Rename local include file, remove global files.

Stop exposing global gssapi symbols.
Rename gss_context_id_t and gss_cred_id_t to local names.
Remove SPNEGO code; it's now in its own gssapi module.
Add mechglue inquire functions.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17697 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2006-06-28 08:54:04 +00:00
parent 2baa7e7d61
commit ee09f98c15
66 changed files with 1727 additions and 6039 deletions


@@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
krb5_error_code
gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)
{
p[0] = (n >> 0) & 0xFF;
p[1] = (n >> 8) & 0xFF;
@@ -46,7 +46,7 @@ gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
}
krb5_error_code
gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
_gsskrb5_encode_be_om_uint32(OM_uint32 n, u_char *p)
{
p[0] = (n >> 24) & 0xFF;
p[1] = (n >> 16) & 0xFF;
@@ -56,7 +56,7 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
}
krb5_error_code
gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
_gsskrb5_decode_om_uint32(const void *ptr, OM_uint32 *n)
{
const u_char *p = ptr;
*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
@@ -64,7 +64,7 @@ gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
}
krb5_error_code
gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
_gsskrb5_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
{
const u_char *p = ptr;
*n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
@@ -79,23 +79,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
MD5_CTX md5;
MD5_Init(&md5);
gssapi_encode_om_uint32 (b->initiator_addrtype, num);
_gsskrb5_encode_om_uint32 (b->initiator_addrtype, num);
MD5_Update (&md5, num, sizeof(num));
gssapi_encode_om_uint32 (b->initiator_address.length, num);
_gsskrb5_encode_om_uint32 (b->initiator_address.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->initiator_address.length)
MD5_Update (&md5,
b->initiator_address.value,
b->initiator_address.length);
gssapi_encode_om_uint32 (b->acceptor_addrtype, num);
_gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num);
MD5_Update (&md5, num, sizeof(num));
gssapi_encode_om_uint32 (b->acceptor_address.length, num);
_gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->acceptor_address.length)
MD5_Update (&md5,
b->acceptor_address.value,
b->acceptor_address.length);
gssapi_encode_om_uint32 (b->application_data.length, num);
_gsskrb5_encode_om_uint32 (b->application_data.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->application_data.length)
MD5_Update (&md5,
@@ -112,7 +112,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
*/
OM_uint32
gssapi_krb5_create_8003_checksum (
_gsskrb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
@@ -136,7 +136,7 @@ gssapi_krb5_create_8003_checksum (
}
p = result->checksum.data;
gssapi_encode_om_uint32 (16, p);
_gsskrb5_encode_om_uint32 (16, p);
p += 4;
if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
memset (p, 0, 16);
@@ -144,7 +144,7 @@ gssapi_krb5_create_8003_checksum (
hash_input_chan_bindings (input_chan_bindings, p);
}
p += 16;
gssapi_encode_om_uint32 (flags, p);
_gsskrb5_encode_om_uint32 (flags, p);
p += 4;
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -167,7 +167,7 @@ gssapi_krb5_create_8003_checksum (
*/
OM_uint32
gssapi_krb5_verify_8003_checksum(
_gsskrb5_verify_8003_checksum(
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
const Checksum *cksum,
@@ -192,7 +192,7 @@ gssapi_krb5_verify_8003_checksum(
}
p = cksum->checksum.data;
gssapi_decode_om_uint32(p, &length);
_gsskrb5_decode_om_uint32(p, &length);
if(length != sizeof(hash)) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
@@ -214,7 +214,7 @@ gssapi_krb5_verify_8003_checksum(
p += sizeof(hash);
gssapi_decode_om_uint32(p, flags);
_gsskrb5_decode_om_uint32(p, flags);
p += 4;
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {



@@ -1,99 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += -I$(srcdir)/../krb5 \
-I${srcdir}/../asn1/include \
$(INCLUDE_des) \
$(INCLUDE_krb4)
spnego_files = \
asn1_ContextFlags.x \
asn1_MechType.x \
asn1_MechTypeList.x \
asn1_NegotiationToken.x \
asn1_NegTokenInit.x \
asn1_NegTokenTarg.x
BUILT_SOURCES = $(spnego_files:.x=.c)
lib_LTLIBRARIES = libgssapi.la
libgssapi_la_LDFLAGS = -version-info 4:0:0
libgssapi_la_LIBADD = \
../krb5/libkrb5.la \
$(LIB_des) \
../asn1/libasn1.la \
$(LIB_roken)
man_MANS = gssapi.3 gss_acquire_cred.3
include_HEADERS = gssapi.h
libgssapi_la_SOURCES = \
$(BUILT_SOURCES) \
8003.c \
accept_sec_context.c \
acquire_cred.c \
add_cred.c \
add_oid_set_member.c \
arcfour.c \
canonicalize_name.c \
ccache_name.c \
cfx.c \
compare_name.c \
compat.c \
context_time.c \
copy_ccache.c \
create_emtpy_oid_set.c \
decapsulate.c \
delete_sec_context.c \
display_name.c \
display_status.c \
duplicate_name.c \
encapsulate.c \
export_sec_context.c \
export_name.c \
external.c \
get_mic.c \
gssapi.h \
gssapi_locl.h \
import_name.c \
import_sec_context.c \
indicate_mechs.c \
init.c \
init_sec_context.c \
inquire_context.c \
inquire_cred.c \
inquire_cred_by_mech.c \
inquire_mechs_for_name.c \
inquire_names_for_mech.c \
oid_to_str.c \
process_context_token.c \
release_buffer.c \
release_cred.c \
release_name.c \
release_oid_set.c \
sequence.c \
test_oid_set_member.c \
ticket_flags.c \
unwrap.c \
v1.c \
verify_mic.c \
wrap.c \
address_to_krb5addr.c
CLEANFILES = $(BUILT_SOURCES) $(spnego_files) spnego_asn1.h spnego_asn1_files
$(spnego_files) spnego_asn1.h: spnego_asn1_files
spnego_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1
../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1 spnego_asn1
$(libgssapi_la_OBJECTS): spnego_asn1.h
TESTS = test_sequence test_oid
check_PROGRAMS = test_acquire_cred $(TESTS)
noinst_PROGRAMS = test_cred test_kcred
LDADD = libgssapi.la $(LIB_roken)



@@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32
_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal principal,
OM_uint32 *lifetime)
@@ -48,32 +48,32 @@ _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
realm = krb5_principal_get_realm(gssapi_krb5_context, principal);
realm = krb5_principal_get_realm(_gsskrb5_context, principal);
if (realm == NULL) {
gssapi_krb5_clear_status ();
_gsskrb5_clear_status ();
*minor_status = KRB5_PRINC_NOMATCH; /* XXX */
return GSS_S_FAILURE;
}
kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
kret = krb5_make_principal(_gsskrb5_context, &in_cred.server,
realm, KRB5_TGS_NAME, realm, NULL);
if (kret) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_get_credentials(gssapi_krb5_context, 0,
kret = krb5_get_credentials(_gsskrb5_context, 0,
id, &in_cred, &out_cred);
krb5_free_principal(gssapi_krb5_context, in_cred.server);
krb5_free_principal(_gsskrb5_context, in_cred.server);
if (kret) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
*lifetime = out_cred->times.endtime;
krb5_free_creds(gssapi_krb5_context, out_cred);
krb5_free_creds(_gsskrb5_context, out_cred);
return GSS_S_COMPLETE;
}
@@ -89,14 +89,14 @@ get_keytab(krb5_keytab *keytab)
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (gssapi_krb5_keytab != NULL) {
kret = krb5_kt_get_name(gssapi_krb5_context,
gssapi_krb5_keytab,
if (_gsskrb5_keytab != NULL) {
kret = krb5_kt_get_name(_gsskrb5_context,
_gsskrb5_keytab,
kt_name, sizeof(kt_name));
if (kret == 0)
kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab);
kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab);
} else
kret = krb5_kt_default(gssapi_krb5_context, keytab);
kret = krb5_kt_default(_gsskrb5_context, keytab);
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
@@ -109,7 +109,7 @@ static OM_uint32 acquire_initiator_cred
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t handle,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
@@ -132,33 +132,33 @@ static OM_uint32 acquire_initiator_cred
* caches, otherwise, fall back to default cache. Ignore
* errors. */
if (handle->principal)
kret = krb5_cc_cache_match (gssapi_krb5_context,
kret = krb5_cc_cache_match (_gsskrb5_context,
handle->principal,
NULL,
&ccache);
if (ccache == NULL) {
kret = krb5_cc_default(gssapi_krb5_context, &ccache);
kret = krb5_cc_default(_gsskrb5_context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
kret = krb5_cc_get_principal(_gsskrb5_context, ccache,
&def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_destroy(gssapi_krb5_context, ccache);
krb5_cc_destroy(_gsskrb5_context, ccache);
ccache = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
kret = krb5_copy_principal(_gsskrb5_context, def_princ,
&handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(gssapi_krb5_context, handle->principal,
krb5_principal_compare(_gsskrb5_context, handle->principal,
def_princ) == FALSE) {
/* Before failing, lets check the keytab */
krb5_free_principal(gssapi_krb5_context, def_princ);
krb5_free_principal(_gsskrb5_context, def_princ);
def_princ = NULL;
}
if (def_princ == NULL) {
@@ -166,7 +166,7 @@ static OM_uint32 acquire_initiator_cred
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(gssapi_krb5_context,
kret = krb5_get_default_principal(_gsskrb5_context,
&handle->principal);
if (kret)
goto end;
@@ -174,29 +174,29 @@ static OM_uint32 acquire_initiator_cred
kret = get_keytab(&keytab);
if (kret)
goto end;
kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt);
kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt);
if (kret)
goto end;
kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred,
handle->principal, keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(opt);
if (kret)
goto end;
kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
&ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client);
if (kret)
goto end;
kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred);
if (kret)
goto end;
handle->lifetime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
ret = _gssapi_krb5_ccache_lifetime(minor_status,
ret = __gsskrb5_ccache_lifetime(minor_status,
ccache,
handle->principal,
&handle->lifetime);
@@ -210,17 +210,17 @@ static OM_uint32 acquire_initiator_cred
end:
if (cred.client != NULL)
krb5_free_cred_contents(gssapi_krb5_context, &cred);
krb5_free_cred_contents(_gsskrb5_context, &cred);
if (def_princ != NULL)
krb5_free_principal(gssapi_krb5_context, def_princ);
krb5_free_principal(_gsskrb5_context, def_princ);
if (keytab != NULL)
krb5_kt_close(gssapi_krb5_context, keytab);
krb5_kt_close(_gsskrb5_context, keytab);
if (ret != GSS_S_COMPLETE) {
if (ccache != NULL)
krb5_cc_close(gssapi_krb5_context, ccache);
krb5_cc_close(_gsskrb5_context, ccache);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
}
}
return (ret);
@@ -232,7 +232,7 @@ static OM_uint32 acquire_acceptor_cred
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t handle,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
@@ -250,38 +250,38 @@ static OM_uint32 acquire_acceptor_cred
if (handle->principal) {
krb5_keytab_entry entry;
kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab,
kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab,
handle->principal, 0, 0, &entry);
if (kret)
goto end;
krb5_kt_free_entry(gssapi_krb5_context, &entry);
krb5_kt_free_entry(_gsskrb5_context, &entry);
}
ret = GSS_S_COMPLETE;
end:
if (ret != GSS_S_COMPLETE) {
if (handle->keytab != NULL)
krb5_kt_close(gssapi_krb5_context, handle->keytab);
krb5_kt_close(_gsskrb5_context, handle->keytab);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
}
}
return (ret);
}
OM_uint32 gss_acquire_cred
(OM_uint32 * minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
OM_uint32 _gsskrb5_acquire_cred
(OM_uint32 * minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
{
gss_cred_id_t handle;
gsskrb5_cred handle;
OM_uint32 ret;
if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
@@ -300,8 +300,8 @@ OM_uint32 gss_acquire_cred
if (desired_mechs) {
int present = 0;
ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
desired_mechs, &present);
ret = _gsskrb5_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
desired_mechs, &present);
if (ret)
return ret;
if (!present) {
@@ -310,18 +310,17 @@ OM_uint32 gss_acquire_cred
}
}
handle = (gss_cred_id_t)malloc(sizeof(*handle));
if (handle == GSS_C_NO_CREDENTIAL) {
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(handle, 0, sizeof (*handle));
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
ret = gss_duplicate_name(minor_status, desired_name,
&handle->principal);
ret = _gsskrb5_duplicate_name(minor_status, desired_name,
&handle->principal);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
@@ -330,42 +329,42 @@ OM_uint32 gss_acquire_cred
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return (ret);
}
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return (ret);
}
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
actual_mechs);
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return (ret);
}
*minor_status = 0;
if (time_rec) {
ret = gssapi_lifetime_left(minor_status,
ret = _gsskrb5_lifetime_left(minor_status,
handle->lifetime,
time_rec);
@@ -373,6 +372,6 @@ OM_uint32 gss_acquire_cred
return ret;
}
handle->usage = cred_usage;
*output_cred_handle = handle;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
}
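Review bot: The `if (time_rec)` block at the end of `_gsskrb5_acquire_cred` returns the `_gsskrb5_lifetime_left` failure without releasing `handle`, whereas every earlier failure in the `@@ -330,42 +329,42 @@` hunk destroys `cred_id_mutex`, frees `handle->principal` (and, after the oid-set step, `handle->mechanisms`) and frees the handle. The single line between the last two hunks (old line 372) is not shown, so this assumes it is a plain error check with no cleanup of its own. Relatedly, for `GSS_C_BOTH` a failure in `acquire_acceptor_cred` after `acquire_initiator_cred` succeeded releases only the principal; if the initiator step stores its ccache in the handle (that assignment is outside these hunks) it is leaked on that path as well. Since the same four-line teardown now appears three times in this function, a single cleanup path is the cleaner fix; the minimal version for the `time_rec` branch is below.
```c
    if (time_rec) {
	ret = _gsskrb5_lifetime_left(minor_status,
				     handle->lifetime,
				     time_rec);
	if (ret != GSS_S_COMPLETE) {
	    /* same teardown as the _gsskrb5_inquire_cred failure above */
	    _gsskrb5_release_oid_set(NULL, &handle->mechanisms);
	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
	    krb5_free_principal(_gsskrb5_context, handle->principal);
	    free(handle);
	    return ret;
	}
    }
    /* … unchanged: handle->usage, *output_cred_handle, return … */
```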


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_add_cred (
OM_uint32 _gsskrb5_add_cred (
OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
@@ -49,22 +49,22 @@ OM_uint32 gss_add_cred (
OM_uint32 *acceptor_time_rec)
{
OM_uint32 ret, lifetime;
gss_cred_id_t cred, handle;
gsskrb5_cred cred, handle;
handle = NULL;
cred = input_cred_handle;
cred = (gsskrb5_cred)input_cred_handle;
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) {
if (cred == NULL && output_cred_handle == NULL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
if (cred == GSS_C_NO_CREDENTIAL) { /* XXX standard conformance failure */
if (cred == NULL) { /* XXX standard conformance failure */
*minor_status = 0;
return GSS_S_NO_CRED;
}
@@ -81,7 +81,7 @@ OM_uint32 gss_add_cred (
/* check that we have the same name */
if (desired_name != GSS_C_NO_NAME &&
krb5_principal_compare(gssapi_krb5_context, desired_name,
krb5_principal_compare(_gsskrb5_context, desired_name,
cred->principal) != FALSE) {
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
@@ -92,15 +92,13 @@ OM_uint32 gss_add_cred (
/* make a copy */
if (output_cred_handle) {
handle = (gss_cred_id_t)malloc(sizeof(*handle));
if (handle == GSS_C_NO_CREDENTIAL) {
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(handle, 0, sizeof (*handle));
handle->usage = cred_usage;
handle->lifetime = cred->lifetime;
handle->principal = NULL;
@@ -111,8 +109,8 @@ OM_uint32 gss_add_cred (
ret = GSS_S_FAILURE;
ret = gss_duplicate_name(minor_status, cred->principal,
&handle->principal);
ret = _gsskrb5_duplicate_name(minor_status, cred->principal,
&handle->principal);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
free(handle);
@@ -127,7 +125,7 @@ OM_uint32 gss_add_cred (
ret = GSS_S_FAILURE;
kret = krb5_kt_get_type(gssapi_krb5_context, cred->keytab,
kret = krb5_kt_get_type(_gsskrb5_context, cred->keytab,
name, KRB5_KT_PREFIX_MAX_LEN);
if (kret) {
*minor_status = kret;
@@ -136,7 +134,7 @@ OM_uint32 gss_add_cred (
len = strlen(name);
name[len++] = ':';
kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab,
kret = krb5_kt_get_name(_gsskrb5_context, cred->keytab,
name + len,
sizeof(name) - len);
if (kret) {
@@ -144,7 +142,7 @@ OM_uint32 gss_add_cred (
goto failure;
}
kret = krb5_kt_resolve(gssapi_krb5_context, name,
kret = krb5_kt_resolve(_gsskrb5_context, name,
&handle->keytab);
if (kret){
*minor_status = kret;
@@ -159,21 +157,21 @@ OM_uint32 gss_add_cred (
ret = GSS_S_FAILURE;
type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache);
type = krb5_cc_get_type(_gsskrb5_context, cred->ccache);
if (type == NULL){
*minor_status = ENOMEM;
goto failure;
}
if (strcmp(type, "MEMORY") == 0) {
ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
ret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
&handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache,
ret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache,
handle->ccache);
if (ret) {
*minor_status = ret;
@@ -181,7 +179,7 @@ OM_uint32 gss_add_cred (
}
} else {
name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache);
name = krb5_cc_get_name(_gsskrb5_context, cred->ccache);
if (name == NULL) {
*minor_status = ENOMEM;
goto failure;
@@ -193,7 +191,7 @@ OM_uint32 gss_add_cred (
goto failure;
}
kret = krb5_cc_resolve(gssapi_krb5_context, type_name,
kret = krb5_cc_resolve(_gsskrb5_context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
@@ -202,20 +200,20 @@ OM_uint32 gss_add_cred (
}
}
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret)
goto failure;
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret)
goto failure;
}
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime,
NULL, actual_mechs);
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred,
NULL, &lifetime, NULL, actual_mechs);
if (ret)
goto failure;
@@ -225,7 +223,7 @@ OM_uint32 gss_add_cred (
*acceptor_time_rec = lifetime;
if (output_cred_handle) {
*output_cred_handle = handle;
*output_cred_handle = (gss_cred_id_t)handle;
}
*minor_status = 0;
@@ -235,13 +233,13 @@ OM_uint32 gss_add_cred (
if (handle) {
if (handle->principal)
gss_release_name(NULL, &handle->principal);
_gsskrb5_release_name(NULL, &handle->principal);
if (handle->keytab)
krb5_kt_close(gssapi_krb5_context, handle->keytab);
krb5_kt_close(_gsskrb5_context, handle->keytab);
if (handle->ccache)
krb5_cc_destroy(gssapi_krb5_context, handle->ccache);
krb5_cc_destroy(_gsskrb5_context, handle->ccache);
if (handle->mechanisms)
gss_release_oid_set(NULL, &handle->mechanisms);
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
free(handle);
}
if (output_cred_handle)
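Review bot: The name check in the `@@ -81,7 +81,7 @@` hunk still reads inverted after the rename: the comment says "check that we have the same name", yet the branch is entered when `krb5_principal_compare(_gsskrb5_context, desired_name, cred->principal) != FALSE`, i.e. when the principals match; the return inside that branch is outside the hunk, so this assumes it is an error return. If that assumption holds, the condition should be `== FALSE`, otherwise the comment should state that a matching name is rejected and why. In the same hunk `desired_name` is a `gss_name_t` handed directly to `krb5_principal_compare`, while this commit adds explicit casts for the other handle types (`cred = (gsskrb5_cred)input_cred_handle;`), so `(krb5_principal)desired_name` would make the intended relationship visible; whether it compiles without a cast depends on how the new header defines `gss_name_t`, which is not shown here. Finally, `gss_oid_equal` at the top of `_gsskrb5_add_cred` is the one remaining unprefixed `gss_*` call in a file that now uses `_gsskrb5_*` throughout, which is worth confirming is intentional given the commit's aim of no longer exposing global gssapi symbols.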


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_add_oid_set_member (
OM_uint32 _gsskrb5_add_oid_set_member (
OM_uint32 * minor_status,
const gss_OID member_oid,
gss_OID_set * oid_set
@@ -46,7 +46,8 @@ OM_uint32 gss_add_oid_set_member (
OM_uint32 res;
int present;
res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
res = _gsskrb5_test_oid_set_member(minor_status, member_oid,
*oid_set, &present);
if (res != GSS_S_COMPLETE)
return res;


@@ -31,15 +31,15 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
#include <roken.h>
krb5_error_code
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address)
_gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address)
{
int addr_type;
struct sockaddr sa;
@@ -61,7 +61,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type,
return GSS_S_FAILURE;
}
problem = krb5_h_addr2sockaddr (gssapi_krb5_context,
problem = krb5_h_addr2sockaddr (_gsskrb5_context,
addr_type,
gss_addr->value,
&sa,
@@ -70,7 +70,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type,
if (problem)
return GSS_S_FAILURE;
problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address);
problem = krb5_sockaddr2address (_gsskrb5_context, &sa, address);
return problem;
}


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -127,13 +127,13 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(ptr + l1, v2, l2);
memcpy(ptr + l1 + l2, v3, l3);
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret) {
free(ptr);
return ret;
}
ret = krb5_create_checksum(gssapi_krb5_context,
ret = krb5_create_checksum(_gsskrb5_context,
crypto,
usage,
0,
@@ -144,7 +144,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
free_Checksum(&CKSUM);
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return ret;
}
@@ -152,7 +152,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
OM_uint32
_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -164,7 +164,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
u_char k6_data[16], *p0, *p;
RC4_KEY rc4_key;
gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
message_token->length = total_len;
message_token->value = malloc (total_len);
@@ -195,28 +195,28 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
message_buffer->value, message_buffer->length,
NULL, 0);
if (ret) {
gss_release_buffer(minor_status, message_token);
_gsskrb5_release_buffer(minor_status, message_token);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
gss_release_buffer(minor_status, message_token);
_gsskrb5_release_buffer(minor_status, message_token);
*minor_status = ret;
return GSS_S_FAILURE;
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
&seq_number);
p = p0 + 8; /* SND_SEQ */
gssapi_encode_be_om_uint32(seq_number, p);
_gsskrb5_encode_be_om_uint32(seq_number, p);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -236,7 +236,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -254,7 +254,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
*qop_state = 0;
p = token_buffer->value;
omret = gssapi_krb5_verify_header (&p,
omret = _gsskrb5_verify_header (&p,
token_buffer->length,
(u_char *)type,
GSS_KRB5_MECHANISM);
@@ -278,7 +278,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
cksum_data, sizeof(cksum_data),
k6_data, sizeof(k6_data));
if (ret) {
@@ -302,7 +302,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
memset(k6_data, 0, sizeof(k6_data));
}
gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
@@ -327,7 +327,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -377,13 +377,13 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
p = NULL;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
&seq_number);
gssapi_encode_be_om_uint32(seq_number, p0 + 8);
_gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -407,7 +407,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
datalen);
if (ret) {
*minor_status = ret;
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -421,12 +421,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
p0 + 8, 4, /* SND_SEQ */
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -442,11 +442,11 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -468,7 +468,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@@ -524,7 +524,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
return GSS_S_BAD_MIC;
p = NULL;
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -541,7 +541,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
memset(k6_data, 0, sizeof(k6_data));
}
gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
@@ -563,7 +563,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
SND_SEQ, 4,
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
@@ -597,7 +597,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = 0;
return ret;
}
@@ -610,14 +610,14 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
output_message_buffer->value,
output_message_buffer->length + padlen);
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = ret;
return GSS_S_FAILURE;
}
cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
if (cmp) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = 0;
return GSS_S_BAD_MIC;
}


@@ -31,16 +31,16 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_canonicalize_name (
OM_uint32 _gsskrb5_canonicalize_name (
OM_uint32 * minor_status,
const gss_name_t input_name,
const gss_OID mech_type,
gss_name_t * output_name
)
{
return gss_duplicate_name (minor_status, input_name, output_name);
return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
}


@@ -31,16 +31,16 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
char *last_out_name;
OM_uint32
gss_krb5_ccache_name(OM_uint32 *minor_status,
const char *name,
const char **out_name)
_gsskrb5_krb5_ccache_name(OM_uint32 *minor_status,
const char *name,
const char **out_name)
{
krb5_error_code kret;
@@ -56,10 +56,10 @@ gss_krb5_ccache_name(OM_uint32 *minor_status,
last_out_name = NULL;
}
n = krb5_cc_default_name(gssapi_krb5_context);
n = krb5_cc_default_name(_gsskrb5_context);
if (n == NULL) {
*minor_status = ENOMEM;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
last_out_name = strdup(n);
@@ -70,10 +70,10 @@ gss_krb5_ccache_name(OM_uint32 *minor_status,
*out_name = last_out_name;
}
kret = krb5_cc_set_default_name(gssapi_krb5_context, name);
kret = krb5_cc_set_default_name(_gsskrb5_context, name);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
return GSS_S_COMPLETE;
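Review bot: `char *last_out_name;` (declared above the first hunk of this file) is still an exported, unsynchronised global, which contradicts the commit's stated goal of no longer exposing gssapi symbols; it should be `static char *last_out_name;`. The pointer handed back through `*out_name` is the same allocation that the next call appears to free and replace (`last_out_name = NULL;` after the cut), so callers that keep it across calls, or call from two threads at once, read freed memory; a comment at the declaration such as `/* previous default name; valid only until the next call, not thread safe */` would at least make the contract explicit, and taking a lock around the replace/strdup sequence would make it safe. The `strdup(n)` result is assigned without a NULL check as far as the visible lines show; the handling after that line is outside the hunk.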


@@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -57,12 +57,12 @@ wrap_length_cfx(krb5_crypto crypto,
*output_length = sizeof(gss_cfx_wrap_token_desc);
*padlength = 0;
ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, &type);
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
if (ret) {
return ret;
}
ret = krb5_checksumsize(gssapi_krb5_context, type, cksumsize);
ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize);
if (ret) {
return ret;
}
@@ -73,7 +73,7 @@ wrap_length_cfx(krb5_crypto crypto,
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, &padsize);
ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize);
if (ret) {
return ret;
}
@@ -85,7 +85,7 @@ wrap_length_cfx(krb5_crypto crypto,
/* We add the pad ourselves (noted here for completeness only) */
input_length += *padlength;
*output_length += krb5_get_wrapped_length(gssapi_krb5_context,
*output_length += krb5_get_wrapped_length(_gsskrb5_context,
crypto, input_length);
} else {
/* Checksum is concatenated with data */
@@ -98,7 +98,7 @@ wrap_length_cfx(krb5_crypto crypto,
}
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
@@ -110,9 +110,9 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
uint16_t padlength;
size_t output_length, cksumsize;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -121,9 +121,9 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
req_output_size,
&output_length, &cksumsize, &padlength);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -135,7 +135,7 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
*max_input_size = 0;
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_COMPLETE;
}
@@ -185,7 +185,7 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
}
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -203,9 +203,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
int32_t seq_number;
u_char *p;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -214,9 +214,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -227,7 +227,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -277,12 +277,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[1] = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
&seq_number);
gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]);
gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(gssapi_krb5_context,
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -317,16 +317,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
memcpy(p + input_message_buffer->length + padlength,
token, sizeof(*token));
ret = krb5_encrypt(gssapi_krb5_context, crypto,
ret = krb5_encrypt(_gsskrb5_context, crypto,
usage, p,
input_message_buffer->length + padlength +
sizeof(*token),
&cipher);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
assert(sizeof(*token) + cipher.length == wrapped_len);
@@ -335,10 +335,10 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(p, cipher.data, cipher.length);
@@ -350,23 +350,23 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
buf = malloc(input_message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(buf, input_message_buffer->value, input_message_buffer->length);
memcpy(buf + input_message_buffer->length, token, sizeof(*token));
ret = krb5_create_checksum(gssapi_krb5_context, crypto,
ret = krb5_create_checksum(_gsskrb5_context, crypto,
usage, 0, buf,
input_message_buffer->length +
sizeof(*token),
&cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free(buf);
return GSS_S_FAILURE;
}
@@ -387,17 +387,17 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(p,
input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free_Checksum(&cksum);
return GSS_S_FAILURE;
}
free_Checksum(&cksum);
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (conf_state != NULL) {
*conf_state = conf_req_flag;
@@ -408,7 +408,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@@ -471,8 +471,8 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/*
* Check sequence number
*/
gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
if (seq_number_hi) {
/* no support for 64-bit sequence numbers */
*minor_status = ERANGE;
@@ -484,7 +484,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
if (ret != 0) {
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return ret;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -492,9 +492,9 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/*
* Decrypt and/or verify checksum
*/
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -512,23 +512,23 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Rotate by RRC; bogus to do this in-place XXX */
*minor_status = rrc_rotate(p, len, rrc, TRUE);
if (*minor_status != 0) {
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
if (token_flags & CFXSealed) {
ret = krb5_decrypt(gssapi_krb5_context, crypto, usage,
ret = krb5_decrypt(_gsskrb5_context, crypto, usage,
p, len, &data);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_BAD_MIC;
}
/* Check that there is room for the pad and token header */
if (data.length < ec + sizeof(*token)) {
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_data_free(&data);
return GSS_S_DEFECTIVE_TOKEN;
}
@@ -541,7 +541,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check the integrity of the header */
if (memcmp(p, token, sizeof(*token)) != 0) {
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_data_free(&data);
return GSS_S_BAD_MIC;
}
@@ -552,12 +552,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
Checksum cksum;
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(gssapi_krb5_context,
ret = krb5_crypto_get_checksum_type(_gsskrb5_context,
crypto, &cksum.cksumtype);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -566,7 +566,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check we have at least as much data as the checksum */
if (len < cksum.checksum.length) {
*minor_status = ERANGE;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_BAD_MIC;
}
@@ -578,7 +578,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(len + sizeof(*token));
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -595,21 +595,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0;
token->RRC[1] = 0;
ret = krb5_verify_checksum(gssapi_krb5_context, crypto,
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
usage,
output_message_buffer->value,
len + sizeof(*token),
&cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_BAD_MIC;
}
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (qop_state != NULL) {
*qop_state = GSS_C_QOP_DEFAULT;
@@ -620,7 +620,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -635,9 +635,9 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
size_t len;
int32_t seq_number;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -646,7 +646,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
buf = malloc(len);
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -663,12 +663,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
memset(token->Filler, 0xFF, 5);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
&seq_number);
gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]);
gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(gssapi_krb5_context,
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -679,16 +679,16 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
}
ret = krb5_create_checksum(gssapi_krb5_context, crypto,
ret = krb5_create_checksum(_gsskrb5_context, crypto,
usage, 0, buf, len, &cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
free(buf);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
/* Determine MIC length */
message_token->length = sizeof(*token) + cksum.checksum.length;
@@ -713,7 +713,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
@@ -764,8 +764,8 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
/*
* Check sequence number
*/
gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
if (seq_number_hi) {
*minor_status = ERANGE;
return GSS_S_UNSEQ_TOKEN;
@@ -783,19 +783,19 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
/*
* Verify checksum
*/
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto,
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto,
&cksum.cksumtype);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@@ -811,21 +811,21 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
buf = malloc(message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(gssapi_krb5_context, crypto,
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
usage,
buf,
sizeof(*token) + message_buffer->length,
&cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
free(buf);
return GSS_S_BAD_MIC;
}
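Review bot: `assert(sizeof(*token) + cipher.length == wrapped_len);` in `_gssapi_wrap_cfx` is the only check that the ciphertext produced by krb5_encrypt fits the buffer sized by wrap_length_cfx; with NDEBUG it vanishes and the following `memcpy(p, cipher.data, cipher.length)` can overrun output_message_buffer, and without NDEBUG a mismatch aborts the whole process from library code. A runtime check that unwinds like the surrounding error paths is safer; cipher is presumably freed after the memcpy outside this hunk, so the new path must free it too. The function body starts and ends outside the hunk.
```c
    if (sizeof(*token) + cipher.length != wrapped_len) {
        *minor_status = EINVAL;
        krb5_data_free(&cipher);
        krb5_crypto_destroy(_gsskrb5_context, crypto);
        _gsskrb5_release_buffer(minor_status, output_message_buffer);
        return GSS_S_FAILURE;
    }
    /* … unchanged: rrc_rotate and memcpy of cipher.data … */
```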


@@ -62,43 +62,4 @@ typedef struct gss_cfx_delete_token_desc_struct {
u_char SND_SEQ[8];
} gss_cfx_delete_token_desc, *gss_cfx_delete_token;
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 *max_input_size,
krb5_keyblock *key);
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer,
krb5_keyblock *key);
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
gss_qop_t *qop_state,
krb5_keyblock *key);
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
krb5_keyblock *key);
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
krb5_keyblock *key);
#endif /* GSSAPI_CFX_H_ */


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_compare_name
OM_uint32 _gsskrb5_compare_name
(OM_uint32 * minor_status,
const gss_name_t name1,
const gss_name_t name2,
@@ -44,7 +44,7 @@ OM_uint32 gss_compare_name
{
GSSAPI_KRB5_INIT();
*name_equal = krb5_principal_compare (gssapi_krb5_context,
*name_equal = krb5_principal_compare (_gsskrb5_context,
name1, name2);
*minor_status = 0;
return GSS_S_COMPLETE;


@@ -31,42 +31,42 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
krb5_error_code
_gss_check_compat(OM_uint32 *minor_status, gss_name_t name,
const char *option, krb5_boolean *compat,
krb5_boolean match_val)
static krb5_error_code
check_compat(OM_uint32 *minor_status, gss_name_t name,
const char *option, krb5_boolean *compat,
krb5_boolean match_val)
{
krb5_error_code ret = 0;
char **p, **q;
krb5_principal match;
p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi",
p = krb5_config_get_strings(_gsskrb5_context, NULL, "gssapi",
option, NULL);
if(p == NULL)
return 0;
match = NULL;
for(q = p; *q; q++) {
ret = krb5_parse_name(gssapi_krb5_context, *q, &match);
ret = krb5_parse_name(_gsskrb5_context, *q, &match);
if (ret)
break;
if (krb5_principal_match(gssapi_krb5_context, name, match)) {
if (krb5_principal_match(_gsskrb5_context, name, match)) {
*compat = match_val;
break;
}
krb5_free_principal(gssapi_krb5_context, match);
krb5_free_principal(_gsskrb5_context, match);
match = NULL;
}
if (match)
krb5_free_principal(gssapi_krb5_context, match);
krb5_free_principal(_gsskrb5_context, match);
krb5_config_free_strings(p);
if (ret) {
@@ -83,18 +83,18 @@ _gss_check_compat(OM_uint32 *minor_status, gss_name_t name,
*/
OM_uint32
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gsskrb5_ctx ctx)
{
krb5_boolean use_compat = FALSE;
OM_uint32 ret;
if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
ret = _gss_check_compat(minor_status, ctx->target,
"broken_des3_mic", &use_compat, TRUE);
ret = check_compat(minor_status, ctx->target,
"broken_des3_mic", &use_compat, TRUE);
if (ret)
return ret;
ret = _gss_check_compat(minor_status, ctx->target,
"correct_des3_mic", &use_compat, FALSE);
ret = check_compat(minor_status, ctx->target,
"correct_des3_mic", &use_compat, FALSE);
if (ret)
return ret;
@@ -105,6 +105,7 @@ _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
return 0;
}
#if 0
OM_uint32
gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
{
@@ -121,34 +122,4 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
return 0;
}
/*
* For compatability with the Windows SPNEGO implementation, the
* default is to ignore the mechListMIC unless the initiator specified
* CFX or configured in krb5.conf with the option
* [gssapi]require_mechlist_mic=target-principal-pattern.
* The option is valid for both initiator and acceptor.
*/
OM_uint32
_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
gss_ctx_id_t ctx,
krb5_boolean *require_mic)
{
OM_uint32 ret;
int is_cfx = 0;
gsskrb5_is_cfx(ctx, &is_cfx);
if (is_cfx) {
/* CFX session key was used */
*require_mic = TRUE;
} else {
*require_mic = FALSE;
ret = _gss_check_compat(minor_status, ctx->target,
"require_mechlist_mic",
require_mic, TRUE);
if (ret)
return ret;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
#endif
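Review bot: The `#if 0` region that now wraps `gss_krb5_compat_des3_mic` and `_gss_spnego_require_mechlist_mic` is already stale rather than merely disabled: it still calls `_gss_check_compat`, which this commit renames to the file-local `check_compat`, and still takes a `gss_ctx_id_t ctx` whose `->target` field now lives behind the `gsskrb5_ctx` cast, so it cannot be re-enabled by flipping the `0`. Since the commit message says SPNEGO moved to its own module, the mechListMIC policy helper and its comment about the Windows SPNEGO behaviour belong there; I would delete the block here (or, if it is to stay, replace `#if 0` with a comment such as `/* disabled: needs porting to gsskrb5_ctx and the new SPNEGO module */` so the next reader knows why).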


@@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32
gssapi_lifetime_left(OM_uint32 *minor_status,
_gsskrb5_lifetime_left(OM_uint32 *minor_status,
OM_uint32 lifetime,
OM_uint32 *lifetime_rec)
{
@@ -48,10 +48,10 @@ gssapi_lifetime_left(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
kret = krb5_timeofday(gssapi_krb5_context, &timeret);
kret = krb5_timeofday(_gsskrb5_context, &timeret);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
@@ -64,7 +64,7 @@ gssapi_lifetime_left(OM_uint32 *minor_status,
}
OM_uint32 gss_context_time
OM_uint32 _gsskrb5_context_time
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 * time_rec
@@ -72,14 +72,15 @@ OM_uint32 gss_context_time
{
OM_uint32 lifetime;
OM_uint32 major_status;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
lifetime = context_handle->lifetime;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
lifetime = ctx->lifetime;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec);
major_status = _gsskrb5_lifetime_left(minor_status, lifetime, time_rec);
if (major_status != GSS_S_COMPLETE)
return major_status;
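Review bot: The new `const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;` in `_gsskrb5_context_time` is immediately dereferenced by `HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex)`, so a caller passing GSS_C_NO_CONTEXT crashes instead of getting the GSS_S_NO_CONTEXT that gss_context_time is specified to return; the old code had the same hole, but the cast is the natural place to close it now. Add after the cast `if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; }`. Whether the mechglue layer filters null handles before dispatching here is not visible in this diff, so the check is cheap insurance either way. The function continues past the hunk.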


@@ -31,10 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
#if 0
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
gss_cred_id_t cred,
@@ -50,36 +51,37 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, out);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
#endif
OM_uint32
gss_krb5_import_cred(OM_uint32 *minor_status,
_gsskrb5_import_cred(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal keytab_principal,
krb5_keytab keytab,
gss_cred_id_t *cred)
{
krb5_error_code kret;
gss_cred_id_t handle;
gsskrb5_cred handle;
OM_uint32 ret;
*cred = NULL;
GSSAPI_KRB5_INIT ();
handle = (gss_cred_id_t)calloc(1, sizeof(*handle));
if (handle == GSS_C_NO_CREDENTIAL) {
gssapi_krb5_clear_status ();
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
_gsskrb5_clear_status ();
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
@@ -92,11 +94,11 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_INITIATE;
kret = krb5_cc_get_principal(gssapi_krb5_context, id,
kret = krb5_cc_get_principal(_gsskrb5_context, id,
&handle->principal);
if (kret) {
free(handle);
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -104,34 +106,34 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
if (keytab_principal) {
krb5_boolean match;
match = krb5_principal_compare(gssapi_krb5_context,
match = krb5_principal_compare(_gsskrb5_context,
handle->principal,
keytab_principal);
if (match == FALSE) {
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
gssapi_krb5_clear_status ();
_gsskrb5_clear_status ();
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
}
ret = _gssapi_krb5_ccache_lifetime(minor_status,
ret = __gsskrb5_ccache_lifetime(minor_status,
id,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return ret;
}
kret = krb5_cc_get_full_name(gssapi_krb5_context, id, &str);
kret = krb5_cc_get_full_name(_gsskrb5_context, id, &str);
if (kret)
goto out;
kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache);
kret = krb5_cc_resolve(_gsskrb5_context, str, &handle->ccache);
free(str);
if (kret)
goto out;
@@ -144,18 +146,18 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_ACCEPT;
if (keytab_principal && handle->principal == NULL) {
kret = krb5_copy_principal(gssapi_krb5_context,
kret = krb5_copy_principal(_gsskrb5_context,
keytab_principal,
&handle->principal);
if (kret)
goto out;
}
kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str);
kret = krb5_kt_get_full_name(_gsskrb5_context, keytab, &str);
if (kret)
goto out;
kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab);
kret = krb5_kt_resolve(_gsskrb5_context, str, &handle->keytab);
free(str);
if (kret)
goto out;
@@ -163,10 +165,10 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
if (id || keytab) {
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret != GSS_S_COMPLETE) {
kret = *minor_status;
goto out;
@@ -174,13 +176,13 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
}
*minor_status = 0;
*cred = handle;
*cred = (gss_cred_id_t)handle;
return GSS_S_COMPLETE;
out:
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
if (handle->principal)
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = kret;
@@ -189,29 +191,30 @@ out:
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int ad_type,
gss_buffer_t ad_data)
_gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int ad_type,
gss_buffer_t ad_data)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_error_code ret;
krb5_data data;
ad_data->value = NULL;
ad_data->length = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (ctx->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = krb5_ticket_get_authorization_data_type(gssapi_krb5_context,
context_handle->ticket,
ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context,
ctx->ticket,
ad_type,
&data);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
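Review bot: The `out:` cleanup in `_gsskrb5_import_cred` releases only `handle->principal` and `handle` itself, but by the time the OID-set setup (`_gsskrb5_create_empty_oid_set` / `_gsskrb5_add_oid_set_member`) or the keytab branch fails, `handle->ccache` from `krb5_cc_resolve` and possibly `handle->keytab` from `krb5_kt_resolve` have already been acquired and are leaked. The two early returns after `krb5_cc_get_principal` and the keytab-principal mismatch also `free(handle)` without the `HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex)` that `out:` performs; if the mutex is initialised before those points (the init is outside the hunk) they should go through `out:` as well. Parts of the function lie outside the visible hunks.
```c
out:
    _gsskrb5_set_error_string ();
    if (handle->ccache)
        krb5_cc_close(_gsskrb5_context, handle->ccache);
    if (handle->keytab)
        krb5_kt_close(_gsskrb5_context, handle->keytab);
    if (handle->principal)
        krb5_free_principal(_gsskrb5_context, handle->principal);
    /* … unchanged: mutex destroy, free(handle), minor_status, return … */
```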


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_create_empty_oid_set (
OM_uint32 _gsskrb5_create_empty_oid_set (
OM_uint32 * minor_status,
gss_OID_set * oid_set
)


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -41,7 +41,7 @@ RCSID("$Id$");
*/
ssize_t
gssapi_krb5_get_mech (const u_char *ptr,
_gsskrb5_get_mech (const u_char *ptr,
size_t total_len,
const u_char **mech_ret)
{
@@ -76,7 +76,7 @@ _gssapi_verify_mech_header(u_char **str,
const u_char *p;
ssize_t mech_len;
mech_len = gssapi_krb5_get_mech (*str, total_len, &p);
mech_len = _gsskrb5_get_mech (*str, total_len, &p);
if (mech_len < 0)
return GSS_S_DEFECTIVE_TOKEN;
@@ -92,7 +92,7 @@ _gssapi_verify_mech_header(u_char **str,
}
OM_uint32
gssapi_krb5_verify_header(u_char **str,
_gsskrb5_verify_header(u_char **str,
size_t total_len,
const void *type,
gss_OID oid)
@@ -154,7 +154,7 @@ _gssapi_decapsulate(
*/
OM_uint32
gssapi_krb5_decapsulate(OM_uint32 *minor_status,
_gsskrb5_decapsulate(OM_uint32 *minor_status,
gss_buffer_t input_token_buffer,
krb5_data *out_data,
const void *type,
@@ -164,7 +164,7 @@ gssapi_krb5_decapsulate(OM_uint32 *minor_status,
OM_uint32 ret;
p = input_token_buffer->value;
ret = gssapi_krb5_verify_header(&p,
ret = _gsskrb5_verify_header(&p,
input_token_buffer->length,
type,
oid);


@@ -31,16 +31,18 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_delete_sec_context
OM_uint32 _gsskrb5_delete_sec_context
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t output_token
)
{
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT ();
*minor_status = 0;
@@ -53,26 +55,28 @@ OM_uint32 gss_delete_sec_context
if (*context_handle == GSS_C_NO_CONTEXT)
return GSS_S_COMPLETE;
HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex);
krb5_auth_con_free (gssapi_krb5_context,
(*context_handle)->auth_context);
if((*context_handle)->source)
krb5_free_principal (gssapi_krb5_context,
(*context_handle)->source);
if((*context_handle)->target)
krb5_free_principal (gssapi_krb5_context,
(*context_handle)->target);
if ((*context_handle)->ticket)
krb5_free_ticket (gssapi_krb5_context,
(*context_handle)->ticket);
if((*context_handle)->order)
_gssapi_msg_order_destroy(&(*context_handle)->order);
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
memset(*context_handle, 0, sizeof(**context_handle));
free (*context_handle);
ctx = (gsskrb5_ctx) *context_handle;
*context_handle = GSS_C_NO_CONTEXT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (_gsskrb5_context,
ctx->auth_context);
if(ctx->source)
krb5_free_principal (_gsskrb5_context,
ctx->source);
if(ctx->target)
krb5_free_principal (_gsskrb5_context,
ctx->target);
if (ctx->ticket)
krb5_free_ticket (_gsskrb5_context,
ctx->ticket);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
memset(ctx, 0, sizeof(*ctx));
free (ctx);
return GSS_S_COMPLETE;
}


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_display_name
OM_uint32 _gsskrb5_display_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
@@ -47,12 +47,12 @@ OM_uint32 gss_display_name
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (gssapi_krb5_context,
kret = krb5_unparse_name (_gsskrb5_context,
input_name,
&buf);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (buf);


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -112,9 +112,9 @@ supplementary_error(OM_uint32 v)
}
void
gssapi_krb5_clear_status (void)
_gsskrb5_clear_status (void)
{
struct gssapi_thr_context *ctx = gssapi_get_thread_context(1);
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
if (ctx == NULL)
return;
HEIMDAL_MUTEX_lock(&ctx->mutex);
@@ -125,9 +125,9 @@ gssapi_krb5_clear_status (void)
}
void
gssapi_krb5_set_status (const char *fmt, ...)
_gsskrb5_set_status (const char *fmt, ...)
{
struct gssapi_thr_context *ctx = gssapi_get_thread_context(1);
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
va_list args;
if (ctx == NULL)
@@ -143,22 +143,22 @@ gssapi_krb5_set_status (const char *fmt, ...)
}
void
gssapi_krb5_set_error_string (void)
_gsskrb5_set_error_string (void)
{
char *e;
e = krb5_get_error_string(gssapi_krb5_context);
e = krb5_get_error_string(_gsskrb5_context);
if (e) {
gssapi_krb5_set_status("%s", e);
krb5_free_error_string(gssapi_krb5_context, e);
_gsskrb5_set_status("%s", e);
krb5_free_error_string(_gsskrb5_context, e);
} else
gssapi_krb5_clear_status();
_gsskrb5_clear_status();
}
char *
gssapi_krb5_get_error_string (void)
_gsskrb5_get_error_string (void)
{
struct gssapi_thr_context *ctx = gssapi_get_thread_context(0);
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(0);
char *ret;
if (ctx == NULL)
@@ -170,7 +170,7 @@ gssapi_krb5_get_error_string (void)
return ret;
}
OM_uint32 gss_display_status
OM_uint32 _gsskrb5_display_status
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
@@ -200,9 +200,9 @@ OM_uint32 gss_display_status
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = gssapi_krb5_get_error_string ();
buf = _gsskrb5_get_error_string ();
if (buf == NULL) {
const char *tmp = krb5_get_err_text (gssapi_krb5_context,
const char *tmp = krb5_get_err_text (_gsskrb5_context,
status_value);
if (tmp == NULL)
asprintf(&buf, "unknown mech error-code %u",


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_duplicate_name (
OM_uint32 _gsskrb5_duplicate_name (
OM_uint32 * minor_status,
const gss_name_t src_name,
gss_name_t * dest_name
@@ -45,12 +45,12 @@ OM_uint32 gss_duplicate_name (
GSSAPI_KRB5_INIT ();
kret = krb5_copy_principal (gssapi_krb5_context,
kret = krb5_copy_principal (_gsskrb5_context,
src_name,
dest_name);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
} else {
*minor_status = 0;


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -51,7 +51,7 @@ _gssapi_encap_length (size_t data_len,
}
void
gssapi_krb5_encap_length (size_t data_len,
_gsskrb5_encap_length (size_t data_len,
size_t *len,
size_t *total_len,
const gss_OID mech)
@@ -60,7 +60,7 @@ gssapi_krb5_encap_length (size_t data_len,
}
void *
gssapi_krb5_make_header (void *ptr,
_gsskrb5_make_header (void *ptr,
size_t len,
const void *type,
const gss_OID mech)
@@ -129,7 +129,7 @@ _gssapi_encapsulate(
*/
OM_uint32
gssapi_krb5_encapsulate(
_gsskrb5_encapsulate(
OM_uint32 *minor_status,
const krb5_data *in_data,
gss_buffer_t output_token,
@@ -140,7 +140,7 @@ gssapi_krb5_encapsulate(
size_t len, outer_len;
u_char *p;
gssapi_krb5_encap_length (in_data->length, &len, &outer_len, mech);
_gsskrb5_encap_length (in_data->length, &len, &outer_len, mech);
output_token->length = outer_len;
output_token->value = malloc (outer_len);
@@ -149,7 +149,7 @@ gssapi_krb5_encapsulate(
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header (output_token->value, len, type, mech);
p = _gsskrb5_make_header (output_token->value, len, type, mech);
memcpy (p, in_data->data, in_data->length);
return GSS_S_COMPLETE;
}


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_export_name
OM_uint32 _gsskrb5_export_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t exported_name
@@ -46,12 +46,12 @@ OM_uint32 gss_export_name
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (gssapi_krb5_context,
kret = krb5_unparse_name (_gsskrb5_context,
input_name,
&name);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (name);


@@ -31,17 +31,18 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32
gss_export_sec_context (
_gsskrb5_export_sec_context (
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t interprocess_token
)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle;
krb5_storage *sp;
krb5_auth_context ac;
OM_uint32 ret = GSS_S_COMPLETE;
@@ -53,21 +54,21 @@ gss_export_sec_context (
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) {
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
if (!(ctx->flags & GSS_C_TRANS_FLAG)) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
sp = krb5_storage_emem ();
if (sp == NULL) {
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ac = (*context_handle)->auth_context;
ac = ctx->auth_context;
/* flagging included fields */
@@ -165,19 +166,21 @@ gss_export_sec_context (
/* names */
ret = gss_export_name (minor_status, (*context_handle)->source, &buffer);
ret = _gsskrb5_export_name (minor_status,
ctx->source, &buffer);
if (ret)
goto failure;
data.data = buffer.value;
data.length = buffer.length;
kret = krb5_store_data (sp, data);
gss_release_buffer (&minor, &buffer);
_gsskrb5_release_buffer (&minor, &buffer);
if (kret) {
*minor_status = kret;
goto failure;
}
ret = gss_export_name (minor_status, (*context_handle)->target, &buffer);
ret = _gsskrb5_export_name (minor_status,
ctx->target, &buffer);
if (ret)
goto failure;
data.data = buffer.value;
@@ -186,28 +189,28 @@ gss_export_sec_context (
ret = GSS_S_FAILURE;
kret = krb5_store_data (sp, data);
gss_release_buffer (&minor, &buffer);
_gsskrb5_release_buffer (&minor, &buffer);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, (*context_handle)->flags);
kret = krb5_store_int32 (sp, ctx->flags);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, (*context_handle)->more_flags);
kret = krb5_store_int32 (sp, ctx->more_flags);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, (*context_handle)->lifetime);
kret = krb5_store_int32 (sp, ctx->lifetime);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = _gssapi_msg_order_export(sp, (*context_handle)->order);
kret = _gssapi_msg_order_export(sp, ctx->order);
if (kret ) {
*minor_status = kret;
goto failure;
@@ -216,21 +219,21 @@ gss_export_sec_context (
kret = krb5_storage_to_data (sp, &data);
krb5_storage_free (sp);
if (kret) {
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = kret;
return GSS_S_FAILURE;
}
interprocess_token->length = data.length;
interprocess_token->value = data.data;
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
ret = gss_delete_sec_context (minor_status, context_handle,
GSS_C_NO_BUFFER);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
ret = _gsskrb5_delete_sec_context (minor_status, context_handle,
GSS_C_NO_BUFFER);
if (ret != GSS_S_COMPLETE)
gss_release_buffer (NULL, interprocess_token);
_gsskrb5_release_buffer (NULL, interprocess_token);
*minor_status = 0;
return ret;
failure:
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
krb5_storage_free (sp);
return ret;
}
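Review bot: `const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle;` promises less than it reads: `gsskrb5_ctx` is evidently a pointer typedef (the code goes on to lock `ctx->ctx_id_mutex` and hand `ctx->order` to `_gssapi_msg_order_export`), so the `const` qualifies the local pointer, not the context, and the function does mutate the context it points to. The same pattern is introduced in `_gsskrb5_get_mic` and in the `const gsskrb5_ctx ctx` parameters of `mic_des` and `mic_des3`; either drop the qualifier or use `gsskrb5_ctx const ctx` where a read-only pointer variable is actually the intent. Note also that `ctx` is still dereferenced for the unlock at line 385 and then handed to `_gsskrb5_delete_sec_context`, which frees it, so nothing may touch `ctx` after that call — a one-line `/* ctx is freed by the delete below; do not use afterwards */` above it would guard future edits. The serialisation of the earlier fields (lines 75–164) is outside this view.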


@@ -31,7 +31,8 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
#include <gssapi_mech.h>
RCSID("$Id$");
@@ -225,18 +226,6 @@ static gss_OID_desc gss_krb5_mechanism_oid_desc =
gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
static gss_OID_desc gss_spnego_mechanism_oid_desc =
{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")};
gss_OID GSS_SPNEGO_MECHANISM = &gss_spnego_mechanism_oid_desc;
/*
* draft-ietf-cat-iakerb-09, IAKERB:
* The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance
@@ -260,8 +249,89 @@ static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc =
gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc;
/*
*
*/
static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
/*
* GSS-API mechanism extensions
* {iso(1), org(3), dod(6), internet(1), private(4), enterprise(1),
* padl(5322), gssKrb5Extensions(19)}
*/
static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x01"};
gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc;
static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x02"};
gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc;
static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x03"};
gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"};
gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc;
/*
* Context for krb5 calls.
*/
krb5_context gssapi_krb5_context;
krb5_context _gsskrb5_context;
/*
*
*/
static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
{9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
_gsskrb5_init_sec_context,
_gsskrb5_accept_sec_context,
_gsskrb5_process_context_token,
_gsskrb5_delete_sec_context,
_gsskrb5_context_time,
_gsskrb5_get_mic,
_gsskrb5_verify_mic,
_gsskrb5_wrap,
_gsskrb5_unwrap,
_gsskrb5_display_status,
_gsskrb5_indicate_mechs,
_gsskrb5_compare_name,
_gsskrb5_display_name,
_gsskrb5_import_name,
_gsskrb5_export_name,
_gsskrb5_release_name,
_gsskrb5_inquire_cred,
_gsskrb5_inquire_context,
_gsskrb5_wrap_size_limit,
_gsskrb5_add_cred,
_gsskrb5_inquire_cred_by_mech,
_gsskrb5_export_sec_context,
_gsskrb5_import_sec_context,
_gsskrb5_inquire_names_for_mech,
_gsskrb5_inquire_mechs_for_name,
_gsskrb5_canonicalize_name,
_gsskrb5_duplicate_name,
_gsskrb5_inquire_sec_context_by_oid,
_gsskrb5_inquire_cred_by_oid
};
gssapi_mech_interface
__gss_krb5_initialize(void)
{
return &krb5_mech;
}
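Review bot: The `krb5_mech` table binds some thirty function pointers purely by position to a struct whose layout lives in `gssapi_mech.h`, outside this file; a later reordering or insertion there would at best produce an incompatible-pointer-type warning, not an error, and the mechglue would then call the wrong entry point. Designated initialisers (`.FIELD_NAME = _gsskrb5_acquire_cred, …`, using the member names from `gssapi_mech.h`) make the binding explicit and order-independent. The OID literal on the third line duplicates the bytes of `gss_krb5_mechanism_oid_desc` declared above rather than referring to it — unavoidable in a static initialiser, but worth a comment: `/* must stay byte-identical to gss_krb5_mechanism_oid_desc (GSS_KRB5_MECHANISM) */`. The `__gss_krb5_initialize` name is presumably what the mechglue loader looks up, but a double-underscore identifier is reserved for the implementation and the file's other private symbols use a single `_gsskrb5_` prefix.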


@@ -31,14 +31,14 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
static OM_uint32
mic_des
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx ctx,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -54,7 +54,7 @@ mic_des
int32_t seq_number;
size_t len, total_len;
gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
message_token->length = total_len;
message_token->value = malloc (total_len);
@@ -64,7 +64,7 @@ mic_des
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header(message_token->value,
p = _gsskrb5_make_header(message_token->value,
len,
"\x01\x01", /* TOK_ID */
GSS_KRB5_MECHANISM);
@@ -92,10 +92,10 @@ mic_des
&schedule, &zero);
memcpy (p - 8, hash, 8); /* SGN_CKSUM */
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
p -= 16; /* SND_SEQ */
@@ -104,17 +104,17 @@ mic_des
p[2] = (seq_number >> 16) & 0xFF;
p[3] = (seq_number >> 24) & 0xFF;
memset (p + 4,
(context_handle->more_flags & LOCAL) ? 0 : 0xFF,
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
DES_set_key (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
@@ -126,7 +126,7 @@ mic_des
static OM_uint32
mic_des3
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx ctx,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -146,7 +146,7 @@ mic_des3
char *tmp;
char ivec[8];
gssapi_krb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM);
message_token->length = total_len;
message_token->value = malloc (total_len);
@@ -156,7 +156,7 @@ mic_des3
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header(message_token->value,
p = _gsskrb5_make_header(message_token->value,
len,
"\x01\x01", /* TOK-ID */
GSS_KRB5_MECHANISM);
@@ -180,18 +180,18 @@ mic_des3
memcpy (tmp, p - 8, 8);
memcpy (tmp + 8, message_buffer->value, message_buffer->length);
kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
kret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
free (tmp);
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_create_checksum (gssapi_krb5_context,
kret = krb5_create_checksum (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
@@ -199,22 +199,22 @@ mic_des3
message_buffer->length + 8,
&cksum);
free (tmp);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
seq[0] = (seq_number >> 0) & 0xFF;
@@ -222,35 +222,35 @@ mic_des3
seq[2] = (seq_number >> 16) & 0xFF;
seq[3] = (seq_number >> 24) & 0xFF;
memset (seq + 4,
(context_handle->more_flags & LOCAL) ? 0 : 0xFF,
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
kret = krb5_crypto_init(gssapi_krb5_context, key,
kret = krb5_crypto_init(_gsskrb5_context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
if (context_handle->more_flags & COMPAT_OLD_DES3)
if (ctx->more_flags & COMPAT_OLD_DES3)
memset(ivec, 0, 8);
else
memcpy(ivec, p + 8, 8);
kret = krb5_encrypt_ivec (gssapi_krb5_context,
kret = krb5_encrypt_ivec (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata, ivec);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -260,17 +260,17 @@ mic_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_Checksum (&cksum);
*minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32 gss_get_mic
OM_uint32 _gsskrb5_get_mic
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
@@ -278,37 +278,38 @@ OM_uint32 gss_get_mic
gss_buffer_t message_token
)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
ret = gss_krb5_get_subkey(context_handle, &key);
ret = _gsskrb5i_get_subkey(ctx, &key);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = mic_des (minor_status, context_handle, qop_req,
ret = mic_des (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_DES3 :
ret = mic_des3 (minor_status, context_handle, qop_req,
ret = mic_des3 (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req,
ret = _gssapi_get_mic_arcfour (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
default :
ret = _gssapi_mic_cfx (minor_status, context_handle, qop_req,
ret = _gssapi_mic_cfx (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
krb5_free_keyblock (_gsskrb5_context, key);
return ret;
}
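Review bot: The result of `krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);` in `_gsskrb5_get_mic` is discarded, so on failure `keytype` is never written and the following `switch` dispatches on an uninitialised value — in practice into the `default` CFX path with a key of unknown type. Check it and release the key on the error path: `ret = krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);` followed by `if (ret) { krb5_free_keyblock (_gsskrb5_context, key); *minor_status = ret; return GSS_S_FAILURE; }`. The `ctx` cast at the top of the function is taken with no visible null check; if the mechglue now guarantees a valid krb5 handle before dispatch that is fine, but a comment saying so would help, since the old public entry point could be called directly.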


@@ -1,681 +0,0 @@
.\" Copyright (c) 2003 - 2005 Kungliga Tekniska H<>gskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd October 26, 2005
.Dt GSS_ACQUIRE_CRED 3
.Os HEIMDAL
.Sh NAME
.Nm gss_accept_sec_context ,
.Nm gss_acquire_cred ,
.Nm gss_add_cred ,
.Nm gss_add_oid_set_member ,
.Nm gss_canonicalize_name ,
.Nm gss_compare_name ,
.Nm gss_context_time ,
.Nm gss_create_empty_oid_set ,
.Nm gss_delete_sec_context ,
.Nm gss_display_name ,
.Nm gss_display_status ,
.Nm gss_duplicate_name ,
.Nm gss_export_name ,
.Nm gss_export_sec_context ,
.Nm gss_get_mic ,
.Nm gss_import_name ,
.Nm gss_import_sec_context ,
.Nm gss_indicate_mechs ,
.Nm gss_init_sec_context ,
.Nm gss_inquire_context ,
.Nm gss_inquire_cred ,
.Nm gss_inquire_cred_by_mech ,
.Nm gss_inquire_mechs_for_name ,
.Nm gss_inquire_names_for_mech ,
.Nm gss_krb5_ccache_name ,
.Nm gss_krb5_compat_des3_mic ,
.Nm gss_krb5_copy_ccache ,
.Nm gss_krb5_import_cred
.Nm gsskrb5_extract_authz_data_from_sec_context ,
.Nm gss_krb5_import_ccache ,
.Nm gss_krb5_get_tkt_flags ,
.Nm gss_process_context_token ,
.Nm gss_release_buffer ,
.Nm gss_release_cred ,
.Nm gss_release_name ,
.Nm gss_release_oid_set ,
.Nm gss_seal ,
.Nm gss_sign ,
.Nm gss_test_oid_set_member ,
.Nm gss_unseal ,
.Nm gss_unwrap ,
.Nm gss_verify ,
.Nm gss_verify_mic ,
.Nm gss_wrap ,
.Nm gss_wrap_size_limit
.Nd Generic Security Service Application Program Interface library
.Sh LIBRARY
GSS-API library (libgssapi, -lgssapi)
.Sh SYNOPSIS
.In gssapi.h
.Pp
.Ft OM_uint32
.Fo gss_accept_sec_context
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t * context_handle"
.Fa "const gss_cred_id_t acceptor_cred_handle"
.Fa "const gss_buffer_t input_token_buffer"
.Fa "const gss_channel_bindings_t input_chan_bindings"
.Fa "gss_name_t * src_name"
.Fa "gss_OID * mech_type"
.Fa "gss_buffer_t output_token"
.Fa "OM_uint32 * ret_flags"
.Fa "OM_uint32 * time_rec"
.Fa "gss_cred_id_t * delegated_cred_handle"
.Fc
.Pp
.Ft OM_uint32
.Fo gss_acquire_cred
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t desired_name"
.Fa "OM_uint32 time_req"
.Fa "const gss_OID_set desired_mechs"
.Fa "gss_cred_usage_t cred_usage"
.Fa "gss_cred_id_t * output_cred_handle"
.Fa "gss_OID_set * actual_mechs"
.Fa "OM_uint32 * time_rec"
.Fc
.Ft OM_uint32
.Fo gss_add_cred
.Fa "OM_uint32 *minor_status"
.Fa "const gss_cred_id_t input_cred_handle"
.Fa "const gss_name_t desired_name"
.Fa "const gss_OID desired_mech"
.Fa "gss_cred_usage_t cred_usage"
.Fa "OM_uint32 initiator_time_req"
.Fa "OM_uint32 acceptor_time_req"
.Fa "gss_cred_id_t *output_cred_handle"
.Fa "gss_OID_set *actual_mechs"
.Fa "OM_uint32 *initiator_time_rec"
.Fa "OM_uint32 *acceptor_time_rec"
.Fc
.Ft OM_uint32
.Fo gss_add_oid_set_member
.Fa "OM_uint32 * minor_status"
.Fa "const gss_OID member_oid"
.Fa "gss_OID_set * oid_set"
.Fc
.Ft OM_uint32
.Fo gss_canonicalize_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t input_name"
.Fa "const gss_OID mech_type"
.Fa "gss_name_t * output_name"
.Fc
.Ft OM_uint32
.Fo gss_compare_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t name1"
.Fa "const gss_name_t name2"
.Fa "int * name_equal"
.Fc
.Ft OM_uint32
.Fo gss_context_time
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "OM_uint32 * time_rec"
.Fc
.Ft OM_uint32
.Fo gss_create_empty_oid_set
.Fa "OM_uint32 * minor_status"
.Fa "gss_OID_set * oid_set"
.Fc
.Ft OM_uint32
.Fo gss_delete_sec_context
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t * context_handle"
.Fa "gss_buffer_t output_token"
.Fc
.Ft OM_uint32
.Fo gss_display_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t input_name"
.Fa "gss_buffer_t output_name_buffer"
.Fa "gss_OID * output_name_type"
.Fc
.Ft OM_uint32
.Fo gss_display_status
.Fa "OM_uint32 *minor_status"
.Fa "OM_uint32 status_value"
.Fa "int status_type"
.Fa "const gss_OID mech_type"
.Fa "OM_uint32 *message_context"
.Fa "gss_buffer_t status_string"
.Fc
.Ft OM_uint32
.Fo gss_duplicate_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t src_name"
.Fa "gss_name_t * dest_name"
.Fc
.Ft OM_uint32
.Fo gss_export_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t input_name"
.Fa "gss_buffer_t exported_name"
.Fc
.Ft OM_uint32
.Fo gss_export_sec_context
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t * context_handle"
.Fa "gss_buffer_t interprocess_token"
.Fc
.Ft OM_uint32
.Fo gss_get_mic
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "gss_qop_t qop_req"
.Fa "const gss_buffer_t message_buffer"
.Fa "gss_buffer_t message_token"
.Fc
.Ft OM_uint32
.Fo gss_import_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_buffer_t input_name_buffer"
.Fa "const gss_OID input_name_type"
.Fa "gss_name_t * output_name"
.Fc
.Ft OM_uint32
.Fo gss_import_sec_context
.Fa "OM_uint32 * minor_status"
.Fa "const gss_buffer_t interprocess_token"
.Fa "gss_ctx_id_t * context_handle"
.Fc
.Ft OM_uint32
.Fo gss_indicate_mechs
.Fa "OM_uint32 * minor_status"
.Fa "gss_OID_set * mech_set"
.Fc
.Ft OM_uint32
.Fo gss_init_sec_context
.Fa "OM_uint32 * minor_status"
.Fa "const gss_cred_id_t initiator_cred_handle"
.Fa "gss_ctx_id_t * context_handle"
.Fa "const gss_name_t target_name"
.Fa "const gss_OID mech_type"
.Fa "OM_uint32 req_flags"
.Fa "OM_uint32 time_req"
.Fa "const gss_channel_bindings_t input_chan_bindings"
.Fa "const gss_buffer_t input_token"
.Fa "gss_OID * actual_mech_type"
.Fa "gss_buffer_t output_token"
.Fa "OM_uint32 * ret_flags"
.Fa "OM_uint32 * time_rec"
.Fc
.Ft OM_uint32
.Fo gss_inquire_context
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "gss_name_t * src_name"
.Fa "gss_name_t * targ_name"
.Fa "OM_uint32 * lifetime_rec"
.Fa "gss_OID * mech_type"
.Fa "OM_uint32 * ctx_flags"
.Fa "int * locally_initiated"
.Fa "int * open_context"
.Fc
.Ft OM_uint32
.Fo gss_inquire_cred
.Fa "OM_uint32 * minor_status"
.Fa "const gss_cred_id_t cred_handle"
.Fa "gss_name_t * name"
.Fa "OM_uint32 * lifetime"
.Fa "gss_cred_usage_t * cred_usage"
.Fa "gss_OID_set * mechanisms"
.Fc
.Ft OM_uint32
.Fo gss_inquire_cred_by_mech
.Fa "OM_uint32 * minor_status"
.Fa "const gss_cred_id_t cred_handle"
.Fa "const gss_OID mech_type"
.Fa "gss_name_t * name"
.Fa "OM_uint32 * initiator_lifetime"
.Fa "OM_uint32 * acceptor_lifetime"
.Fa "gss_cred_usage_t * cred_usage"
.Fc
.Ft OM_uint32
.Fo gss_inquire_mechs_for_name
.Fa "OM_uint32 * minor_status"
.Fa "const gss_name_t input_name"
.Fa "gss_OID_set * mech_types"
.Fc
.Ft OM_uint32
.Fo gss_inquire_names_for_mech
.Fa "OM_uint32 * minor_status"
.Fa "const gss_OID mechanism"
.Fa "gss_OID_set * name_types"
.Fc
.Ft OM_uint32
.Fo gss_krb5_ccache_name
.Fa "OM_uint32 *minor"
.Fa "const char *name"
.Fa "const char **old_name"
.Fc
.Ft OM_uint32
.Fo gss_krb5_copy_ccache
.Fa "OM_uint32 *minor"
.Fa "gss_cred_id_t cred"
.Fa "krb5_ccache out"
.Fc
.Ft OM_uint32
.Fo gss_krb5_import_cred
.Fa "OM_uint32 *minor_status"
.Fa "krb5_ccache id"
.Fa "krb5_principal keytab_principal"
.Fa "krb5_keytab keytab"
.Fa "gss_cred_id_t *cred"
.Fc
.Ft OM_uint32
.Fo gss_krb5_compat_des3_mic
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "int onoff"
.Fc
.Ft OM_uint32
.Fo gsskrb5_extract_authz_data_from_sec_context
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "int ad_type"
.Fa "gss_buffer_t ad_data"
.Fc
.Ft OM_uint32
.Fo gss_krb5_import_cache
.Fa "OM_uint32 *minor"
.Fa "krb5_ccache id"
.Fa "krb5_keytab keytab"
.Fa "gss_cred_id_t *cred"
.Fc
.Ft OM_uint32
.Fo gss_krb5_get_tkt_flags
.Fa "OM_uint32 *minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "OM_uint32 *tkt_flags"
.Fc
.Ft OM_uint32
.Fo gss_process_context_token
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "const gss_buffer_t token_buffer"
.Fc
.Ft OM_uint32
.Fo gss_release_buffer
.Fa "OM_uint32 * minor_status"
.Fa "gss_buffer_t buffer"
.Fc
.Ft OM_uint32
.Fo gss_release_cred
.Fa "OM_uint32 * minor_status"
.Fa "gss_cred_id_t * cred_handle"
.Fc
.Ft OM_uint32
.Fo gss_release_name
.Fa "OM_uint32 * minor_status"
.Fa "gss_name_t * input_name"
.Fc
.Ft OM_uint32
.Fo gss_release_oid_set
.Fa "OM_uint32 * minor_status"
.Fa "gss_OID_set * set"
.Fc
.Ft OM_uint32
.Fo gss_seal
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "int conf_req_flag"
.Fa "int qop_req"
.Fa "gss_buffer_t input_message_buffer"
.Fa "int * conf_state"
.Fa "gss_buffer_t output_message_buffer"
.Fc
.Ft OM_uint32
.Fo gss_sign
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "int qop_req"
.Fa "gss_buffer_t message_buffer"
.Fa "gss_buffer_t message_token"
.Fc
.Ft OM_uint32
.Fo gss_test_oid_set_member
.Fa "OM_uint32 * minor_status"
.Fa "const gss_OID member"
.Fa "const gss_OID_set set"
.Fa "int * present"
.Fc
.Ft OM_uint32
.Fo gss_unseal
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "gss_buffer_t input_message_buffer"
.Fa "gss_buffer_t output_message_buffer"
.Fa "int * conf_state"
.Fa "int * qop_state"
.Fc
.Ft OM_uint32
.Fo gss_unwrap
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "const gss_buffer_t input_message_buffer"
.Fa "gss_buffer_t output_message_buffer"
.Fa "int * conf_state"
.Fa "gss_qop_t * qop_state"
.Fc
.Ft OM_uint32
.Fo gss_verify
.Fa "OM_uint32 * minor_status"
.Fa "gss_ctx_id_t context_handle"
.Fa "gss_buffer_t message_buffer"
.Fa "gss_buffer_t token_buffer"
.Fa "int * qop_state"
.Fc
.Ft OM_uint32
.Fo gss_verify_mic
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "const gss_buffer_t message_buffer"
.Fa "const gss_buffer_t token_buffer"
.Fa "gss_qop_t * qop_state"
.Fc
.Ft OM_uint32
.Fo gss_wrap
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "int conf_req_flag"
.Fa "gss_qop_t qop_req"
.Fa "const gss_buffer_t input_message_buffer"
.Fa "int * conf_state"
.Fa "gss_buffer_t output_message_buffer"
.Fc
.Ft OM_uint32
.Fo gss_wrap_size_limit
.Fa "OM_uint32 * minor_status"
.Fa "const gss_ctx_id_t context_handle"
.Fa "int conf_req_flag"
.Fa "gss_qop_t qop_req"
.Fa "OM_uint32 req_output_size"
.Fa "OM_uint32 * max_input_size"
.Fc
.Sh DESCRIPTION
Generic Security Service API (GSS-API) version 2, and its C binding,
is described in
.Li RFC2743
and
.Li RFC2744 .
Version 1 (deprecated) of the C binding is described in
.Li RFC1509 .
.Pp
Heimdals GSS-API implementation supports the following mechanisms
.Bl -bullet
.It
.Li GSS_KRB5_MECHANISM
.It
.Li GSS_SPNEGO_MECHANISM
.El
.Pp
GSS-API have generic name types that all mechanism are supposed to
implement (if possible):
.Bl -bullet
.It
.Li GSS_C_NT_USER_NAME
.It
.Li GSS_C_NT_MACHINE_UID_NAME
.It
.Li GSS_C_NT_STRING_UID_NAME
.It
.Li GSS_C_NT_HOSTBASED_SERVICE
.It
.Li GSS_C_NT_ANONYMOUS
.It
.Li GSS_C_NT_EXPORT_NAME
.El
.Pp
GSS-API implementations that supports Kerberos 5 have some additional
name types:
.Bl -bullet
.It
.Li GSS_KRB5_NT_PRINCIPAL_NAME
.It
.Li GSS_KRB5_NT_USER_NAME
.It
.Li GSS_KRB5_NT_MACHINE_UID_NAME
.It
.Li GSS_KRB5_NT_STRING_UID_NAME
.El
.Pp
In GSS-API, names have two forms, internal names and contiguous string
names.
.Bl -bullet
.It
.Li Internal name and mechanism name
.Pp
Internal names are implementation specific representation of
a GSS-API name.
.Li Mechanism names
special form of internal names corresponds to one and only one mechanism.
.Pp
In GSS-API an internal name is stored in a
.Dv gss_name_t .
.It
.Li Contiguous string name and exported name
.Pp
Contiguous string names are gssapi names stored in a
.Dv OCTET STRING
that together with a name type identifier (OID) uniquely specifies a
gss-name.
A special form of the contiguous string name is the exported name that
have a OID embedded in the string to make it unique.
Exported name have the nametype
.Dv GSS_C_NT_EXPORT_NAME .
.Pp
In GSS-API an contiguous string name is stored in a
.Dv gss_buffer_t .
.Pp
Exported names also have the property that they are specified by the
mechanism itself and compatible between diffrent GSS-API
implementations.
.El
.Sh ACCESS CONTROL
There are two ways of comparing GSS-API names, either comparing two
internal names with each other or two contiguous string names with
either other.
.Pp
To compare two internal names with each other, import (if needed) the
names with
.Fn gss_import_name
into the GSS-API implementation and the compare the imported name with
.Fn gss_compare_name .
.Pp
Importing names can be slow, so when its possible to store exported
names in the access control list, comparing contiguous string name
might be better.
.Pp
when comparing contiguous string name, first export them into a
.Dv GSS_C_NT_EXPORT_NAME
name with
.Fn gss_export_name
and then compare with
.Xr memcmp 3 .
.Pp
Note that there are might be a difference between the two methods of
comparing names.
The first (using
.Fn gss_compare_name )
will compare to (unauthenticated) names are the same.
The second will compare if a mechanism will authenticate them as the
same principal.
.Pp
For example, if
.Fn gss_import_name
name was used with
.Dv GSS_C_NO_OID
the default syntax is used for all mechanism the GSS-API
implementation supports.
When compare the imported name of
.Dv GSS_C_NO_OID
it may match serveral mechanism names (MN).
.Pp
The resulting name from
.Fn gss_display_name
must not be used for acccess control.
.Sh FUNCTIONS
.Fn gss_display_name
takes the gss name in
.Fa input_name
and puts a printable form in
.Fa output_name_buffer .
.Fa output_name_buffer
should be freed when done using
.Fn gss_release_buffer .
.Fa output_name_type
can either be
.Dv NULL
or a pointer to a
.Li gss_OID
and will in the latter case contain the OID type of the name.
The name must only be used for printing.
If access control is needed, see section
.Sx ACCESS CONTROL .
.Pp
.Fn gss_inquire_context
returns information about the context.
Information is available even after the context have expired.
.Fa lifetime_rec
argument is set to
.Dv GSS_C_INDEFINITE
(dont expire) or the number of seconds that the context is still valid.
A value of 0 means that the context is expired.
.Fa mech_type
argument should be considered readonly and must not be released.
.Fa src_name
and
.Fn dest_name
are both mechanims names and must be released with
.Fn gss_release_name
when no longer used.
.Pp
.Nm gss_context_time
will return the amount of time (in seconds) of the context is still
valid.
If its expired
.Fa time_rec
will be set to 0 and
.Dv GSS_S_CONTEXT_EXPIRED
returned.
.Pp
.Fn gss_sign ,
.Fn gss_verify ,
.Fn gss_seal ,
and
.Fn gss_unseal
are part of the GSS-API V1 interface and are obsolete.
The functions should not be used for new applications.
They are provided so that version 1 applications can link against the
library.
.Sh EXTENSIONS
.Fn gss_krb5_ccache_name
sets the internal kerberos 5 credential cache name to
.Fa name .
The old name is returned in
.Fa old_name ,
and must not be freed.
The data allocated for
.Fa old_name
is free upon next call to
.Fn gss_krb5_ccache_name .
This function is not threadsafe if
.Fa old_name
argument is used.
.Pp
.Fn gss_krb5_copy_ccache
will extract the krb5 credentials that are transferred from the
initiator to the acceptor when using token delegation in the Kerberos
mechanism.
The acceptor receives the delegated token in the last argument to
.Fn gss_accept_sec_context .
.Pp
.Fn gss_krb5_import_cred
will import the krb5 credentials (both keytab and/or credential cache)
into gss credential so it can be used withing GSS-API.
The
.Fa ccache
is copied by reference and thus shared, so if the credential is destroyed
with
.Fa krb5_cc_destroy ,
all users of thep
.Fa gss_cred_id_t
returned by
.Fn gss_krb5_import_ccache
will fail.
.Pp
.Fn gsskrb5_register_acceptor_identity
sets the Kerberos 5 principal that the acceptor will use.
.Pp
.Fn gsskrb5_extract_authz_data_from_sec_context
extracts the Kerberos authorizationdata that may be stored within the
context.
Tha caller must free the returned buffer
.Fa ad_data
with
.Fn gss_release_buffer
upon success.
.Pp
.Fn gss_krb5_get_tkt_flags
return the ticket flags for the kerberos ticket receive when
authenticating the initiator.
Only valid on the acceptor context.
.Pp
.Fn gss_krb5_compat_des3_mic
turns on or off the compatibility with older version of Heimdal using
des3 get and verify mic, this is way to programmatically set the
[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see
COMPATIBILITY section in
.Xr gssapi 3 ) .
If the CPP symbol
.Dv GSS_C_KRB5_COMPAT_DES3_MIC
is present,
.Fn gss_krb5_compat_des3_mic
exists.
.Fn gss_krb5_compat_des3_mic
will be removed in a later version of the GSS-API library.
.Sh SEE ALSO
.Xr gssapi 3 ,
.Xr krb5 3 ,
.Xr krb5_ccache 3 ,
.Xr kerberos 8

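--- a/PATH_NOT_ON_PAGE/gssapi.3
+++ /dev/null
@@ -1,177 +0,0 @@
-.\" Copyright (c) 2003 - 2005 Kungliga Tekniska H<>gskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id$
-.\"
-.Dd April 20, 2005
-.Dt GSSAPI 3
-.Os
-.Sh NAME
-.Nm gssapi
-.Nd Generic Security Service Application Program Interface library
-.Sh LIBRARY
-GSS-API Library (libgssapi, -lgssapi)
-.Sh DESCRIPTION
-The Generic Security Service Application Program Interface (GSS-API)
-provides security services to callers in a generic fashion,
-supportable with a range of underlying mechanisms and technologies and
-hence allowing source-level portability of applications to different
-environments.
-.Pp
-The GSS-API implementation in Heimdal implements the Kerberos 5 and
-the SPNEGO GSS-API security mechanisms.
-.Sh LIST OF FUNCTIONS
-These functions constitute the gssapi library,
-.Em libgssapi .
-Declarations for these functions may be obtained from the include file
-.Pa gssapi.h .
-.sp 2
-.nf
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
-\fIName/Page\fP \fIDescription\fP
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
-.sp 5p
-gss_accept_sec_context.3
-gss_acquire_cred.3
-gss_add_cred.3
-gss_add_oid_set_member.3
-gss_canonicalize_name.3
-gss_compare_name.3
-gss_context_time.3
-gss_create_empty_oid_set.3
-gss_delete_sec_context.3
-gss_display_name.3
-gss_display_status.3
-gss_duplicate_name.3
-gss_export_name.3
-gss_export_sec_context.3
-gss_get_mic.3
-gss_import_name.3
-gss_import_sec_context.3
-gss_indicate_mechs.3
-gss_init_sec_context.3
-gss_inquire_context.3
-gss_inquire_cred.3
-gss_inquire_cred_by_mech.3
-gss_inquire_mechs_for_name.3
-gss_inquire_names_for_mech.3
-gss_krb5_ccache_name.3
-gss_krb5_compat_des3_mic.3
-gss_krb5_copy_ccache.3
-gss_krb5_extract_authz_data_from_sec_context.3
-gss_krb5_import_ccache.3
-gss_process_context_token.3
-gss_release_buffer.3
-gss_release_cred.3
-gss_release_name.3
-gss_release_oid_set.3
-gss_seal.3
-gss_sign.3
-gss_test_oid_set_member.3
-gss_unseal.3
-gss_unwrap.3
-gss_verify.3
-gss_verify_mic.3
-gss_wrap.3
-gss_wrap_size_limit.3
-.ta
-.Fi
-.Sh COMPATIBILITY
-The
-.Nm Heimdal
-GSS-API implementation had a bug in releases before 0.6 that made it
-fail to inter-operate when using DES3 with other GSS-API
-implementations when using
-.Fn gss_get_mic
-/
-.Fn gss_verify_mic .
-It is possible to modify the behavior of the generator of the MIC with
-the
-.Pa krb5.conf
-configuration file so that old clients/servers will still
-work.
-.Pp
-New clients/servers will try both the old and new MIC in Heimdal 0.6.
-In 0.7 it will check only if configured - the compatibility code will
-be removed in 0.8.
-.Pp
-Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
-this will change in 0.7 to generate correct des3 mic.
-.Pp
-To turn on compatibility with older clients and servers, change the
-.Nm [gssapi]
-.Ar broken_des3_mic
-in
-.Pa krb5.conf
-that contains a list of globbing expressions that will be matched
-against the server name.
-To turn off generation of the old (incompatible) mic of the MIC use
-.Nm [gssapi]
-.Ar correct_des3_mic .
-.Pp
-If a match for a entry is in both
-.Nm [gssapi]
-.Ar correct_des3_mic
-and
-.Nm [gssapi]
-.Ar broken_des3_mic ,
-the later will override.
-.Pp
-This config option modifies behaviour for both clients and servers.
-.Pp
-Microsoft implemented SPNEGO to Windows2000, however, they manage to
-get it wrong, their implementation didn't fill in the MechListMIC in
-the reply token with the right content.
-There is a work around for this problem, but not all implementation
-support it.
-.Pp
-Heimdal defaults to correct SPNEGO when the the kerberos
-implementation uses CFX, or when its configured by the user.
-To turn on compatibility with peers, use option
-.Nm [gssapi]
-.Ar require_mechlist_mic .
-.Sh EXAMPLES
-.Bd -literal -offset indent
-[gssapi]
-broken_des3_mic = cvs/*@SU.SE
-broken_des3_mic = host/*@E.KTH.SE
-correct_des3_mic = host/*@SU.SE
-require_mechlist_mic = host/*@SU.SE
-.Ed
-.Sh BUGS
-All of 0.5.x versions of
-.Nm heimdal
-had broken token delegations in the client side, the server side was
-correct.
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5.conf 5 ,
-.Xr kerberos 8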

@@ -1,811 +0,0 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
/*
* First, include stddef.h to get size_t defined.
*/
#include <stddef.h>
#include <krb5-types.h>
/*
* Now define the three implementation-dependent types.
*/
typedef uint32_t OM_uint32;
typedef uint32_t gss_uint32;
/*
* This is to avoid having to include <krb5.h>
*/
struct krb5_auth_context_data;
struct Principal;
/* typedef void *gss_name_t; */
typedef struct Principal *gss_name_t;
struct gss_ctx_id_t_desc_struct;
typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t;
typedef struct gss_OID_desc_struct {
OM_uint32 length;
void *elements;
} gss_OID_desc, *gss_OID;
typedef struct gss_OID_set_desc_struct {
size_t count;
gss_OID elements;
} gss_OID_set_desc, *gss_OID_set;
struct krb5_keytab_data;
struct krb5_ccache_data;
typedef int gss_cred_usage_t;
struct gss_cred_id_t_desc_struct;
typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t;
typedef struct gss_buffer_desc_struct {
size_t length;
void *value;
} gss_buffer_desc, *gss_buffer_t;
typedef struct gss_channel_bindings_struct {
OM_uint32 initiator_addrtype;
gss_buffer_desc initiator_address;
OM_uint32 acceptor_addrtype;
gss_buffer_desc acceptor_address;
gss_buffer_desc application_data;
} *gss_channel_bindings_t;
/*
* For now, define a QOP-type as an OM_uint32
*/
typedef OM_uint32 gss_qop_t;
/*
* Flag bits for context-level services.
*/
#define GSS_C_DELEG_FLAG 1
#define GSS_C_MUTUAL_FLAG 2
#define GSS_C_REPLAY_FLAG 4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG 16
#define GSS_C_INTEG_FLAG 32
#define GSS_C_ANON_FLAG 64
#define GSS_C_PROT_READY_FLAG 128
#define GSS_C_TRANS_FLAG 256
/*
* Credential usage options
*/
#define GSS_C_BOTH 0
#define GSS_C_INITIATE 1
#define GSS_C_ACCEPT 2
/*
* Status code types for gss_display_status
*/
#define GSS_C_GSS_CODE 1
#define GSS_C_MECH_CODE 2
/*
* The constant definitions for channel-bindings address families
*/
#define GSS_C_AF_UNSPEC 0
#define GSS_C_AF_LOCAL 1
#define GSS_C_AF_INET 2
#define GSS_C_AF_IMPLINK 3
#define GSS_C_AF_PUP 4
#define GSS_C_AF_CHAOS 5
#define GSS_C_AF_NS 6
#define GSS_C_AF_NBS 7
#define GSS_C_AF_ECMA 8
#define GSS_C_AF_DATAKIT 9
#define GSS_C_AF_CCITT 10
#define GSS_C_AF_SNA 11
#define GSS_C_AF_DECnet 12
#define GSS_C_AF_DLI 13
#define GSS_C_AF_LAT 14
#define GSS_C_AF_HYLINK 15
#define GSS_C_AF_APPLETALK 16
#define GSS_C_AF_BSC 17
#define GSS_C_AF_DSS 18
#define GSS_C_AF_OSI 19
#define GSS_C_AF_X25 21
#define GSS_C_AF_INET6 24
#define GSS_C_AF_NULLADDR 255
/*
* Various Null values
*/
#define GSS_C_NO_NAME ((gss_name_t) 0)
#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
#define GSS_C_NO_OID ((gss_OID) 0)
#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
#define GSS_C_EMPTY_BUFFER {0, NULL}
/*
* Some alternate names for a couple of the above
* values. These are defined for V1 compatibility.
*/
#define GSS_C_NULL_OID GSS_C_NO_OID
#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
/*
* Define the default Quality of Protection for per-message
* services. Note that an implementation that offers multiple
* levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
* (as done here) to mean "default protection", or to a specific
* explicit QOP value. However, a value of 0 should always be
* interpreted by a GSSAPI implementation as a request for the
* default protection level.
*/
#define GSS_C_QOP_DEFAULT 0
#define GSS_KRB5_CONF_C_QOP_DES 0x0100
#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200
/*
* Expiration time of 2^32-1 seconds means infinite lifetime for a
* credential or security context
*/
#define GSS_C_INDEFINITE 0xfffffffful
#ifdef __cplusplus
extern "C" {
#endif
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x01"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
* GSS_C_NT_USER_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_USER_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x02"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
* The constant GSS_C_NT_MACHINE_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x03"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
* The constant GSS_C_NT_STRING_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_STRING_UID_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
* corresponding to an object-identifier value of
* {iso(1) org(3) dod(6) internet(1) security(5)
* nametypes(6) gss-host-based-services(2)). The constant
* GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
* to that gss_OID_desc. This is a deprecated OID value, and
* implementations wishing to support hostbased-service names
* should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
* defined below, to identify such names;
* GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
* for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
* parameter, but should not be emitted by GSS-API
* implementations
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x04"}, corresponding to an
* object-identifier value of {iso(1) member-body(2)
* Unites States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) service_name(4)}. The constant
* GSS_C_NT_HOSTBASED_SERVICE should be initialized
* to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\01\x05\x06\x03"},
* corresponding to an object identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 3(gss-anonymous-name)}. The constant
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_ANONYMOUS;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
* corresponding to an object-identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 4(gss-api-exported-name)}. The constant
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_EXPORT_NAME;
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
extern gss_OID GSS_SPNEGO_MECHANISM;
/*
* This if for kerberos5 names.
*/
extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
extern gss_OID GSS_KRB5_NT_USER_NAME;
extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
extern gss_OID GSS_KRB5_MECHANISM;
/* for compatibility with MIT api */
#define gss_mech_krb5 GSS_KRB5_MECHANISM
#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
/* Major status codes */
#define GSS_S_COMPLETE 0
/*
* Some "helper" definitions to make the status code macros obvious.
*/
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK 0377ul
#define GSS_C_ROUTINE_ERROR_MASK 0377ul
#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
/*
* The macros that test status codes for error conditions.
* Note that the GSS_ERROR() macro has changed slightly from
* the V1 GSSAPI so that it now evaluates its argument
* only once.
*/
#define GSS_CALLING_ERROR(x) \
(x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) \
(x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) \
(x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
(x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
(GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
/*
* Now the actual status code definitions
*/
/*
* Calling errors:
*/
#define GSS_S_CALL_INACCESSIBLE_READ \
(1ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_INACCESSIBLE_WRITE \
(2ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_BAD_STRUCTURE \
(3ul << GSS_C_CALLING_ERROR_OFFSET)
/*
* Routine errors:
*/
#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_MIC GSS_S_BAD_SIG
#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
/*
* Supplementary info bits:
*/
#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
/*
* From RFC1964:
*
* 4.1.1. Non-Kerberos-specific codes
*/
#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
/* "No @ in SERVICE-NAME name string" */
#define GSS_KRB5_S_G_BAD_STRING_UID 2
/* "STRING-UID-NAME contains nondigits" */
#define GSS_KRB5_S_G_NOUSER 3
/* "UID does not resolve to username" */
#define GSS_KRB5_S_G_VALIDATE_FAILED 4
/* "Validation error" */
#define GSS_KRB5_S_G_BUFFER_ALLOC 5
/* "Couldn't allocate gss_buffer_t data" */
#define GSS_KRB5_S_G_BAD_MSG_CTX 6
/* "Message context invalid" */
#define GSS_KRB5_S_G_WRONG_SIZE 7
/* "Buffer is the wrong size" */
#define GSS_KRB5_S_G_BAD_USAGE 8
/* "Credential usage type is unknown" */
#define GSS_KRB5_S_G_UNKNOWN_QOP 9
/* "Unknown quality of protection specified" */
/*
* 4.1.2. Kerberos-specific-codes
*/
#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
/* "Principal in credential cache does not match desired name" */
#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
/* "No principal in keytab matches desired name" */
#define GSS_KRB5_S_KG_TGT_MISSING 12
/* "Credential cache has no TGT" */
#define GSS_KRB5_S_KG_NO_SUBKEY 13
/* "Authenticator has no subkey" */
#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
/* "Context is already fully established" */
#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
/* "Unknown signature type in token" */
#define GSS_KRB5_S_KG_BAD_LENGTH 16
/* "Invalid field length in token" */
#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
/* "Attempt to use incomplete security context" */
/*
* Finally, function prototypes for the GSS-API routines.
*/
OM_uint32 gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
OM_uint32 /*time_req*/,
const gss_OID_set /*desired_mechs*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_release_cred
(OM_uint32 * /*minor_status*/,
gss_cred_id_t * /*cred_handle*/
);
OM_uint32 gss_init_sec_context
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
const gss_name_t /*target_name*/,
const gss_OID /*mech_type*/,
OM_uint32 /*req_flags*/,
OM_uint32 /*time_req*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
const gss_buffer_t /*input_token*/,
gss_OID * /*actual_mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_accept_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_cred_id_t /*acceptor_cred_handle*/,
const gss_buffer_t /*input_token_buffer*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
gss_name_t * /*src_name*/,
gss_OID * /*mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/,
gss_cred_id_t * /*delegated_cred_handle*/
);
OM_uint32 gss_process_context_token
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*token_buffer*/
);
OM_uint32 gss_delete_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*output_token*/
);
OM_uint32 gss_context_time
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_get_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_wrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unwrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_display_status
(OM_uint32 * /*minor_status*/,
OM_uint32 /*status_value*/,
int /*status_type*/,
const gss_OID /*mech_type*/,
OM_uint32 * /*message_context*/,
gss_buffer_t /*status_string*/
);
OM_uint32 gss_indicate_mechs
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*mech_set*/
);
OM_uint32 gss_compare_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * /*name_equal*/
);
OM_uint32 gss_display_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * /*output_name_type*/
);
OM_uint32 gss_import_name
(OM_uint32 * /*minor_status*/,
const gss_buffer_t /*input_name_buffer*/,
const gss_OID /*input_name_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_export_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*exported_name*/
);
OM_uint32 gss_release_name
(OM_uint32 * /*minor_status*/,
gss_name_t * /*input_name*/
);
OM_uint32 gss_release_buffer
(OM_uint32 * /*minor_status*/,
gss_buffer_t /*buffer*/
);
OM_uint32 gss_release_oid_set
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*set*/
);
OM_uint32 gss_inquire_cred
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
gss_name_t * /*name*/,
OM_uint32 * /*lifetime*/,
gss_cred_usage_t * /*cred_usage*/,
gss_OID_set * /*mechanisms*/
);
OM_uint32 gss_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_name_t * /*src_name*/,
gss_name_t * /*targ_name*/,
OM_uint32 * /*lifetime_rec*/,
gss_OID * /*mech_type*/,
OM_uint32 * /*ctx_flags*/,
int * /*locally_initiated*/,
int * /*open_context*/
);
OM_uint32 gss_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 * /*max_input_size*/
);
OM_uint32 gss_add_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
const gss_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
OM_uint32 /*initiator_time_req*/,
OM_uint32 /*acceptor_time_req*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*initiator_time_rec*/,
OM_uint32 * /*acceptor_time_rec*/
);
OM_uint32 gss_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*mech_type*/,
gss_name_t * /*name*/,
OM_uint32 * /*initiator_lifetime*/,
OM_uint32 * /*acceptor_lifetime*/,
gss_cred_usage_t * /*cred_usage*/
);
OM_uint32 gss_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*interprocess_token*/
);
OM_uint32 gss_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t * /*context_handle*/
);
OM_uint32 gss_create_empty_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_add_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member_oid*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_test_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member*/,
const gss_OID_set /*set*/,
int * /*present*/
);
OM_uint32 gss_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * /*name_types*/
);
OM_uint32 gss_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * /*mech_types*/
);
OM_uint32 gss_canonicalize_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
const gss_OID /*mech_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * /*dest_name*/
);
/*
* The following routines are obsolete variants of gss_get_mic,
* gss_verify_mic, gss_wrap and gss_unwrap. They should be
* provided by GSSAPI V2 implementations for backwards
* compatibility with V1 applications. Distinct entrypoints
* (as opposed to #defines) should be provided, both to allow
* GSSAPI V1 applications to link against GSSAPI V2 implementations,
* and to retain the slight parameter type differences between the
* obsolete versions of these routines and their current forms.
*/
OM_uint32 gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
);
OM_uint32 gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
int /*qop_req*/,
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
);
/*
* kerberos mechanism specific functions
*/
OM_uint32
gss_krb5_ccache_name(OM_uint32 * /*minor_status*/,
const char * /*name */,
const char ** /*out_name */);
OM_uint32 gsskrb5_register_acceptor_identity
(const char */*identity*/);
OM_uint32 gss_krb5_copy_ccache
(OM_uint32 */*minor*/,
gss_cred_id_t /*cred*/,
struct krb5_ccache_data */*out*/);
OM_uint32
gss_krb5_import_cred(OM_uint32 */*minor*/,
struct krb5_ccache_data * /*in*/,
struct Principal * /*keytab_principal*/,
struct krb5_keytab_data * /*keytab*/,
gss_cred_id_t */*out*/);
OM_uint32 gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
gss_ctx_id_t /*context_handle*/,
OM_uint32 */*tkt_flags*/);
OM_uint32
gsskrb5_extract_authz_data_from_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*ad_type*/,
gss_buffer_t /*ad_data*/);
#define GSS_C_KRB5_COMPAT_DES3_MIC 1
OM_uint32
gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int);
OM_uint32
gss_oid_to_str
(OM_uint32 * /*minor_status*/,
gss_OID /* oid */,
gss_buffer_t /* str */);
#ifdef __cplusplus
}
#endif
#endif /* GSSAPI_H_ */


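--- a/gssapi_locl.h
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
-* Copyright (c) 1997 - 2004 Kungliga Tekniska H<>gskolan
-* (Royal Institute of Technology, Stockholm, Sweden).
-* All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-*
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-*
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* 3. Neither the name of the Institute nor the names of its contributors
-* may be used to endorse or promote products derived from this software
-* without specific prior written permission.
-*
-* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-* SUCH DAMAGE.
-*/
-/* $Id$ */
-#ifndef GSSAPI_LOCL_H
-#define GSSAPI_LOCL_H
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-#include <krb5_locl.h>
-#include <gssapi.h>
-#include <assert.h>
-#include "cfx.h"
-#include "arcfour.h"
-#include "spnego_asn1.h"
-/*
-*
-*/
-struct gss_msg_order;
-typedef struct gss_ctx_id_t_desc_struct {
-struct krb5_auth_context_data *auth_context;
-gss_name_t source, target;
-OM_uint32 flags;
-enum { LOCAL = 1, OPEN = 2,
-COMPAT_OLD_DES3 = 4,
-COMPAT_OLD_DES3_SELECTED = 8,
-ACCEPTOR_SUBKEY = 16
-} more_flags;
-struct krb5_ticket *ticket;
-OM_uint32 lifetime;
-HEIMDAL_MUTEX ctx_id_mutex;
-struct gss_msg_order *order;
-} gss_ctx_id_t_desc;
-typedef struct gss_cred_id_t_desc_struct {
-gss_name_t principal;
-int cred_flags;
-#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
-struct krb5_keytab_data *keytab;
-OM_uint32 lifetime;
-gss_cred_usage_t usage;
-gss_OID_set mechanisms;
-struct krb5_ccache_data *ccache;
-HEIMDAL_MUTEX cred_id_mutex;
-} gss_cred_id_t_desc;
-/*
-*
-*/
-extern krb5_context gssapi_krb5_context;
-extern krb5_keytab gssapi_krb5_keytab;
-extern HEIMDAL_MUTEX gssapi_keytab_mutex;
-struct gssapi_thr_context {
-HEIMDAL_MUTEX mutex;
-char *error_string;
-};
-/*
-* Prototypes
-*/
-krb5_error_code gssapi_krb5_init (void);
-#define GSSAPI_KRB5_INIT() do { \
-krb5_error_code kret_gss_init; \
-if((kret_gss_init = gssapi_krb5_init ()) != 0) { \
-*minor_status = kret_gss_init; \
-return GSS_S_FAILURE; \
-} \
-} while (0)
-struct gssapi_thr_context *
-gssapi_get_thread_context(int);
-void
-gsskrb5_is_cfx(gss_ctx_id_t, int *);
-OM_uint32
-gssapi_krb5_create_8003_checksum (
-OM_uint32 *minor_status,
-const gss_channel_bindings_t input_chan_bindings,
-OM_uint32 flags,
-const krb5_data *fwd_data,
-Checksum *result);
-OM_uint32
-gssapi_krb5_verify_8003_checksum (
-OM_uint32 *minor_status,
-const gss_channel_bindings_t input_chan_bindings,
-const Checksum *cksum,
-OM_uint32 *flags,
-krb5_data *fwd_data);
-void
-_gssapi_encap_length (size_t data_len,
-size_t *len,
-size_t *total_len,
-const gss_OID mech);
-void
-gssapi_krb5_encap_length (size_t data_len,
-size_t *len,
-size_t *total_len,
-const gss_OID mech);
-OM_uint32
-_gssapi_encapsulate(OM_uint32 *minor_status,
-const krb5_data *in_data,
-gss_buffer_t output_token,
-const gss_OID mech);
-OM_uint32
-gssapi_krb5_encapsulate(OM_uint32 *minor_status,
-const krb5_data *in_data,
-gss_buffer_t output_token,
-const void *type,
-const gss_OID mech);
-OM_uint32
-gssapi_krb5_decapsulate(OM_uint32 *minor_status,
-gss_buffer_t input_token_buffer,
-krb5_data *out_data,
-const void *type,
-gss_OID oid);
-void *
-gssapi_krb5_make_header (void *ptr,
-size_t len,
-const void *type,
-const gss_OID mech);
-void *
-_gssapi_make_mech_header(void *ptr,
-size_t len,
-const gss_OID mech);
-OM_uint32
-_gssapi_verify_mech_header(u_char **str,
-size_t total_len,
-gss_OID oid);
-OM_uint32
-gssapi_krb5_verify_header(u_char **str,
-size_t total_len,
-const void *type,
-gss_OID oid);
-OM_uint32
-_gssapi_decapsulate(OM_uint32 *minor_status,
-gss_buffer_t input_token_buffer,
-krb5_data *out_data,
-const gss_OID mech);
-ssize_t
-gssapi_krb5_get_mech (const u_char *, size_t, const u_char **);
-OM_uint32
-_gssapi_verify_pad(gss_buffer_t, size_t, size_t *);
-OM_uint32
-gss_verify_mic_internal(OM_uint32 * minor_status,
-const gss_ctx_id_t context_handle,
-const gss_buffer_t message_buffer,
-const gss_buffer_t token_buffer,
-gss_qop_t * qop_state,
-char * type);
-OM_uint32
-gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
-krb5_keyblock **key);
-krb5_error_code
-gss_address_to_krb5addr(OM_uint32 gss_addr_type,
-gss_buffer_desc *gss_addr,
-int16_t port,
-krb5_address *address);
-/* sec_context flags */
-#define SC_LOCAL_ADDRESS 0x01
-#define SC_REMOTE_ADDRESS 0x02
-#define SC_KEYBLOCK 0x04
-#define SC_LOCAL_SUBKEY 0x08
-#define SC_REMOTE_SUBKEY 0x10
-int
-gss_oid_equal(const gss_OID a, const gss_OID b);
-void
-gssapi_krb5_clear_status (void);
-void
-gssapi_krb5_set_status (const char *fmt, ...);
-void
-gssapi_krb5_set_error_string (void);
-char *
-gssapi_krb5_get_error_string (void);
-OM_uint32
-_gss_DES3_get_mic_compat(OM_uint32 *, gss_ctx_id_t);
-OM_uint32
-_gss_spnego_require_mechlist_mic(OM_uint32 *, gss_ctx_id_t, krb5_boolean *);
-krb5_error_code
-_gss_check_compat(OM_uint32 *, gss_name_t, const char *,
-krb5_boolean *, krb5_boolean);
-OM_uint32
-gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
-OM_uint32
-_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache,
-krb5_principal, OM_uint32 *);
-/* sequence */
-OM_uint32
-_gssapi_msg_order_create(OM_uint32 *, struct gss_msg_order **,
-OM_uint32, OM_uint32, OM_uint32, int);
-OM_uint32
-_gssapi_msg_order_destroy(struct gss_msg_order **);
-OM_uint32
-_gssapi_msg_order_check(struct gss_msg_order *, OM_uint32);
-OM_uint32
-_gssapi_msg_order_f(OM_uint32);
-OM_uint32
-_gssapi_msg_order_import(OM_uint32 *, krb5_storage *,
-struct gss_msg_order **);
-krb5_error_code
-_gssapi_msg_order_export(krb5_storage *, struct gss_msg_order *);
-/* 8003 */
-krb5_error_code
-gssapi_encode_om_uint32(OM_uint32, u_char *);
-krb5_error_code
-gssapi_encode_be_om_uint32(OM_uint32, u_char *);
-krb5_error_code
-gssapi_decode_om_uint32(const void *, OM_uint32 *);
-krb5_error_code
-gssapi_decode_be_om_uint32(const void *, OM_uint32 *);
-#endif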


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2003 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,41 +33,91 @@
/* $Id$ */
#ifndef GSSAPI_ARCFOUR_H_
#define GSSAPI_ARCFOUR_H_ 1
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <krb5_locl.h>
#include <gssapi.h>
#include <gssapi_mech.h>
#include <assert.h>
#include "cfx.h"
#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer,
krb5_keyblock *key);
/*
*
*/
OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
gss_qop_t *qop_state,
krb5_keyblock *key);
struct gss_msg_order;
OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
krb5_keyblock *key);
typedef struct {
struct krb5_auth_context_data *auth_context;
gss_name_t source, target;
OM_uint32 flags;
enum { LOCAL = 1, OPEN = 2,
COMPAT_OLD_DES3 = 4,
COMPAT_OLD_DES3_SELECTED = 8,
ACCEPTOR_SUBKEY = 16
} more_flags;
struct krb5_ticket *ticket;
OM_uint32 lifetime;
HEIMDAL_MUTEX ctx_id_mutex;
struct gss_msg_order *order;
} *gsskrb5_ctx;
OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
krb5_keyblock *key,
char *type);
typedef struct {
gss_name_t principal;
int cred_flags;
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
gss_OID_set mechanisms;
struct krb5_ccache_data *ccache;
HEIMDAL_MUTEX cred_id_mutex;
} *gsskrb5_cred;
#endif /* GSSAPI_ARCFOUR_H_ */
/*
*
*/
extern krb5_context _gsskrb5_context;
extern krb5_keytab _gsskrb5_keytab;
extern HEIMDAL_MUTEX gssapi_keytab_mutex;
struct gssapi_thr_context {
HEIMDAL_MUTEX mutex;
char *error_string;
};
/*
* Prototypes
*/
krb5_error_code _gsskrb5_init (void);
#define GSSAPI_KRB5_INIT() do { \
krb5_error_code kret_gss_init; \
if((kret_gss_init = _gsskrb5_init ()) != 0) { \
*minor_status = kret_gss_init; \
return GSS_S_FAILURE; \
} \
} while (0)
#include <gsskrb5-private.h>
/* sec_context flags */
#define SC_LOCAL_ADDRESS 0x01
#define SC_REMOTE_ADDRESS 0x02
#define SC_KEYBLOCK 0x04
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
#endif
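Review bot: `extern HEIMDAL_MUTEX gssapi_keytab_mutex;` keeps its old un-prefixed name while the neighbouring globals became `_gsskrb5_context` and `_gsskrb5_keytab`, so one exported symbol still carries the generic `gssapi_` prefix this commit set out to retire; renaming it `_gsskrb5_keytab_mutex` here and at its definition would complete that cleanup. The new `typedef struct { ... } *gsskrb5_ctx;` and `} *gsskrb5_cred;` hide the indirection inside the typedef, so a parameter written `const gsskrb5_ctx context_handle` (as in the inquire_sec_context helpers later in this commit) is a const pointer to a mutable struct rather than a pointer to const, and an anonymous struct cannot be forward-declared from another header. Giving the structs tags and keeping the `*` explicit at the use sites avoids both. A one-line comment above each typedef saying that these are the mechanism-private objects behind the opaque `gss_ctx_id_t` and `gss_cred_id_t` handles would also help readers coming from the generic API.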


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -42,16 +42,16 @@ parse_krb5_name (OM_uint32 *minor_status,
{
krb5_error_code kerr;
kerr = krb5_parse_name (gssapi_krb5_context, name, output_name);
kerr = krb5_parse_name (_gsskrb5_context, name, output_name);
if (kerr == 0)
return GSS_S_COMPLETE;
else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kerr;
return GSS_S_BAD_NAME;
} else {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kerr;
return GSS_S_FAILURE;
}
@@ -117,7 +117,7 @@ import_hostbased_name (OM_uint32 *minor_status,
host = local_hostname;
}
kerr = krb5_sname_to_principal (gssapi_krb5_context,
kerr = krb5_sname_to_principal (_gsskrb5_context,
host,
tmp,
KRB5_NT_SRV_HST,
@@ -127,11 +127,11 @@ import_hostbased_name (OM_uint32 *minor_status,
if (kerr == 0)
return GSS_S_COMPLETE;
else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kerr;
return GSS_S_BAD_NAME;
} else {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kerr;
return GSS_S_FAILURE;
}
@@ -184,18 +184,7 @@ import_export_name (OM_uint32 *minor_status,
return ret;
}
int
gss_oid_equal(const gss_OID a, const gss_OID b)
{
if (a == b)
return 1;
else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length)
return 0;
else
return memcmp(a->elements, b->elements, a->length) == 0;
}
OM_uint32 gss_import_name
OM_uint32 _gsskrb5_import_name
(OM_uint32 * minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,


@@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32
gss_import_sec_context (
_gsskrb5_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t * context_handle
@@ -54,9 +54,12 @@ gss_import_sec_context (
int32_t tmp;
int32_t flags;
OM_uint32 minor;
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT ();
*context_handle = GSS_C_NO_CONTEXT;
localp = remotep = NULL;
sp = krb5_storage_from_mem (interprocess_token->value,
@@ -66,19 +69,18 @@ gss_import_sec_context (
return GSS_S_FAILURE;
}
*context_handle = malloc(sizeof(**context_handle));
if (*context_handle == NULL) {
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
*minor_status = ENOMEM;
krb5_storage_free (sp);
return GSS_S_FAILURE;
}
memset (*context_handle, 0, sizeof(**context_handle));
HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (gssapi_krb5_context,
&(*context_handle)->auth_context);
kret = krb5_auth_con_init (_gsskrb5_context,
&ctx->auth_context);
if (kret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -93,7 +95,7 @@ gss_import_sec_context (
/* retrieve the auth context */
ac = (*context_handle)->auth_context;
ac = ctx->auth_context;
if (krb5_ret_uint32 (sp, &ac->flags) != 0)
goto failure;
if (flags & SC_LOCAL_ADDRESS) {
@@ -106,11 +108,11 @@ gss_import_sec_context (
goto failure;
}
krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
krb5_auth_con_setaddrs (_gsskrb5_context, ac, localp, remotep);
if (localp)
krb5_free_address (gssapi_krb5_context, localp);
krb5_free_address (_gsskrb5_context, localp);
if (remotep)
krb5_free_address (gssapi_krb5_context, remotep);
krb5_free_address (_gsskrb5_context, remotep);
localp = remotep = NULL;
if (krb5_ret_int16 (sp, &ac->local_port) != 0)
@@ -121,20 +123,20 @@ gss_import_sec_context (
if (flags & SC_KEYBLOCK) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
krb5_auth_con_setlocalsubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
krb5_auth_con_setremotesubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
}
if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
goto failure;
@@ -155,11 +157,11 @@ gss_import_sec_context (
buffer.value = data.data;
buffer.length = data.length;
ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&(*context_handle)->source);
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&ctx->source);
if (ret) {
ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
&(*context_handle)->source);
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
&ctx->source);
if (ret) {
krb5_data_free (&data);
goto failure;
@@ -172,11 +174,11 @@ gss_import_sec_context (
buffer.value = data.data;
buffer.length = data.length;
ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&(*context_handle)->target);
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&ctx->target);
if (ret) {
ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
&(*context_handle)->target);
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
&ctx->target);
if (ret) {
krb5_data_free (&data);
goto failure;
@@ -186,37 +188,40 @@ gss_import_sec_context (
if (krb5_ret_int32 (sp, &tmp))
goto failure;
(*context_handle)->flags = tmp;
ctx->flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
(*context_handle)->more_flags = tmp;
ctx->more_flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
(*context_handle)->lifetime = tmp;
ctx->lifetime = tmp;
ret = _gssapi_msg_order_import(minor_status, sp, &(*context_handle)->order);
ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
if (ret)
goto failure;
krb5_storage_free (sp);
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
failure:
krb5_auth_con_free (gssapi_krb5_context,
(*context_handle)->auth_context);
if ((*context_handle)->source != NULL)
gss_release_name(&minor, &(*context_handle)->source);
if ((*context_handle)->target != NULL)
gss_release_name(&minor, &(*context_handle)->target);
krb5_auth_con_free (_gsskrb5_context,
ctx->auth_context);
if (ctx->source != NULL)
_gsskrb5_release_name(&minor, &ctx->source);
if (ctx->target != NULL)
_gsskrb5_release_name(&minor, &ctx->target);
if (localp)
krb5_free_address (gssapi_krb5_context, localp);
krb5_free_address (_gsskrb5_context, localp);
if (remotep)
krb5_free_address (gssapi_krb5_context, remotep);
if((*context_handle)->order)
_gssapi_msg_order_destroy(&(*context_handle)->order);
HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
krb5_free_address (_gsskrb5_context, remotep);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
krb5_storage_free (sp);
free (*context_handle);
free (ctx);
*context_handle = GSS_C_NO_CONTEXT;
return ret;
}
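Review bot: The `goto failure` branches taken when a storage read fails (`if (krb5_ret_uint32 (sp, &ac->flags) != 0) goto failure;`, the three `krb5_ret_keyblock` reads and the `krb5_ret_int32` reads into `tmp`) leave `*minor_status` untouched and return whatever `ret` held at that point, so a truncated or malformed interprocess token is reported with a stale status. Because that token arrives from outside this process, each of these paths should set an explicit status before jumping, e.g. `*minor_status = EINVAL; ret = GSS_S_DEFECTIVE_TOKEN; goto failure;`, or funnel through a second label that does so. The function body is spread over several hunks and the declaration of `ret` lies outside them, so whether `ret` is pre-initialised to a failure code cannot be confirmed from here. Separately, `*context_handle = (gss_ctx_id_t)ctx;` is the single point where the private object becomes the opaque handle and merits a short comment saying so.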


@@ -31,30 +31,25 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_indicate_mechs
OM_uint32 _gsskrb5_indicate_mechs
(OM_uint32 * minor_status,
gss_OID_set * mech_set
)
{
OM_uint32 ret;
OM_uint32 ret, junk;
ret = gss_create_empty_oid_set(minor_status, mech_set);
ret = _gsskrb5_create_empty_oid_set(minor_status, mech_set);
if (ret)
return ret;
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
ret = _gsskrb5_add_oid_set_member(minor_status,
GSS_KRB5_MECHANISM, mech_set);
if (ret) {
gss_release_oid_set(NULL, mech_set);
return ret;
}
ret = gss_add_oid_set_member(minor_status, GSS_SPNEGO_MECHANISM, mech_set);
if (ret) {
gss_release_oid_set(NULL, mech_set);
_gsskrb5_release_oid_set(&junk, mech_set);
return ret;
}


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
static HEIMDAL_MUTEX gssapi_krb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static HEIMDAL_MUTEX _gsskrb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static int created_key;
static HEIMDAL_thread_key gssapi_context_key;
@@ -54,12 +54,12 @@ gssapi_destroy_thread_context(void *ptr)
struct gssapi_thr_context *
gssapi_get_thread_context(int createp)
_gsskrb5_get_thread_context(int createp)
{
struct gssapi_thr_context *ctx;
int ret;
HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex);
HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex);
if (!created_key)
abort();
@@ -76,36 +76,36 @@ gssapi_get_thread_context(int createp)
if (ret)
goto fail;
}
HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex);
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
return ctx;
fail:
HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex);
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
if (ctx)
free(ctx);
return NULL;
}
krb5_error_code
gssapi_krb5_init (void)
_gsskrb5_init (void)
{
krb5_error_code ret = 0;
HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex);
HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex);
if(gssapi_krb5_context == NULL)
ret = krb5_init_context (&gssapi_krb5_context);
if(_gsskrb5_context == NULL)
ret = krb5_init_context (&_gsskrb5_context);
if (ret == 0 && !created_key) {
HEIMDAL_key_create(&gssapi_context_key,
gssapi_destroy_thread_context,
ret);
if (ret) {
krb5_free_context(gssapi_krb5_context);
gssapi_krb5_context = NULL;
krb5_free_context(_gsskrb5_context);
_gsskrb5_context = NULL;
} else
created_key = 1;
}
HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex);
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
return ret;
}



@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_inquire_context (
OM_uint32 _gsskrb5_inquire_context (
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_name_t * src_name,
@@ -48,28 +48,29 @@ OM_uint32 gss_inquire_context (
)
{
OM_uint32 ret;
gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (src_name) {
ret = gss_duplicate_name (minor_status,
context_handle->source,
src_name);
ret = _gsskrb5_duplicate_name (minor_status,
ctx->source,
src_name);
if (ret)
goto failed;
}
if (targ_name) {
ret = gss_duplicate_name (minor_status,
context_handle->target,
targ_name);
ret = _gsskrb5_duplicate_name (minor_status,
ctx->target,
targ_name);
if (ret)
goto failed;
}
if (lifetime_rec) {
ret = gssapi_lifetime_left(minor_status,
context_handle->lifetime,
ret = _gsskrb5_lifetime_left(minor_status,
ctx->lifetime,
lifetime_rec);
if (ret)
goto failed;
@@ -79,19 +80,19 @@ OM_uint32 gss_inquire_context (
*mech_type = GSS_KRB5_MECHANISM;
if (ctx_flags)
*ctx_flags = context_handle->flags;
*ctx_flags = ctx->flags;
if (locally_initiated)
*locally_initiated = context_handle->more_flags & LOCAL;
*locally_initiated = ctx->more_flags & LOCAL;
if (open_context)
*open_context = context_handle->more_flags & OPEN;
*open_context = ctx->more_flags & OPEN;
*minor_status = 0;
ret = GSS_S_COMPLETE;
failed:
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
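Review bot: `gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;` is dereferenced immediately by `HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);` with no `GSS_C_NO_CONTEXT` check, so unless the mechglue layer rejects a null handle before dispatching here (not visible in this commit), a caller passing no context crashes instead of getting an error. A guard at the top of the function, `if (context_handle == GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_NO_CONTEXT; }`, keeps the failure inside the API contract; the same unchecked cast pattern appears in `_gsskrb5_inquire_cred_by_oid` below. Also, `*open_context = ctx->more_flags & OPEN;` yields the bit value 2 rather than 0/1, which satisfies the GSS-API non-zero convention but is worth a comment for callers that compare against 1.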


@@ -31,20 +31,21 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_inquire_cred
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
gss_name_t * name,
OM_uint32 * lifetime,
gss_cred_usage_t * cred_usage,
gss_OID_set * mechanisms
)
OM_uint32 _gsskrb5_inquire_cred
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
gss_name_t * name,
OM_uint32 * lifetime,
gss_cred_usage_t * cred_usage,
gss_OID_set * mechanisms
)
{
gss_cred_id_t cred;
gss_cred_id_t aqcred = GSS_C_NO_CREDENTIAL;
gsskrb5_cred cred;
OM_uint32 ret;
*minor_status = 0;
@@ -55,37 +56,38 @@ OM_uint32 gss_inquire_cred
*mechanisms = GSS_C_NO_OID_SET;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
ret = gss_acquire_cred(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred,
NULL,
NULL);
ret = _gsskrb5_acquire_cred(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&aqcred,
NULL,
NULL);
if (ret)
return ret;
cred = (gsskrb5_cred)aqcred;
} else
cred = (gss_cred_id_t)cred_handle;
cred = (gsskrb5_cred)cred_handle;
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (name != NULL) {
if (cred->principal != NULL) {
ret = gss_duplicate_name(minor_status, cred->principal,
name);
ret = _gsskrb5_duplicate_name(minor_status, cred->principal,
name);
if (ret)
goto out;
} else if (cred->usage == GSS_C_ACCEPT) {
*minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL,
NULL, KRB5_NT_SRV_HST, name);
*minor_status = krb5_sname_to_principal(_gsskrb5_context, NULL,
NULL, KRB5_NT_SRV_HST, name);
if (*minor_status) {
ret = GSS_S_FAILURE;
goto out;
}
} else {
*minor_status = krb5_get_default_principal(gssapi_krb5_context,
name);
*minor_status = krb5_get_default_principal(_gsskrb5_context,
name);
if (*minor_status) {
ret = GSS_S_FAILURE;
goto out;
@@ -93,7 +95,7 @@ OM_uint32 gss_inquire_cred
}
}
if (lifetime != NULL) {
ret = gssapi_lifetime_left(minor_status,
ret = _gsskrb5_lifetime_left(minor_status,
cred->lifetime,
lifetime);
if (ret)
@@ -103,21 +105,21 @@ OM_uint32 gss_inquire_cred
*cred_usage = cred->usage;
if (mechanisms != NULL) {
ret = gss_create_empty_oid_set(minor_status, mechanisms);
ret = _gsskrb5_create_empty_oid_set(minor_status, mechanisms);
if (ret)
goto out;
ret = gss_add_oid_set_member(minor_status,
&cred->mechanisms->elements[0],
mechanisms);
ret = _gsskrb5_add_oid_set_member(minor_status,
&cred->mechanisms->elements[0],
mechanisms);
if (ret)
goto out;
}
ret = GSS_S_COMPLETE;
out:
out:
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (cred_handle == GSS_C_NO_CREDENTIAL)
ret = gss_release_cred(minor_status, &cred);
if (aqcred != GSS_C_NO_CREDENTIAL)
ret = _gsskrb5_release_cred(minor_status, &aqcred);
return ret;
}
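Review bot: On every `goto out` error path that follows an automatic `_gsskrb5_acquire_cred`, the cleanup `ret = _gsskrb5_release_cred(minor_status, &aqcred);` overwrites both the failure code in `ret` and `*minor_status` with the release result, so a failed `_gsskrb5_duplicate_name` or `_gsskrb5_create_empty_oid_set` can be reported as GSS_S_COMPLETE with `*name` or `*mechanisms` left unset. Release into a scratch status and only let it replace `ret` when the call had otherwise succeeded: `OM_uint32 junk, rret; rret = _gsskrb5_release_cred(&junk, &aqcred); if (ret == GSS_S_COMPLETE) ret = rret;`. The overwrite predates this commit, but the new `aqcred` split is the natural place to fix it.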


@@ -31,18 +31,18 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_inquire_cred_by_mech (
OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID mech_type,
gss_name_t * name,
OM_uint32 * initiator_lifetime,
OM_uint32 * acceptor_lifetime,
gss_cred_usage_t * cred_usage
OM_uint32 _gsskrb5_inquire_cred_by_mech (
OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID mech_type,
gss_name_t * name,
OM_uint32 * initiator_lifetime,
OM_uint32 * acceptor_lifetime,
gss_cred_usage_t * cred_usage
)
{
OM_uint32 ret;
@@ -54,19 +54,20 @@ OM_uint32 gss_inquire_cred_by_mech (
return GSS_S_BAD_MECH;
}
ret = gss_inquire_cred (minor_status,
cred_handle,
name,
&lifetime,
cred_usage,
NULL);
ret = _gsskrb5_inquire_cred (minor_status,
cred_handle,
name,
&lifetime,
cred_usage,
NULL);
if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) {
gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
gss_cred_usage_t usage;
HEIMDAL_MUTEX_lock(&cred_handle->cred_id_mutex);
usage = cred_handle->usage;
HEIMDAL_MUTEX_unlock(&cred_handle->cred_id_mutex);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
usage = cred->usage;
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (initiator_lifetime) {
if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)


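--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE: new file defining _gsskrb5_inquire_cred_by_oid]
@@ -0,0 +1,90 @@
+/*
+* Copyright (c) 2004, PADL Software Pty Ltd.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* 3. Neither the name of PADL Software nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+#include "gsskrb5_locl.h"
+RCSID("$Id$");
+OM_uint32 _gsskrb5_inquire_cred_by_oid
+(OM_uint32 * minor_status,
+const gss_cred_id_t cred_handle,
+const gss_OID desired_object,
+gss_buffer_set_t *data_set)
+{
+gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
+krb5_error_code kret;
+krb5_ccache_data ccache;
+gss_buffer_desc ccache_ops_buf;
+gss_buffer_desc ccache_data_buf;
+OM_uint32 ret;
+if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) {
+*minor_status = EINVAL;
+return GSS_S_FAILURE;
+}
+HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+if (cred->ccache == NULL) {
+HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+*minor_status = EINVAL;
+return GSS_S_FAILURE;
+}
+kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, &ccache);
+HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+if (kret) {
+*minor_status = kret;
+_gsskrb5_set_error_string ();
+return GSS_S_FAILURE;
+}
+ccache_ops_buf.value = (void *)ccache.ops->prefix;
+ccache_ops_buf.length = strlen(ccache.ops->prefix);
+ccache_data_buf.value = ccache.data.data;
+ccache_data_buf.length = ccache.data.length;
+ret = gss_add_buffer_set_member(minor_status,
+&ccache_ops_buf,
+data_set);
+if (ret == 0) {
+ret = gss_add_buffer_set_member(minor_status,
+&ccache_data_buf,
+data_set);
+}
+krb5_cc_close(_gsskrb5_context, &ccache);
+return GSS_S_COMPLETE;
+}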
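Review bot: `return GSS_S_COMPLETE;` at the end of `_gsskrb5_inquire_cred_by_oid` discards `ret`, so a failed `gss_add_buffer_set_member` (together with the `*minor_status` it set) is reported to the caller as success with an empty or half-built `*data_set`; the last line should be `return ret;`, and on failure the partially built set should be released with `gss_release_buffer_set` before returning. `gsskrb5_cred cred = (gsskrb5_cred)cred_handle;` is dereferenced by `HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);` without a `GSS_C_NO_CREDENTIAL` check, unlike the sibling `_gsskrb5_inquire_cred_by_mech`, which tests the handle first. The two `ccache_*_buf` assignments point into the copied cache that `krb5_cc_close` releases a few lines later, so this relies on `gss_add_buffer_set_member` copying the bytes; that behaviour is not visible here and deserves a comment once confirmed, e.g. `/* the set members are copies; the cache copy is closed below */`.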


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_inquire_mechs_for_name (
OM_uint32 _gsskrb5_inquire_mechs_for_name (
OM_uint32 * minor_status,
const gss_name_t input_name,
gss_OID_set * mech_types
@@ -43,15 +43,15 @@ OM_uint32 gss_inquire_mechs_for_name (
{
OM_uint32 ret;
ret = gss_create_empty_oid_set(minor_status, mech_types);
ret = _gsskrb5_create_empty_oid_set(minor_status, mech_types);
if (ret)
return ret;
ret = gss_add_oid_set_member(minor_status,
GSS_KRB5_MECHANISM,
mech_types);
ret = _gsskrb5_add_oid_set_member(minor_status,
GSS_KRB5_MECHANISM,
mech_types);
if (ret)
gss_release_oid_set(NULL, mech_types);
_gsskrb5_release_oid_set(NULL, mech_types);
return ret;
}
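Review bot: `_gsskrb5_release_oid_set(NULL, mech_types);` passes a null minor-status pointer, whereas the sibling `_gsskrb5_indicate_mechs` in this same commit was changed to pass `&junk`; `_gsskrb5_inquire_names_for_mech` below has the same `NULL` call. If `_gsskrb5_release_oid_set` stores through `minor_status` unconditionally (its body is not visible here), this error path crashes on exactly the failure it is cleaning up after. Using a local `OM_uint32 junk;` and `_gsskrb5_release_oid_set(&junk, mech_types);` matches the pattern already adopted in indicate_mechs and removes the doubt.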


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
@@ -44,7 +44,7 @@ static gss_OID *name_list[] = {
NULL
};
OM_uint32 gss_inquire_names_for_mech (
OM_uint32 _gsskrb5_inquire_names_for_mech (
OM_uint32 * minor_status,
const gss_OID mechanism,
gss_OID_set * name_types
@@ -61,20 +61,20 @@ OM_uint32 gss_inquire_names_for_mech (
return GSS_S_BAD_MECH;
}
ret = gss_create_empty_oid_set(minor_status, name_types);
ret = _gsskrb5_create_empty_oid_set(minor_status, name_types);
if (ret != GSS_S_COMPLETE)
return ret;
for (i = 0; name_list[i] != NULL; i++) {
ret = gss_add_oid_set_member(minor_status,
*(name_list[i]),
name_types);
ret = _gsskrb5_add_oid_set_member(minor_status,
*(name_list[i]),
name_types);
if (ret != GSS_S_COMPLETE)
break;
}
if (ret != GSS_S_COMPLETE)
gss_release_oid_set(NULL, name_types);
_gsskrb5_release_oid_set(NULL, name_types);
return GSS_S_COMPLETE;
}
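Review bot: `return GSS_S_COMPLETE;` after the loop reports success even when `_gsskrb5_add_oid_set_member` failed and `*name_types` was just released by `_gsskrb5_release_oid_set(NULL, name_types);`, so the caller receives GSS_S_COMPLETE together with a freed set. The final line should be `return ret;`, and for consistency with the `GSS_S_COMPLETE` comparisons above it the release could also be guarded by `if (ret != GSS_S_COMPLETE)` unchanged. The `NULL` minor-status argument to the release call is discussed in the note on inquire_mechs_for_name.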


@@ -0,0 +1,214 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "gsskrb5_locl.h"
RCSID("$Id$");
static int
oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
{
int ret;
heim_oid oid;
heim_oid prefix;
*suffix = 0;
ret = der_get_oid(oid_enc->elements, oid_enc->length,
&oid, NULL);
if (ret) {
return 0;
}
ret = der_get_oid(prefix_enc->elements, prefix_enc->length,
&prefix, NULL);
if (ret) {
free_oid(&oid);
return 0;
}
ret = 0;
if (oid.length - 1 == prefix.length) {
*suffix = oid.components[oid.length - 1];
oid.length--;
ret = (heim_oid_cmp(&oid, &prefix) == 0);
oid.length++;
}
free_oid(&oid);
free_oid(&prefix);
return ret;
}
static OM_uint32 inquire_sec_context_tkt_flags
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
gss_buffer_set_t *data_set)
{
OM_uint32 tkt_flags;
unsigned char buf[4];
gss_buffer_desc value;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_BAD_MECH;
}
tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
_gsskrb5_encode_om_uint32(tkt_flags, buf);
value.length = sizeof(buf);
value.value = buf;
return gss_add_buffer_set_member(minor_status,
&value,
data_set);
}
static OM_uint32 inquire_sec_context_authz_data
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
unsigned ad_type,
gss_buffer_set_t *data_set)
{
krb5_data data;
gss_buffer_desc ad_data;
OM_uint32 ret;
*minor_status = 0;
*data_set = GSS_C_NO_BUFFER_SET;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context,
context_handle->ticket,
ad_type,
&data);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ad_data.value = data.data;
ad_data.length = data.length;
ret = gss_add_buffer_set_member(minor_status,
&ad_data,
data_set);
krb5_data_free(&data);
return ret;
}
static OM_uint32 inquire_sec_context_has_updated_spnego
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
gss_buffer_set_t *data_set)
{
int is_updated = 0;
*minor_status = 0;
*data_set = GSS_C_NO_BUFFER_SET;
/*
* For Windows SPNEGO implementations, both the initiator and the
* acceptor are assumed to have been updated if a "newer" [CLAR] or
* different enctype is negotiated for use by the Kerberos GSS-API
* mechanism.
*/
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
_gsskrb5i_is_cfx(context_handle, &is_updated);
if (is_updated == 0) {
krb5_keyblock *acceptor_subkey;
if (context_handle->more_flags & LOCAL)
acceptor_subkey = context_handle->auth_context->remote_subkey;
else
acceptor_subkey = context_handle->auth_context->local_subkey;
if (acceptor_subkey != NULL)
is_updated = (acceptor_subkey->keytype !=
context_handle->auth_context->keyblock->keytype);
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return is_updated ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
OM_uint32 _gsskrb5_inquire_sec_context_by_oid
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
unsigned suffix;
if (ctx == NULL) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) {
return inquire_sec_context_tkt_flags(minor_status,
ctx,
data_set);
} else if (gss_oid_equal(desired_object, GSS_C_PEER_HAS_UPDATED_SPNEGO)) {
return inquire_sec_context_has_updated_spnego(minor_status,
ctx,
data_set);
} else if (oid_prefix_equal(desired_object,
GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X,
&suffix)) {
return inquire_sec_context_authz_data(minor_status,
ctx,
suffix,
data_set);
} else {
*minor_status = 0;
return GSS_S_FAILURE;
}
}
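Review bot: `inquire_sec_context_tkt_flags` passes `data_set` to `gss_add_buffer_set_member` without first setting `*data_set = GSS_C_NO_BUFFER_SET`, whereas `inquire_sec_context_authz_data` and `inquire_sec_context_has_updated_spnego` both initialise it; if the helper only allocates a fresh set when the handle is empty, an uninitialised caller value would be appended to, so adding `*data_set = GSS_C_NO_BUFFER_SET;` before the call makes the three helpers consistent. In `_gsskrb5_inquire_sec_context_by_oid`, `desired_object` reaches `gss_oid_equal` and `oid_prefix_equal` (which dereferences `oid_enc->elements`) without a `GSS_C_NO_OID` check, while `ctx` is checked; whether that is safe depends on what the mechglue guarantees, which is not visible here. A short comment on `inquire_sec_context_has_updated_spnego` noting that `GSS_S_FAILURE` with `*minor_status == 0` is the deliberate "not updated" answer rather than an error would stop readers from treating it as a fault path.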


@@ -1,67 +0,0 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
RCSID("$Id$");
OM_uint32
gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
{
krb5_error_code ret;
size_t size;
heim_oid o;
char *p;
oid_str->value = NULL;
oid_str->length = 0;
ret = der_get_oid (oid->elements, oid->length, &o, &size);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = der_print_heim_oid(&o, &p);
free_oid(&o);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
oid_str->value = p;
oid_str->length = strlen(p) + 1;
*minor_status = 0;
return GSS_S_COMPLETE;
}


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_process_context_token (
OM_uint32 _gsskrb5_process_context_token (
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer
@@ -50,14 +50,15 @@ OM_uint32 gss_process_context_token (
qop_state = GSS_C_QOP_DEFAULT;
ret = gss_verify_mic_internal(minor_status, context_handle,
token_buffer, &empty_buffer,
GSS_C_QOP_DEFAULT, "\x01\x02");
ret = _gsskrb5_verify_mic_internal(minor_status,
(gsskrb5_ctx)context_handle,
token_buffer, &empty_buffer,
GSS_C_QOP_DEFAULT, "\x01\x02");
if (ret == GSS_S_COMPLETE)
ret = gss_delete_sec_context(minor_status,
rk_UNCONST(&context_handle),
GSS_C_NO_BUFFER);
ret = _gsskrb5_delete_sec_context(minor_status,
rk_UNCONST(&context_handle),
GSS_C_NO_BUFFER);
if (ret == GSS_S_COMPLETE)
*minor_status = 0;
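Review bot: `_gsskrb5_delete_sec_context` is invoked on `rk_UNCONST(&context_handle)`, the address of the by-value parameter, so only the local copy is reset to `GSS_C_NO_CONTEXT` and the caller — now the mechglue — keeps a pointer to freed memory unless it knows to discard its handle after a successful call. That predates this commit, but now that the function is a mechanism entry point it deserves a comment at the call site such as `/* the context is freed here; the caller's handle is not reset and must not be reused */`, or an interface that takes `gss_ctx_id_t *`. The enclosing function continues past the end of the hunk.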


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_release_buffer
OM_uint32 _gsskrb5_release_buffer
(OM_uint32 * minor_status,
gss_buffer_t buffer
)


@@ -31,43 +31,46 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_release_cred
OM_uint32 _gsskrb5_release_cred
(OM_uint32 * minor_status,
gss_cred_id_t * cred_handle
)
{
gsskrb5_cred cred;
*minor_status = 0;
if (*cred_handle == GSS_C_NO_CREDENTIAL) {
if (*cred_handle == NULL)
return GSS_S_COMPLETE;
}
cred = (gsskrb5_cred)*cred_handle;
*cred_handle = GSS_C_NO_CREDENTIAL;
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if ((*cred_handle)->principal != NULL)
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
if ((*cred_handle)->keytab != NULL)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
if ((*cred_handle)->ccache != NULL) {
if (cred->principal != NULL)
krb5_free_principal(_gsskrb5_context, cred->principal);
if (cred->keytab != NULL)
krb5_kt_close(_gsskrb5_context, cred->keytab);
if (cred->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
if ((*cred_handle)->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
ops = krb5_cc_get_ops(_gsskrb5_context, cred->ccache);
if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
krb5_cc_destroy(_gsskrb5_context, cred->ccache);
else
krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
krb5_cc_close(_gsskrb5_context, cred->ccache);
}
gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex);
HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex);
memset(*cred_handle, 0, sizeof(**cred_handle));
free(*cred_handle);
*cred_handle = GSS_C_NO_CREDENTIAL;
_gsskrb5_release_oid_set(NULL, &cred->mechanisms);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
HEIMDAL_MUTEX_destroy(&cred->cred_id_mutex);
memset(cred, 0, sizeof(*cred));
free(cred);
return GSS_S_COMPLETE;
}
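Review bot: `GSSAPI_KRB5_INIT ()` now runs after `*cred_handle` has been cleared and `cred` detached; if that macro can return early on initialisation failure (its definition is not visible here), the credential structure and the principal, keytab and ccache it owns are leaked with no way for the caller to retry. Moving the init above the `*cred_handle = GSS_C_NO_CREDENTIAL;` line keeps the handle valid on that path. Separately, `memset(cred, 0, sizeof(*cred)); free(cred);` is a dead store a compiler may elide; if the zeroing is meant to scrub the object, a non-elidable clearing routine is needed, otherwise the memset can go.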


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_release_name
OM_uint32 _gsskrb5_release_name
(OM_uint32 * minor_status,
gss_name_t * input_name
)
@@ -43,7 +43,7 @@ OM_uint32 gss_release_name
GSSAPI_KRB5_INIT ();
if (minor_status)
*minor_status = 0;
krb5_free_principal(gssapi_krb5_context,
krb5_free_principal(_gsskrb5_context,
*input_name);
*input_name = GSS_C_NO_NAME;
return GSS_S_COMPLETE;


@@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_release_oid_set
OM_uint32 _gsskrb5_release_oid_set
(OM_uint32 * minor_status,
gss_OID_set * set
)


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");


@@ -0,0 +1,94 @@
/*
* Copyright (c) 2004, PADL Software Pty Ltd.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of PADL Software nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* glue routine for _gsskrb5_inquire_sec_context_by_oid
*/
#include "gsskrb5_locl.h"
RCSID("$Id$");
static OM_uint32
set_compat_des3_mic_context_option
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_buffer_t value)
{
gsskrb5_ctx ctx;
const char *p;
if (*context_handle == GSS_C_NO_CONTEXT) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
if (value->value == NULL || value->length != 1) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
p = (const char *)value->value;
ctx = (gsskrb5_ctx)*context_handle;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (*p) {
ctx->more_flags |= COMPAT_OLD_DES3;
} else {
ctx->more_flags &= ~COMPAT_OLD_DES3;
}
ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_COMPLETE;
}
OM_uint32
_gsskrb5_set_sec_context_option
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
return set_compat_des3_mic_context_option(minor_status,
context_handle,
value);
}
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
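Review bot: The file header comment `glue routine for _gsskrb5_inquire_sec_context_by_oid` names the wrong function; this file implements `_gsskrb5_set_sec_context_option`, so it should read `/* glue routine for _gsskrb5_set_sec_context_option */`. In `_gsskrb5_set_sec_context_option`, `value` is checked against `GSS_C_NO_BUFFER` but `desired_object` reaches `gss_oid_equal` unchecked; whether a `GSS_C_NO_OID` argument is safe there depends on `gss_oid_equal`, which is not visible here. A one-line comment above `set_compat_des3_mic_context_option` saying that the single byte sets or clears `COMPAT_OLD_DES3` and that `COMPAT_OLD_DES3_SELECTED` records that an explicit choice was made would help readers.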


@@ -1,240 +0,0 @@
-- from rfc2025
-- $Id$
SpkmGssTokens DEFINITIONS ::=
BEGIN
IMPORTS AlgorithmIdentifier, Validity,
Attribute, Certificate, CertificateList, CertificatePair, Name
FROM rfc2459
AuthorizationData FROM krb5;
SPKM-REQ ::= SEQUENCE {
requestToken REQ-TOKEN,
certif-data [0] CertificationData OPTIONAL,
auth-data [1] AuthorizationData OPTIONAL
}
CertificationData ::= SEQUENCE {
certificationPath [0] CertificationPath OPTIONAL,
certificateRevocationList [1] CertificateList OPTIONAL
} -- at least one of the above shall be present
CertificationPath ::= SEQUENCE {
userKeyId [0] OCTET STRING OPTIONAL,
userCertif [1] Certificate OPTIONAL,
verifKeyId [2] OCTET STRING OPTIONAL,
userVerifCertif [3] Certificate OPTIONAL,
theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
} -- Presence of [2] or [3] implies that [0] or [1] must also be
-- present. Presence of [4] implies that at least one of [0], [1],
-- [2], and [3] must also be present.
REQ-TOKEN ::= SEQUENCE {
req-contents Req-contents,
algId AlgorithmIdentifier,
req-integrity Integrity -- "token" is Req-contents
}
Integrity ::= BIT STRING
-- If corresponding algId specifies a signing algorithm,
-- "Integrity" holds the result of applying the signing procedure
-- specified in algId to the BER-encoded octet string which results
-- from applying the hashing procedure (also specified in algId) to
-- the DER-encoded octets of "token".
-- Alternatively, if corresponding algId specifies a MACing
-- algorithm, "Integrity" holds the result of applying the MACing
-- procedure specified in algId to the DER-encoded octets of
-- "token"
Req-contents ::= SEQUENCE {
tok-id INTEGER --(256)--, -- shall contain 0100 (hex)
context-id Random-Integer,
pvno BIT STRING,
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
randSrc Random-Integer,
targ-name Name,
src-name [0] Name OPTIONAL,
req-data Context-Data,
validity [1] Validity OPTIONAL,
key-estb-set Key-Estb-Algs,
key-estb-req BIT STRING OPTIONAL,
key-src-bind OCTET STRING OPTIONAL
-- This field must be present for the case of SPKM-2
-- unilateral authen. if the K-ALG in use does not provide
-- such a binding (but is optional for all other cases).
-- The octet string holds the result of applying the
-- mandatory hashing procedure (in MANDATORY I-ALG;
-- see Section 2.1) as follows: MD5(src || context_key),
-- where "src" is the DER-encoded octets of src-name,
-- "context-key" is the symmetric key (i.e., the
-- unprotected version of what is transmitted in
-- key-estb-req), and "||" is the concatenation operation.
}
Random-Integer ::= BIT STRING
Context-Data ::= SEQUENCE {
channelId ChannelId OPTIONAL,
seq-number INTEGER OPTIONAL,
options Options,
conf-alg Conf-Algs,
intg-alg Intg-Algs,
owf-alg OWF-Algs
}
ChannelId ::= OCTET STRING
Options ::= BIT STRING {
delegation-state (0),
mutual-state (1),
replay-det-state (2),
sequence-state (3),
conf-avail (4),
integ-avail (5),
target-certif-data-required (6)
}
Conf-Algs ::= CHOICE {
algs [0] SEQUENCE OF AlgorithmIdentifier,
null [1] NULL
}
Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier
OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier
Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier
SPKM-REP-TI ::= SEQUENCE {
responseToken REP-TI-TOKEN,
certif-data CertificationData OPTIONAL
-- present if target-certif-data-required option was
} -- set to TRUE in SPKM-REQ
REP-TI-TOKEN ::= SEQUENCE {
rep-ti-contents Rep-ti-contents,
algId AlgorithmIdentifier,
rep-ti-integ Integrity -- "token" is Rep-ti-contents
}
Rep-ti-contents ::= SEQUENCE {
tok-id INTEGER --(512)--, -- shall contain 0200 (hex)
context-id Random-Integer,
pvno [0] BIT STRING OPTIONAL,
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
randTarg Random-Integer,
src-name [1] Name OPTIONAL,
targ-name Name,
randSrc Random-Integer,
rep-data Context-Data,
validity [2] Validity OPTIONAL,
key-estb-id AlgorithmIdentifier OPTIONAL,
key-estb-str BIT STRING OPTIONAL
}
SPKM-REP-IT ::= SEQUENCE {
responseToken REP-IT-TOKEN,
algId AlgorithmIdentifier,
rep-it-integ Integrity -- "token" is REP-IT-TOKEN
}
REP-IT-TOKEN ::= SEQUENCE {
tok-id INTEGER --(768)--, -- shall contain 0300 (hex)
context-id Random-Integer,
randSrc Random-Integer,
randTarg Random-Integer,
targ-name Name,
src-name Name OPTIONAL,
key-estb-rep BIT STRING OPTIONAL
}
SPKM-ERROR ::= SEQUENCE {
errorToken ERROR-TOKEN,
algId AlgorithmIdentifier,
integrity Integrity -- "token" is ERROR-TOKEN
}
ERROR-TOKEN ::= SEQUENCE {
tok-id INTEGER --(1024)--, -- shall contain 0400 (hex)
context-id Random-Integer
}
SPKM-MIC ::= SEQUENCE {
mic-header Mic-Header,
int-cksum BIT STRING
}
Mic-Header ::= SEQUENCE {
tok-id INTEGER --(257)--, -- shall contain 0101 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier OPTIONAL,
snd-seq [1] SeqNum OPTIONAL
}
SeqNum ::= SEQUENCE {
num INTEGER,
dir-ind BOOLEAN
}
SPKM-WRAP ::= SEQUENCE {
wrap-header Wrap-Header,
wrap-body Wrap-Body
}
Wrap-Header ::= SEQUENCE {
tok-id INTEGER --(513)--, -- shall contain 0201 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier OPTIONAL,
conf-alg [1] Conf-Alg OPTIONAL,
snd-seq [2] SeqNum OPTIONAL
}
Wrap-Body ::= SEQUENCE {
int-cksum BIT STRING,
data BIT STRING
}
Conf-Alg ::= CHOICE {
algId [0] AlgorithmIdentifier,
null [1] NULL
}
SPKM-DEL ::= SEQUENCE {
del-header Del-Header,
int-cksum BIT STRING
}
Del-Header ::= SEQUENCE {
tok-id INTEGER --(769)--, -- shall contain 0301 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier OPTIONAL,
snd-seq [1] SeqNum OPTIONAL
}
-- other types --
MechType ::= OBJECT IDENTIFIER
SPKMInnerContextToken ::= CHOICE {
req [0] SPKM-REQ,
rep-ti [1] SPKM-REP-TI,
rep-it [2] SPKM-REP-IT,
error [3] SPKM-ERROR,
mic [4] SPKM-MIC,
wrap [5] SPKM-WRAP,
del [6] SPKM-DEL
}
InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
thisMech MechType,
innerContextToken SPKMInnerContextToken
} -- when thisMech is SPKM-1 or SPKM-2
END


@@ -1,42 +0,0 @@
-- $Id$
SPNEGO DEFINITIONS ::=
BEGIN
MechType::= OBJECT IDENTIFIER
MechTypeList ::= SEQUENCE OF MechType
ContextFlags ::= BIT STRING {
delegFlag (0),
mutualFlag (1),
replayFlag (2),
sequenceFlag (3),
anonFlag (4),
confFlag (5),
integFlag (6)
}
NegTokenInit ::= SEQUENCE {
mechTypes [0] MechTypeList OPTIONAL,
reqFlags [1] ContextFlags OPTIONAL,
mechToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
NegTokenTarg ::= SEQUENCE {
negResult [0] ENUMERATED {
accept_completed (0),
accept_incomplete (1),
reject (2) } OPTIONAL,
supportedMech [1] MechType OPTIONAL,
responseToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
NegotiationToken ::= CHOICE {
negTokenInit[0] NegTokenInit,
negTokenTarg[1] NegTokenTarg
}
END


@@ -31,7 +31,7 @@
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
#include <err.h>
RCSID("$Id$");


@@ -31,7 +31,7 @@
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
#include <err.h>
#include <getarg.h>


@@ -31,7 +31,7 @@
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
#include <err.h>
#include <getarg.h>


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");


@@ -31,25 +31,25 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32 gss_test_oid_set_member (
OM_uint32 * minor_status,
OM_uint32 _gsskrb5_test_oid_set_member
(OM_uint32 * minor_status,
const gss_OID member,
const gss_OID_set set,
int * present
)
{
size_t i;
size_t i;
*minor_status = 0;
*present = 0;
for (i = 0; i < set->count; ++i)
if (gss_oid_equal(member, &set->elements[i]) != 0) {
*present = 1;
break;
}
return GSS_S_COMPLETE;
*minor_status = 0;
*present = 0;
for (i = 0; i < set->count; ++i)
if (gss_oid_equal(member, &set->elements[i]) != 0) {
*present = 1;
break;
}
return GSS_S_COMPLETE;
}


@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");


@@ -31,29 +31,29 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32
gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
_gsskrb5_get_tkt_flags(OM_uint32 *minor_status,
gsskrb5_ctx ctx,
OM_uint32 *tkt_flags)
{
if (context_handle == GSS_C_NO_CONTEXT) {
if (ctx == NULL) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ctx->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_BAD_MECH;
}
*tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*tkt_flags = TicketFlags2int(ctx->ticket->ticket.flags);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
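Review bot: The body of `_gsskrb5_get_tkt_flags` — lock, `ticket == NULL` check returning `GSS_S_BAD_MECH`, `TicketFlags2int`, unlock — is the same sequence as `inquire_sec_context_tkt_flags` in the new `_gsskrb5_inquire_sec_context_by_oid` file added by this commit, so the two copies will drift. Having the inquire helper call `_gsskrb5_get_tkt_flags(minor_status, context_handle, &tkt_flags)` keeps one implementation, and it already carries the NULL-context guard that the helper lacks. The function's closing brace lies outside the hunk.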


@@ -31,14 +31,14 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
static OM_uint32
unwrap_des
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
@@ -61,7 +61,7 @@ unwrap_des
int cmp;
p = input_message_buffer->value;
ret = gssapi_krb5_verify_header (&p,
ret = _gsskrb5_verify_header (&p,
input_message_buffer->length,
"\x02\x01",
GSS_KRB5_MECHANISM);
@@ -138,7 +138,7 @@ unwrap_des
memset (&schedule, 0, sizeof(schedule));
seq = p;
gssapi_decode_om_uint32(seq, &seq_number);
_gsskrb5_decode_om_uint32(seq, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
@@ -174,7 +174,7 @@ unwrap_des
static OM_uint32
unwrap_des3
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
@@ -196,7 +196,7 @@ unwrap_des3
int cmp;
p = input_message_buffer->value;
ret = gssapi_krb5_verify_header (&p,
ret = _gsskrb5_verify_header (&p,
input_message_buffer->length,
"\x02\x01",
GSS_KRB5_MECHANISM);
@@ -226,18 +226,18 @@ unwrap_des3
/* decrypt data */
krb5_data tmp;
ret = krb5_crypto_init(gssapi_krb5_context, key,
ret = krb5_crypto_init(_gsskrb5_context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
ret = krb5_decrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
p, input_message_buffer->length - len, &tmp);
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -259,10 +259,10 @@ unwrap_des3
p -= 28;
ret = krb5_crypto_init(gssapi_krb5_context, key,
ret = krb5_crypto_init(_gsskrb5_context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_FAILURE;
@@ -271,15 +271,15 @@ unwrap_des3
DES_cblock ivec;
memcpy(&ivec, p + 8, 8);
ret = krb5_decrypt_ivec (gssapi_krb5_context,
ret = krb5_decrypt_ivec (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SEQ,
p, 8, &seq_data,
&ivec);
}
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_FAILURE;
@@ -292,7 +292,7 @@ unwrap_des3
}
seq = seq_data.data;
gssapi_decode_om_uint32(seq, &seq_number);
_gsskrb5_decode_om_uint32(seq, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
@@ -325,21 +325,21 @@ unwrap_des3
csum.checksum.length = 20;
csum.checksum.data = cksum;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
ret = krb5_verify_checksum (_gsskrb5_context, crypto,
KRB5_KU_USAGE_SIGN,
p + 20,
input_message_buffer->length - len + 8,
&csum);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -357,7 +357,7 @@ unwrap_des3
return GSS_S_COMPLETE;
}
OM_uint32 gss_unwrap
OM_uint32 _gsskrb5_unwrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
@@ -369,45 +369,46 @@ OM_uint32 gss_unwrap
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
ret = gss_krb5_get_subkey(context_handle, &key);
ret = _gsskrb5i_get_subkey(ctx, &key);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
*minor_status = 0;
switch (keytype) {
case KEYTYPE_DES :
ret = unwrap_des (minor_status, context_handle,
ret = unwrap_des (minor_status, ctx,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
case KEYTYPE_DES3 :
ret = unwrap_des3 (minor_status, context_handle,
ret = unwrap_des3 (minor_status, ctx,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_unwrap_arcfour (minor_status, context_handle,
ret = _gssapi_unwrap_arcfour (minor_status, ctx,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
default :
ret = _gssapi_unwrap_cfx (minor_status, context_handle,
ret = _gssapi_unwrap_cfx (minor_status, ctx,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
krb5_free_keyblock (_gsskrb5_context, key);
return ret;
}
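Review bot: `_gsskrb5_unwrap` casts `context_handle` to `gsskrb5_ctx` and hands it straight to `_gsskrb5i_get_subkey` with no `GSS_C_NO_CONTEXT` check, unlike `_gsskrb5_get_tkt_flags` elsewhere in this commit, which returns `GSS_S_NO_CONTEXT` on a NULL context; if the mechglue does not guarantee a non-NULL handle, this is a NULL dereference on the path that processes peer-supplied tokens. A guard right after the cast, `if (ctx == NULL) { *minor_status = EINVAL; return GSS_S_NO_CONTEXT; }`, matches the other entry points. In `unwrap_des3`, the error returns in the checksum hunk (`krb5_crypto_init` and `krb5_verify_checksum` failures) do not call `HEIMDAL_MUTEX_unlock`, while the earlier sequence-number error paths do; whether the mutex is still held at that point cannot be seen from these hunks, so it is worth confirming.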


@@ -31,13 +31,13 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
/* These functions are for V1 compatibility */
OM_uint32 gss_sign
OM_uint32 _gsskrb5_sign
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int qop_req,
@@ -45,14 +45,14 @@ OM_uint32 gss_sign
gss_buffer_t message_token
)
{
return gss_get_mic(minor_status,
return _gsskrb5_get_mic(minor_status,
context_handle,
(gss_qop_t)qop_req,
message_buffer,
message_token);
}
OM_uint32 gss_verify
OM_uint32 _gsskrb5_verify
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t message_buffer,
@@ -60,14 +60,14 @@ OM_uint32 gss_verify
int * qop_state
)
{
return gss_verify_mic(minor_status,
return _gsskrb5_verify_mic(minor_status,
context_handle,
message_buffer,
token_buffer,
(gss_qop_t *)qop_state);
}
OM_uint32 gss_seal
OM_uint32 _gsskrb5_seal
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
@@ -77,7 +77,7 @@ OM_uint32 gss_seal
gss_buffer_t output_message_buffer
)
{
return gss_wrap(minor_status,
return _gsskrb5_wrap(minor_status,
context_handle,
conf_req_flag,
(gss_qop_t)qop_req,
@@ -86,7 +86,7 @@ OM_uint32 gss_seal
output_message_buffer);
}
OM_uint32 gss_unseal
OM_uint32 _gsskrb5_unseal
(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,
@@ -95,7 +95,7 @@ OM_uint32 gss_unseal
int * qop_state
)
{
return gss_unwrap(minor_status,
return _gsskrb5_unwrap(minor_status,
context_handle,
input_message_buffer,
output_message_buffer,


@@ -31,14 +31,14 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
static OM_uint32
verify_mic_des
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -57,7 +57,7 @@ verify_mic_des
int cmp;
p = token_buffer->value;
ret = gssapi_krb5_verify_header (&p,
ret = _gsskrb5_verify_header (&p,
token_buffer->length,
type,
GSS_KRB5_MECHANISM);
@@ -104,7 +104,7 @@ verify_mic_des
memset (&schedule, 0, sizeof(schedule));
seq = p;
gssapi_decode_om_uint32(seq, &seq_number);
_gsskrb5_decode_om_uint32(seq, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
@@ -130,7 +130,7 @@ verify_mic_des
static OM_uint32
verify_mic_des3
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -150,7 +150,7 @@ verify_mic_des3
char ivec[8];
p = token_buffer->value;
ret = gssapi_krb5_verify_header (&p,
ret = _gsskrb5_verify_header (&p,
token_buffer->length,
type,
GSS_KRB5_MECHANISM);
@@ -164,10 +164,10 @@ verify_mic_des3
return GSS_S_BAD_MIC;
p += 4;
ret = krb5_crypto_init(gssapi_krb5_context, key,
ret = krb5_crypto_init(_gsskrb5_context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret){
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -180,14 +180,14 @@ retry:
else
memcpy(ivec, p + 8, 8);
ret = krb5_decrypt_ivec (gssapi_krb5_context,
ret = krb5_decrypt_ivec (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SEQ,
p, 8, &seq_data, ivec);
if (ret) {
if (docompat++) {
gssapi_krb5_set_error_string ();
krb5_crypto_destroy (gssapi_krb5_context, crypto);
_gsskrb5_set_error_string ();
krb5_crypto_destroy (_gsskrb5_context, crypto);
*minor_status = ret;
return GSS_S_FAILURE;
} else
@@ -197,7 +197,7 @@ retry:
if (seq_data.length != 8) {
krb5_data_free (&seq_data);
if (docompat++) {
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
return GSS_S_BAD_MIC;
} else
goto retry;
@@ -206,7 +206,7 @@ retry:
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
seq = seq_data.data;
gssapi_decode_om_uint32(seq, &seq_number);
_gsskrb5_decode_om_uint32(seq, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
@@ -215,7 +215,7 @@ retry:
krb5_data_free (&seq_data);
if (cmp != 0) {
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_BAD_MIC;
@@ -223,7 +223,7 @@ retry:
ret = _gssapi_msg_order_check(context_handle->order, seq_number);
if (ret) {
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return ret;
@@ -233,7 +233,7 @@ retry:
tmp = malloc (message_buffer->length + 8);
if (tmp == NULL) {
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
@@ -246,28 +246,28 @@ retry:
csum.checksum.length = 20;
csum.checksum.data = p + 8;
ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
ret = krb5_verify_checksum (_gsskrb5_context, crypto,
KRB5_KU_USAGE_SIGN,
tmp, message_buffer->length + 8,
&csum);
free (tmp);
if (ret) {
gssapi_krb5_set_error_string ();
krb5_crypto_destroy (gssapi_krb5_context, crypto);
_gsskrb5_set_error_string ();
krb5_crypto_destroy (_gsskrb5_context, crypto);
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_BAD_MIC;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
return GSS_S_COMPLETE;
}
OM_uint32
gss_verify_mic_internal
_gsskrb5_verify_mic_internal
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -278,14 +278,14 @@ gss_verify_mic_internal
OM_uint32 ret;
krb5_keytype keytype;
ret = gss_krb5_get_subkey(context_handle, &key);
ret = _gsskrb5i_get_subkey(context_handle, &key);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
*minor_status = 0;
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = verify_mic_des (minor_status, context_handle,
@@ -309,13 +309,13 @@ gss_verify_mic_internal
key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
krb5_free_keyblock (_gsskrb5_context, key);
return ret;
}
OM_uint32
gss_verify_mic
_gsskrb5_verify_mic
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
@@ -328,9 +328,10 @@ gss_verify_mic
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
ret = gss_verify_mic_internal(minor_status, context_handle,
message_buffer, token_buffer,
qop_state, "\x01\x01");
ret = _gsskrb5_verify_mic_internal(minor_status,
(gsskrb5_ctx)context_handle,
message_buffer, token_buffer,
qop_state, "\x01\x01");
return ret;
}


@@ -31,24 +31,24 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "gsskrb5_locl.h"
RCSID("$Id$");
OM_uint32
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
krb5_keyblock **key)
_gsskrb5i_get_subkey(const gsskrb5_ctx ctx,
krb5_keyblock **key)
{
krb5_keyblock *skey = NULL;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->more_flags & LOCAL) {
krb5_auth_con_getremotesubkey(gssapi_krb5_context,
context_handle->auth_context,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (ctx->more_flags & LOCAL) {
krb5_auth_con_getremotesubkey(_gsskrb5_context,
ctx->auth_context,
&skey);
} else {
krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getlocalsubkey(_gsskrb5_context,
ctx->auth_context,
&skey);
}
/*
@@ -56,22 +56,22 @@ gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
* an acceptor subkey was not required.
*/
if (skey == NULL &&
(context_handle->more_flags & ACCEPTOR_SUBKEY) == 0) {
if (context_handle->more_flags & LOCAL) {
krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
context_handle->auth_context,
(ctx->more_flags & ACCEPTOR_SUBKEY) == 0) {
if (ctx->more_flags & LOCAL) {
krb5_auth_con_getlocalsubkey(_gsskrb5_context,
ctx->auth_context,
&skey);
} else {
krb5_auth_con_getremotesubkey(gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getremotesubkey(_gsskrb5_context,
ctx->auth_context,
&skey);
}
if(skey == NULL)
krb5_auth_con_getkey(gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getkey(_gsskrb5_context,
ctx->auth_context,
&skey);
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if(skey == NULL)
return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
*key = skey;
@@ -90,7 +90,7 @@ sub_wrap_size (
len = 8 + req_output_size + blocksize + extrasize;
gssapi_krb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
total_len -= req_output_size; /* token length */
if (total_len < req_output_size) {
@@ -103,7 +103,7 @@ sub_wrap_size (
}
OM_uint32
gss_wrap_size_limit (
_gsskrb5_wrap_size_limit (
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
@@ -115,14 +115,15 @@ gss_wrap_size_limit (
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
ret = gss_krb5_get_subkey(context_handle, &key);
ret = _gsskrb5i_get_subkey(ctx, &key);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
@@ -134,12 +135,12 @@ gss_wrap_size_limit (
ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
break;
default :
ret = _gssapi_wrap_size_cfx(minor_status, context_handle,
ret = _gssapi_wrap_size_cfx(minor_status, ctx,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
krb5_free_keyblock (_gsskrb5_context, key);
*minor_status = 0;
return ret;
}
@@ -147,7 +148,7 @@ gss_wrap_size_limit (
static OM_uint32
wrap_des
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx ctx,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -169,7 +170,7 @@ wrap_des
padlength = 8 - (input_message_buffer->length % 8);
datalen = input_message_buffer->length + padlength + 8;
len = datalen + 22;
gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
@@ -179,7 +180,7 @@ wrap_des
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header(output_message_buffer->value,
p = _gsskrb5_make_header(output_message_buffer->value,
len,
"\x02\x01", /* TOK_ID */
GSS_KRB5_MECHANISM);
@@ -221,9 +222,9 @@ wrap_des
memcpy (p - 8, hash, 8);
/* sequence number */
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
p -= 16;
@@ -232,17 +233,17 @@ wrap_des
p[2] = (seq_number >> 16) & 0xFF;
p[3] = (seq_number >> 24) & 0xFF;
memset (p + 4,
(context_handle->more_flags & LOCAL) ? 0 : 0xFF,
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
DES_set_key (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/* encrypt the data */
p += 16;
@@ -273,7 +274,7 @@ wrap_des
static OM_uint32
wrap_des3
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx ctx,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -294,7 +295,7 @@ wrap_des3
padlength = 8 - (input_message_buffer->length % 8);
datalen = input_message_buffer->length + padlength + 8;
len = datalen + 34;
gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
@@ -304,7 +305,7 @@ wrap_des3
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header(output_message_buffer->value,
p = _gsskrb5_make_header(output_message_buffer->value,
len,
"\x02\x01", /* TOK_ID */
GSS_KRB5_MECHANISM);
@@ -330,9 +331,9 @@ wrap_des3
input_message_buffer->length);
memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -340,16 +341,16 @@ wrap_des3
return GSS_S_FAILURE;
}
ret = krb5_create_checksum (gssapi_krb5_context,
ret = krb5_create_checksum (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
p + 20,
datalen + 8,
&cksum);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -363,10 +364,10 @@ wrap_des3
memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
free_Checksum (&cksum);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
seq[0] = (seq_number >> 0) & 0xFF;
@@ -374,11 +375,11 @@ wrap_des3
seq[2] = (seq_number >> 16) & 0xFF;
seq[3] = (seq_number >> 24) & 0xFF;
memset (seq + 4,
(context_handle->more_flags & LOCAL) ? 0 : 0xFF,
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE,
ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE,
&crypto);
if (ret) {
free (output_message_buffer->value);
@@ -392,15 +393,15 @@ wrap_des3
DES_cblock ivec;
memcpy (&ivec, p + 8, 8);
ret = krb5_encrypt_ivec (gssapi_krb5_context,
ret = krb5_encrypt_ivec (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata,
&ivec);
}
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -413,10 +414,10 @@ wrap_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/* encrypt the data */
p += 28;
@@ -424,21 +425,21 @@ wrap_des3
if(conf_req_flag) {
krb5_data tmp;
ret = krb5_crypto_init(gssapi_krb5_context, key,
ret = krb5_crypto_init(_gsskrb5_context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
ret = krb5_encrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
p, datalen, &tmp);
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -456,7 +457,7 @@ wrap_des3
return GSS_S_COMPLETE;
}
OM_uint32 gss_wrap
OM_uint32 _gsskrb5_wrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
@@ -469,38 +470,39 @@ OM_uint32 gss_wrap
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
ret = gss_krb5_get_subkey(context_handle, &key);
ret = _gsskrb5i_get_subkey(ctx, &key);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = wrap_des (minor_status, context_handle, conf_req_flag,
ret = wrap_des (minor_status, ctx, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
case KEYTYPE_DES3 :
ret = wrap_des3 (minor_status, context_handle, conf_req_flag,
ret = wrap_des3 (minor_status, ctx, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag,
ret = _gssapi_wrap_arcfour (minor_status, ctx, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
default :
ret = _gssapi_wrap_cfx (minor_status, context_handle, conf_req_flag,
ret = _gssapi_wrap_cfx (minor_status, ctx, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
krb5_free_keyblock (_gsskrb5_context, key);
return ret;
}
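Review bot: The new line `const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;` in `_gsskrb5_wrap_size_limit` and again in `_gsskrb5_wrap` converts the opaque mechglue handle to the mechanism-private struct with no NULL check, and `_gsskrb5i_get_subkey` immediately does `HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex)` on it, so a `GSS_C_NO_CONTEXT` handle reaching either entry point is a NULL dereference rather than the `GSS_S_NO_CONTEXT` status the GSS-API contract defines. If the mechglue layer is now the only caller and rejects `GSS_C_NO_CONTEXT` before dispatching, that invariant should be recorded at the cast, e.g. `/* context_handle is validated by the mechglue before dispatch; never GSS_C_NO_CONTEXT here */`; otherwise a guard `if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; }` right after the cast is cheap. The same cast appears inline as `(gsskrb5_ctx)context_handle` in `_gsskrb5_verify_mic` in the previous file, which is inconsistent in both form and constness with the named `ctx` local used here; picking one pattern would make the handle-conversion points easy to audit. Note that `_gsskrb5_wrap` is split across the `@@ -456` and `@@ -469` hunks, so the declarations preceding the cast are partly outside the hunk being reviewed.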