mic_oid_desc; +#define 
GSS_C_MA_MIC (&__gss_c_ma_mic_oid_desc) + +extern gss_OID_desc __gss_c_ma_wrap_oid_desc; +#define GSS_C_MA_WRAP (&__gss_c_ma_wrap_oid_desc) + +extern gss_OID_desc __gss_c_ma_prot_ready_oid_desc; +#define GSS_C_MA_PROT_READY (&__gss_c_ma_prot_ready_oid_desc) + +extern gss_OID_desc __gss_c_ma_replay_det_oid_desc; +#define GSS_C_MA_REPLAY_DET (&__gss_c_ma_replay_det_oid_desc) + +extern gss_OID_desc __gss_c_ma_oos_det_oid_desc; +#define GSS_C_MA_OOS_DET (&__gss_c_ma_oos_det_oid_desc) + +extern gss_OID_desc __gss_c_ma_cbindings_oid_desc; +#define GSS_C_MA_CBINDINGS (&__gss_c_ma_cbindings_oid_desc) + +extern gss_OID_desc __gss_c_ma_pfs_oid_desc; +#define GSS_C_MA_PFS (&__gss_c_ma_pfs_oid_desc) + +extern gss_OID_desc __gss_c_ma_compress_oid_desc; +#define GSS_C_MA_COMPRESS (&__gss_c_ma_compress_oid_desc) + +extern gss_OID_desc __gss_c_ma_ctx_trans_oid_desc; +#define GSS_C_MA_CTX_TRANS (&__gss_c_ma_ctx_trans_oid_desc) + +#endif /* GSSAPI_GSSAPI_OID */ diff --git a/lib/gssapi/gssapi_mech.h b/lib/gssapi/gssapi_mech.h index 93b7bf72d..3378ea8c8 100644 --- a/lib/gssapi/gssapi_mech.h +++ b/lib/gssapi/gssapi_mech.h 
@@ -354,7 +354,60 @@ _gss_import_cred_t(OM_uint32 * minor_status, gss_cred_id_t * cred_handle); -#define GMI_VERSION 2 +typedef OM_uint32 +_gss_acquire_cred_ex_t(void * /* status */, + const gss_name_t /* desired_name */, + OM_uint32 /* flags */, + OM_uint32 /* time_req */, + gss_cred_usage_t /* cred_usage */, + void * /* identity */, + void * /* ctx */, + void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32)); + +typedef void +_gss_iter_creds_t(OM_uint32 /* flags */, + void * /* userctx */, + void (* /*cred_iter */ )(void *, gss_OID, gss_cred_id_t)); + +typedef OM_uint32 +_gss_destroy_cred_t(OM_uint32 * /* minor_status */, + gss_cred_id_t */* cred */); + +typedef OM_uint32 +_gss_cred_hold_t(OM_uint32 * /* minor_status */, + gss_cred_id_t /* cred */); + +typedef OM_uint32 +_gss_cred_unhold_t(OM_uint32 * /* minor_status */, + gss_cred_id_t /* cred */); + +typedef OM_uint32 +_gss_cred_label_set_t(OM_uint32 * /* minor_status */, + gss_cred_id_t /* cred */, + const char * /* label */, + gss_buffer_t /* value */); + +typedef OM_uint32 +_gss_cred_label_get_t(OM_uint32 * /* minor_status */, + gss_cred_id_t /* cred */, + const char * /* label */, + gss_buffer_t /* value */); + +typedef struct gss_mo_desc_struct gss_mo_desc; + +struct gss_mo_desc_struct { + gss_OID option; + OM_uint32 flags; +#define GSS_MO_MA 1 +#define GSS_MO_MA_CRITICAL 2 + const char *name; + void *ctx; + int (*get)(gss_const_OID, gss_mo_desc *, gss_buffer_t); + int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t); +}; + + +#define GMI_VERSION 4 /* gm_flags */ #define GM_USE_MG_CRED 1 /* uses mech glue credentials */ 
@@ -405,10 +458,19 @@ typedef struct gssapi_mech_interface_desc { _gss_store_cred_t *gm_store_cred; _gss_export_cred_t *gm_export_cred; _gss_import_cred_t *gm_import_cred; + _gss_acquire_cred_ex_t *gm_acquire_cred_ex; + _gss_iter_creds_t *gm_iter_creds; + _gss_destroy_cred_t *gm_destroy_cred; + _gss_cred_hold_t *gm_cred_hold; + _gss_cred_unhold_t *gm_cred_unhold; + _gss_cred_label_get_t *gm_cred_label_get; + _gss_cred_label_set_t *gm_cred_label_set; + gss_mo_desc *gm_mo; + size_t gm_mo_num; } gssapi_mech_interface_desc, *gssapi_mech_interface; gssapi_mech_interface -__gss_get_mechanism(gss_OID /* oid */); +__gss_get_mechanism(gss_const_OID /* oid */); gssapi_mech_interface __gss_spnego_initialize(void); gssapi_mech_interface __gss_krb5_initialize(void); @@ -416,4 +478,18 @@ gssapi_mech_interface __gss_ntlm_initialize(void); void gss_mg_collect_error(gss_OID, OM_uint32, OM_uint32); +int _gss_mo_get_option_1(gss_const_OID, gss_mo_desc *, gss_buffer_t); +int _gss_mo_get_option_0(gss_const_OID, gss_mo_desc *, gss_buffer_t); +int _gss_mo_get_ctx_as_string(gss_const_OID, gss_mo_desc *, gss_buffer_t); + +struct _gss_oid_name_table { + gss_OID oid; + const char *name; + const char *short_desc; + const char *long_desc; +}; + +extern struct _gss_oid_name_table _gss_ont_mech[]; +extern struct _gss_oid_name_table _gss_ont_ma[]; + #endif /* GSSAPI_MECH_H */ diff --git a/lib/gssapi/gss.c b/lib/gssapi/gsstool.c similarity index 54% rename from lib/gssapi/gss.c rename to lib/gssapi/gsstool.c index 92754581f..9410018ae 100644 --- a/lib/gssapi/gss.c +++ b/lib/gssapi/gsstool.c @@ -3,6 +3,8 @@ * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * + * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -31,9 +33,7 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef HAVE_CONFIG_H #include -#endif #include #include @@ -45,7 +45,7 @@ #include #include #include -#include + static int version_flag = 0; static int help_flag = 0; @@ -65,6 +65,11 @@ usage (int ret) #define COL_OID "OID" #define COL_NAME "Name" +#define COL_DESC "Description" +#define COL_VALUE "Value" +#define COL_MECH "Mech" +#define COL_EXPIRE "Expire" +#define COL_SASL "SASL" int supported_mechanisms(void *argptr, int argc, char **argv) 
@@ -87,24 +92,37 @@ supported_mechanisms(void *argptr, int argc, char **argv) rtbl_set_separator(ct, " "); rtbl_add_column(ct, COL_OID, 0); rtbl_add_column(ct, COL_NAME, 0); + rtbl_add_column(ct, COL_DESC, 0); + rtbl_add_column(ct, COL_SASL, 0); for (i = 0; i < mechs->count; i++) { - gss_buffer_desc name; + gss_buffer_desc str, sasl_name, mech_name, mech_desc; - maj_stat = gss_oid_to_str(&min_stat, &mechs->elements[i], &name); + maj_stat = gss_oid_to_str(&min_stat, &mechs->elements[i], &str); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_oid_to_str failed"); rtbl_add_column_entryv(ct, COL_OID, "%.*s", - (int)name.length, (char *)name.value); - gss_release_buffer(&min_stat, &name); + (int)str.length, (char *)str.value); + gss_release_buffer(&min_stat, &str); + + (void)gss_inquire_saslname_for_mech(&min_stat, + &mechs->elements[i], + &sasl_name, + &mech_name, + &mech_desc); + + rtbl_add_column_entryv(ct, COL_NAME, "%.*s", + (int)mech_name.length, (char *)mech_name.value); + rtbl_add_column_entryv(ct, COL_DESC, "%.*s", + (int)mech_desc.length, (char *)mech_desc.value); + rtbl_add_column_entryv(ct, COL_SASL, "%.*s", + (int)sasl_name.length, (char *)sasl_name.value); + + gss_release_buffer(&min_stat, &mech_name); + gss_release_buffer(&min_stat, &mech_desc); + gss_release_buffer(&min_stat, &sasl_name); - if (gss_oid_equal(&mechs->elements[i], GSS_KRB5_MECHANISM)) - rtbl_add_column_entry(ct, COL_NAME, "Kerberos 5"); - else if (gss_oid_equal(&mechs->elements[i], GSS_SPNEGO_MECHANISM)) - rtbl_add_column_entry(ct, COL_NAME, "SPNEGO"); - else if (gss_oid_equal(&mechs->elements[i], GSS_NTLM_MECHANISM)) - rtbl_add_column_entry(ct, COL_NAME, "NTLM"); } gss_release_oid_set(&min_stat, &mechs); 
@@ -114,57 +132,88 @@ supported_mechanisms(void *argptr, int argc, char **argv) return 0; } -#if 0 -/* - * - */ +void static +print_mech_attr(const char *mechname, gss_const_OID mech, gss_OID_set set) +{ + gss_buffer_desc name, desc; + OM_uint32 major, minor; + rtbl_t ct; + size_t n; -#define DOVEDOT_MAJOR_VERSION 1 -#define DOVEDOT_MINOR_VERSION 0 + ct = rtbl_create(); + if (ct == NULL) + errx(1, "rtbl_create"); -/* - S: MECH mech mech-parameters - S: MECH mech mech-parameters - S: VERSION major minor - S: CPID pid - S: CUID pid - S: ... - S: DONE - C: VERSION major minor - C: CPID pid + rtbl_set_separator(ct, " "); + rtbl_add_column(ct, COL_OID, 0); + rtbl_add_column(ct, COL_DESC, 0); + if (mech) + rtbl_add_column(ct, COL_VALUE, 0); - C: AUTH id method service= resp= - C: CONT id message + for (n = 0; n < set->count; n++) { + major = gss_display_mech_attr(&minor, &set->elements[n], &name, &desc, NULL); + if (major) + continue; + + rtbl_add_column_entryv(ct, COL_OID, "%.*s", + (int)name.length, (char *)name.value); + rtbl_add_column_entryv(ct, COL_DESC, "%.*s", + (int)desc.length, (char *)desc.value); + if (mech) { + gss_buffer_desc value; + + if (gss_mo_get(mech, &set->elements[n], &value) != 0) + value.length = 0; + + if (value.length) + rtbl_add_column_entryv(ct, COL_VALUE, "%.*s", + (int)value.length, (char *)value.value); + else + rtbl_add_column_entryv(ct, COL_VALUE, "<>"); + gss_release_buffer(&minor, &value); + } + + gss_release_buffer(&minor, &name); + gss_release_buffer(&minor, &desc); + } + + printf("attributes for: %s\n", mechname); + rtbl_format(ct, stdout); + rtbl_destroy(ct); +} - S: OK id user= - S: FAIL id reason= - S: CONTINUE id message -*/ int -dovecot_server(void *argptr, int argc, char **argv) +attrs_for_mech(struct attrs_for_mech_options *opt, int argc, char **argv) { - krb5_storage *sp; - int fd = 0; + gss_OID_set mech_attr = NULL, known_mech_attrs = NULL; + gss_OID mech = GSS_C_NO_OID; + OM_uint32 major, minor; - sp = 
krb5_storage_from_fd(fd); - if (sp == NULL) - errx(1, "krb5_storage_from_fd"); - - krb5_store_stringnl(sp, "MECH\tGSSAPI"); - krb5_store_stringnl(sp, "VERSION\t1\t0"); - krb5_store_stringnl(sp, "DONE"); - - while (1) { - char *cmd; - if (krb5_ret_stringnl(sp, &cmd) != 0) - break; - printf("cmd: %s\n", cmd); - free(cmd); + if (opt->mech_string) { + mech = gss_name_to_oid(opt->mech_string); + if (mech == NULL) + errx(1, "mech %s is unknown", opt->mech_string); } + + major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attr, &known_mech_attrs); + if (major) + errx(1, "gss_inquire_attrs_for_mech"); + + if (mech) { + print_mech_attr(opt->mech_string, mech, mech_attr); + } + + if (opt->all_flag) { + print_mech_attr("all mechs", NULL, known_mech_attrs); + } + + gss_release_oid_set(&minor, &mech_attr); + gss_release_oid_set(&minor, &known_mech_attrs); + return 0; } -#endif + /* * diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c index ef33c5575..d6f14a48f 100644 --- a/lib/gssapi/krb5/external.c +++ b/lib/gssapi/krb5/external.c 
@@ -152,47 +152,6 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_export_name_oid_desc = gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_oid_desc = {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") }; -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) user_name(1)}. The recommended symbolic name for this - * type is "GSS_KRB5_NT_USER_NAME". - */ - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) machine_uid_name(2)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". - */ - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) string_uid_name(3)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_STRING_UID_NAME". - */ - -/* - * To support ongoing experimentation, testing, and evolution of the - * specification, the Kerberos V5 GSS-API mechanism as defined in this - * and any successor memos will be identified with the following Object - * Identifier, as defined in RFC-1510, until the specification is - * advanced to the level of Proposed Standard RFC: - * - * {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)} - * - * Upon advancement to the level of Proposed Standard RFC, the Kerberos - * V5 GSS-API mechanism will be identified by an Object Identifier - * having the value: - * - * {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - * gssapi(2) krb5(2)} - */ - -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = - {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; - /* * draft-ietf-cat-iakerb-09, IAKERB: * The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance 
@@ -212,105 +171,101 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_iakerb_proxy_mechanism_oid_desc = gss_OID_desc GSSAPI_LIB_VARIABLE __gss_iakerb_min_msg_mechanism_oid_desc = {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") }; -/* - * - */ - -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = - {9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; - -/* - * 1.2.752.43.13 Heimdal GSS-API Extentions - */ - -/* 1.2.752.43.13.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; - -/* 1.2.752.43.13.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; - -/* 1.2.752.43.13.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; - -/* 1.2.752.43.13.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; - -/* 1.2.752.43.13.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; - -/* 1.2.752.43.13.6 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; - -/* 1.2.752.43.13.6.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = - {7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; - -/* 1.2.752.43.13.7 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; - -/* 1.2.752.43.13.8 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; - -/* 1.2.752.43.13.9 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; - -/* 1.2.752.43.13.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE 
__gss_krb5_get_acceptor_subkey_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; - -/* 1.2.752.43.13.11 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; - -/* 1.2.752.43.13.12 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; - -/* 1.2.752.43.13.13 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; - -/* 1.2.752.43.13.14 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; - -/* 1.2.752.43.13.15 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; - -/* 1.2.752.43.13.16 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")}; - -/* 1.2.752.43.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")}; - -/* 1.2.752.43.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")}; - -/* 1.2.752.43.13.19 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13")}; - -/* 1.2.752.43.14.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = - {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; - /* * Context for krb5 calls. 
*/ +static gss_mo_desc krb5_mo[] = { + { + GSS_C_MA_SASL_MECH_NAME, + GSS_MO_MA, + "SASL mech name", + "GS2-KRB5", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_NAME, + GSS_MO_MA, + "Mechanism name", + "KRB5", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_DESCRIPTION, + GSS_MO_MA, + "Mechanism description", + "Heimdal Kerberos 5 mech", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_CONCRETE, + GSS_MO_MA + }, + { + GSS_C_MA_ITOK_FRAMED, + GSS_MO_MA + }, + { + GSS_C_MA_AUTH_INIT, + GSS_MO_MA + }, + { + GSS_C_MA_AUTH_TARG, + GSS_MO_MA + }, + { + GSS_C_MA_AUTH_INIT_ANON, + GSS_MO_MA + }, + { + GSS_C_MA_DELEG_CRED, + GSS_MO_MA + }, + { + GSS_C_MA_INTEG_PROT, + GSS_MO_MA + }, + { + GSS_C_MA_CONF_PROT, + GSS_MO_MA + }, + { + GSS_C_MA_MIC, + GSS_MO_MA + }, + { + GSS_C_MA_WRAP, + GSS_MO_MA + }, + { + GSS_C_MA_PROT_READY, + GSS_MO_MA + }, + { + GSS_C_MA_REPLAY_DET, + GSS_MO_MA + }, + { + GSS_C_MA_OOS_DET, + GSS_MO_MA + }, + { + GSS_C_MA_CBINDINGS, + GSS_MO_MA + }, + { + GSS_C_MA_PFS, + GSS_MO_MA + }, + { + GSS_C_MA_CTX_TRANS, + GSS_MO_MA + } +}; + /* * */ @@ -359,7 +314,16 @@ static gssapi_mech_interface_desc krb5_mech = { _gk_wrap_iov_length, _gsskrb5_store_cred, _gsskrb5_export_cred, - _gsskrb5_import_cred + _gsskrb5_import_cred, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + krb5_mo, + sizeof(krb5_mo) / sizeof(krb5_mo[0]) }; gssapi_mech_interface diff --git a/lib/gssapi/krb5/set_cred_option.c b/lib/gssapi/krb5/set_cred_option.c index d6255bacb..5ff6172fb 100644 --- a/lib/gssapi/krb5/set_cred_option.c +++ b/lib/gssapi/krb5/set_cred_option.c 
@@ -32,15 +32,6 @@ #include "gsskrb5_locl.h" -/* 1.2.752.43.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")}; - -/* 1.2.752.43.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")}; - - static OM_uint32 import_cred(OM_uint32 *minor_status, krb5_context context, diff --git a/lib/gssapi/mech/gss_mech_switch.c b/lib/gssapi/mech/gss_mech_switch.c index 5fc41d995..b1368db91 100644 --- a/lib/gssapi/mech/gss_mech_switch.c +++ b/lib/gssapi/mech/gss_mech_switch.c @@ -353,7 +353,7 @@ _gss_load_mech(void) } gssapi_mech_interface -__gss_get_mechanism(gss_OID mech) +__gss_get_mechanism(gss_const_OID mech) { struct _gss_mech_switch *m; diff --git a/lib/gssapi/mech/gss_mo.c b/lib/gssapi/mech/gss_mo.c new file mode 100644 index 000000000..8c8099d98 --- /dev/null +++ b/lib/gssapi/mech/gss_mo.c 
@@ -0,0 +1,464 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "mech_locl.h" + +static int +get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) +{ + return def; +} + + +int +_gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) +{ + return get_option_def(1, mech, mo, value); +} + +int +_gss_mo_get_option_0(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) +{ + return get_option_def(0, mech, mo, value); +} + +int +_gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) +{ + if (value) { + value->value = strdup((char *)mo->ctx); + if (value->value == NULL) + return 1; + value->length = strlen((char *)mo->ctx); + } + return 0; +} + +GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL +gss_mo_set(gss_const_OID mech, gss_const_OID option, + int enable, gss_buffer_t value) +{ + gssapi_mech_interface m; + size_t n; + + if ((m = __gss_get_mechanism(mech)) == NULL) + return GSS_S_BAD_MECH; + + for (n = 0; n < m->gm_mo_num; n++) + if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set) + return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value); + return 0; +} + +GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL +gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value) +{ + gssapi_mech_interface m; + size_t n; + + _mg_buffer_zero(value); + + if ((m = __gss_get_mechanism(mech)) == NULL) + return 0; + + for (n = 0; n < m->gm_mo_num; n++) + if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get) + return m->gm_mo[n].get(mech, &m->gm_mo[n], value); + + return 0; +} + +static void +add_all_mo(gssapi_mech_interface m, gss_OID_set *options, OM_uint32 mask) +{ + OM_uint32 minor; + size_t n; + + for (n = 0; n < m->gm_mo_num; n++) + if ((m->gm_mo[n].flags & mask) == mask) + gss_add_oid_set_member(&minor, m->gm_mo[n].option, options); +} + +GSSAPI_LIB_FUNCTION void GSSAPI_LIB_CALL +gss_mo_list(gss_const_OID mech, gss_OID_set *options) +{ + gssapi_mech_interface m; + OM_uint32 major, minor; + + if (options == NULL) + return; + + 
*options = GSS_C_NO_OID_SET; + + if ((m = __gss_get_mechanism(mech)) == NULL) + return; + + major = gss_create_empty_oid_set(&minor, options); + if (major != GSS_S_COMPLETE) + return; + + add_all_mo(m, options, 0); +} + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name) +{ + gssapi_mech_interface m; + size_t n; + + if (name == NULL) + return GSS_S_BAD_NAME; + + if ((m = __gss_get_mechanism(mech)) == NULL) + return GSS_S_BAD_MECH; + + for (n = 0; n < m->gm_mo_num; n++) { + if (gss_oid_equal(option, m->gm_mo[n].option)) { + /* + * If ther is no name, its because its a GSS_C_MA and there is already a table for that. + */ + if (m->gm_mo[n].name) { + name->value = strdup(m->gm_mo[n].name); + if (name->value == NULL) + return GSS_S_BAD_NAME; + name->length = strlen(m->gm_mo[n].name); + return GSS_S_COMPLETE; + } else { + OM_uint32 junk; + return gss_display_mech_attr(&junk, option, + NULL, name, NULL); + } + } + } + return GSS_S_BAD_NAME; +} + +/* + * Helper function to allow NULL name + */ + +static OM_uint32 +mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name) +{ + if (name == NULL) + return GSS_S_COMPLETE; + + if (gss_mo_get(mech, option, name) != 0 && name->length == 0) + return GSS_S_FAILURE; + + return GSS_S_COMPLETE; +} + +/** + * Returns differnt protocol names and description of the mechanism. + * + * @param minor_status minor status code + * @param desired_mech mech list query + * @param sasl_mech_name SASL GS2 protocol name + * @param mech_name gssapi protocol name + * @param mech_description description of gssapi mech + * + * @return returns GSS_S_COMPLETE or a error code. 
+ * + * @ingroup gssapi + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_inquire_saslname_for_mech(OM_uint32 *minor_status, + const gss_OID desired_mech, + gss_buffer_t sasl_mech_name, + gss_buffer_t mech_name, + gss_buffer_t mech_description) +{ + OM_uint32 major; + + _mg_buffer_zero(sasl_mech_name); + _mg_buffer_zero(mech_name); + _mg_buffer_zero(mech_description); + + if (minor_status) + *minor_status = 0; + + if (desired_mech == NULL) + return GSS_S_BAD_MECH; + + major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name); + if (major) return major; + + major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name); + if (major) return major; + + major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description); + if (major) return major; + + return GSS_S_COMPLETE; +} + +/** + * Find a mech for a sasl name + * + * @param minor_status minor status code + * @param sasl_mech_name + * @param mech_type + * + * @return returns GSS_S_COMPLETE or an error code. + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_inquire_mech_for_saslname(OM_uint32 *minor_status, + const gss_buffer_t sasl_mech_name, + gss_OID *mech_type) +{ + struct _gss_mech_switch *m; + gss_buffer_desc name; + OM_uint32 major; + + _gss_load_mech(); + + *mech_type = NULL; + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + + major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name); + if (major) + continue; + if (name.length == sasl_mech_name->length && + memcmp(name.value, sasl_mech_name->value, name.length) == 0) { + gss_release_buffer(&major, &name); + *mech_type = &m->gm_mech_oid; + return 0; + } + gss_release_buffer(&major, &name); + } + + return GSS_S_BAD_MECH; +} + +/** + * Return set of mechanism that fullfill the criteria + * + * @param minor_status minor status code + * @param desired_mech_attrs + * @param except_mech_attrs + * @param critical_mech_attrs + * @param mechs returned mechs, free with gss_release_oid_set(). 
+ * + * @return returns GSS_S_COMPLETE or an error code. + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_indicate_mechs_by_attrs(OM_uint32 * minor_status, + gss_const_OID_set desired_mech_attrs, + gss_const_OID_set except_mech_attrs, + gss_const_OID_set critical_mech_attrs, + gss_OID_set *mechs) +{ + struct _gss_mech_switch *ms; + OM_uint32 major; + size_t n, m; + + major = gss_create_empty_oid_set(minor_status, mechs); + if (major) + return major; + + _gss_load_mech(); + + SLIST_FOREACH(ms, &_gss_mechs, gm_link) { + gssapi_mech_interface mi = &ms->gm_mech; + + if (desired_mech_attrs) { + for (n = 0; n < desired_mech_attrs->count; n++) { + for (m = 0; m < mi->gm_mo_num; m++) + if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) + break; + if (m == mi->gm_mo_num) + goto next; + } + } + + if (except_mech_attrs) { + for (n = 0; n < desired_mech_attrs->count; n++) { + for (m = 0; m < mi->gm_mo_num; m++) { + if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) + goto next; + } + } + } + + if (critical_mech_attrs) { + for (n = 0; n < desired_mech_attrs->count; n++) { + for (m = 0; m < mi->gm_mo_num; m++) { + if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL) + continue; + if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) + break; + } + if (m == mi->gm_mo_num) + goto next; + } + } + + + next: + do { } while(0); + } + + + return GSS_S_FAILURE; +} + +/** + * List support attributes for a mech and/or all mechanisms. + * + * @param minor_status minor status code + * @param mech given together with mech_attr will return the list of + * attributes for mechanism, can optionally be GSS_C_NO_OID. + * @param mech_attr see mech parameter, can optionally be NULL, + * release with gss_release_oid_set(). + * @param known_mech_attrs all attributes for mechanisms supported, + * release with gss_release_oid_set(). 
+ * + * @ingroup gssapi + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_inquire_attrs_for_mech(OM_uint32 * minor_status, + gss_const_OID mech, + gss_OID_set *mech_attr, + gss_OID_set *known_mech_attrs) +{ + OM_uint32 major, junk; + + if (mech_attr && mech) { + gssapi_mech_interface m; + + if ((m = __gss_get_mechanism(mech)) == NULL) { + *minor_status = 0; + return GSS_S_BAD_MECH; + } + + major = gss_create_empty_oid_set(minor_status, mech_attr); + if (major != GSS_S_COMPLETE) + return major; + + add_all_mo(m, mech_attr, GSS_MO_MA); + } + + if (known_mech_attrs) { + struct _gss_mech_switch *m; + + major = gss_create_empty_oid_set(minor_status, known_mech_attrs); + if (major) { + if (mech_attr) + gss_release_oid_set(&junk, mech_attr); + return major; + } + + _gss_load_mech(); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) + add_all_mo(&m->gm_mech, known_mech_attrs, GSS_MO_MA); + } + + + return GSS_S_COMPLETE; +} + +/** + * Return names and descriptions of mech attributes + * + * @param minor_status minor status code + * @param mech_attr + * @param name + * @param short_desc + * @param long_desc + * + * @return returns GSS_S_COMPLETE or an error code. 
+ */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_display_mech_attr(OM_uint32 * minor_status, + gss_const_OID mech_attr, + gss_buffer_t name, + gss_buffer_t short_desc, + gss_buffer_t long_desc) +{ + struct _gss_oid_name_table *ma = NULL; + OM_uint32 major; + size_t n; + + _mg_buffer_zero(name); + _mg_buffer_zero(short_desc); + _mg_buffer_zero(long_desc); + + if (minor_status) + *minor_status = 0; + + for (n = 0; ma == NULL && _gss_ont_ma[n].oid; n++) + if (gss_oid_equal(mech_attr, _gss_ont_ma[n].oid)) + ma = &_gss_ont_ma[n]; + + if (ma == NULL) + return GSS_S_BAD_MECH_ATTR; + + if (name) { + gss_buffer_desc n; + n.value = rk_UNCONST(ma->name); + n.length = strlen(ma->name); + major = _gss_copy_buffer(minor_status, &n, name); + if (major != GSS_S_COMPLETE) + return major; + } + + if (short_desc) { + gss_buffer_desc n; + n.value = rk_UNCONST(ma->short_desc); + n.length = strlen(ma->short_desc); + major = _gss_copy_buffer(minor_status, &n, short_desc); + if (major != GSS_S_COMPLETE) + return major; + } + + if (long_desc) { + gss_buffer_desc n; + n.value = rk_UNCONST(ma->long_desc); + n.length = strlen(ma->long_desc); + major = _gss_copy_buffer(minor_status, &n, long_desc); + if (major != GSS_S_COMPLETE) + return major; + } + + return GSS_S_COMPLETE; +} diff --git a/lib/gssapi/mech/gss_oid.c b/lib/gssapi/mech/gss_oid.c new file mode 100644 index 000000000..43c581110 --- /dev/null +++ b/lib/gssapi/mech/gss_oid.c 
@@ -0,0 +1,243 @@ +#include "gssapi.h" + +#include "gssapi_mech.h" + +/* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */ +gss_OID_desc __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" }; + +/* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */ +gss_OID_desc __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" }; + +/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */ +gss_OID_desc __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" }; + +/* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */ +gss_OID_desc __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" }; + +/* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */ +gss_OID_desc __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" }; + +/* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */ +gss_OID_desc __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" }; + +/* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */ +gss_OID_desc __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" }; + +/* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */ +gss_OID_desc __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" }; + +/* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */ +gss_OID_desc __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" }; + +/* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */ +gss_OID_desc __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" }; + +/* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */ +gss_OID_desc __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" }; + +/* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */ +gss_OID_desc __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" }; + +/* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */ +gss_OID_desc __gss_krb5_get_authtime_x_oid_desc = { 6, 
"\x2a\x85\x70\x2b\x0d\x0c" }; + +/* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */ +gss_OID_desc __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" }; + +/* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */ +gss_OID_desc __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" }; + +/* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */ +gss_OID_desc __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" }; + +/* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */ +gss_OID_desc __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" }; + +/* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */ +gss_OID_desc __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" }; + +/* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */ +gss_OID_desc __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" }; + +/* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */ +gss_OID_desc __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" }; + +/* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */ +gss_OID_desc __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" }; + +/* GSS_C_NT_NTLM - 1.2.752.43.13.21 */ +gss_OID_desc __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" }; + +/* GSS_C_NT_DN - 1.2.752.43.13.22 */ +gss_OID_desc __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" }; + +/* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */ +gss_OID_desc __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" }; + +/* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */ +gss_OID_desc __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" }; + +/* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */ +gss_OID_desc __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" }; + +/* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */ +gss_OID_desc __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" }; + +/* GSS_C_NTLM_SESSION_KEY - 
1.2.752.43.13.27 */ +gss_OID_desc __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" }; + +/* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */ +gss_OID_desc __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" }; + +/* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */ +gss_OID_desc __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" }; + +/* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */ +gss_OID_desc __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" }; + +/* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */ +gss_OID_desc __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" }; + +/* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */ +gss_OID_desc __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" }; + +/* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */ +gss_OID_desc __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" }; + +/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */ +gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" }; + +/* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */ +gss_OID_desc __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; + +/* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */ +gss_OID_desc __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" }; + +/* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */ +gss_OID_desc __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" }; + +/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */ +gss_OID_desc __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" }; + +/* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */ +gss_OID_desc __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" }; + +/* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */ +gss_OID_desc __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" }; + +/* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */ 
+gss_OID_desc __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" }; + +/* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */ +gss_OID_desc __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" }; + +/* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */ +gss_OID_desc __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" }; + +/* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */ +gss_OID_desc __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" }; + +/* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */ +gss_OID_desc __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" }; + +/* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */ +gss_OID_desc __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" }; + +/* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */ +gss_OID_desc __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" }; + +/* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */ +gss_OID_desc __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" }; + +/* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */ +gss_OID_desc __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" }; + +/* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */ +gss_OID_desc __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" }; + +/* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */ +gss_OID_desc __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" }; + +/* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */ +gss_OID_desc __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" }; + +/* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */ +gss_OID_desc __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" }; + +/* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */ +gss_OID_desc __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" }; + +/* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */ +gss_OID_desc __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" 
}; + +/* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */ +gss_OID_desc __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" }; + +/* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */ +gss_OID_desc __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" }; + +/* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */ +gss_OID_desc __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" }; + +/* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */ +gss_OID_desc __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" }; + +/* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */ +gss_OID_desc __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" }; + +/* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */ +gss_OID_desc __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" }; + +/* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */ +gss_OID_desc __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" }; + +/* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */ +gss_OID_desc __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" }; + +/* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */ +gss_OID_desc __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" }; + +/* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */ +gss_OID_desc __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" }; + +struct _gss_oid_name_table _gss_ont_ma[] = { + { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" }, + { GSS_C_MA_AUTH_TARG_INIT, "GSS_C_MA_AUTH_TARG_INIT", "auth-targ-princ-initial", "" }, + { GSS_C_MA_CBINDINGS, "GSS_C_MA_CBINDINGS", "channel-bindings", "" }, + { GSS_C_MA_WRAP, "GSS_C_MA_WRAP", "wrap", "" }, + { GSS_C_MA_ITOK_FRAMED, "GSS_C_MA_ITOK_FRAMED", "initial-is-framed", "" }, + { GSS_C_MA_MECH_NEGO, "GSS_C_MA_MECH_NEGO", "mech-negotiation-mech", "" }, + { GSS_C_MA_MECH_COMPOSITE, "GSS_C_MA_MECH_COMPOSITE", "composite-mech", "" }, + { GSS_C_MA_REPLAY_DET, "GSS_C_MA_REPLAY_DET", "replay-detection", "" }, + { GSS_C_MA_AUTH_INIT_ANON, "GSS_C_MA_AUTH_INIT_ANON", 
"auth-init-princ-anon", "" }, + { GSS_C_MA_PROT_READY, "GSS_C_MA_PROT_READY", "prot-ready", "" }, + { GSS_C_MA_AUTH_INIT, "GSS_C_MA_AUTH_INIT", "auth-init-princ", "" }, + { GSS_C_MA_PFS, "GSS_C_MA_PFS", "pfs", "" }, + { GSS_C_MA_CONF_PROT, "GSS_C_MA_CONF_PROT", "conf-prot", "" }, + { GSS_C_MA_MECH_PSEUDO, "GSS_C_MA_MECH_PSEUDO", "pseudo-mech", "" }, + { GSS_C_MA_AUTH_TARG, "GSS_C_MA_AUTH_TARG", "auth-targ-princ", "" }, + { GSS_C_MA_MECH_NAME, "GSS_C_MA_MECH_NAME", "GSS mech name", "The name of the GSS-API mechanism" }, + { GSS_C_MA_NOT_MECH, "GSS_C_MA_NOT_MECH", "not-mech", "" }, + { GSS_C_MA_MIC, "GSS_C_MA_MIC", "mic", "" }, + { GSS_C_MA_DEPRECATED, "GSS_C_MA_DEPRECATED", "mech-deprecated", "" }, + { GSS_C_MA_MECH_GLUE, "GSS_C_MA_MECH_GLUE", "mech-glue", "" }, + { GSS_C_MA_DELEG_CRED, "GSS_C_MA_DELEG_CRED", "deleg-cred", "" }, + { GSS_C_MA_NOT_DFLT_MECH, "GSS_C_MA_NOT_DFLT_MECH", "mech-not-default", "" }, + { GSS_C_MA_AUTH_TARG_ANON, "GSS_C_MA_AUTH_TARG_ANON", "auth-targ-princ-anon", "" }, + { GSS_C_MA_INTEG_PROT, "GSS_C_MA_INTEG_PROT", "integ-prot", "" }, + { GSS_C_MA_CTX_TRANS, "GSS_C_MA_CTX_TRANS", "context-transfer", "" }, + { GSS_C_MA_MECH_DESCRIPTION, "GSS_C_MA_MECH_DESCRIPTION", "Mech description", "The long description of the mechanism" }, + { GSS_C_MA_OOS_DET, "GSS_C_MA_OOS_DET", "oos-detection", "" }, + { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" }, + { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" }, + { GSS_C_MA_SASL_MECH_NAME, "GSS_C_MA_SASL_MECH_NAME", "SASL mechanism name", "The name of the SASL mechanism" }, + { NULL } +}; + +struct _gss_oid_name_table _gss_ont_mech[] = { + { GSS_KRB5_MECHANISM, "GSS_KRB5_MECHANISM", "Kerberos 5", "Heimdal Kerberos 5 mechanism" }, + { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" }, + { GSS_NTLM_MECHANISM, "GSS_NTLM_MECHANISM", "NTLM", 
"Heimdal NTLM mechanism" }, + { NULL } +}; + diff --git a/lib/gssapi/mech/gss_oid_equal.c b/lib/gssapi/mech/gss_oid_equal.c index 3e6413508..7d6ded39e 100644 --- a/lib/gssapi/mech/gss_oid_equal.c +++ b/lib/gssapi/mech/gss_oid_equal.c @@ -48,7 +48,7 @@ */ GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL -gss_oid_equal(const gss_OID a, const gss_OID b) +gss_oid_equal(gss_const_OID a, gss_const_OID b) { if (a == b && a != GSS_C_NO_OID) return 1; diff --git a/lib/gssapi/mech/gss_oid_to_str.c b/lib/gssapi/mech/gss_oid_to_str.c index d8e188da0..a1d776877 100644 --- a/lib/gssapi/mech/gss_oid_to_str.c +++ b/lib/gssapi/mech/gss_oid_to_str.c @@ -65,3 +65,34 @@ gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) *minor_status = 0; return GSS_S_COMPLETE; } + +GSSAPI_LIB_FUNCTION const char * GSSAPI_LIB_CALL +gss_oid_to_name(gss_const_OID oid) +{ + size_t i; + + for (i = 0; _gss_ont_mech[i].oid; i++) { + if (gss_oid_equal(oid, _gss_ont_mech[i].oid)) + return _gss_ont_mech[i].name; + } + return NULL; +} + +GSSAPI_LIB_FUNCTION gss_OID GSSAPI_LIB_CALL +gss_name_to_oid(const char *name) +{ + size_t i, partial = (size_t)-1; + + for (i = 0; _gss_ont_mech[i].oid; i++) { + if (strcasecmp(name, _gss_ont_mech[i].short_desc) == 0) + return _gss_ont_mech[i].oid; + if (strncasecmp(name, _gss_ont_mech[i].short_desc, strlen(name)) == 0) { + if (partial != (size_t)-1) + return NULL; + partial = i; + } + } + if (partial != (size_t)-1) + return _gss_ont_mech[partial].oid; + return NULL; +} diff --git a/lib/gssapi/mech/mech_locl.h b/lib/gssapi/mech/mech_locl.h index 17721fd3c..cb10c23c3 100644 --- a/lib/gssapi/mech/mech_locl.h +++ b/lib/gssapi/mech/mech_locl.h 
@@ -64,4 +64,17 @@ #include "utils.h" #define _mg_buffer_zero(buffer) \ - do { (buffer)->value = NULL; (buffer)->length = 0; } while(0) + do { \ + if (buffer) { \ + (buffer)->value = NULL; \ + (buffer)->length = 0; \ + } \ + } while(0) + +#define _mg_oid_set_zero(oid_set) \ + do { \ + if (oid_set) { \ + (oid_set)->elements = NULL; \ + (oid_set)->count = 0; \ + } \ + } while(0) diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c index 1d2b2d628..66afe2694 100644 --- a/lib/gssapi/ntlm/external.c +++ b/lib/gssapi/ntlm/external.c @@ -33,6 +33,33 @@ #include "ntlm.h" +static gss_mo_desc ntlm_mo[] = { + { + GSS_C_MA_SASL_MECH_NAME, + GSS_MO_MA, + "SASL mech name", + "NTLM", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_NAME, + GSS_MO_MA, + "Mechanism name", + "NTLMSPP", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_DESCRIPTION, + GSS_MO_MA, + "Mechanism description", + "Heimdal NTLMSSP Mechanism", + _gss_mo_get_ctx_as_string, + NULL + } +}; + static gssapi_mech_interface_desc ntlm_mech = { GMI_VERSION, "ntlm", @@ -66,7 +93,27 @@ static gssapi_mech_interface_desc ntlm_mech = { _gss_ntlm_inquire_names_for_mech, _gss_ntlm_inquire_mechs_for_name, _gss_ntlm_canonicalize_name, - _gss_ntlm_duplicate_name + _gss_ntlm_duplicate_name, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + ntlm_mo, + sizeof(ntlm_mo) / sizeof(ntlm_mo[0]) }; gssapi_mech_interface @@ -74,6 +121,3 @@ __gss_ntlm_initialize(void) { return &ntlm_mech; } - -gss_OID_desc __gss_ntlm_mechanism_oid_desc = - {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") }; diff --git a/lib/gssapi/oid.txt b/lib/gssapi/oid.txt new file mode 100644 index 000000000..3bd7f3956 --- /dev/null +++ b/lib/gssapi/oid.txt 
@@ -0,0 +1,132 @@ +# /* contact Love Hörnquist Åstrand for new oid arcs */ + +# /* +# * 1.2.752.43.13 Heimdal GSS-API Extentions +# */ + +oid base GSS_KRB5_COPY_CCACHE_X 1.2.752.43.13.1 +oid base GSS_KRB5_GET_TKT_FLAGS_X 1.2.752.43.13.2 +oid base GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X 1.2.752.43.13.3 +oid base GSS_KRB5_COMPAT_DES3_MIC_X 1.2.752.43.13.4 +oid base GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X 1.2.752.43.13.5 +oid base GSS_KRB5_EXPORT_LUCID_CONTEXT_X 1.2.752.43.13.6 +oid base GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X 1.2.752.43.13.6.1 +oid base GSS_KRB5_SET_DNS_CANONICALIZE_X 1.2.752.43.13.7 +oid base GSS_KRB5_GET_SUBKEY_X 1.2.752.43.13.8 +oid base GSS_KRB5_GET_INITIATOR_SUBKEY_X 1.2.752.43.13.9 +oid base GSS_KRB5_GET_ACCEPTOR_SUBKEY_X 1.2.752.43.13.10 +oid base GSS_KRB5_SEND_TO_KDC_X 1.2.752.43.13.11 +oid base GSS_KRB5_GET_AUTHTIME_X 1.2.752.43.13.12 +oid base GSS_KRB5_GET_SERVICE_KEYBLOCK_X 1.2.752.43.13.13 +oid base GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X 1.2.752.43.13.14 +oid base GSS_KRB5_SET_DEFAULT_REALM_X 1.2.752.43.13.15 +oid base GSS_KRB5_CCACHE_NAME_X 1.2.752.43.13.16 +oid base GSS_KRB5_SET_TIME_OFFSET_X 1.2.752.43.13.17 +oid base GSS_KRB5_GET_TIME_OFFSET_X 1.2.752.43.13.18 +oid base GSS_KRB5_PLUGIN_REGISTER_X 1.2.752.43.13.19 +oid base GSS_NTLM_GET_SESSION_KEY_X 1.2.752.43.13.20 +oid base GSS_C_NT_NTLM 1.2.752.43.13.21 +oid base GSS_C_NT_DN 1.2.752.43.13.22 +oid base GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL 1.2.752.43.13.23 +oid base GSS_C_NTLM_AVGUEST 1.2.752.43.13.24 +oid base GSS_C_NTLM_V1 1.2.752.43.13.25 +oid base GSS_C_NTLM_V2 1.2.752.43.13.26 +oid base GSS_C_NTLM_SESSION_KEY 1.2.752.43.13.27 +oid base GSS_C_NTLM_FORCE_V1 1.2.752.43.13.28 +oid base GSS_KRB5_CRED_NO_CI_FLAGS_X 1.2.752.43.13.29 +oid base GSS_KRB5_IMPORT_CRED_X 1.2.752.43.13.30 + +# /* glue for gss_inquire_saslname_for_mech */ +oid base GSS_C_MA_SASL_MECH_NAME 1.2.752.43.13.100 +oid base GSS_C_MA_MECH_NAME 1.2.752.43.13.101 +oid base GSS_C_MA_MECH_DESCRIPTION 1.2.752.43.13.102 + +#/* +# 
* Digest mechanisms - 1.2.752.43.14 +# */ + +oid base GSS_SASL_DIGEST_MD5_MECHANISM 1.2.752.43.14.1 + +#/* +# * "Standard" mechs +# */ + +oid base GSS_KRB5_MECHANISM 1.2.840.113554.1.2.2 +oid base GSS_NTLM_MECHANISM 1.3.6.1.4.1.311.2.2.10 +oid base GSS_SPNEGO_MECHANISM 1.3.6.1.5.5.2 + +# /* From Luke Howard */ + +oid base GSS_C_PEER_HAS_UPDATED_SPNEGO 1.3.6.1.4.1.9513.19.5 + +#/* +# * OID mappings with name and short description and and slightly longer description +# */ + +desc mech GSS_KRB5_MECHANISM "Kerberos 5" "Heimdal Kerberos 5 mechanism" +desc mech GSS_NTLM_MECHANISM "NTLM" "Heimdal NTLM mechanism" +desc mech GSS_SPNEGO_MECHANISM "SPNEGO" "Heimdal SPNEGO mechanism" + +desc ma GSS_C_MA_MECH_NAME "GSS mech name" "The name of the GSS-API mechanism" +desc ma GSS_C_MA_SASL_MECH_NAME "SASL mechanism name" "The name of the SASL mechanism" +desc ma GSS_C_MA_MECH_DESCRIPTION "Mech description" "The long description of the mechanism" + +#/* +# * RFC5587 +# */ + +oid base GSS_C_MA_MECH_CONCRETE 1.3.6.1.5.5.13.1 +oid base GSS_C_MA_MECH_PSEUDO 1.3.6.1.5.5.13.2 +oid base GSS_C_MA_MECH_COMPOSITE 1.3.6.1.5.5.13.3 +oid base GSS_C_MA_MECH_NEGO 1.3.6.1.5.5.13.4 +oid base GSS_C_MA_MECH_GLUE 1.3.6.1.5.5.13.5 +oid base GSS_C_MA_NOT_MECH 1.3.6.1.5.5.13.6 +oid base GSS_C_MA_DEPRECATED 1.3.6.1.5.5.13.7 +oid base GSS_C_MA_NOT_DFLT_MECH 1.3.6.1.5.5.13.8 +oid base GSS_C_MA_ITOK_FRAMED 1.3.6.1.5.5.13.9 +oid base GSS_C_MA_AUTH_INIT 1.3.6.1.5.5.13.10 +oid base GSS_C_MA_AUTH_TARG 1.3.6.1.5.5.13.11 +oid base GSS_C_MA_AUTH_INIT_INIT 1.3.6.1.5.5.13.12 +oid base GSS_C_MA_AUTH_TARG_INIT 1.3.6.1.5.5.13.13 +oid base GSS_C_MA_AUTH_INIT_ANON 1.3.6.1.5.5.13.14 +oid base GSS_C_MA_AUTH_TARG_ANON 1.3.6.1.5.5.13.15 +oid base GSS_C_MA_DELEG_CRED 1.3.6.1.5.5.13.16 +oid base GSS_C_MA_INTEG_PROT 1.3.6.1.5.5.13.17 +oid base GSS_C_MA_CONF_PROT 1.3.6.1.5.5.13.18 +oid base GSS_C_MA_MIC 1.3.6.1.5.5.13.19 +oid base GSS_C_MA_WRAP 1.3.6.1.5.5.13.20 +oid base GSS_C_MA_PROT_READY 1.3.6.1.5.5.13.21 +oid base 
GSS_C_MA_REPLAY_DET 1.3.6.1.5.5.13.22 +oid base GSS_C_MA_OOS_DET 1.3.6.1.5.5.13.23 +oid base GSS_C_MA_CBINDINGS 1.3.6.1.5.5.13.24 +oid base GSS_C_MA_PFS 1.3.6.1.5.5.13.25 +oid base GSS_C_MA_COMPRESS 1.3.6.1.5.5.13.26 +oid base GSS_C_MA_CTX_TRANS 1.3.6.1.5.5.13.27 + +desc ma GSS_C_MA_MECH_CONCRETE "concrete-mech" "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" +desc ma GSS_C_MA_MECH_PSEUDO "pseudo-mech" "" +desc ma GSS_C_MA_MECH_COMPOSITE "composite-mech" "" +desc ma GSS_C_MA_MECH_NEGO "mech-negotiation-mech" "" +desc ma GSS_C_MA_MECH_GLUE "mech-glue" "" +desc ma GSS_C_MA_NOT_MECH "not-mech" "" +desc ma GSS_C_MA_DEPRECATED "mech-deprecated" "" +desc ma GSS_C_MA_NOT_DFLT_MECH "mech-not-default" "" +desc ma GSS_C_MA_ITOK_FRAMED "initial-is-framed" "" +desc ma GSS_C_MA_AUTH_INIT "auth-init-princ" "" +desc ma GSS_C_MA_AUTH_TARG "auth-targ-princ" "" +desc ma GSS_C_MA_AUTH_INIT_INIT "auth-init-princ-initial" "" +desc ma GSS_C_MA_AUTH_TARG_INIT "auth-targ-princ-initial" "" +desc ma GSS_C_MA_AUTH_INIT_ANON "auth-init-princ-anon" "" +desc ma GSS_C_MA_AUTH_TARG_ANON "auth-targ-princ-anon" "" +desc ma GSS_C_MA_DELEG_CRED "deleg-cred" "" +desc ma GSS_C_MA_INTEG_PROT "integ-prot" "" +desc ma GSS_C_MA_CONF_PROT "conf-prot" "" +desc ma GSS_C_MA_MIC "mic" "" +desc ma GSS_C_MA_WRAP "wrap" "" +desc ma GSS_C_MA_PROT_READY "prot-ready" "" +desc ma GSS_C_MA_REPLAY_DET "replay-detection" "" +desc ma GSS_C_MA_OOS_DET "oos-detection" "" +desc ma GSS_C_MA_CBINDINGS "channel-bindings" "" +desc ma GSS_C_MA_PFS "pfs" "" +desc ma GSS_C_MA_COMPRESS "compress" "" +desc ma GSS_C_MA_CTX_TRANS "context-transfer" "" diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c index d21e4dc7f..505475415 100644 --- a/lib/gssapi/spnego/external.c +++ b/lib/gssapi/spnego/external.c 
@@ -40,6 +40,41 @@ * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). */ +static gss_mo_desc spnego_mo[] = { + { + GSS_C_MA_SASL_MECH_NAME, + GSS_MO_MA, + "SASL mech name", + "SPNEGO", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_NAME, + GSS_MO_MA, + "Mechanism name", + "SPNEGO", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_DESCRIPTION, + GSS_MO_MA, + "Mechanism description", + "Heimdal SPNEGO Mechanism", + _gss_mo_get_ctx_as_string, + NULL + }, + { + GSS_C_MA_MECH_NEGO, + GSS_MO_MA + }, + { + GSS_C_MA_MECH_PSEUDO, + GSS_MO_MA + } +}; + static gssapi_mech_interface_desc spnego_mech = { GMI_VERSION, "spnego", @@ -84,7 +119,16 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_wrap_iov_length, NULL, _gss_spnego_export_cred, - _gss_spnego_import_cred + _gss_spnego_import_cred, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + spnego_mo, + sizeof(spnego_mo) / sizeof(spnego_mo[0]) }; gssapi_mech_interface @@ -92,6 +136,3 @@ __gss_spnego_initialize(void) { return &spnego_mech; } - -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = - {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; diff --git a/lib/gssapi/version-script.map b/lib/gssapi/version-script.map index f0a7bd80d..ad18ad27b 100644 --- a/lib/gssapi/version-script.map +++ b/lib/gssapi/version-script.map @@ -96,7 +96,11 @@ HEIMDAL_GSS_2.0 { gsskrb5_set_send_to_kdc; gsskrb5_set_time_offset; krb5_gss_register_acceptor_identity; - + gss_display_mech_attr; + gss_inquire_attrs_for_mech; + gss_indicate_mechs_by_attrs; + gss_inquire_mech_for_saslname; + gss_inquire_saslname_for_mech; # _gsskrb5cfx_ are really internal symbols, but export # then now to make testing easier. diff --git a/tests/bin/setup-env.in b/tests/bin/setup-env.in index 99335819e..8e5691c54 100644 --- a/tests/bin/setup-env.in +++ b/tests/bin/setup-env.in 
@@ -29,6 +29,7 @@ kpasswd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswd" kpasswdd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswdd" kswitch="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kcc kswitch" ktutil="${TESTS_ENVIRONMENT} ${top_builddir}/admin/ktutil" +gsstool="${TESTS_ENVIRONMENT} ${top_builddir}/lib/gssapi/gsstool" # regression test tools test_ap_req="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_ap-req" diff --git a/tests/gss/Makefile.am b/tests/gss/Makefile.am index 182deeef6..2df571013 100644 --- a/tests/gss/Makefile.am +++ b/tests/gss/Makefile.am @@ -13,6 +13,7 @@ check_SCRIPTS = $(SCRIPT_TESTS) port = 49188 do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \ + -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \ -e 's,[@]port[@],$(port),g' \ -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' diff --git a/tests/gss/check-gss.in b/tests/gss/check-gss.in index bcce5efe1..f5254a1fc 100644 --- a/tests/gss/check-gss.in +++ b/tests/gss/check-gss.in @@ -34,11 +34,16 @@ # $Id$ # -objdir="@objdir@" -gssdir="${objdir}/../../lib/gssapi" +env_setup="@env_setup@" +confdir="@confdir@" +testdir="@testdir@" -${TESTS_ENVIRONMENT} ${gssdir}/gss help > /dev/null || exit 1 -${TESTS_ENVIRONMENT} ${gssdir}/gss supported-mechanisms > /dev/null || exit 1 +. ${env_setup} + +${TESTS_ENVIRONMENT} ${gsstool} help > /dev/null || exit 1 +${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms > /dev/null || exit 1 +${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all > /dev/null || exit 1 +${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos > /dev/null || exit 1 exit 0
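Review bot: the comments in the new OID table carry two typos: "Heimdal GSS-API Extentions" should read "Extensions", and "short description and and slightly longer description" doubles "and". More substantively, of the 27 RFC 5587 `desc ma` entries only GSS_C_MA_MECH_CONCRETE is given a long description; the other 26 pass `""` as the third field, so the long-description output of gss_display_mech_attr (exported in the version-script hunk below) will be empty for them. These attributes come from a published specification, so the one-line definitions can be filled in from it rather than left blank, the same way "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" already is.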
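Review bot: the last two `spnego_mo` entries (GSS_C_MA_MECH_NEGO and GSS_C_MA_MECH_PSEUDO) supply only the OID and the GSS_MO_MA flag and rely on implicit zero-initialization for the name, value, getter and setter that the three preceding entries spell out. That is valid C, but a reader comparing the entries cannot tell whether the omission is deliberate; writing `NULL, NULL, NULL, NULL` explicitly, or adding a one-line comment that flag-only attributes carry no string value, keeps the table self-explanatory. Also, GSS_C_MA_MECH_NAME and GSS_C_MA_SASL_MECH_NAME both advertise the same string "SPNEGO"; if the SASL name is meant to differ from the GSS mechanism name, confirm this is intended.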
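Review bot: the seven consecutive `NULL` initializers added before `spnego_mo` in `spnego_mech` are positional, so nothing in the source says which interface slots they fill, and a later insertion into `gssapi_mech_interface_desc` would silently shift `spnego_mo` and its count into the wrong members. Either use designated initializers for the two new members or annotate each NULL with the name of the function it leaves unimplemented, as the named entries such as `_gss_spnego_export_cred` above them make obvious. The count expression `sizeof(spnego_mo) / sizeof(spnego_mo[0])` is fine as written.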
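Review bot: removing `__gss_spnego_mechanism_oid_desc` (declared GSSAPI_LIB_VARIABLE) drops a symbol from the library's public surface, yet the version-script.map hunk in this change only adds names and does not touch that symbol. Confirm that no in-tree or external code still references it and whether the map still lists it; if any consumer used it, this is an ABI change that should be called out in the commit message rather than buried at the end of the external.c diff.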
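Review bot: the five new public functions (gss_display_mech_attr, gss_inquire_attrs_for_mech, gss_indicate_mechs_by_attrs, gss_inquire_mech_for_saslname, gss_inquire_saslname_for_mech) are added to the existing HEIMDAL_GSS_2.0 version node. Exports introduced after a node has shipped normally go into a new node so the dynamic linker can distinguish a binary that needs them from one that does not; if HEIMDAL_GSS_2.0 has already been released, a new node (HEIMDAL_GSS_2.1 or similar) would be the safer placement. In the touched context, "export then now" should read "export them now".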
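Review bot: check-gss.in now reads `@confdir@` and `@testdir@`, but the `do_subst` hunk in Makefile.am only adds the `@env_setup@` replacement to the sed chain (srcdir, env_setup, port and objdir are the substitutions visible). Unless those two tokens are handled in lines outside this hunk, they will be copied into the generated script literally; either add the two sed expressions or drop the assignments from check-gss.in.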
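Review bot: `gsstool` as defined in the setup-env.in hunk already begins with `${TESTS_ENVIRONMENT}`, so every invocation here of the form `${TESTS_ENVIRONMENT} ${gsstool} ...` expands the wrapper twice (a valgrind or libtool wrapper would end up invoked on itself). Drop the explicit `${TESTS_ENVIRONMENT}` prefix on these four lines. Also, `confdir` and `testdir` are assigned but never used in the script, and `--mech=Kerberos` is passed while the OID table in this change registers the mechanism's short name as "Kerberos 5"; confirm that gsstool resolves the shorter spelling, otherwise this check fails on exactly the lookup it is meant to exercise.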