gssapi: credential store extensions (#451)

Implement the GSS-API credential store API extensions defined by MIT here:

https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions

Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table that gss_acquire_cred_ext() used to occupy, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms).

(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
This commit is contained in:
Luke Howard
2019-01-03 09:26:41 +11:00
committed by Nico Williams
parent a7d42cdf6b
commit e0bb9c10ca
39 changed files with 1289 additions and 1054 deletions


@@ -82,9 +82,10 @@ mechsrc = \
mech/doxygen.c \
mech/gss_accept_sec_context.c \
mech/gss_acquire_cred.c \
mech/gss_acquire_cred_ext.c \
mech/gss_acquire_cred_from.c \
mech/gss_acquire_cred_with_password.c \
mech/gss_add_cred.c \
mech/gss_add_cred_from.c \
mech/gss_add_cred_with_password.c \
mech/gss_add_oid_set_member.c \
mech/gss_aeap.c \
@@ -141,6 +142,7 @@ mechsrc = \
mech/gss_set_sec_context_option.c \
mech/gss_sign.c \
mech/gss_store_cred.c \
mech/gss_store_cred_into.c \
mech/gss_test_oid_set_member.c \
mech/gss_unseal.c \
mech/gss_unwrap.c \


@@ -98,9 +98,10 @@ mechsrc = \
mech/cred.h \
mech/gss_accept_sec_context.c \
mech/gss_acquire_cred.c \
mech/gss_acquire_cred_ext.c \
mech/gss_acquire_cred_from.c \
mech/gss_acquire_cred_with_password.c \
mech/gss_add_cred.c \
mech/gss_add_cred_from.c \
mech/gss_add_cred_with_password.c \
mech/gss_add_oid_set_member.c \
mech/gss_aeap.c \
@@ -158,6 +159,7 @@ mechsrc = \
mech/gss_set_sec_context_option.c \
mech/gss_sign.c \
mech/gss_store_cred.c \
mech/gss_store_cred_into.c \
mech/gss_test_oid_set_member.c \
mech/gss_unseal.c \
mech/gss_unwrap.c \
@@ -328,9 +330,10 @@ libgssapi_OBJs = \
$(OBJ)\mech/context.obj \
$(OBJ)\mech/gss_accept_sec_context.obj \
$(OBJ)\mech/gss_acquire_cred.obj \
$(OBJ)\mech/gss_acquire_cred_ext.obj \
$(OBJ)\mech/gss_acquire_cred_from.obj \
$(OBJ)\mech/gss_acquire_cred_with_password.obj \
$(OBJ)\mech/gss_add_cred.obj \
$(OBJ)\mech/gss_add_cred_from.obj \
$(OBJ)\mech/gss_add_cred_with_password.obj \
$(OBJ)\mech/gss_add_oid_set_member.obj \
$(OBJ)\mech/gss_aeap.obj \
@@ -388,6 +391,7 @@ libgssapi_OBJs = \
$(OBJ)\mech/gss_set_sec_context_option.obj \
$(OBJ)\mech/gss_sign.obj \
$(OBJ)\mech/gss_store_cred.obj \
$(OBJ)\mech/gss_store_cred_into.obj \
$(OBJ)\mech/gss_test_oid_set_member.obj \
$(OBJ)\mech/gss_unseal.obj \
$(OBJ)\mech/gss_unwrap.obj \


@@ -141,13 +141,25 @@ typedef struct gss_iov_buffer_desc_struct {
gss_buffer_desc buffer;
} gss_iov_buffer_desc, *gss_iov_buffer_t;
/* Credential store extensions */
typedef struct gss_key_value_element_struct {
const char *key;
const char *value;
} gss_key_value_element_desc;
typedef struct gss_key_value_set_struct {
OM_uint32 count; /* should be size_t, but for MIT compat */
gss_key_value_element_desc *elements;
} gss_key_value_set_desc, *gss_key_value_set_t;
typedef const gss_key_value_set_desc *gss_const_key_value_set_t;
/*
* For now, define a QOP-type as an OM_uint32
*/
typedef OM_uint32 gss_qop_t;
/*
* Flag bits for context-level services.
*/
@@ -220,6 +232,7 @@ typedef OM_uint32 gss_qop_t;
#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
#define GSS_C_EMPTY_BUFFER {0, NULL}
#define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0)
#define GSS_C_NO_CRED_STORE ((gss_key_value_set_t)0)
/*
* Some alternate names for a couple of the above
@@ -1123,16 +1136,57 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_duplicate_cred (
gss_const_cred_id_t /*input_cred_handle*/,
gss_cred_id_t * /*output_cred_handle*/
);
/*
*
*/
GSSAPI_LIB_FUNCTION const char * GSSAPI_LIB_CALL
gss_oid_to_name(gss_const_OID oid);
GSSAPI_LIB_FUNCTION gss_OID GSSAPI_LIB_CALL
gss_name_to_oid(const char *name);
/*
* Credential store extensions
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_acquire_cred_from(
OM_uint32 * /* minor_status */,
gss_const_name_t /* desired_name */,
OM_uint32 /* time_req */,
const gss_OID_set /* desired_mechs */,
gss_cred_usage_t /* cred_usage */,
gss_const_key_value_set_t /* cred_store */,
gss_cred_id_t * /* output_cred_handle */,
gss_OID_set * /* actual_mechs */,
OM_uint32 * /* time_rec */
);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_add_cred_from(
OM_uint32 * /* minor_status */,
gss_cred_id_t /* input_cred_handle */,
gss_const_name_t /* desired_name */,
const gss_OID /* desired_mech */,
gss_cred_usage_t /* cred_usage */,
OM_uint32 /* initiator_time_req */,
OM_uint32 /* acceptor_time_req */,
gss_const_key_value_set_t /* cred_store */,
gss_cred_id_t * /* output_cred_handle */,
gss_OID_set * /* actual_mechs */,
OM_uint32 * /* initiator_time_rec */,
OM_uint32 * /*acceptor_time_rec */
);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_store_cred_into(
OM_uint32 * /* minor_status */,
gss_const_cred_id_t /* input_cred_handle */,
gss_cred_usage_t /* input_usage */,
const gss_OID /* desired_mech */,
OM_uint32 /* overwrite_cred */,
OM_uint32 /* default_cred */,
gss_const_key_value_set_t /* cred_store */,
gss_OID_set * /* elements_stored */,
gss_cred_usage_t * /* cred_usage_stored */
);
GSSAPI_CPP_END
#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
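Review bot: The new public prototypes `gss_acquire_cred_from`, `gss_add_cred_from` and `gss_store_cred_into` ship with only the bare "Credential store extensions" banner, so a caller cannot tell from this header what a `gss_const_key_value_set_t` must look like or how an empty or malformed set is treated. I would extend the banner comment to say that keys and values are mechanism-defined NUL-terminated strings, that `GSS_C_NO_CRED_STORE` selects the mechanism's default stores, and that a store is owned by the caller and must outlive the call (the krb5 mechanism keeps the `password` pointer for the duration of the acquisition). The `count` field's "should be size_t, but for MIT compat" remark is useful but would read better as `/* OM_uint32 rather than size_t for MIT ABI compatibility */`. Minor: `/*acceptor_time_rec */` on the last `gss_add_cred_from` parameter lacks the leading space the other parameter comments use.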


@@ -109,13 +109,6 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc;
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc;
#define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc)
/* credential types */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc;
#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc;
#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
/* Heimdal mechanisms - 1.2.752.43.14 */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc;
#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc)


@@ -360,18 +360,7 @@ typedef OM_uint32 GSSAPI_CALLCONV
_gss_import_cred_t(OM_uint32 * minor_status,
gss_buffer_t cred_token,
gss_cred_id_t * cred_handle);
typedef OM_uint32 GSSAPI_CALLCONV
_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */,
gss_const_name_t /* desired_name */,
gss_const_OID /* credential_type */,
const void * /* credential_data */,
OM_uint32 /* time_req */,
gss_const_OID /* desired_mech */,
gss_cred_usage_t /* cred_usage */,
gss_cred_id_t * /* output_cred_handle */);
typedef void GSSAPI_CALLCONV
_gss_iter_creds_t(OM_uint32 /* flags */,
void * /* userctx */,
@@ -447,6 +436,42 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_export_name_composite_t (
gss_buffer_t /* exp_composite_name */
);
typedef OM_uint32 GSSAPI_CALLCONV
_gss_acquire_cred_from_t(OM_uint32 *minor_status,
gss_const_name_t desired_name,
OM_uint32 time_req,
gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec);
typedef OM_uint32 GSSAPI_CALLCONV
_gss_add_cred_from_t(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_const_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_const_key_value_set_t cred_store,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec);
typedef OM_uint32 GSSAPI_CALLCONV
_gss_store_cred_into_t(OM_uint32 *minor_status,
gss_const_cred_id_t input_cred_handle,
gss_cred_usage_t input_usage,
gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_const_key_value_set_t cred_store,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored);
/*
*
*/
@@ -485,7 +510,7 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t (
/* mechglue internal */
struct gss_mech_compat_desc_struct;
#define GMI_VERSION 5
#define GMI_VERSION 6
/* gm_flags */
#define GM_USE_MG_CRED 1 /* uses mech glue credentials */
@@ -535,7 +560,7 @@ typedef struct gssapi_mech_interface_desc {
_gss_store_cred_t *gm_store_cred;
_gss_export_cred_t *gm_export_cred;
_gss_import_cred_t *gm_import_cred;
_gss_acquire_cred_ext_t *gm_acquire_cred_ext;
_gss_acquire_cred_from_t *gm_acquire_cred_from; /* was acquire_cred_ext */
_gss_iter_creds_t *gm_iter_creds;
_gss_destroy_cred_t *gm_destroy_cred;
_gss_cred_hold_t *gm_cred_hold;
@@ -553,6 +578,8 @@ typedef struct gssapi_mech_interface_desc {
_gss_delete_name_attribute_t *gm_delete_name_attribute;
_gss_export_name_composite_t *gm_export_name_composite;
_gss_duplicate_cred_t *gm_duplicate_cred;
_gss_add_cred_from_t *gm_add_cred_from;
_gss_store_cred_into_t *gm_store_cred_into;
struct gss_mech_compat_desc_struct *gm_compat;
} gssapi_mech_interface_desc, *gssapi_mech_interface;
@@ -582,25 +609,4 @@ struct _gss_oid_name_table {
extern struct _gss_oid_name_table _gss_ont_mech[];
extern struct _gss_oid_name_table _gss_ont_ma[];
/*
* Extended credentials acqusition API, not to be exported until
* it or something equivalent has been standardised.
*/
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc;
#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc;
#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
OM_uint32 _gss_acquire_cred_ext
(OM_uint32 * /*minor_status*/,
gss_const_name_t /*desired_name*/,
gss_const_OID /*credential_type*/,
const void * /*credential_data*/,
OM_uint32 /*time_req*/,
gss_const_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/
);
#endif /* GSSAPI_MECH_H */
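Review bot: The new mechanism typedefs are not const-consistent with the public prototypes they are dispatched from: `_gss_store_cred_into_t` takes `gss_OID desired_mech` while `gss_store_cred_into` and `_gsskrb5_store_cred_into` both declare `const gss_OID desired_mech`, and `_gss_acquire_cred_from_t` takes `gss_OID_set desired_mechs` where the public entry point takes `const gss_OID_set`; I would change the typedef lines to `const gss_OID desired_mech,` and `const gss_OID_set desired_mechs,` so a mechglue wrapper can forward its arguments without a cast. Reusing the former `gm_acquire_cred_ext` slot for `gm_acquire_cred_from` changes the signature of an existing table position, so the bump to `GMI_VERSION 6` is the only thing preventing a mechanism built against version 5 from being called with the wrong arguments; that is fine provided the loader refuses mismatched versions, which I cannot confirm from this hunk. The `/* was acquire_cred_ext */` remark would be more useful as `/* slot formerly gm_acquire_cred_ext; signature changed in GMI_VERSION 6 */`. The `gssapi_mech_interface_desc` struct begins outside this hunk.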


@@ -33,6 +33,44 @@
#include "gsskrb5_locl.h"
/*
* Find an element in a cred store. Returns GSS_S_COMPLETE if the cred store
* is absent or well formed, irrespective of whether the element exists. The
* caller should check for *value != NULL before using; values are typically
* optional, hence this behavior. (The caller should validate the return
* value at least once though, to check it is well-formed.)
*/
OM_uint32
__gsskrb5_cred_store_find(OM_uint32 *minor_status,
gss_const_key_value_set_t cred_store,
const char *key,
const char **value)
{
size_t i;
*value = NULL;
if (cred_store == GSS_C_NO_CRED_STORE)
return GSS_S_COMPLETE;
else if (cred_store->count == 0) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_NO_CRED;
}
for (i = 0; i < cred_store->count; i++) {
if (strcmp(key, cred_store->elements[i].key) == 0) {
if (*value) {
*value = NULL;
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_DUPLICATE_ELEMENT;
}
*value = cred_store->elements[i].value;
}
}
return GSS_S_COMPLETE;
}
OM_uint32
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
krb5_context context,
@@ -58,13 +96,21 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_system_keytab(krb5_context context, krb5_keytab *keytab)
get_system_keytab(krb5_context context,
gss_const_key_value_set_t cred_store,
krb5_keytab *keytab)
{
krb5_error_code kret;
const char *cs_ktname;
OM_uint32 tmp;
__gsskrb5_cred_store_find(&tmp, cred_store, "keytab", &cs_ktname);
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
if (cs_ktname)
kret = krb5_kt_resolve(context, cs_ktname, keytab);
else if (_gsskrb5_keytab != NULL) {
char *name = NULL;
kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
@@ -82,15 +128,26 @@ get_system_keytab(krb5_context context, krb5_keytab *keytab)
static krb5_error_code
get_client_keytab(krb5_context context,
gss_const_key_value_set_t cred_store,
krb5_const_principal principal,
krb5_keytab *keytab)
{
krb5_error_code ret;
char *name = NULL;
const char *cs_ktname;
OM_uint32 tmp;
__gsskrb5_cred_store_find(&tmp, cred_store, "client_keytab", &cs_ktname);
if (cs_ktname)
ret = krb5_kt_resolve(context, cs_ktname, keytab);
else {
char *name = NULL;
ret = _krb5_kt_client_default_name(context, &name);
if (ret == 0)
ret = krb5_kt_resolve(context, name, keytab);
krb5_xfree(name);
}
ret = _krb5_kt_client_default_name(context, &name);
if (ret == 0)
ret = krb5_kt_resolve(context, name, keytab);
if (ret == 0 && principal) {
krb5_keytab_entry entry;
@@ -99,14 +156,31 @@ get_client_keytab(krb5_context context,
if (ret == 0)
krb5_kt_free_entry(context, &entry);
}
krb5_xfree(name);
if (ret)
ret = get_system_keytab(context, keytab);
ret = get_system_keytab(context, GSS_C_NO_CRED_STORE, keytab);
return ret;
}
static krb5_boolean
is_valid_password_cred_store(gss_const_key_value_set_t cred_store)
{
size_t i;
if (cred_store == GSS_C_NO_CRED_STORE)
return TRUE;
/* XXX don't check keytab, someday we will allow password+acceptor creds */
for (i = 0; i < cred_store->count; i++) {
if (strcmp(cred_store->elements[i].key, "ccache") == 0 ||
strcmp(cred_store->elements[i].key, "client_keytab") == 0)
return FALSE;
}
return TRUE;
}
/*
* This function produces a cred with a MEMORY ccache containing a TGT
* acquired with a password.
@@ -116,8 +190,9 @@ acquire_cred_with_password(OM_uint32 *minor_status,
krb5_context context,
const char *password,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gsskrb5_cred handle)
{
OM_uint32 ret = GSS_S_FAILURE;
@@ -128,6 +203,11 @@ acquire_cred_with_password(OM_uint32 *minor_status,
time_t now;
OM_uint32 left;
if (!is_valid_password_cred_store(cred_store)) {
*minor_status = GSS_KRB5_S_G_BAD_PASSWORD_CRED_STORE;
return GSS_S_NO_CRED;
}
if (cred_usage == GSS_C_ACCEPT) {
/*
* TODO: Here we should eventually support user2user (when we get
@@ -212,11 +292,12 @@ static OM_uint32
acquire_initiator_cred(OM_uint32 *minor_status,
krb5_context context,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gsskrb5_cred handle)
{
OM_uint32 ret = GSS_S_FAILURE;
OM_uint32 ret;
krb5_creds cred;
krb5_get_init_creds_opt *opt;
krb5_principal def_princ = NULL;
@@ -225,11 +306,19 @@ acquire_initiator_cred(OM_uint32 *minor_status,
krb5_keytab keytab = NULL;
krb5_error_code kret = 0;
OM_uint32 left;
const char *cs_ccache_name;
time_t lifetime = 0;
time_t now;
memset(&cred, 0, sizeof(cred));
ret = __gsskrb5_cred_store_find(minor_status, cred_store,
"ccache", &cs_ccache_name);
if (GSS_ERROR(ret))
return ret;
ret = GSS_S_FAILURE;
/*
* Get current time early so we can set handle->endtime to a value that
* cannot accidentally be past the real endtime. We need a variant of
@@ -239,7 +328,8 @@ acquire_initiator_cred(OM_uint32 *minor_status,
/*
* First look for a ccache that has the desired_name (which may be
* the default credential name).
* the default credential name), unless a specific credential cache
* was included in cred_store.
*
* If we don't have an unexpired credential, acquire one with a
* keytab.
@@ -250,7 +340,7 @@ acquire_initiator_cred(OM_uint32 *minor_status,
* If we don't have any such ccache, then use a MEMORY ccache.
*/
if (handle->principal != NULL) {
if (handle->principal != NULL && cs_ccache_name == NULL) {
/*
* Not default credential case. See if we can find a ccache in
* the cccol for the desired_name.
@@ -277,7 +367,10 @@ acquire_initiator_cred(OM_uint32 *minor_status,
* Either desired_name was GSS_C_NO_NAME (default cred) or
* krb5_cc_cache_match() failed (or found expired).
*/
kret = krb5_cc_default(context, &def_ccache);
if (cs_ccache_name)
kret = krb5_cc_resolve(context, cs_ccache_name, &def_ccache);
else
kret = krb5_cc_default(context, &def_ccache);
if (kret != 0)
goto try_keytab;
kret = krb5_cc_get_lifetime(context, def_ccache, &lifetime);
@@ -319,7 +412,7 @@ try_keytab:
if (kret)
goto end;
}
kret = get_client_keytab(context, handle->principal, &keytab);
kret = get_client_keytab(context, cred_store, handle->principal, &keytab);
if (kret)
goto end;
@@ -398,8 +491,9 @@ static OM_uint32
acquire_acceptor_cred(OM_uint32 * minor_status,
krb5_context context,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gsskrb5_cred handle)
{
OM_uint32 ret;
@@ -407,7 +501,7 @@ acquire_acceptor_cred(OM_uint32 * minor_status,
ret = GSS_S_FAILURE;
kret = get_system_keytab(context, &handle->keytab);
kret = get_system_keytab(context, cred_store, &handle->keytab);
if (kret)
goto end;
@@ -449,18 +543,23 @@ end:
return (ret);
}
OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_from
(OM_uint32 * minor_status,
gss_const_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
gss_OID_set *actual_mechs,
OM_uint32 *time_rec
)
{
krb5_context context;
gsskrb5_cred handle;
OM_uint32 ret;
const char *password = NULL;
if (desired_mechs) {
int present = 0;
@@ -475,43 +574,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
}
ret = _gsskrb5_acquire_cred_ext(minor_status,
desired_name,
GSS_C_NO_OID,
NULL,
time_req,
GSS_KRB5_MECHANISM,
cred_usage,
output_cred_handle);
if (ret)
return ret;
ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
NULL, time_rec, NULL, actual_mechs);
if (ret) {
OM_uint32 tmp;
_gsskrb5_release_cred(&tmp, output_cred_handle);
}
return ret;
}
OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
(OM_uint32 * minor_status,
gss_const_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle
)
{
krb5_context context;
gsskrb5_cred handle;
OM_uint32 ret;
cred_usage &= GSS_C_OPTION_MASK;
if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE &&
@@ -520,6 +582,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
return GSS_S_FAILURE;
}
ret = __gsskrb5_cred_store_find(minor_status, cred_store,
"password", &password);
if (GSS_ERROR(ret))
return ret;
GSSAPI_KRB5_INIT(&context);
*output_cred_handle = GSS_C_NO_CREDENTIAL;
@@ -542,57 +609,24 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
}
}
if (credential_type != GSS_C_NO_OID &&
gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
/* Acquire a cred with a password */
gss_const_buffer_t pwbuf = credential_data;
char *pw;
if (pwbuf == NULL) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = KRB5_NOCREDS_SUPPLIED; /* see below */
return GSS_S_CALL_INACCESSIBLE_READ;
}
/* NUL-terminate the password, if it wasn't already */
pw = strndup(pwbuf->value, pwbuf->length);
if (pw == NULL) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = krb5_enomem(context);
return GSS_S_CALL_INACCESSIBLE_READ;
}
ret = acquire_cred_with_password(minor_status, context, pw, time_req,
desired_mech, cred_usage, handle);
free(pw);
if (password) {
ret = acquire_cred_with_password(minor_status, context, password, time_req,
desired_mechs, cred_usage, cred_store, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
} else if (credential_type != GSS_C_NO_OID) {
/*
* _gss_acquire_cred_ext() called with something other than a password.
*
* Not supported.
*
* _gss_acquire_cred_ext() is not a supported public interface, so
* we don't have to try too hard as to minor status codes here.
*/
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ENOTSUP;
return GSS_S_FAILURE;
} else {
/*
* Acquire a credential from the background credential store (ccache,
* keytab).
* Acquire a credential from the specified or background credential
* store (ccache, keytab).
*/
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, context, time_req,
desired_mech, cred_usage, handle);
desired_mechs, cred_usage,
cred_store, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@@ -602,7 +636,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, context, time_req,
desired_mech, cred_usage, handle);
desired_mechs, cred_usage,
cred_store, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@@ -615,6 +650,10 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
handle->usage = cred_usage;
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
@@ -623,7 +662,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
free(handle);
return (ret);
}
handle->usage = cred_usage;
*minor_status = 0;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
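Review bot: `get_system_keytab` and `get_client_keytab` discard the status of `__gsskrb5_cred_store_find` (the `OM_uint32 tmp` calls for "keytab" and "client_keytab"), so a store that carries duplicate `keytab` entries, or an empty store, yields `cs_ktname == NULL` and the code silently falls through to the default system or client keytab, i.e. an acceptor credential bound to keys the caller did not ask for; the header comment on `__gsskrb5_cred_store_find` says the caller must validate the return value at least once, but the only validated lookups in this file are "ccache" and "password". I would fail closed: `if (GSS_ERROR(__gsskrb5_cred_store_find(&tmp, cred_store, "keytab", &cs_ktname))) return EINVAL;` (or a dedicated krb5 error code mapped by the caller's existing `if (kret) goto end;` path), and the same for "client_keytab". Related: the `get_system_keytab(context, GSS_C_NO_CRED_STORE, keytab)` fallback in `get_client_keytab` ignores a `keytab` element the caller may have supplied, which looks intentional but deserves a comment. Lastly, `__gsskrb5_cred_store_find` passes `cred_store->elements[i].key` straight to `strcmp`, so a NULL key from a careless application dereferences NULL; a `key == NULL` guard returning `GSS_S_NO_CRED` with `GSS_KRB5_S_G_BAD_USAGE` would match the other malformed-store paths. The later hunks of `_gsskrb5_acquire_cred_from` are cut by the section boundaries.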


@@ -33,14 +33,15 @@
#include "gsskrb5_locl.h"
OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred_from (
OM_uint32 *minor_status,
gss_const_cred_id_t input_cred_handle,
gss_cred_id_t input_cred_handle,
gss_const_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_const_key_value_set_t cred_store,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
@@ -75,13 +76,14 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
heim_assert(output_cred_handle != NULL,
"internal error in _gsskrb5_add_cred()");
major = _gsskrb5_acquire_cred(minor_status, desired_name,
min(initiator_time_req,
acceptor_time_req),
GSS_C_NO_OID_SET,
cred_usage,
output_cred_handle,
actual_mechs, &lifetime);
major = _gsskrb5_acquire_cred_from(minor_status, desired_name,
min(initiator_time_req,
acceptor_time_req),
GSS_C_NO_OID_SET,
cred_usage,
cred_store,
output_cred_handle,
actual_mechs, &lifetime);
if (major != GSS_S_COMPLETE)
goto failure;
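Review bot: The assertion message on the context line above the new `_gsskrb5_acquire_cred_from` call still reads `"internal error in _gsskrb5_add_cred()"` although the function is now `_gsskrb5_add_cred_from`, so a failing assert would point a reader at a symbol that no longer exists in this file; change it to `"internal error in _gsskrb5_add_cred_from()"`. `input_cred_handle` also loses its `gss_const_cred_id_t` qualifier here to match the `_gss_add_cred_from_t` typedef; a short comment on the parameter saying the non-const type is dictated by the MIT-compatible interface would stop the next reviewer from "fixing" it back. The function body continues outside this hunk.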


@@ -53,12 +53,13 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_duplicate_cred (
if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
/* Duplicate the default credential */
return _gsskrb5_acquire_cred(minor_status, GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
output_cred_handle,
NULL, NULL);
return _gsskrb5_acquire_cred_from(minor_status, GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
GSS_C_NO_CRED_STORE,
output_cred_handle,
NULL, NULL);
}
/* Duplicate the input credential */


@@ -339,7 +339,7 @@ static gssapi_mech_interface_desc krb5_mech = {
"kerberos 5",
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
0,
_gsskrb5_acquire_cred,
NULL, /* gm_acquire_cred */
_gsskrb5_release_cred,
_gsskrb5_init_sec_context,
_gsskrb5_accept_sec_context,
@@ -360,7 +360,7 @@ static gssapi_mech_interface_desc krb5_mech = {
_gsskrb5_inquire_cred,
_gsskrb5_inquire_context,
_gsskrb5_wrap_size_limit,
_gsskrb5_add_cred,
NULL, /* gm_add_cred */
_gsskrb5_inquire_cred_by_mech,
_gsskrb5_export_sec_context,
_gsskrb5_import_sec_context,
@@ -376,10 +376,10 @@ static gssapi_mech_interface_desc krb5_mech = {
_gk_wrap_iov,
_gk_unwrap_iov,
_gk_wrap_iov_length,
_gsskrb5_store_cred,
NULL, /* gm_store_cred */
_gsskrb5_export_cred,
_gsskrb5_import_cred,
_gsskrb5_acquire_cred_ext,
_gsskrb5_acquire_cred_from,
NULL,
NULL,
NULL,
@@ -397,6 +397,8 @@ static gssapi_mech_interface_desc krb5_mech = {
NULL, /* gm_delete_name_attribute */
NULL, /* gm_export_name_composite */
_gsskrb5_duplicate_cred,
_gsskrb5_add_cred_from,
_gsskrb5_store_cred_into,
NULL /* gm_compat */
};
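Review bot: The krb5 mechanism table now sets `gm_acquire_cred`, `gm_add_cred` and `gm_store_cred` to `NULL` and supplies only the `_from`/`_into` variants, which is correct only if every mechglue dispatcher for the legacy entry points (`gss_acquire_cred`, `gss_add_cred`, `gss_store_cred`, plus internal callers such as `gss_inquire_cred`'s default-credential path) falls back to the `_from` slot when the legacy slot is NULL; that fallback is not visible in this change set, so it should be confirmed or the table should keep thin wrappers, since a missed call site is a NULL function-pointer dereference. The three unlabelled `NULL,` lines after `_gsskrb5_acquire_cred_from` would be easier to audit with the slot names spelled out, as the surrounding entries do (`NULL, /* gm_iter_creds */` and so on).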


@@ -17,6 +17,8 @@ error_code G_BAD_MSG_CTX, "Message context invalid"
error_code G_WRONG_SIZE, "Buffer is the wrong size"
error_code G_BAD_USAGE, "Credential usage type is unknown"
error_code G_UNKNOWN_QOP, "Unknown quality of protection specified"
error_code G_UNKNOWN_CRED_STORE_ELEMENT, "Credential store contained unknown elements"
error_code G_BAD_PASSWORD_CRED_STORE, "Credential store cannot contain both a password and a credentials cache or client keytab"
index 128


@@ -80,14 +80,15 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
* function.
*/
/* Get the info for the default ACCEPT credential */
aret = _gsskrb5_acquire_cred(&aminor,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
&aqcred_accept,
NULL,
NULL);
aret = _gsskrb5_acquire_cred_from(&aminor,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
GSS_C_NO_CRED_STORE,
&aqcred_accept,
NULL,
NULL);
if (aret == GSS_S_COMPLETE) {
aret = _gsskrb5_inquire_cred(&aminor,
aqcred_accept,
@@ -116,14 +117,15 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
}
/* Get the info for the default INITIATE credential */
ret = _gsskrb5_acquire_cred(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&aqcred_init,
NULL,
NULL);
ret = _gsskrb5_acquire_cred_from(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
GSS_C_NO_CRED_STORE,
&aqcred_init,
NULL,
NULL);
if (ret == GSS_S_COMPLETE) {
ret = _gsskrb5_inquire_cred(minor_status,
aqcred_init,


@@ -34,23 +34,25 @@
#include "gsskrb5_locl.h"
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_store_cred(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_cred_usage_t cred_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
_gsskrb5_store_cred_into(OM_uint32 *minor_status,
gss_const_cred_id_t input_cred_handle,
gss_cred_usage_t cred_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_const_key_value_set_t cred_store,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
krb5_context context;
krb5_error_code ret;
gsskrb5_cred cred;
krb5_ccache id = NULL;
krb5_ccache def_ccache = NULL;
const char *def_type = NULL;
time_t exp_current;
time_t exp_new;
const char *cs_ccache_name = NULL;
OM_uint32 major_status;
*minor_status = 0;
@@ -89,38 +91,47 @@ _gsskrb5_store_cred(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
ret = krb5_cc_default(context, &def_ccache);
if (ret == 0) {
def_type = krb5_cc_get_type(context, def_ccache);
krb5_cc_close(context, def_ccache);
if (cred_store != GSS_C_NO_CRED_STORE) {
major_status = __gsskrb5_cred_store_find(minor_status, cred_store,
"ccache", &cs_ccache_name);
if (major_status == GSS_S_COMPLETE && cs_ccache_name == NULL) {
*minor_status = GSS_KRB5_S_G_UNKNOWN_CRED_STORE_ELEMENT;
major_status = GSS_S_NO_CRED;
}
if (GSS_ERROR(major_status)) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
return major_status;
}
}
def_ccache = NULL;
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
if (default_cred) {
ret = krb5_cc_default(context, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
} else {
if (def_type == NULL ||
!krb5_cc_support_switch(context, def_type)) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0; /* XXX */
return GSS_S_NO_CRED; /* XXX */
}
ret = krb5_cc_new_unique(context, def_type, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
overwrite_cred = 1;
}
if (cs_ccache_name)
ret = krb5_cc_resolve(context, cs_ccache_name, &id);
else {
krb5_ccache def_ccache = NULL;
if (krb5_cc_default(context, &def_ccache) == 0) {
def_type = krb5_cc_get_type(context, def_ccache);
krb5_cc_close(context, def_ccache);
}
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
if (default_cred)
ret = krb5_cc_default(context, &id);
else if (def_type &&
krb5_cc_support_switch(context, def_type)) {
ret = krb5_cc_new_unique(context, def_type, NULL, &id);
overwrite_cred = 1;
} else
ret = 0; /* == GSS_C_NO_CRED */
}
}
if (ret || id == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return ret == 0 ? GSS_S_NO_CRED : GSS_S_FAILURE;
}
if (!overwrite_cred) {
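Review bot: The new `else` branch declares a block-local `krb5_ccache def_ccache = NULL;` while the function-scope `krb5_ccache def_ccache = NULL;` from the first hunk appears to survive, so the inner declaration shadows the outer one and the outer variable becomes dead; keep only one of them (dropping the function-scope declaration is the smaller change). When the caller names a cache through the store, `krb5_cc_resolve(context, cs_ccache_name, &id)` is taken unconditionally and `default_cred` is not consulted on that path, unlike the default-cache branch; if the remainder of the function (outside this hunk) does not switch the resolved cache into the collection, the `default_cred` flag is silently ignored for cred-store callers and that should either be implemented or documented in the function header. The `ret = 0; /* == GSS_C_NO_CRED */` comment refers to a major-status value while `ret` holds a `krb5_error_code`; `/* no usable cache: reported as GSS_S_NO_CRED below */` says what is meant.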


@@ -9,13 +9,13 @@ EXPORTS
__gss_krb5_nt_principal_name_oid_desc DATA
__gss_c_attr_stream_sizes_oid_desc DATA
__gss_c_attr_local_login_user DATA
__gss_c_cred_certificate_oid_desc DATA
__gss_c_cred_password_oid_desc DATA
gss_accept_sec_context
gss_acquire_cred
gss_acquire_cred_from
gss_acquire_cred_with_password
gss_add_buffer_set_member
gss_add_cred
gss_add_cred_from
gss_add_cred_with_password
gss_add_oid_set_member
gss_authorize_localname
@@ -91,6 +91,7 @@ EXPORTS
gss_set_sec_context_option
gss_sign
gss_store_cred
gss_store_cred_into
gss_test_oid_set_member
gss_unseal
gss_unwrap
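Review bot: If `__gss_c_cred_certificate_oid_desc` and `__gss_c_cred_password_oid_desc` are being removed from EXPORTS (the markers are lost on this page, but the matching declarations disappear from `gssapi_oid.h` and `mech.h` in this commit), this is an ABI change for any Windows consumer that resolved those data symbols from the previous DLL, even though the commit message only describes the removal of the never-public `gss_acquire_cred_ext()`. That is probably acceptable given `GSS_C_CRED_PASSWORD` was documented as "not to be exported until standardised", but the commit message should say so, and a release note should mention that `gss_acquire_cred_with_password` remains the supported password entry point.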


@@ -39,19 +39,18 @@ struct _gss_cred {
struct _gss_mechanism_cred_list gc_mc;
};
struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc);
struct _gss_mechanism_name;
OM_uint32
_gss_acquire_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_name *mn,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
struct _gss_mechanism_cred **output_cred_handle);
_gss_mg_add_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_cred *mc,
const struct _gss_mechanism_name *mn,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_const_key_value_set_t cred_store,
struct _gss_mechanism_cred **output_cred_handle,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec);


@@ -38,131 +38,13 @@ gss_acquire_cred(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
OM_uint32 major_status;
gss_OID_set mechs = desired_mechs;
gss_OID_set_desc set;
struct _gss_name *name = (struct _gss_name *) desired_name;
gssapi_mech_interface m;
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
OM_uint32 min_time, cred_time;
size_t i;
*minor_status = 0;
if (output_cred_handle == NULL)
return GSS_S_CALL_INACCESSIBLE_READ;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
if (time_rec)
*time_rec = 0;
_gss_load_mech();
/*
* First make sure that at least one of the requested
* mechanisms is one that we support.
*/
if (mechs) {
for (i = 0; i < mechs->count; i++) {
int t;
gss_test_oid_set_member(minor_status,
&mechs->elements[i], _gss_mech_oids, &t);
if (t)
break;
}
if (i == mechs->count) {
*minor_status = 0;
return (GSS_S_BAD_MECH);
}
}
if (actual_mechs) {
major_status = gss_create_empty_oid_set(minor_status,
actual_mechs);
if (major_status)
return (major_status);
}
cred = malloc(sizeof(struct _gss_cred));
if (!cred) {
if (actual_mechs)
gss_release_oid_set(minor_status, actual_mechs);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
HEIM_SLIST_INIT(&cred->gc_mc);
if (mechs == GSS_C_NO_OID_SET)
mechs = _gss_mech_oids;
set.count = 1;
min_time = GSS_C_INDEFINITE;
for (i = 0; i < mechs->count; i++) {
struct _gss_mechanism_name *mn = NULL;
m = __gss_get_mechanism(&mechs->elements[i]);
if (!m)
continue;
if (desired_name != GSS_C_NO_NAME) {
major_status = _gss_find_mn(minor_status, name,
&mechs->elements[i], &mn);
if (major_status != GSS_S_COMPLETE)
continue;
}
mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!mc) {
continue;
}
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
/*
* XXX Probably need to do something with actual_mechs.
*/
set.elements = &mechs->elements[i];
major_status = m->gm_acquire_cred(minor_status,
(desired_name != GSS_C_NO_NAME
? mn->gmn_name : GSS_C_NO_NAME),
time_req, &set, cred_usage,
&mc->gmc_cred, NULL, &cred_time);
if (major_status) {
free(mc);
continue;
}
if (cred_time < min_time)
min_time = cred_time;
if (actual_mechs) {
major_status = gss_add_oid_set_member(minor_status,
mc->gmc_mech_oid, actual_mechs);
if (major_status) {
m->gm_release_cred(minor_status,
&mc->gmc_cred);
free(mc);
continue;
}
}
HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
}
/*
* If we didn't manage to create a single credential, return
* an error.
*/
if (!HEIM_SLIST_FIRST(&cred->gc_mc)) {
free(cred);
if (actual_mechs)
gss_release_oid_set(minor_status, actual_mechs);
*minor_status = 0;
return (GSS_S_NO_CRED);
}
if (time_rec)
*time_rec = min_time;
*output_cred_handle = (gss_cred_id_t) cred;
*minor_status = 0;
return (GSS_S_COMPLETE);
return gss_acquire_cred_from(minor_status,
desired_name,
time_req,
desired_mechs,
cred_usage,
GSS_C_NO_CRED_STORE,
output_cred_handle,
actual_mechs,
time_rec);
}
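Review bot: The rewritten gss_acquire_cred body is now a bare forward to gss_acquire_cred_from with no comment, so a reader has to open the other file to learn that the `GSS_C_NO_CRED_STORE` argument is what makes this the store-less variant and that all argument validation and output initialisation now happen there. A one-liner above the return, `/* Identical to gss_acquire_cred_from() without a credential store; argument validation and output initialisation live there. */`, would make that explicit. The function's signature begins before this hunk.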


@@ -1,203 +0,0 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Portions Copyright (c) 2011 PADL Software Pty Ltd.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include "mech_locl.h"
OM_uint32
_gss_acquire_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_name *mn,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
struct _gss_mechanism_cred **output_cred_handle)
{
OM_uint32 major_status;
struct _gss_mechanism_cred *mc;
gss_OID_set_desc set2;
*output_cred_handle = NULL;
mc = calloc(1, sizeof(struct _gss_mechanism_cred));
if (mc == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
set2.count = 1;
set2.elements = mc->gmc_mech_oid;
if (m->gm_acquire_cred_ext) {
major_status = m->gm_acquire_cred_ext(minor_status,
mn->gmn_name,
credential_type,
credential_data,
time_req,
mc->gmc_mech_oid,
cred_usage,
&mc->gmc_cred);
} else if (gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD) &&
m->gm_compat &&
m->gm_compat->gmc_acquire_cred_with_password) {
/*
* Shim for mechanisms that adhere to API-as-SPI and do not
* implement gss_acquire_cred_ext().
*/
major_status = m->gm_compat->gmc_acquire_cred_with_password(minor_status,
mn->gmn_name,
(const gss_buffer_t)credential_data,
time_req,
&set2,
cred_usage,
&mc->gmc_cred,
NULL,
NULL);
} else if (credential_type == GSS_C_NO_OID) {
major_status = m->gm_acquire_cred(minor_status,
mn->gmn_name,
time_req,
&set2,
cred_usage,
&mc->gmc_cred,
NULL,
NULL);
} else {
major_status = GSS_S_UNAVAILABLE;
free(mc);
mc= NULL;
}
if (major_status != GSS_S_COMPLETE)
free(mc);
else
*output_cred_handle = mc;
return major_status;
}
/**
* This function is not a public interface and is deprecated anyways, do
* not use. Use gss_acquire_cred_with_password() instead for now.
*
* @deprecated
*/
OM_uint32
_gss_acquire_cred_ext(OM_uint32 *minor_status,
gss_const_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gss_cred_id_t *output_cred_handle)
{
OM_uint32 major_status;
struct _gss_name *name = (struct _gss_name *) desired_name;
gssapi_mech_interface m;
struct _gss_cred *cred;
gss_OID_set_desc set, *mechs;
size_t i;
*minor_status = 0;
if (output_cred_handle == NULL)
return GSS_S_CALL_INACCESSIBLE_READ;
_gss_load_mech();
if (desired_mech != GSS_C_NO_OID) {
int match = 0;
gss_test_oid_set_member(minor_status, (gss_OID)desired_mech,
_gss_mech_oids, &match);
if (!match)
return GSS_S_BAD_MECH;
set.count = 1;
set.elements = (gss_OID)desired_mech;
mechs = &set;
} else
mechs = _gss_mech_oids;
cred = calloc(1, sizeof(*cred));
if (cred == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
HEIM_SLIST_INIT(&cred->gc_mc);
for (i = 0; i < mechs->count; i++) {
struct _gss_mechanism_name *mn = NULL;
struct _gss_mechanism_cred *mc = NULL;
m = __gss_get_mechanism(&mechs->elements[i]);
if (!m)
continue;
if (desired_name != GSS_C_NO_NAME) {
major_status = _gss_find_mn(minor_status, name,
&mechs->elements[i], &mn);
if (major_status != GSS_S_COMPLETE)
continue;
}
major_status = _gss_acquire_mech_cred(minor_status, m, mn,
credential_type, credential_data,
time_req, desired_mech, cred_usage,
&mc);
if (GSS_ERROR(major_status)) {
if (mechs->count == 1)
_gss_mg_error(m, major_status, *minor_status);
continue;
}
HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
}
/*
* If we didn't manage to create a single credential, return
* an error.
*/
if (!HEIM_SLIST_FIRST(&cred->gc_mc)) {
free(cred);
if (mechs->count > 1)
*minor_status = 0;
return GSS_S_NO_CRED;
}
*output_cred_handle = (gss_cred_id_t) cred;
*minor_status = 0;
return GSS_S_COMPLETE;
}


@@ -0,0 +1,265 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Portions Copyright (c) 2011, 2018 PADL Software Pty Ltd.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include "mech_locl.h"
/*
* Shim for gss_acquire_cred_with_password()
*/
static const char *
find_password_in_cred_store(gss_const_key_value_set_t cred_store)
{
size_t i;
if (cred_store == GSS_C_NO_CRED_STORE)
return NULL;
for (i = 0; i < cred_store->count; i++) {
if (strcmp(cred_store->elements[i].key, "password") == 0)
return cred_store->elements[i].value;
}
return NULL;
}
static OM_uint32
acquire_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_name *mn,
OM_uint32 time_req,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
struct _gss_mechanism_cred **out,
OM_uint32 *time_rec)
{
OM_uint32 major_status;
struct _gss_mechanism_cred *mc;
gss_OID_set_desc mech;
const char *spassword;
*out = NULL;
if (time_rec)
*time_rec = 0;
mc = calloc(1, sizeof(struct _gss_mechanism_cred));
if (mc == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
mc->gmc_mech = m;
mc->gmc_mech_oid = &m->gm_mech_oid;
mech.count = 1;
mech.elements = mc->gmc_mech_oid;
if (m->gm_acquire_cred_from) {
major_status = m->gm_acquire_cred_from(minor_status,
mn ? mn->gmn_name : GSS_C_NO_NAME,
time_req,
&mech,
cred_usage,
cred_store,
&mc->gmc_cred,
NULL,
time_rec);
} else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_acquire_cred) {
major_status = m->gm_acquire_cred(minor_status,
mn ? mn->gmn_name : GSS_C_NO_NAME,
time_req,
&mech,
cred_usage,
&mc->gmc_cred,
NULL,
time_rec);
} else if (m->gm_compat &&
m->gm_compat->gmc_acquire_cred_with_password &&
(spassword = find_password_in_cred_store(cred_store)) != NULL) {
gss_buffer_desc password;
password.length = strlen(spassword);
password.value = rk_UNCONST(spassword);
/* compat glue for loadable mechanisms that implement API-as-SPI */
major_status = m->gm_compat->gmc_acquire_cred_with_password(minor_status,
mn ? mn->gmn_name : GSS_C_NO_NAME,
&password,
time_req,
&mech,
cred_usage,
&mc->gmc_cred,
NULL,
time_rec);
} else
major_status = GSS_S_UNAVAILABLE;
heim_assert(major_status == GSS_S_COMPLETE || mc->gmc_cred == NULL,
"gss_acquire_cred_from: mech succeeded but did not return a credential");
if (major_status == GSS_S_COMPLETE)
*out = mc;
else
free(mc);
return major_status;
}
OM_uint32
gss_acquire_cred_from(OM_uint32 *minor_status,
gss_const_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
OM_uint32 major_status, minor;
struct _gss_name *name = (struct _gss_name *)desired_name;
gssapi_mech_interface m;
struct _gss_cred *cred = NULL;
size_t i;
OM_uint32 min_time = GSS_C_INDEFINITE;
gss_OID_set mechs;
*minor_status = 0;
if (output_cred_handle == NULL)
return GSS_S_CALL_INACCESSIBLE_READ;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
if (time_rec)
*time_rec = 0;
_gss_load_mech();
if (desired_mechs) {
int match = 0;
for (i = 0; i < desired_mechs->count; i++) {
gss_test_oid_set_member(minor_status, &desired_mechs->elements[i],
_gss_mech_oids, &match);
if (match)
break;
}
if (!match) {
*minor_status = 0;
major_status = GSS_S_BAD_MECH;
goto cleanup;
}
mechs = desired_mechs;
} else
mechs = _gss_mech_oids;
cred = calloc(1, sizeof(*cred));
if (cred == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
HEIM_SLIST_INIT(&cred->gc_mc);
if (actual_mechs) {
major_status = gss_create_empty_oid_set(minor_status, actual_mechs);
if (GSS_ERROR(major_status))
goto cleanup;
}
major_status = GSS_S_UNAVAILABLE; /* in case of no mechs */
for (i = 0; i < mechs->count; i++) {
struct _gss_mechanism_name *mn = NULL;
struct _gss_mechanism_cred *mc = NULL;
OM_uint32 cred_time;
m = __gss_get_mechanism(&mechs->elements[i]);
if (m == NULL)
continue;
if (desired_name != GSS_C_NO_NAME) {
major_status = _gss_find_mn(minor_status, name,
&mechs->elements[i], &mn);
if (major_status != GSS_S_COMPLETE)
continue;
}
major_status = acquire_mech_cred(minor_status, m, mn,
time_req, cred_usage,
cred_store, &mc, &cred_time);
if (major_status != GSS_S_COMPLETE) {
if (mechs->count == 1)
_gss_mg_error(m, major_status, *minor_status);
continue;
}
HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
if (cred_time < min_time)
min_time = cred_time;
if (actual_mechs != NULL) {
major_status = gss_add_oid_set_member(minor_status,
mc->gmc_mech_oid,
actual_mechs);
if (GSS_ERROR(major_status))
goto cleanup;
}
}
/*
* If we didn't manage to create a single credential, return
* an error.
*/
if (!HEIM_SLIST_FIRST(&cred->gc_mc)) {
if (mechs->count > 1) {
*minor_status = 0;
major_status = GSS_S_NO_CRED;
}
heim_assert(major_status != GSS_S_COMPLETE,
"lack of credentials must result in an error");
goto cleanup;
}
*minor_status = 0;
major_status = GSS_S_COMPLETE;
*output_cred_handle = (gss_cred_id_t)cred;
if (time_rec)
*time_rec = min_time;
cleanup:
if (major_status != GSS_S_COMPLETE) {
gss_release_cred(&minor, (gss_cred_id_t *)&cred);
if (actual_mechs)
gss_release_oid_set(&minor, actual_mechs);
}
return major_status;
}
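Review bot: The heim_assert message in acquire_mech_cred is inverted: the condition `major_status == GSS_S_COMPLETE || mc->gmc_cred == NULL` fires when a mechanism failed yet left a non-NULL credential behind, not when it succeeded without one, so the text should read `"gss_acquire_cred_from: mech failed but returned a credential"`. Separately, gss_acquire_cred_from answers a NULL `output_cred_handle` with `GSS_S_CALL_INACCESSIBLE_READ` although it is an output parameter, while gss_add_cred_from in this same commit uses `GSS_S_CALL_INACCESSIBLE_WRITE` for the identical check; the two should agree. The definition is also undecorated (`OM_uint32 gss_acquire_cred_from(`) whereas gss_add_cred_from carries `GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL`; if this is meant to be a public entry point the export and calling-convention decoration presumably needs to match. Finally, the password shim is taken whenever the store carries a `password` key, so any other keys in that store (a ccache or keytab location, say) are silently dropped for mechanisms without gm_acquire_cred_from — worth either a comment at that branch or returning GSS_S_UNAVAILABLE when `cred_store->count > 1`.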


@@ -43,77 +43,43 @@ gss_acquire_cred_with_password(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
OM_uint32 major_status, tmp_minor;
OM_uint32 major_status;
gss_key_value_element_desc kv;
gss_key_value_set_desc store;
char *spassword = NULL;
if (desired_mechs == GSS_C_NO_OID_SET) {
major_status = _gss_acquire_cred_ext(minor_status,
desired_name,
GSS_C_CRED_PASSWORD,
password,
time_req,
GSS_C_NO_OID,
cred_usage,
output_cred_handle);
if (GSS_ERROR(major_status))
return major_status;
} else {
size_t i;
struct _gss_cred *new_cred;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
new_cred = calloc(1, sizeof(*new_cred));
if (new_cred == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
HEIM_SLIST_INIT(&new_cred->gc_mc);
if (password == GSS_C_NO_BUFFER || password->value == NULL)
return GSS_S_CALL_INACCESSIBLE_READ;
for (i = 0; i < desired_mechs->count; i++) {
struct _gss_cred *tmp_cred = NULL;
struct _gss_mechanism_cred *mc;
spassword = malloc(password->length + 1);
if (spassword == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
memcpy(spassword, password->value, password->length);
spassword[password->length] = '\0';
major_status = _gss_acquire_cred_ext(minor_status,
desired_name,
GSS_C_CRED_PASSWORD,
password,
time_req,
&desired_mechs->elements[i],
cred_usage,
(gss_cred_id_t *)&tmp_cred);
if (GSS_ERROR(major_status))
continue;
kv.key = "password";
kv.value = spassword;
mc = HEIM_SLIST_FIRST(&tmp_cred->gc_mc);
if (mc) {
HEIM_SLIST_REMOVE_HEAD(&tmp_cred->gc_mc, gmc_link);
HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
}
store.count = 1;
store.elements = &kv;
gss_release_cred(&tmp_minor, (gss_cred_id_t *)&tmp_cred);
}
if (!HEIM_SLIST_FIRST(&new_cred->gc_mc)) {
free(new_cred);
if (desired_mechs->count > 1)
*minor_status = 0;
return GSS_S_NO_CRED;
}
*output_cred_handle = (gss_cred_id_t)new_cred;
major_status = gss_acquire_cred_from(minor_status,
desired_name,
time_req,
desired_mechs,
cred_usage,
&store,
output_cred_handle,
actual_mechs,
time_rec);
if (spassword) {
memset_s(spassword, password->length, 0, password->length);
free(spassword);
}
if (actual_mechs != NULL || time_rec != NULL) {
major_status = gss_inquire_cred(minor_status,
*output_cred_handle,
NULL,
time_rec,
NULL,
actual_mechs);
if (GSS_ERROR(major_status)) {
gss_release_cred(&tmp_minor, output_cred_handle);
return major_status;
}
}
*minor_status = 0;
return GSS_S_COMPLETE;
return major_status;
}
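Review bot: Flattening the password buffer into a C string loses any embedded NUL: `memcpy` plus the appended `'\0'`, followed by `strlen()` in the cred-store shim, means a password containing a 0x00 byte is silently truncated, whereas the previous buffer-based path preserved its full length. Rather than authenticate with a prefix of the secret, reject it explicitly after the existing NULL check: `if (memchr(password->value, '\0', password->length) != NULL) return GSS_S_CALL_BAD_STRUCTURE;`. The early `GSS_S_CALL_INACCESSIBLE_READ` return also leaves `*minor_status` untouched, since initialisation now happens only inside gss_acquire_cred_from; a `*minor_status = 0;` before that return keeps callers that log the minor code from reading an uninitialised value. Wiping the copy with memset_s before free is the right call. The function's signature begins outside the hunk.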


@@ -30,49 +30,6 @@
#include "mech_locl.h"
struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc)
{
struct _gss_mechanism_cred *new_mc;
gssapi_mech_interface m = mc->gmc_mech;
OM_uint32 major_status, minor_status;
gss_name_t name;
gss_cred_id_t cred;
OM_uint32 initiator_lifetime, acceptor_lifetime;
gss_cred_usage_t cred_usage;
major_status = m->gm_inquire_cred_by_mech(&minor_status, mc->gmc_cred,
mc->gmc_mech_oid, &name,
&initiator_lifetime,
&acceptor_lifetime, &cred_usage);
if (major_status) {
_gss_mg_error(m, major_status, minor_status);
return 0;
}
major_status = m->gm_add_cred(&minor_status,
GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid,
cred_usage, initiator_lifetime, acceptor_lifetime,
&cred, 0, 0, 0);
m->gm_release_name(&minor_status, &name);
if (major_status) {
_gss_mg_error(m, major_status, minor_status);
return 0;
}
new_mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!new_mc) {
m->gm_release_cred(&minor_status, &cred);
return 0;
}
new_mc->gmc_mech = m;
new_mc->gmc_mech_oid = &m->gm_mech_oid;
new_mc->gmc_cred = cred;
return new_mc;
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_add_cred(OM_uint32 *minor_status,
gss_const_cred_id_t input_cred_handle,
@@ -86,122 +43,16 @@ gss_add_cred(OM_uint32 *minor_status,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 major_status;
gssapi_mech_interface m;
gss_cred_id_t release_cred = GSS_C_NO_CREDENTIAL;
struct _gss_cred *mut_cred;
struct _gss_mechanism_cred *mc;
struct _gss_mechanism_cred *new_mc = NULL;
struct _gss_mechanism_name *mn = NULL;
OM_uint32 junk;
*minor_status = 0;
/* Input validation */
if (output_cred_handle)
*output_cred_handle = GSS_C_NO_CREDENTIAL;
if (initiator_time_rec)
*initiator_time_rec = 0;
if (acceptor_time_rec)
*acceptor_time_rec = 0;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
if ((m = __gss_get_mechanism(desired_mech)) == NULL)
return GSS_S_BAD_MECH;
if (input_cred_handle == GSS_C_NO_CREDENTIAL &&
output_cred_handle == NULL) {
return GSS_S_CALL_INACCESSIBLE_WRITE;
}
/* Setup mut_cred to be the credential we mutate */
if (input_cred_handle != GSS_C_NO_CREDENTIAL &&
output_cred_handle != NULL) {
gss_cred_id_t new_cred;
/* Duplicate the input credential */
major_status = gss_duplicate_cred(minor_status, input_cred_handle,
&new_cred);
if (major_status != GSS_S_COMPLETE)
return major_status;
mut_cred = (struct _gss_cred *)new_cred;
release_cred = (gss_cred_id_t)mut_cred;
} else if (input_cred_handle != GSS_C_NO_CREDENTIAL) {
/* Mutate the input credentials */
mut_cred = rk_UNCONST(input_cred_handle);
} else {
if ((mut_cred = malloc(sizeof(*mut_cred))) == NULL) {
*minor_status = ENOMEM;
return GSS_S_UNAVAILABLE;
}
HEIM_SLIST_INIT(&mut_cred->gc_mc);
release_cred = (gss_cred_id_t)mut_cred;
}
/* Find an MN, if any */
if (desired_name) {
major_status = _gss_find_mn(minor_status,
(struct _gss_name *)desired_name,
desired_mech, &mn);
if (major_status != GSS_S_COMPLETE)
goto done;
}
/*
* We go through all the mc attached to the input_cred_handle and check the
* mechanism. If it matches, we call gss_add_cred for that mechanism,
* otherwise we just add a new mc.
*/
HEIM_SLIST_FOREACH(mc, &mut_cred->gc_mc, gmc_link) {
if (!gss_oid_equal(mc->gmc_mech_oid, desired_mech))
continue;
major_status = m->gm_add_cred(minor_status,
(gss_const_cred_id_t)mc,
mn ? mn->gmn_name : GSS_C_NO_NAME,
desired_mech, cred_usage,
initiator_time_req, acceptor_time_req,
NULL, NULL, initiator_time_rec,
acceptor_time_rec);
if (major_status != GSS_S_COMPLETE)
_gss_mg_error(m, major_status, *minor_status);
goto done;
}
new_mc = malloc(sizeof(struct _gss_mechanism_cred));
if (!new_mc) {
*minor_status = ENOMEM;
major_status = GSS_S_FAILURE;
goto done;
}
new_mc->gmc_mech = m;
new_mc->gmc_mech_oid = &m->gm_mech_oid;
major_status = m->gm_add_cred(minor_status,
GSS_C_NO_CREDENTIAL, mn ? mn->gmn_name : GSS_C_NO_NAME,
desired_mech, cred_usage, initiator_time_req, acceptor_time_req,
&new_mc->gmc_cred, NULL, initiator_time_rec, acceptor_time_rec);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, major_status, *minor_status);
goto done;
}
HEIM_SLIST_INSERT_HEAD(&mut_cred->gc_mc, new_mc, gmc_link);
new_mc = NULL;
done:
/* Lastly, we have to inquire the cred to get the actual_mechs */
if (major_status == GSS_S_COMPLETE && actual_mechs != NULL) {
major_status = gss_inquire_cred(minor_status,
(gss_const_cred_id_t)mut_cred, NULL,
NULL, NULL, actual_mechs);
if (major_status != GSS_S_COMPLETE)
_gss_mg_error(m, major_status, *minor_status);
}
if (major_status == GSS_S_COMPLETE) {
if (output_cred_handle != NULL)
*output_cred_handle = (gss_cred_id_t)mut_cred;
} else {
gss_release_cred(&junk, &release_cred);
}
free(new_mc);
return major_status;
return gss_add_cred_from(minor_status,
rk_UNCONST(input_cred_handle),
desired_name,
desired_mech,
cred_usage,
initiator_time_req,
acceptor_time_req,
GSS_C_NO_CRED_STORE,
output_cred_handle,
actual_mechs,
initiator_time_rec,
acceptor_time_rec);
}
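Review bot: The new body casts const away with `rk_UNCONST(input_cred_handle)` and hands the result to gss_add_cred_from, whose "Mutate the input credentials" branch modifies that handle in place whenever `output_cred_handle` is NULL; that is the RFC 2744 contract (the input credential is modified when no output handle is supplied), but nothing in this file says so and the const qualifier on gss_add_cred's own parameter suggests the opposite. A comment at the cast, `/* With output_cred_handle == NULL the GSS-API contract is to modify input_cred_handle in place, so the const is nominal here. */`, would stop the next reader from treating the cast as a bug. The function's signature begins outside the hunk.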


@@ -0,0 +1,229 @@
/*-
* Copyright (c) 2005 Doug Rabson
* Copyright (c) 2018 Kungliga Tekniska Högskolan
* Copyright (c) 2018 AuriStor, Inc.
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#include "mech_locl.h"
OM_uint32
_gss_mg_add_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_cred *mc,
const struct _gss_mechanism_name *mn,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_const_key_value_set_t cred_store,
struct _gss_mechanism_cred **out,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 major_status;
struct _gss_mechanism_cred *new_mc = NULL;
if (out) {
*out = NULL;
new_mc = calloc(1, sizeof(struct _gss_mechanism_cred));
if (new_mc == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
new_mc->gmc_mech = m;
new_mc->gmc_mech_oid = &m->gm_mech_oid;
}
if (m->gm_add_cred_from) {
major_status = m->gm_add_cred_from(minor_status,
mc ? mc->gmc_cred : GSS_C_NO_CREDENTIAL,
mn ? mn->gmn_name : GSS_C_NO_NAME,
&m->gm_mech_oid,
cred_usage,
initiator_time_req,
acceptor_time_req,
cred_store,
new_mc ? &new_mc->gmc_cred : NULL,
NULL,
initiator_time_rec,
acceptor_time_rec);
} else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_add_cred) {
major_status = m->gm_add_cred(minor_status,
mc ? mc->gmc_cred : GSS_C_NO_CREDENTIAL,
mn ? mn->gmn_name : GSS_C_NO_NAME,
&m->gm_mech_oid,
cred_usage,
initiator_time_req,
acceptor_time_req,
new_mc ? &new_mc->gmc_cred : NULL,
NULL,
initiator_time_rec,
acceptor_time_rec);
} else
major_status = GSS_S_UNAVAILABLE;
if (major_status == GSS_S_COMPLETE && out)
*out = new_mc;
else
free(new_mc);
return major_status;
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_add_cred_from(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_const_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_const_key_value_set_t cred_store,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 major_status;
gssapi_mech_interface m;
gss_cred_id_t release_cred = GSS_C_NO_CREDENTIAL;
struct _gss_cred *mut_cred;
struct _gss_mechanism_cred *mc;
struct _gss_mechanism_cred *new_mc = NULL;
struct _gss_mechanism_name *mn = NULL;
OM_uint32 junk;
*minor_status = 0;
/* Input validation */
if (output_cred_handle)
*output_cred_handle = GSS_C_NO_CREDENTIAL;
if (initiator_time_rec)
*initiator_time_rec = 0;
if (acceptor_time_rec)
*acceptor_time_rec = 0;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
if ((m = __gss_get_mechanism(desired_mech)) == NULL)
return GSS_S_BAD_MECH;
if (input_cred_handle == GSS_C_NO_CREDENTIAL &&
output_cred_handle == NULL) {
return GSS_S_CALL_INACCESSIBLE_WRITE;
}
/* Setup mut_cred to be the credential we mutate */
if (input_cred_handle != GSS_C_NO_CREDENTIAL &&
output_cred_handle != NULL) {
gss_cred_id_t new_cred;
/* Duplicate the input credential */
major_status = gss_duplicate_cred(minor_status, input_cred_handle,
&new_cred);
if (major_status != GSS_S_COMPLETE)
return major_status;
mut_cred = (struct _gss_cred *)new_cred;
release_cred = (gss_cred_id_t)mut_cred;
} else if (input_cred_handle != GSS_C_NO_CREDENTIAL) {
/* Mutate the input credentials */
mut_cred = rk_UNCONST(input_cred_handle);
} else {
if ((mut_cred = calloc(1, sizeof(*mut_cred))) == NULL) {
*minor_status = ENOMEM;
return GSS_S_UNAVAILABLE;
}
HEIM_SLIST_INIT(&mut_cred->gc_mc);
release_cred = (gss_cred_id_t)mut_cred;
}
/* Find an MN, if any */
if (desired_name) {
major_status = _gss_find_mn(minor_status,
(struct _gss_name *)desired_name,
desired_mech, &mn);
if (major_status != GSS_S_COMPLETE)
goto done;
}
/*
* We go through all the mc attached to the input_cred_handle and check the
* mechanism. If it matches, we call gss_add_cred for that mechanism,
* otherwise we just add a new mc.
*/
HEIM_SLIST_FOREACH(mc, &mut_cred->gc_mc, gmc_link) {
if (!gss_oid_equal(mc->gmc_mech_oid, desired_mech))
continue;
major_status = _gss_mg_add_mech_cred(minor_status, m,
mc, mn, cred_usage,
initiator_time_req, acceptor_time_req,
cred_store, NULL,
initiator_time_rec, acceptor_time_rec);
if (major_status != GSS_S_COMPLETE)
_gss_mg_error(m, major_status, *minor_status);
goto done;
}
new_mc = calloc(1, sizeof(struct _gss_mechanism_cred));
if (new_mc == NULL) {
*minor_status = ENOMEM;
major_status = GSS_S_FAILURE;
goto done;
}
new_mc->gmc_mech = m;
new_mc->gmc_mech_oid = &m->gm_mech_oid;
major_status = _gss_mg_add_mech_cred(minor_status, m, NULL, mn, cred_usage,
initiator_time_req, acceptor_time_req,
cred_store, &new_mc,
initiator_time_rec, acceptor_time_rec);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, major_status, *minor_status);
goto done;
}
HEIM_SLIST_INSERT_HEAD(&mut_cred->gc_mc, new_mc, gmc_link);
new_mc = NULL;
done:
/* Lastly, we have to inquire the cred to get the actual_mechs */
if (major_status == GSS_S_COMPLETE && actual_mechs != NULL) {
major_status = gss_inquire_cred(minor_status,
(gss_const_cred_id_t)mut_cred, NULL,
NULL, NULL, actual_mechs);
if (major_status != GSS_S_COMPLETE)
_gss_mg_error(m, major_status, *minor_status);
}
if (major_status == GSS_S_COMPLETE) {
if (output_cred_handle != NULL)
*output_cred_handle = (gss_cred_id_t)mut_cred;
} else {
gss_release_cred(&junk, &release_cred);
}
free(new_mc);
return major_status;
}
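Review bot: `new_mc` is calloc'd and initialised in gss_add_cred_from immediately before the call `_gss_mg_add_mech_cred(..., &new_mc, ...)`, but that helper starts with `*out = NULL;` and allocates its own element, so the caller's allocation is overwritten and leaked on every call that reaches this point (the success path inserts the helper's element, the failure path frees NULL). Delete the caller-side `calloc`, its `ENOMEM` branch and the two `gmc_*` assignments and leave `new_mc` at its NULL initialiser; the helper already fills `gmc_mech` and `gmc_mech_oid`. The fresh-credential branch also returns `GSS_S_UNAVAILABLE` with `*minor_status = ENOMEM`, while the other two allocation failures in this file return `GSS_S_FAILURE`; `return GSS_S_FAILURE;` keeps the file consistent and lets callers distinguish out-of-memory from "mechanism does not support this".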


@@ -42,109 +42,47 @@ gss_add_cred_with_password(OM_uint32 *minor_status,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 major_status;
gssapi_mech_interface m;
struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
struct _gss_cred *new_cred;
struct _gss_mechanism_cred *mc;
struct _gss_mechanism_name *mn = NULL;
OM_uint32 junk, time_req;
OM_uint32 major_status;
gss_key_value_element_desc kv;
gss_key_value_set_desc store;
char *spassword = NULL;
*minor_status = 0;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
if (initiator_time_rec)
*initiator_time_rec = 0;
if (acceptor_time_rec)
*acceptor_time_rec = 0;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
m = __gss_get_mechanism(desired_mech);
if (m == NULL) {
*minor_status = 0;
return (GSS_S_BAD_MECH);
}
if (password == GSS_C_NO_BUFFER || password->value == NULL)
return GSS_S_CALL_INACCESSIBLE_READ;
new_cred = calloc(1, sizeof(struct _gss_cred));
if (new_cred == NULL) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
HEIM_SLIST_INIT(&new_cred->gc_mc);
spassword = malloc(password->length + 1);
if (spassword == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
memcpy(spassword, password->value, password->length);
spassword[password->length] = '\0';
/*
* Copy credentials from un-desired mechanisms to the new credential.
*/
if (cred) {
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
struct _gss_mechanism_cred *copy_mc;
kv.key = "password";
kv.value = spassword;
if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) {
continue;
}
copy_mc = _gss_copy_cred(mc);
if (copy_mc == NULL) {
gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link);
}
}
store.count = 1;
store.elements = &kv;
/*
* Figure out a suitable mn, if any.
*/
if (desired_name != GSS_C_NO_NAME) {
major_status = _gss_find_mn(minor_status,
(struct _gss_name *) desired_name,
desired_mech,
&mn);
if (major_status != GSS_S_COMPLETE) {
gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
return (major_status);
}
}
major_status = gss_add_cred_from(minor_status,
rk_UNCONST(input_cred_handle),
desired_name,
desired_mech,
cred_usage,
initiator_time_req,
acceptor_time_req,
&store,
output_cred_handle,
actual_mechs,
initiator_time_rec,
acceptor_time_rec);
if (cred_usage == GSS_C_BOTH)
time_req = initiator_time_req > acceptor_time_req ? acceptor_time_req : initiator_time_req;
else if (cred_usage == GSS_C_INITIATE)
time_req = initiator_time_req;
else
time_req = acceptor_time_req;
if (spassword) {
memset_s(spassword, password->length, 0, password->length);
free(spassword);
}
major_status = _gss_acquire_mech_cred(minor_status, m, mn,
GSS_C_CRED_PASSWORD, password,
time_req, desired_mech,
cred_usage, &mc);
if (major_status != GSS_S_COMPLETE) {
gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
return (major_status);
}
HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
if (actual_mechs || initiator_time_rec || acceptor_time_rec) {
OM_uint32 time_rec;
major_status = gss_inquire_cred(minor_status,
(gss_cred_id_t)new_cred,
NULL,
&time_rec,
NULL,
actual_mechs);
if (GSS_ERROR(major_status)) {
gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
return (major_status);
}
if (initiator_time_rec &&
(cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH))
*initiator_time_rec = time_rec;
if (acceptor_time_rec &&
(cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH))
*acceptor_time_rec = time_rec;
}
*output_cred_handle = (gss_cred_id_t) new_cred;
return (GSS_S_COMPLETE);
return major_status;
}
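Review bot: As in gss_acquire_cred_with_password, the password is flattened to a NUL-terminated string that the shim later measures with `strlen()`, so a password containing an embedded 0x00 is silently truncated and a prefix of the secret is what gets tried; add `if (memchr(password->value, '\0', password->length) != NULL) return GSS_S_CALL_BAD_STRUCTURE;` after the NULL-buffer check. The unconditional `*output_cred_handle = GSS_C_NO_CREDENTIAL;` (shown on both sides of the hunk) dereferences the pointer before the call, yet gss_add_cred_from accepts a NULL `output_cred_handle` when `input_cred_handle` is given and modifies the input in place; guarding it with `if (output_cred_handle)` would let this wrapper offer the same contract instead of crashing. The function's signature begins outside the hunk.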


@@ -223,3 +223,4 @@ gss_import_cred(OM_uint32 * minor_status,
return major;
}


@@ -31,24 +31,58 @@
#include "mech_locl.h"
static OM_uint32
_gss_copy_cred_element(OM_uint32 *minor_status,
struct _gss_mechanism_cred *mc,
struct _gss_mechanism_cred **out)
copy_cred_element(OM_uint32 *minor_status,
struct _gss_mechanism_cred *mc,
struct _gss_mechanism_cred **out)
{
gssapi_mech_interface m = mc->gmc_mech;
OM_uint32 major_status;
gss_name_t name;
gss_cred_id_t cred;
OM_uint32 major_status, tmp;
struct _gss_mechanism_name mn;
struct _gss_mechanism_cred *new_mc;
OM_uint32 initiator_lifetime, acceptor_lifetime;
gss_cred_usage_t cred_usage;
gss_cred_id_t dup_cred = GSS_C_NO_CREDENTIAL;
if (m->gm_duplicate_cred)
return m->gm_duplicate_cred(minor_status, (gss_const_cred_id_t)mc,
(gss_cred_id_t *)out);
if (m->gm_duplicate_cred) {
major_status = m->gm_duplicate_cred(minor_status,
mc->gmc_cred, &dup_cred);
} else if (m->gm_import_cred && m->gm_export_cred) {
gss_buffer_desc export;
/* This path won't work for ephemeral creds */
major_status = m->gm_export_cred(minor_status, mc->gmc_cred, &export);
if (major_status == GSS_S_COMPLETE) {
major_status = m->gm_import_cred(minor_status, &export, &dup_cred);
gss_release_buffer(&tmp, &export);
}
} else
major_status = GSS_S_UNAVAILABLE;
if (major_status != GSS_S_UNAVAILABLE) {
if (dup_cred != GSS_C_NO_CREDENTIAL) {
new_mc = calloc(1, sizeof(*new_mc));
if (new_mc == NULL) {
*minor_status = ENOMEM;
m->gm_release_cred(&tmp, &dup_cred);
return GSS_S_FAILURE;
}
new_mc->gmc_mech = m;
new_mc->gmc_mech_oid = mc->gmc_mech_oid;
new_mc->gmc_cred = dup_cred;
*out = new_mc;
}
return major_status;
}
mn.gmn_mech = m;
mn.gmn_mech_oid = mc->gmc_mech_oid;
mn.gmn_name = GSS_C_NO_NAME;
/* This path won't work for ephemeral creds or cred stores */
major_status = m->gm_inquire_cred_by_mech(minor_status, mc->gmc_cred,
mc->gmc_mech_oid, &name,
mc->gmc_mech_oid, &mn.gmn_name,
&initiator_lifetime,
&acceptor_lifetime, &cred_usage);
if (major_status) {
@@ -56,27 +90,25 @@ _gss_copy_cred_element(OM_uint32 *minor_status,
return major_status;
}
major_status = m->gm_add_cred(minor_status,
GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid,
cred_usage, initiator_lifetime, acceptor_lifetime,
&cred, 0, 0, 0);
m->gm_release_name(minor_status, &name);
if (major_status) {
major_status = _gss_mg_add_mech_cred(minor_status,
m,
NULL, /* mc */
&mn,
cred_usage,
initiator_lifetime,
acceptor_lifetime,
GSS_C_NO_CRED_STORE,
&new_mc,
NULL,
NULL);
if (major_status)
_gss_mg_error(m, major_status, *minor_status);
return major_status;
}
*out = malloc(sizeof(struct _gss_mechanism_cred));
if (!*out) {
*minor_status = ENOMEM;
m->gm_release_cred(minor_status, &cred);
return GSS_S_FAILURE;
}
(*out)->gmc_mech = m;
(*out)->gmc_mech_oid = &m->gm_mech_oid;
(*out)->gmc_cred = cred;
return GSS_S_COMPLETE;
m->gm_release_name(&tmp, &mn.gmn_name);
*out = new_mc;
return major_status;
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
@@ -111,7 +143,7 @@ gss_duplicate_cred(OM_uint32 *minor_status,
major_status = GSS_S_NO_CRED;
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
major_status = _gss_copy_cred_element(minor_status, mc, &copy_mc);
major_status = copy_cred_element(minor_status, mc, &copy_mc);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(mc->gmc_mech, major_status, *minor_status);
break;
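Review bot: In copy_cred_element the gm_duplicate_cred path can return GSS_S_COMPLETE without ever assigning `*out`: the `if (dup_cred != GSS_C_NO_CREDENTIAL)` guard skips the allocation, and gss_duplicate_cred then treats copy_mc as a valid element unless it is initialised before the loop (the loop's surroundings are outside the hunk). Set `*out = NULL;` at the top of the function and treat a successful status with no credential as an error, `if (major_status == GSS_S_COMPLETE && dup_cred == GSS_C_NO_CREDENTIAL) major_status = GSS_S_FAILURE;`. The last-resort path re-acquires by name with GSS_C_NO_CRED_STORE, so a credential originally taken from an explicit store is copied from the default store; the comment admits this, but returning GSS_S_UNAVAILABLE when a mechanism offers neither duplicate nor export/import would stop callers from silently receiving a different credential than the one they asked to copy. In the export/import path the serialised credential is released with gss_release_buffer, which, if it does not clear the buffer, leaves key material in freed memory; a `memset_s` before the release (as the mechglue does for passwords elsewhere) would be consistent.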


@@ -386,8 +386,8 @@ _gss_load_mech(void)
OPTSYM(store_cred);
OPTSYM(export_cred);
OPTSYM(import_cred);
OPTSYM(acquire_cred_from);
#if 0
OPTSYM(acquire_cred_ext);
OPTSYM(iter_creds);
OPTSYM(destroy_cred);
OPTSYM(cred_hold);
@@ -403,6 +403,8 @@ _gss_load_mech(void)
OPTSYM(export_name_composite);
OPTSYM(localname);
OPTSYM(duplicate_cred);
OPTSYM(add_cred_from);
OPTSYM(store_cred_into);
OPTSPISYM(authorize_localname);
mi = (_gss_mo_init *)dlsym(so, "gss_mo_init");


@@ -103,12 +103,6 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST
/* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x81\x48") };
/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x81\x49") };
/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
@@ -299,8 +293,6 @@ gss_OID _gss_ot_internal[] = {
&__gss_c_ma_sasl_mech_name_oid_desc,
&__gss_c_ma_mech_name_oid_desc,
&__gss_c_ma_mech_description_oid_desc,
&__gss_c_cred_password_oid_desc,
&__gss_c_cred_certificate_oid_desc,
&__gss_sasl_digest_md5_mechanism_oid_desc,
&__gss_netlogon_mechanism_oid_desc,
&__gss_netlogon_set_session_key_x_oid_desc,


@@ -43,58 +43,14 @@ gss_store_cred(OM_uint32 *minor_status,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
struct _gss_mechanism_cred *mc;
OM_uint32 maj = GSS_S_FAILURE;
OM_uint32 junk;
size_t successes = 0;
if (minor_status == NULL)
return GSS_S_FAILURE;
if (elements_stored)
*elements_stored = NULL;
if (cred_usage_stored)
*cred_usage_stored = 0;
if (cred == NULL)
return GSS_S_NO_CONTEXT;
if (elements_stored) {
maj = gss_create_empty_oid_set(minor_status, elements_stored);
if (maj != GSS_S_COMPLETE)
return maj;
}
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gssapi_mech_interface m = mc->gmc_mech;
if (m == NULL || m->gm_store_cred == NULL)
continue;
if (desired_mech != GSS_C_NO_OID &&
!gss_oid_equal(&m->gm_mech_oid, desired_mech))
continue;
maj = (m->gm_store_cred)(minor_status, mc->gmc_cred,
cred_usage, desired_mech, overwrite_cred,
default_cred, NULL, cred_usage_stored);
if (maj == GSS_S_COMPLETE) {
if (elements_stored)
gss_add_oid_set_member(&junk, desired_mech, elements_stored);
successes++;
} else if (desired_mech != GSS_C_NO_OID) {
gss_release_oid_set(&junk, elements_stored);
return maj;
}
}
if (successes == 0) {
if (maj != GSS_S_COMPLETE)
return maj; /* last failure */
return GSS_S_FAILURE;
}
*minor_status = 0;
return GSS_S_COMPLETE;
return gss_store_cred_into(minor_status,
input_cred_handle,
cred_usage,
desired_mech,
overwrite_cred,
default_cred,
GSS_C_NO_CRED_STORE,
elements_stored,
cred_usage_stored);
}


@@ -0,0 +1,130 @@
/*
* Copyright (c) 2009 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "mech_locl.h"
static OM_uint32
store_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_cred *mc,
gss_cred_usage_t input_usage,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_const_key_value_set_t cred_store,
gss_cred_usage_t *usage_stored)
{
OM_uint32 major_status;
if (m->gm_store_cred_into)
major_status = m->gm_store_cred_into(minor_status, mc->gmc_cred,
input_usage, &m->gm_mech_oid,
overwrite_cred, default_cred,
cred_store, NULL, usage_stored);
else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_store_cred)
major_status = m->gm_store_cred(minor_status, mc->gmc_cred,
input_usage, &m->gm_mech_oid,
overwrite_cred, default_cred,
NULL, usage_stored);
else
major_status = GSS_S_UNAVAILABLE;
return major_status;
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_store_cred_into(OM_uint32 *minor_status,
gss_const_cred_id_t input_cred_handle,
gss_cred_usage_t input_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_const_key_value_set_t cred_store,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
struct _gss_mechanism_cred *mc;
OM_uint32 maj = GSS_S_FAILURE;
OM_uint32 junk;
size_t successes = 0;
if (minor_status == NULL)
return GSS_S_FAILURE;
if (elements_stored)
*elements_stored = NULL;
if (cred_usage_stored)
*cred_usage_stored = 0;
if (cred == NULL)
return GSS_S_NO_CONTEXT;
if (elements_stored) {
maj = gss_create_empty_oid_set(minor_status, elements_stored);
if (maj != GSS_S_COMPLETE)
return maj;
}
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gssapi_mech_interface m = mc->gmc_mech;
if (m == NULL)
continue;
if (desired_mech != GSS_C_NO_OID &&
!gss_oid_equal(&m->gm_mech_oid, desired_mech))
continue;
maj = store_mech_cred(minor_status, m, mc,
input_usage, overwrite_cred,
default_cred, cred_store,
cred_usage_stored);
if (maj == GSS_S_COMPLETE) {
if (elements_stored)
gss_add_oid_set_member(&junk, desired_mech, elements_stored);
successes++;
} else if (desired_mech != GSS_C_NO_OID) {
gss_release_oid_set(&junk, elements_stored);
return maj;
}
}
if (successes == 0) {
if (maj != GSS_S_COMPLETE)
return maj; /* last failure */
return GSS_S_FAILURE;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
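Review bot: In gss_store_cred_into, when desired_mech is GSS_C_NO_OID the success branch calls `gss_add_oid_set_member(&junk, desired_mech, elements_stored)` with a null OID, so elements_stored never records which mechanisms actually stored the credential; it should record the mechanism that succeeded, `gss_add_oid_set_member(&junk, &m->gm_mech_oid, elements_stored);`. The null-handle check returns GSS_S_NO_CONTEXT where a credential routine's callers would test for GSS_S_NO_CRED, `return GSS_S_NO_CRED;`. Both are carried over from the old gss_store_cred body, which now delegates here, so the legacy entry point is affected as well. The licence header of this new file carries a 2009 date and an institute name that appears mis-encoded in this view; worth correcting before it is copied into further files.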


@@ -80,7 +80,7 @@ static gssapi_mech_interface_desc netlogon_mech = {
NULL, /* gm_store_cred */
NULL, /* gm_export_cred */
NULL, /* gm_import_cred */
NULL, /* gm_acquire_cred_ext */
NULL, /* gm_acquire_cred_from */
NULL, /* gm_iter_creds */
NULL, /* gm_destroy_cred */
NULL, /* gm_cred_hold */
@@ -98,6 +98,8 @@ static gssapi_mech_interface_desc netlogon_mech = {
NULL, /* gm_delete_name_attribute */
NULL, /* gm_export_name_composite */
NULL, /* gm_duplicate_cred */
NULL, /* gm_add_cred_from */
NULL, /* gm_store_cred_into */
NULL /* gm_compat */
};


@@ -34,14 +34,15 @@
#include "ntlm.h"
OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_acquire_cred(OM_uint32 *min_stat,
gss_const_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
_gss_ntlm_acquire_cred_from(OM_uint32 *min_stat,
gss_const_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
ntlm_name name = (ntlm_name) desired_name;
const char *domain = NULL;
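Review bot: _gss_ntlm_acquire_cred_from gains a cred_store parameter but nothing in the visible part of the body reads it, and the function continues outside the hunk; if the remainder still looks credentials up in the default location, an application that passes a store to select a specific credential silently gets the default NTLM credential instead. Either honour the store or reject a non-empty one explicitly near the top, `if (cred_store != GSS_C_NO_CRED_STORE && cred_store->count != 0) return GSS_S_UNAVAILABLE;`, so the caller learns the request was not satisfied. A one-line comment stating which store keys (if any) the NTLM mechanism understands would also help the next reader.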


@@ -43,10 +43,10 @@ _gss_ntlm_duplicate_cred(OM_uint32 *minor_status,
OM_uint32 junk;
if (input_cred_handle == GSS_C_NO_CREDENTIAL)
return _gss_ntlm_acquire_cred(minor_status, GSS_C_NO_NAME,
GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
GSS_C_BOTH, output_cred_handle, NULL,
NULL);
return _gss_ntlm_acquire_cred_from(minor_status, GSS_C_NO_NAME,
GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
GSS_C_BOTH, GSS_C_NO_CRED_STORE,
output_cred_handle, NULL, NULL);
*output_cred_handle = GSS_C_NO_CREDENTIAL;


@@ -65,7 +65,7 @@ static gssapi_mech_interface_desc ntlm_mech = {
"ntlm",
{10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") },
0,
_gss_ntlm_acquire_cred,
NULL,
_gss_ntlm_release_cred,
_gss_ntlm_init_sec_context,
_gss_ntlm_accept_sec_context,
@@ -105,7 +105,7 @@ static gssapi_mech_interface_desc ntlm_mech = {
NULL,
NULL,
NULL,
NULL,
_gss_ntlm_acquire_cred_from,
_gss_ntlm_iter_creds_f,
_gss_ntlm_destroy_cred,
NULL,
@@ -123,6 +123,8 @@ static gssapi_mech_interface_desc ntlm_mech = {
NULL, /* gm_delete_name_attribute */
NULL, /* gm_export_name_composite */
NULL, /* gm_duplicate_cred */
NULL, /* gm_add_cred_from */
NULL, /* gm_store_cred_into */
NULL, /* gm_compat */
};
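Review bot: The ntlm_mech table is positional, and the new `_gss_ntlm_acquire_cred_from` entry is placed by counting bare `NULL,` lines, whereas the netlogon and spnego tables in this commit label each slot with its `gm_*` member name; a miscount here changes which function-pointer type the glue calls through, which is undefined behaviour rather than a compile error. Annotate the ntlm slots the same way, `NULL, /* gm_acquire_cred */` on the first changed line and `_gss_ntlm_acquire_cred_from, /* gm_acquire_cred_from */` on the second, or move the table to designated initialisers so the compiler checks the slot. The spnego table's new `gss_add_cred_from,` entry deserves the same label plus a short comment explaining that the mechglue function is used directly there, apparently because SPNEGO credentials are themselves mechglue credentials.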


@@ -1,7 +1,7 @@
# /* contact Love Hörnquist Åstrand <lha@h5l.org> for new oid arcs */
# /*
# * 1.2.752.43.13 Heimdal GSS-API Extentions
# * 1.2.752.43.13 Heimdal GSS-API Extensions
# */
oid base GSS_KRB5_COPY_CCACHE_X 1.2.752.43.13.1
@@ -41,10 +41,6 @@ oid base GSS_C_MA_SASL_MECH_NAME 1.2.752.43.13.100
oid base GSS_C_MA_MECH_NAME 1.2.752.43.13.101
oid base GSS_C_MA_MECH_DESCRIPTION 1.2.752.43.13.102
# /* credential types */
oid base GSS_C_CRED_PASSWORD 1.2.752.43.13.200
oid base GSS_C_CRED_CERTIFICATE 1.2.752.43.13.201
#/* Heimdal mechanisms - 1.2.752.43.14 */
oid base GSS_SASL_DIGEST_MD5_MECHANISM 1.2.752.43.14.1


@@ -54,12 +54,13 @@ _gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
* we support gss_{get,set}_neg_mechs() we will need to expose
* more functionality.
*/
OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred_from
(OM_uint32 *minor_status,
gss_const_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_const_key_value_set_t cred_store,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
@@ -106,16 +107,16 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
}
actual_desired_mechs.count = j;
ret = gss_acquire_cred(minor_status, name,
time_req, &actual_desired_mechs,
cred_usage,
output_cred_handle,
actual_mechs, time_rec);
ret = gss_acquire_cred_from(minor_status, name,
time_req, &actual_desired_mechs,
cred_usage, cred_store,
output_cred_handle,
actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE)
goto out;
out:
gss_release_name(minor_status, &name);
gss_release_name(&tmp, &name);
gss_release_oid_set(&tmp, &mechs);
if (actual_desired_mechs.elements != NULL) {
free(actual_desired_mechs.elements);


@@ -89,7 +89,7 @@ static gssapi_mech_interface_desc spnego_mech = {
"spnego",
{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
0,
_gss_spnego_acquire_cred,
NULL, /* gm_acquire_cred */
_gss_spnego_release_cred,
_gss_spnego_init_sec_context,
_gss_spnego_accept_sec_context,
@@ -129,7 +129,7 @@ static gssapi_mech_interface_desc spnego_mech = {
NULL,
_gss_spnego_export_cred,
_gss_spnego_import_cred,
NULL,
_gss_spnego_acquire_cred_from,
NULL,
NULL,
NULL,
@@ -147,6 +147,8 @@ static gssapi_mech_interface_desc spnego_mech = {
NULL, /* gm_delete_name_attribute */
NULL, /* gm_export_name_composite */
NULL, /* gm_duplicate_cred */
gss_add_cred_from,
NULL, /* gm_store_cred_into */
NULL /* gm_compat */
};


@@ -126,7 +126,8 @@ static gss_cred_id_t
acquire_cred_service(const char *service,
gss_OID nametype,
gss_OID_set oidset,
gss_cred_usage_t usage)
gss_cred_usage_t usage,
gss_const_key_value_set_t cred_store)
{
OM_uint32 major_status, minor_status;
gss_cred_id_t cred_handle;
@@ -146,14 +147,15 @@ acquire_cred_service(const char *service,
errx(1, "import_name failed");
}
major_status = gss_acquire_cred(&minor_status,
name,
0,
oidset,
usage,
&cred_handle,
NULL,
&time_rec);
major_status = gss_acquire_cred_from(&minor_status,
name,
0,
oidset,
usage,
cred_store,
&cred_handle,
NULL,
&time_rec);
if (GSS_ERROR(major_status)) {
warnx("acquire_cred failed: %s",
gssapi_err(major_status, minor_status, GSS_C_NO_OID));
@@ -180,6 +182,7 @@ static char *acquire_type;
static char *target_name;
static char *name_type;
static char *ccache;
static char *client_keytab;
static int num_loops = 1;
static struct getargs args[] = {
@@ -190,6 +193,7 @@ static struct getargs args[] = {
{"kerberos", 0, arg_flag, &kerberos_flag, "enctype-num", NULL },
{"target-name", 0, arg_string, &target_name, "name", NULL },
{"ccache", 0, arg_string, &ccache, "name", NULL },
{"client-keytab", 0,arg_string, &client_keytab, "name", NULL },
{"name-type", 0, arg_string, &name_type, "type", NULL },
{"version", 0, arg_flag, &version_flag, "print version", NULL },
{"help", 0, arg_flag, &help_flag, NULL, NULL }
@@ -213,6 +217,11 @@ main(int argc, char **argv)
int i, optidx = 0;
gss_cred_usage_t cred_usage = GSS_C_BOTH;
gss_OID type = GSS_C_NT_HOSTBASED_SERVICE;
gss_key_value_set_desc store, *storep = GSS_C_NO_CRED_STORE;
gss_key_value_element_desc elements[2];
store.count = 0;
store.elements = elements;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
@@ -253,11 +262,18 @@ main(int argc, char **argv)
}
if (ccache) {
maj_stat = gss_krb5_ccache_name(&min_stat, ccache, NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_krb5_ccache_name %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
store.elements[store.count].key = "ccache";
store.elements[store.count].value = ccache;
store.count++;
}
if (client_keytab) {
store.elements[store.count].key = "client_keytab";
store.elements[store.count].value = client_keytab;
store.count++;
}
if (store.count)
storep = &store;
if (kerberos_flag) {
mechoid = GSS_KRB5_MECHANISM;
@@ -287,7 +303,7 @@ main(int argc, char **argv)
for (i = 0; i < num_loops; i++) {
cred = acquire_cred_service(acquire_name, type, oidset, cred_usage);
cred = acquire_cred_service(acquire_name, type, oidset, cred_usage, storep);
if (enctype) {
int32_t enctypelist = enctype;
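Review bot: main builds the credential store in a fixed `gss_key_value_element_desc elements[2]` and appends through `store.elements[store.count]` without checking the bound, so a third option added later overflows the stack array silently; the same pattern appears in test_context.c's `client_cred_elements[2]`. Guard each append, `if (store.count >= sizeof(elements) / sizeof(elements[0])) errx(1, "too many cred store elements");`, or size the array from the number of store-carrying options. Since `--ccache` no longer calls gss_krb5_ccache_name, the name now affects only this acquisition rather than the process-wide default, which is the better behaviour but should be reflected in the option's help text.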


@@ -117,8 +117,8 @@ main(int argc, char **argv)
gss_cred_id_t from_cred = GSS_C_NO_CREDENTIAL;
gss_cred_id_t to_cred = GSS_C_NO_CREDENTIAL;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
char *from_env;
char *to_env;
gss_key_value_element_desc from_elements, to_elements;
gss_key_value_set_desc from, to;
int optidx = 0;
setprogname(argv[0]);
@@ -141,22 +141,26 @@ main(int argc, char **argv)
if (argc > 2)
errx(1, "too many arguments");
if (asprintf(&from_env, "KRB5CCNAME=%s", argv[0]) == -1 || from_env == NULL)
err(1, "out of memory");
if (asprintf(&to_env, "KRB5CCNAME=%s", argv[1]) == -1 || to_env == NULL)
err(1, "out of memory");
from_elements.key = "ccache";
from_elements.value = argv[0];
from.count = 1;
from.elements = &from_elements;
putenv(from_env);
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
GSS_KRB5_MECHANISM, GSS_C_INITIATE, GSS_C_INDEFINITE,
GSS_C_INDEFINITE, &from_cred, NULL, NULL, NULL);
to_elements.key = "ccache";
to_elements.value = argv[1];
to.count = 1;
to.elements = &to_elements;
major = gss_add_cred_from(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
GSS_KRB5_MECHANISM, GSS_C_INITIATE,
GSS_C_INDEFINITE, GSS_C_INDEFINITE,
&from, &from_cred, NULL, NULL, NULL);
if (major != GSS_S_COMPLETE)
gss_err(1, major, minor, GSS_KRB5_MECHANISM,
"failed to acquire creds from %s", argv[0]);
putenv(to_env);
major = gss_store_cred(&minor, from_cred, GSS_C_INITIATE,
GSS_KRB5_MECHANISM, 1, 1, NULL, NULL);
major = gss_store_cred_into(&minor, from_cred, GSS_C_INITIATE,
GSS_KRB5_MECHANISM, 1, 1, &to, NULL, NULL);
if (major != GSS_S_COMPLETE)
gss_err(1, major, minor, GSS_KRB5_MECHANISM,
"failed to store creds into %s", argv[1]);
@@ -171,9 +175,6 @@ main(int argc, char **argv)
gss_err(1, major, minor, GSS_KRB5_MECHANISM,
"failed to acquire creds from %s", argv[1]);
(void) gss_release_cred(&minor, &cred);
putenv("KRB5CCNAME");
free(from_env);
free(to_env);
return 0;
}


@@ -57,6 +57,8 @@ static int deleg_flag = 0;
static int policy_deleg_flag = 0;
static int server_no_deleg_flag = 0;
static int ei_flag = 0;
static char *client_ccache = NULL;
static char *client_keytab = NULL;
static char *gsskrb5_acceptor_identity = NULL;
static char *session_enctype_string = NULL;
static int client_time_offset = 0;
@@ -565,6 +567,8 @@ static struct getargs args[] = {
{"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
"use dns to canonicalize", NULL },
{"mutual-auth",0, arg_flag, &mutual_auth_flag,"mutual auth", NULL },
{"client-ccache",0, arg_string, &client_ccache, "client credentials cache", NULL },
{"client-keytab",0, arg_string, &client_keytab, "client keytab", NULL },
{"client-name", 0, arg_string, &client_name, "client name", NULL },
{"client-password", 0, arg_string, &client_password, "client password", NULL },
{"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL },
@@ -611,6 +615,8 @@ main(int argc, char **argv)
gss_OID_desc oids[4];
gss_OID_set_desc mechoid_descs;
gss_OID_set mechoids = GSS_C_NO_OID_SET;
gss_key_value_element_desc client_cred_elements[2];
gss_key_value_set_desc client_cred_store;
setprogname(argv[0]);
@@ -687,17 +693,39 @@ main(int argc, char **argv)
}
if (gsskrb5_acceptor_identity) {
/* XXX replace this with cred store, but test suites will need work */
maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
if (maj_stat)
errx(1, "gsskrb5_acceptor_identity: %s",
gssapi_err(maj_stat, 0, GSS_C_NO_OID));
}
if (client_password && (client_ccache || client_keytab)) {
errx(1, "password option mutually exclusive with ccache or keytab option");
}
if (client_password) {
credential_data.value = client_password;
credential_data.length = strlen(client_password);
}
client_cred_store.count = 0;
client_cred_store.elements = client_cred_elements;
if (client_ccache) {
client_cred_store.elements[client_cred_store.count].key = "ccache";
client_cred_store.elements[client_cred_store.count].value = client_ccache;
client_cred_store.count++;
}
if (client_keytab) {
client_cred_store.elements[client_cred_store.count].key = "client_keytab";
client_cred_store.elements[client_cred_store.count].value = client_keytab;
client_cred_store.count++;
}
if (client_name) {
gss_buffer_desc cn;
@@ -729,14 +757,16 @@ main(int argc, char **argv)
gssapi_err(maj_stat, min_stat, mechoid));
}
} else {
maj_stat = gss_acquire_cred(&min_stat,
cname,
GSS_C_INDEFINITE,
mechoids,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
maj_stat = gss_acquire_cred_from(&min_stat,
cname,
GSS_C_INDEFINITE,
mechoids,
GSS_C_INITIATE,
client_cred_store.count ? &client_cred_store
: GSS_C_NO_CRED_STORE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));


@@ -12,14 +12,14 @@ HEIMDAL_GSS_2.0 {
__gss_c_nt_user_name_oid_desc;
__gss_krb5_nt_principal_name_oid_desc;
__gss_c_attr_stream_sizes_oid_desc;
__gss_c_cred_password_oid_desc;
__gss_c_cred_certificate_oid_desc;
__gss_c_attr_local_login_user;
gss_accept_sec_context;
gss_acquire_cred;
gss_acquire_cred_from;
gss_acquire_cred_with_password;
gss_add_buffer_set_member;
gss_add_cred;
gss_add_cred_from;
gss_add_cred_with_password;
gss_add_oid_set_member;
gss_authorize_localname;
@@ -85,6 +85,7 @@ HEIMDAL_GSS_2.0 {
gss_set_sec_context_option;
gss_sign;
gss_store_cred;
gss_store_cred_into;
gss_test_oid_set_member;
gss_unseal;
gss_unwrap;
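Review bot: This hunk removes `__gss_c_cred_password_oid_desc` and `__gss_c_cred_certificate_oid_desc` from the existing HEIMDAL_GSS_2.0 version node (the 14/14 line counts confirm two removals against the two added function names), which is an ABI break for any binary that resolved those symbols, even though the commit message describes only gss_acquire_cred_ext as non-public. If the descriptors shipped in a released library, keep them in the map (the gss_oid.c definitions can stay even if unused), or state the break explicitly in the commit message. Introducing gss_acquire_cred_from, gss_add_cred_from and gss_store_cred_into under a new version node instead of editing 2.0 in place would also let consumers detect the credential-store API at link time.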


@@ -122,12 +122,15 @@ echo "======context building for each mech"
for mech in ntlm krb5 ; do
echo "${mech}"
${context} --mech-type=${mech} --ret-mech-type=${mech} \
--client-ccache="${cache}" \
--gsskrb5-acceptor-identity="${keytab}" \
--name-type=hostbased-service host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
done
echo "spnego"
${context} \
--client-ccache="${cache}" \
--mech-type=spnego \
--ret-mech-type=krb5 \
--name-type=hostbased-service \
@@ -136,10 +139,12 @@ ${context} \
echo "test failure cases"
${context} --mech-type=ntlm --ret-mech-type=krb5 \
--client-ccache="${cache}" \
--name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
{ exitcode=1 ; echo test failed; }
${context} --mech-type=krb5 --ret-mech-type=ntlm \
--client-ccache="${cache}" \
--name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
{ exitcode=1 ; echo test failed; }
@@ -185,6 +190,16 @@ for arg in \
{ exitcode=1 ; echo test failed; }
KRB5_KTNAME="${keytab}"
echo "no explicit krb5 acceptor cred ${arg}"
${context} --mech-type=spnego \
$arg \
--gsskrb5-acceptor-identity="${keytab}-no" \
--server-no-delegate \
--name-type=hostbased-service \
--ret-mech-type=krb5 \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
echo "no krb5 initiator cred ${arg}"
KRB5CCNAME="${cache}-no"
${context} --mech-type=spnego \
@@ -196,6 +211,16 @@ for arg in \
{ exitcode=1 ; echo test failed; }
KRB5CCNAME="${cache}"
echo "no explicit krb5 initiator cred ${arg}"
${context} --mech-type=spnego \
$arg \
--client-ccache="${cache}-no" \
--server-no-delegate \
--name-type=hostbased-service \
--ret-mech-type=krb5 \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
done
trap "" EXIT
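Review bot: The two new negative tests (the `--gsskrb5-acceptor-identity="${keytab}-no"` and `--client-ccache="${cache}-no"` runs) only require ${context} to exit non-zero, so a crash, a missing binary or an unrelated option-parsing error also counts as a pass; the enclosing `for arg in` loop starts outside the hunk. Capture the status and compare it with the exit code the tool uses for a credential failure, `${context} ... 2>/dev/null; rc=$?` then `[ "$rc" -eq EXPECTED_RC ] || { exitcode=1 ; echo test failed; }` (EXPECTED_RC is a placeholder for the tool's documented value), or keep stderr in a file and grep it for the expected error text instead of discarding it. A short comment near the first `--client-ccache="${cache}"` noting that the cache is now passed through the credential store rather than KRB5CCNAME would help whoever next debugs these tests.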