diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c
index c4661226e..2932486d4 100644
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -31,12 +31,12 @@
 * SUCH DAMAGE.
 */
-#include "gssapi_locl.h"
+#include "gsskrb5_locl.h"
 RCSID("$Id$");
 krb5_error_code
-gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
+_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)
 {
 p[0] = (n >> 0) & 0xFF;
 p[1] = (n >> 8) & 0xFF;
@@ -46,7 +46,7 @@ gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
 }
 krb5_error_code
-gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
+_gsskrb5_encode_be_om_uint32(OM_uint32 n, u_char *p)
 {
 p[0] = (n >> 24) & 0xFF;
 p[1] = (n >> 16) & 0xFF;
@@ -56,7 +56,7 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
 }
 krb5_error_code
-gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
+_gsskrb5_decode_om_uint32(const void *ptr, OM_uint32 *n)
 {
 const u_char *p = ptr;
 *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
@@ -64,7 +64,7 @@ gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
 }
 krb5_error_code
-gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
+_gsskrb5_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
 {
 const u_char *p = ptr;
 *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
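Review bot: The two decoders on the new side, `_gsskrb5_decode_om_uint32` and `_gsskrb5_decode_be_om_uint32`, shift a `u_char` that has been promoted to `int` by 24 (`p[3] << 24` and `p[0] << 24`), which is undefined behaviour in C whenever that byte is 0x80 or larger, because the result does not fit in a signed `int`; the rename keeps this as it was rather than fixing it. The bytes reach these shifts from the peer's checksum in `_gsskrb5_verify_8003_checksum` further down in this file, so the input is not under local control. Casting before the shift removes the problem without changing the value on any platform where it currently happens to work: `*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | ((OM_uint32)p[3] << 24);` and `*n = ((OM_uint32)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);`. Both function bodies, including their return statements, continue past the end of these hunks.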
@@ -79,23 +79,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
 MD5_CTX md5;
 MD5_Init(&md5);
- gssapi_encode_om_uint32 (b->initiator_addrtype, num);
+ _gsskrb5_encode_om_uint32 (b->initiator_addrtype, num);
 MD5_Update (&md5, num, sizeof(num));
- gssapi_encode_om_uint32 (b->initiator_address.length, num);
+ _gsskrb5_encode_om_uint32 (b->initiator_address.length, num);
 MD5_Update (&md5, num, sizeof(num));
 if (b->initiator_address.length)
 MD5_Update (&md5, b->initiator_address.value, b->initiator_address.length);
- gssapi_encode_om_uint32 (b->acceptor_addrtype, num);
+ _gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num);
 MD5_Update (&md5, num, sizeof(num));
- gssapi_encode_om_uint32 (b->acceptor_address.length, num);
+ _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
 MD5_Update (&md5, num, sizeof(num));
 if (b->acceptor_address.length)
 MD5_Update (&md5, b->acceptor_address.value, b->acceptor_address.length);
- gssapi_encode_om_uint32 (b->application_data.length, num);
+ _gsskrb5_encode_om_uint32 (b->application_data.length, num);
 MD5_Update (&md5, num, sizeof(num));
 if (b->application_data.length)
 MD5_Update (&md5,
@@ -112,7 +112,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
 */
 OM_uint32
-gssapi_krb5_create_8003_checksum (
+_gsskrb5_create_8003_checksum (
 OM_uint32 *minor_status,
 const gss_channel_bindings_t input_chan_bindings,
 OM_uint32 flags,
@@ -136,7 +136,7 @@ gssapi_krb5_create_8003_checksum (
 }
 p = result->checksum.data;
- gssapi_encode_om_uint32 (16, p);
+ _gsskrb5_encode_om_uint32 (16, p);
 p += 4;
 if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
 memset (p, 0, 16);
@@ -144,7 +144,7 @@ gssapi_krb5_create_8003_checksum (
 hash_input_chan_bindings (input_chan_bindings, p);
 }
 p += 16;
- gssapi_encode_om_uint32 (flags, p);
+ _gsskrb5_encode_om_uint32 (flags, p);
 p += 4;
 if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -167,7 +167,7 @@ gssapi_krb5_create_8003_checksum (
 */
 OM_uint32
-gssapi_krb5_verify_8003_checksum(
+_gsskrb5_verify_8003_checksum(
 OM_uint32 *minor_status,
 const gss_channel_bindings_t input_chan_bindings,
 const Checksum *cksum,
@@ -192,7 +192,7 @@ gssapi_krb5_verify_8003_checksum(
 }
 p = cksum->checksum.data;
- gssapi_decode_om_uint32(p, &length);
+ _gsskrb5_decode_om_uint32(p, &length);
 if(length != sizeof(hash)) {
 *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
@@ -214,7 +214,7 @@ gssapi_krb5_verify_8003_checksum(
 p += sizeof(hash);
- gssapi_decode_om_uint32(p, flags);
+ _gsskrb5_decode_om_uint32(p, flags);
 p += 4;
 if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
diff --git a/lib/gssapi/krb5/ChangeLog b/lib/gssapi/krb5/ChangeLog
deleted file mode 100644
index b26bb1d7f..000000000
--- a/lib/gssapi/krb5/ChangeLog
+++ /dev/null
@@ -1,1566 +0,0 @@ -2006-06-22 Love Hörnquist Åstrand - - * gssapi.h: Add oid_to_str. - - * Makefile.am: add oid_to_str and test_oid - - * oid_to_str.c: Add gss_oid_to_str - - * test_oid.c: Add test for gss_oid_to_str() - -2006-05-13 Love Hörnquist Åstrand - - * verify_mic.c: Less pointer signedness warnings. - - * unwrap.c: Less pointer signedness warnings. - - * arcfour.c: Less pointer signedness warnings. - - * gssapi_locl.h: Use const void * to instead of unsigned char * to - avoid pointer signedness warnings. - - * encapsulate.c: Use const void * to instead of unsigned char * to - avoid pointer signedness warnings. - - * decapsulate.c: Use const void * to instead of unsigned char * to - avoid pointer signedness warnings. - - * decapsulate.c: Less pointer signedness warnings. - - * cfx.c: Less pointer signedness warnings. - - * init_sec_context.c: Less pointer signedness warnings (partly by - using the new asn.1 CHOICE decoder) - - * import_sec_context.c: Less pointer signedness warnings. - -2006-05-09 Love Hörnquist Åstrand - - * accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From - Andrew Abartlet. - -2006-05-08 Love Hörnquist Åstrand - - * get_mic.c (mic_des3): make sure message_buffer doesn't point to - free()ed memory on failure. Pointed out by IBM checker. - -2006-05-05 Love Hörnquist Åstrand - - * Rename u_intXX_t to uintXX_t - -2006-05-04 Love Hörnquist Åstrand - - * cfx.c: Less pointer signedness warnings. - - * arcfour.c: Avoid pointer signedness warnings. - - * gssapi_locl.h (gssapi_decode_*): make data argument const void * - - * 8003.c (gssapi_decode_*): make data argument const void * - -2006-04-12 Love Hörnquist Åstrand - - * export_sec_context.c: Export sequence order element. From Wynn - Wilkes . - - * import_sec_context.c: Import sequence order element. From Wynn - Wilkes . - - * sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export): - New functions, used by {import,export}_sec_context. From Wynn - Wilkes . 
- - * test_sequence.c: Add test for import/export sequence. - -2006-04-09 Love Hörnquist Åstrand - - * add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a - standard conformance failure, but much better then a crash. - -2006-04-02 Love Hörnquist Åstrand - - * get_mic.c (get_mic*)_: make sure message_token is cleaned on - error, found by IBM checker. - - * wrap.c (wrap*): Reset output_buffer on error, found by IBM - checker. - -2006-02-15 Love Hörnquist Åstrand - - * import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and - GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names. - -2006-01-16 Love Hörnquist Åstrand - - * delete_sec_context.c (gss_delete_sec_context): if the context - handle is GSS_C_NO_CONTEXT, don't fall over. - -2005-12-12 Love Hörnquist Åstrand - - * gss_acquire_cred.3: Replace gss_krb5_import_ccache with - gss_krb5_import_cred and add more references - -2005-12-05 Love Hörnquist Åstrand - - * gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred, - it can handle keytabs too. - - * add_cred.c (gss_add_cred): avoid deadlock - - * context_time.c (gssapi_lifetime_left): define the 0 lifetime as - GSS_C_INDEFINITE. - -2005-12-01 Love Hörnquist Åstrand - - * acquire_cred.c (acquire_acceptor_cred): only check if principal - exists if we got called with principal as an argument. - - * acquire_cred.c (acquire_acceptor_cred): check that the acceptor - exists in the keytab before returning ok. - -2005-11-29 Love Hörnquist Åstrand - - * copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew - Bartlett. - -2005-11-25 Love Hörnquist Åstrand - - * test_kcred.c: Rename gss_krb5_import_ccache to - gss_krb5_import_cred. - - * copy_ccache.c: Rename gss_krb5_import_ccache to - gss_krb5_import_cred and let it grow code to handle keytabs too. - -2005-11-02 Love Hörnquist Åstrand - - * init_sec_context.c: Change sematics of ok-as-delegate to match - windows if - [gssapi]realm/ok-as-delegate=true is set, otherwise keep old - sematics. 
- - * release_cred.c (gss_release_cred): use - GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be - krb5_cc_destroy-ed - - * acquire_cred.c (acquire_initiator_cred): - GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials. - - * accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite - to use gss_krb5_import_ccache - -2005-11-01 Love Hörnquist Åstrand - - * arcfour.c: Remove signedness warnings. - -2005-10-31 Love Hörnquist Åstrand - - * gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy - by reference. - - * copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy - of the ccache, make a reference by getting the name and resolving - the name. This way the cache is shared, this flipp side is of - course that if someone calls krb5_cc_destroy the cache is lost for - everyone. - - * test_kcred.c: Remove memory leaks. - -2005-10-26 Love Hörnquist Åstrand - - * Makefile.am: build test_kcred - - * gss_acquire_cred.3: Document gss_krb5_import_ccache - - * gssapi.3: Sort and add gss_krb5_import_ccache. - - * acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code - used to extract lifetime from a credential cache - - * gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract - lifetime from a credential cache. - - * gssapi.h: add gss_krb5_import_ccache, reverse of - gss_krb5_copy_ccache - - * copy_ccache.c: add gss_krb5_import_ccache, reverse of - gss_krb5_copy_ccache - - * test_kcred.c: test gss_krb5_import_ccache - -2005-10-21 Love Hörnquist Åstrand - - * acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match - to find a matching creditial cache, if that failes, fallback to - the default cache. - -2005-10-12 Love Hörnquist Åstrand - - * gssapi_locl.h: Add gssapi_krb5_set_status and - gssapi_krb5_clear_status - - * init_sec_context.c (spnego_reply): Don't pass back raw Kerberos - errors, use GSS-API errors instead. From Michael B Allen. 
- - * display_status.c: Add gssapi_krb5_clear_status, - gssapi_krb5_set_status for handling error messages. - -2005-08-23 Love Hörnquist Åstrand - - * external.c: Use rk_UNCONST to avoid const warning. - - * display_status.c: Constify strings to avoid warnings. - -2005-08-11 Love Hörnquist Åstrand - - * init_sec_context.c: avoid warnings, update (c) - -2005-07-13 Love Hörnquist Åstrand - - * init_sec_context.c (spnego_initial): use NegotiationToken - encoder now that we have one with the new asn1. compiler. - - * Makefile.am: the new asn.1 compiler includes the modules name in - the depend file - -2005-06-16 Love Hörnquist Åstrand - - * decapsulate.c: use rk_UNCONST - - * ccache_name.c: rename to avoid shadowing - - * gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name - - * process_context_token.c: use rk_UNCONST to unconstify - - * test_cred.c: rename optind to optidx - -2005-05-30 Love Hörnquist Åstrand - - * init_sec_context.c (init_auth): honor ok-as-delegate if local - configuration approves - - * gssapi_locl.h: prototype for _gss_check_compat - - * compat.c: export check_compat as _gss_check_compat - -2005-05-29 Love Hörnquist Åstrand - - * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid - problems with system headerfiles that pollute the name space. - - * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid - problems with system headerfiles that pollute the name space. - -2005-05-17 Love Hörnquist Åstrand - - * init_sec_context.c (init_auth): set - KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility), - also while here, use krb5_auth_con_addflags - -2005-05-06 Love Hörnquist Åstrand - - * arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap - length. 
From: Tom Maher - -2005-05-02 Dave Love - - * test_cred.c (main): Call setprogname. - -2005-04-27 Love Hörnquist Åstrand - - * prefix all sequence symbols with _, they are not part of the - GSS-API api. By comment from Wynn Wilkes - -2005-04-10 Love Hörnquist Åstrand - - * accept_sec_context.c: break out the processing of the delegated - credential to a separate function to make error handling easier, - move the credential handling to after other setup is done - - * test_sequence.c: make less verbose in case of success - - * Makefile.am: add test_sequence to TESTS - -2005-04-01 Love Hörnquist Åstrand - - * 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum - isn't NULL 
From: Nicolas Pouvesle - -2005-03-21 Love Hörnquist Åstrand - - * Makefile.am: use $(LIB_roken) - -2005-03-16 Love Hörnquist Åstrand - - * display_status.c (gssapi_krb5_set_error_string): pass in the - krb5_context to krb5_free_error_string - -2005-03-15 Love Hörnquist Åstrand - - * display_status.c (gssapi_krb5_set_error_string): don't misuse - the krb5_get_error_string api - -2005-03-01 Love Hörnquist Åstrand - - * compat.c (_gss_DES3_get_mic_compat): don't unlock mutex - here. Bug reported by Stefan Metzmacher - -2005-02-21 Luke Howard - - * init_sec_context.c: don't call krb5_get_credentials() with - KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache - growing indefinitely as no key is found with KEYTYPE_NULL - - * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is - no longer used (however the mechListMIC behaviour is broken, - rfc2478bis support requires the code in the mechglue branch) - - * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - - * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - -2005-01-05 Luke Howard - - * 8003.c: use symbolic name for checksum type - - * accept_sec_context.c: allow client to indicate - that subkey should be used - - * acquire_cred.c: plug leak - - * get_mic.c: use gss_krb5_get_subkey() instead - of gss_krb5_get_{local,remote}key(), support - KEYTYPE_ARCFOUR_56 - - * gssapi_local.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - - * import_sec_context.c: plug leak - - * unwrap.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - - * verify_mic.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - - * wrap.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - -2004-11-30 Love Hörnquist Åstrand - - * inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and - gss_release_cred to avoid deadlock, from Luke Howard - . 
- -2004-09-06 Love Hörnquist Åstrand - - * gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context - was renamed to gsskrb5_extract_authz_data_from_sec_context - -2004-08-07 Love Hörnquist Åstrand - - * unwrap.c: mutex buglet, From: Luke Howard - - * arcfour.c: mutex buglet, From: Luke Howard - -2004-05-06 Love Hörnquist Åstrand - - * gssapi.3: spelling from Josef El-Rayes while - here, write some text about the SPNEGO situation - -2004-04-08 Love Hörnquist Åstrand - - * cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/ - -2004-04-07 Love Hörnquist Åstrand - - * gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke - Howard - - * init_sec_context.c (spnego_reply): use - _gss_spnego_require_mechlist_mic to figure out if we need to check - MechListMIC; From: Luke Howard - - * accept_sec_context.c (send_accept): use - _gss_spnego_require_mechlist_mic to figure out if we need to send - MechListMIC; From: Luke Howard - - * gssapi_locl.h: add _gss_spnego_require_mechlist_mic - From: Luke Howard - - * compat.c: add _gss_spnego_require_mechlist_mic for compatibility - with MS SPNEGO, From: Luke Howard - -2004-04-05 Love Hörnquist Åstrand - - * accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is - an enctype, not keytype - - * accept_sec_context.c: use ASN1_MALLOC_ENCODE - - * init_sec_context.c: avoid the malloc loop and just allocate the - propper amount of data - - * init_sec_context.c (spnego_initial): handle mech_token better - -2004-03-19 Love Hörnquist Åstrand - - * gssapi.h: add gss_krb5_get_tkt_flags - - * Makefile.am: add ticket_flags.c - - * ticket_flags.c: Get ticket-flags from acceptor ticket 
From: Luke - Howard - - * gss_acquire_cred.3: document gss_krb5_get_tkt_flags - -2004-03-14 Love Hörnquist Åstrand - - * acquire_cred.c (gss_acquire_cred): check usage before even - bothering to process it, add both keytab and initial tgt if - requested - - * wrap.c: support cfx, try to handle acceptor asserted subkey - - * unwrap.c: support cfx, try to handle acceptor asserted subkey - - * verify_mic.c: support cfx - - * get_mic.c: support cfx - - * test_sequence.c: handle changed signature of - gssapi_msg_order_create - - * import_sec_context.c: handle acceptor asserted subkey - - * init_sec_context.c: handle acceptor asserted subkey - - * accept_sec_context.c: handle acceptor asserted subkey - - * sequence.c: add dummy use_64 argument to gssapi_msg_order_create - - * gssapi_locl.h: add partial support for CFX - - * Makefile.am (noinst_PROGRAMS) += test_cred - - * test_cred.c: gssapi credential testing - - * test_acquire_cred.c: fix comment - -2004-03-07 Love Hörnquist Åstrand - - * arcfour.h: drop structures for message formats, no longer used - - * arcfour.c: comment describing message formats - - * accept_sec_context.c (spnego_accept_sec_context): make sure the - length of the choice element doesn't overrun us - - * init_sec_context.c (spnego_reply): make sure the length of the - choice element doesn't overrun us - - * spnego.asn1: move NegotiationToken to avoid warning - - * spnego.asn1: uncomment NegotiationToken - - * Makefile.am: spnego_files += asn1_NegotiationToken.x - -2004-01-25 Love Hörnquist Åstrand - - * gssapi.h: add gss_krb5_ccache_name - - * Makefile.am (libgssapi_la_SOURCES): += ccache_name.c - - * ccache_name.c (gss_krb5_ccache_name): help function enable to - set krb5 name, using out_name argument makes function no longer - thread-safe - - * gssapi.3: add missing gss_krb5_ references - - * gss_acquire_cred.3: document gss_krb5_ccache_name - -2003-12-12 Love Hörnquist Åstrand - - * cfx.c: make rrc a modulus operation if its longer then the - 
length of the message, noticed by Sam Hartman - -2003-12-07 Love Hörnquist Åstrand - - * accept_sec_context.c: use krb5_auth_con_addflags - -2003-12-05 Love Hörnquist Åstrand - - * cfx.c: Wrap token id was in wrong order, found by Sam Hartman - -2003-12-04 Love Hörnquist Åstrand - - * cfx.c: add AcceptorSubkey (but no code understand it yet) ignore - unknown token flags - -2003-11-22 Love Hörnquist Åstrand - - * accept_sec_context.c: Don't require timestamp to be set on - delegated token, its already protected by the outer token (and - windows doesn't alway send it) Pointed out by Zi-Bin Yang - on heimdal-discuss - -2003-11-14 Love Hörnquist Åstrand - - * cfx.c: fix {} error, pointed out by Liqiang Zhu - -2003-11-10 Love Hörnquist Åstrand - - * cfx.c: Sequence number should be stored in bigendian order From: - Luke Howard - -2003-11-09 Love Hörnquist Åstrand - - * delete_sec_context.c (gss_delete_sec_context): don't free - ticket, krb5_free_ticket does that now - -2003-11-06 Love Hörnquist Åstrand - - * cfx.c: checksum the header last in MIC token, update to -03 - From: Luke Howard - -2003-10-07 Love Hörnquist Åstrand - - * add_cred.c: If its a MEMORY cc, make a copy. We need to do this - since now gss_release_cred will destroy the cred. This should be - really be solved a better way. - - * acquire_cred.c (gss_release_cred): if its a mcc, destroy it - rather the just release it Found by: "Zi-Bin Yang" - - - * acquire_cred.c (acquire_initiator_cred): use kret instead of ret - where appropriate - -2003-09-30 Love Hörnquist Åstrand - - * gss_acquire_cred.3: spelling - From: jmc - -2003-09-23 Love Hörnquist Åstrand - - * cfx.c: - EC and RRC are big-endian, not little-endian - The - default is now to rotate regardless of GSS_C_DCE_STYLE. There are - no longer any references to GSS_C_DCE_STYLE. - rrc_rotate() - avoids allocating memory on the heap if rrc <= 256 - 
From: Luke Howard - -2003-09-22 Love Hörnquist Åstrand - - * cfx.[ch]: rrc_rotate() was untested and broken, fix it. - Set and verify wrap Token->Filler. - Correct token ID for wrap tokens, - were accidentally swapped with delete tokens. - From: Luke Howard - -2003-09-21 Love Hörnquist Åstrand - - * cfx.[ch]: no ASN.1-ish header on per-message tokens - From: Luke Howard - -2003-09-19 Love Hörnquist Åstrand - - * arcfour.h: remove depenency on gss_arcfour_mic_token and - gss_arcfour_warp_token - - * arcfour.c: remove depenency on gss_arcfour_mic_token and - gss_arcfour_warp_token - -2003-09-18 Love Hörnquist Åstrand - - * 8003.c: remove #if 0'ed code - -2003-09-17 Love Hörnquist Åstrand - - * accept_sec_context.c (gsskrb5_accept_sec_context): set sequence - number when not requesting mutual auth From: Luke Howard - - - * init_sec_context.c (init_auth): set sequence number when not - requesting mutual auth From: Luke Howard - -2003-09-16 Love Hörnquist Åstrand - - * arcfour.c (*): set minor_status - (gss_wrap): set conf_state to conf_req_flags on success - From: Luke Howard - - * wrap.c (gss_wrap_size_limit): use existing function 
From: Luke - Howard - -2003-09-12 Love Hörnquist Åstrand - - * indicate_mechs.c (gss_indicate_mechs): in case of error, free - mech_set - - * indicate_mechs.c (gss_indicate_mechs): add SPNEGO - -2003-09-10 Love Hörnquist Åstrand - - * init_sec_context.c (spnego_initial): catch errors and return - them - - * init_sec_context.c (spnego_initial): add #if 0 out version of - the CHOICE branch encoding, also where here, free no longer used - memory - -2003-09-09 Love Hörnquist Åstrand - - * gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM - - * accept_sec_context.c: SPNEGO doesn't include gss wrapping on - SubsequentContextToken like the Kerberos 5 mech does. - - * init_sec_context.c (spnego_reply): SPNEGO doesn't include gss - wrapping on SubsequentContextToken like the Kerberos 5 mech - does. Lets check for it anyway. - - * accept_sec_context.c: Add support for SPNEGO on the initator - side. Implementation initially from Assar Westerlund, passes - though quite a lot of hands before I commited it. - - * init_sec_context.c: Add support for SPNEGO on the initator side. - Tested with ldap server on a Windows 2000 DC. Implementation - initially from Assar Westerlund, passes though quite a lot of - hands before I commited it. - - * gssapi.h: export GSS_SPNEGO_MECHANISM - - * gssapi_locl.h: include spnego_as.h add prototype for - gssapi_krb5_get_mech - - * decapsulate.c (gssapi_krb5_get_mech): make non static - - * Makefile.am: build SPNEGO file - -2003-09-08 Love Hörnquist Åstrand - - * external.c: SPENGO and IAKERB oids - - * spnego.asn1: SPENGO ASN1 - -2003-09-05 Love Hörnquist Åstrand - - * cfx.c: RRC also need to be zero before wraping them - 
From: Luke Howard - -2003-09-04 Love Hörnquist Åstrand - - * encapsulate.c (gssapi_krb5_encap_length): don't return void - -2003-09-03 Love Hörnquist Åstrand - - * verify_mic.c: switch from the des_ to the DES_ api - - * get_mic.c: switch from the des_ to the DES_ api - - * unwrap.c: switch from the des_ to the DES_ api - - * wrap.c: switch from the des_ to the DES_ api - - * cfx.c: EC is not included in the checksum since the length might - change depending on the data. From: Luke Howard - - * acquire_cred.c: use - krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free - -2003-09-01 Love Hörnquist Åstrand - - * copy_ccache.c: rename - gss_krb5_extract_authz_data_from_sec_context to - gsskrb5_extract_authz_data_from_sec_context - - * gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to - gsskrb5_extract_authz_data_from_sec_context - -2003-08-31 Love Hörnquist Åstrand - - * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): - check that we have a ticket before we start to use it - - * gss_acquire_cred.3: document - gss_krb5_extract_authz_data_from_sec_context - - * gssapi.h (gss_krb5_extract_authz_data_from_sec_context): - return the kerberos authorizationdata, from idea of Luke Howard - - * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): - return the kerberos authorizationdata, from idea of Luke Howard - - * verify_mic.c (gss_verify_mic_internal): switch type and key - argument - -2003-08-30 Love Hörnquist Åstrand - - * cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation - From: Luke Howard - -2003-08-28 Love Hörnquist Åstrand - - * arcfour.c (arcfour_mic_cksum): use free_Checksum to free the - checksum - - * arcfour.h: swap two last arguments to verify_mic for consistency - with des3 - - * wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h: - prefix cfx symbols with _gssapi_ - - * arcfour.c: release the right buffer - - * arcfour.c: rename token structure in consistency with rest of - GSS-API 
From: Luke Howard - - * unwrap.c (unwrap_des3): use _gssapi_verify_pad - (unwrap_des): use _gssapi_verify_pad - - * arcfour.c (_gssapi_wrap_arcfour): set the correct padding - (_gssapi_unwrap_arcfour): verify and strip padding - - * gssapi_locl.h: added _gssapi_verify_pad - - * decapsulate.c (_gssapi_verify_pad): verify padding of a gss - wrapped message and return its length - - * arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard - - - * arcfour.c: use right seal alg, inherit keytype from parent key - - * arcfour.c: include the confounder in the checksum use the right - key usage number for warped/unwraped tokens - - * gssapi.h: add gss_krb5_nt_general_name as an mit compat glue - (same as GSS_KRB5_NT_PRINCIPAL_NAME) - - * unwrap.c: hook in arcfour unwrap - - * wrap.c: hook in arcfour wrap - - * verify_mic.c: hook in arcfour verify_mic - - * get_mic.c: hook in arcfour get_mic - - * arcfour.c: implement wrap/unwarp - - * gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32 - - * 8003.c: add gssapi_{en,de}code_be_om_uint32 - -2003-08-27 Love Hörnquist Åstrand - - * arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right - area. Swap filler check, it was reversed. 
- - * Makefile.am (libgssapi_la_SOURCES): += arcfour.c - - * gssapi_locl.h: include "arcfour.h" - - * arcfour.c: arcfour gss-api mech, get_mic/verify_mic working - - * arcfour.h: arcfour gss-api mech, get_mic/verify_mic working - -2003-08-26 Love Hörnquist Åstrand - - * gssapi_locl.h: always include cfx.h add prototype for - _gssapi_decapsulate - - * cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt - from Luke Howard - - * decapsulate.c: add _gssapi_decapsulate, from Luke Howard - - -2003-08-25 Love Hörnquist Åstrand - - * unwrap.c: encap/decap now takes a oid if the enctype/keytype is - arcfour, return error add hook for cfx - - * verify_mic.c: encap/decap now takes a oid if the enctype/keytype - is arcfour, return error add hook for cfx - - * get_mic.c: encap/decap now takes a oid if the enctype/keytype is - arcfour, return error add hook for cfx - - * accept_sec_context.c: encap/decap now takes a oid - - * init_sec_context.c: encap/decap now takes a oid - - * gssapi_locl.h: include cfx.h if we need it lifetime is a - OM_uint32, depend on gssapi interface add all new encap/decap - functions - - * decapsulate.c: add decap functions that doesn't take the token - type also make all decap function take the oid mech that they - should use - - * encapsulate.c: add encap functions that doesn't take the token - type also make all encap function take the oid mech that they - should use - - * sequence.c (elem_insert): fix a off by one index counter - - * inquire_cred.c (gss_inquire_cred): handle cred_handle beeing - GSS_C_NO_CREDENTIAL and use the default cred then. 
- -2003-08-19 Love Hörnquist Åstrand - - * gss_acquire_cred.3: break out extensions and document - gsskrb5_register_acceptor_identity - -2003-08-18 Love Hörnquist Åstrand - - * test_acquire_cred.c (print_time): time is returned in seconds - from now, not unix time - -2003-08-17 Love Hörnquist Åstrand - - * compat.c (check_compat): avoid leaking principal when finding a - match - - * address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is - a krb5_socklen_t - - * acquire_cred.c (gss_acquire_cred): 4th argument to - gss_test_oid_set_member is a int - -2003-07-22 Love Hörnquist Åstrand - - * init_sec_context.c (repl_mutual): don't set kerberos error where - there was no kerberos error - - * gssapi_locl.h: Add destruction/creation prototypes and structure - for the thread specific storage. - - * display_status.c: use thread specific storage to set/get the - kerberos error message - - * init.c: Provide locking around the creation of the global - krb5_context. Add destruction/creation functions for the thread - specific storage that the error string handling is using. 
- -2003-07-20 Love Hörnquist Åstrand - - * gss_acquire_cred.3: add missing prototype and missing .Ft - arguments - -2003-06-17 Love Hörnquist Åstrand - - * verify_mic.c: reorder code so sequence numbers can can be used - - * unwrap.c: reorder code so sequence numbers can can be used - - * sequence.c: remove unused function, indent, add - gssapi_msg_order_f that filter gss flags to gss_msg_order flags - - * gssapi_locl.h: prototypes for - gssapi_{encode_om_uint32,decode_om_uint32} add sequence number - verifier prototypes - - * delete_sec_context.c: destroy sequence number verifier - - * init_sec_context.c: remember to free data use sequence number - verifier - - * accept_sec_context.c: don't clear output_token twice remember to - free data use sequence number verifier - - * 8003.c: export and rename encode_om_uint32/decode_om_uint32 and - start to use them - -2003-06-09 Johan Danielsson - - * Makefile.am: can't have sequence.c in two different places - -2003-06-06 Love Hörnquist Åstrand - - * test_sequence.c: check rollover, print summery - - * wrap.c (sub_wrap_size): gss_wrap_size_limit() has - req_output_size and max_input_size around the wrong way -- it - returns the output token size for a given input size, rather than - the maximum input size for a given output token size. - - 
From: Luke Howard - -2003-06-05 Love Hörnquist Åstrand - - * gssapi_locl.h: add prototypes for sequence.c - - * Makefile.am (libgssapi_la_SOURCES): add sequence.c - (test_sequence): build - - * sequence.c: sequence number checks, order and replay - * test_sequence.c: sequence number checks, order and replay - -2003-06-03 Love Hörnquist Åstrand - - * accept_sec_context.c (gss_accept_sec_context): make sure time is - returned in seconds from now, not in kerberos time - - * acquire_cred.c (gss_aquire_cred): make sure time is returned in - seconds from now, not in kerberos time - - * init_sec_context.c (init_auth): if the cred is expired before we - tries to create a token, fail so the peer doesn't need reject us - (*): make sure time is returned in seconds from now, - not in kerberos time - (repl_mutual): remember to unlock the context mutex - - * context_time.c (gss_context_time): remove unused variable - - * verify_mic.c: make sure minor_status is always set, pointed out - by Luke Howard - -2003-05-21 Love Hörnquist Åstrand - - * *.[ch]: do some basic locking (no reference counting so contexts - can be removed while still used) - - don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct - - make sure all lifetime are returned in seconds left until expired, - not in unix epoch - - * gss_acquire_cred.3: document argument lifetime_rec to function - gss_inquire_context - -2003-05-17 Love Hörnquist Åstrand - - * test_acquire_cred.c: test gss_add_cred more then once - -2003-05-06 Love Hörnquist Åstrand - - * gssapi.h: if __cplusplus, wrap the extern variable (just to be - safe) and functions in extern "C" { } - -2003-04-30 Love Hörnquist Åstrand - - * gssapi.3: more about the des3 mic mess - - * verify_mic.c (verify_mic_des3): always check if the mic is the - correct mic or the mic that old heimdal would have generated - -2003-04-28 Jacques Vidrine - - * verify_mic.c (verify_mic_des3): If MIC verification fails, - retry using the `old' MIC computation (with 
zero IV). - -2003-04-26 Love Hörnquist Åstrand - - * gss_acquire_cred.3: more about difference between comparing IN - and MN - - * gss_acquire_cred.3: more about name type and access control - -2003-04-25 Love Hörnquist Åstrand - - * gss_acquire_cred.3: document gss_context_time - - * context_time.c: if lifetime of context have expired, set - time_rec to 0 and return GSS_S_CONTEXT_EXPIRED - - * gssapi.3: document [gssapi]correct_des3_mic - [gssapi]broken_des3_mic - - * gss_acquire_cred.3: document gss_krb5_compat_des3_mic - - * compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3 - mic compat - (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too - - * gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off - des3 mic compat - (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if - gss_krb5_compat_des3_mic exists - -2003-04-24 Love Hörnquist Åstrand - - * Makefile.am: (libgssapi_la_LDFLAGS): update major - version of gssapi for incompatiblity in 3des getmic support - -2003-04-23 Love Hörnquist Åstrand - - * Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not - ./libgssapi.la (make make -jN work) - -2003-04-16 Love Hörnquist Åstrand - - * gssapi.3: spelling - - * gss_acquire_cred.3: Change .Fd #include to .In - header.h, from Thomas Klausner - - -2003-04-06 Love Hörnquist Åstrand - - * gss_acquire_cred.3: spelling - - * Makefile.am: remove stuff that sneaked in with last commit - - * acquire_cred.c (acquire_initiator_cred): if the requested name - isn't in the ccache, also check keytab. Extact the krbtgt for the - default realm to check how long the credentials will last. 
- - * add_cred.c (gss_add_cred): don't create a new ccache, just open - the old one; better check if output handle is compatible with new - (copied) handle - - * test_acquire_cred.c: test gss_add_cred too - -2003-04-03 Love Hörnquist Åstrand - - * Makefile.am: build test_acquire_cred - - * test_acquire_cred.c: simple gss_acquire_cred test - -2003-04-02 Love Hörnquist Åstrand - - * gss_acquire_cred.3: s/gssapi/GSS-API/ - -2003-03-19 Love Hörnquist Åstrand - - * gss_acquire_cred.3: document v1 interface (and that they are - obsolete) - -2003-03-18 Love Hörnquist Åstrand - - * gss_acquire_cred.3: list supported mechanism and nametypes - -2003-03-16 Love Hörnquist Åstrand - - * gss_acquire_cred.3: text about gss_display_name - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2 - (libgssapi_la_SOURCES): add all new functions - - * gssapi.3: now that we have a functions, uncomment the missing - ones - - * gss_acquire_cred.3: now that we have a functions, uncomment the - missing ones - - * process_context_token.c: implement gss_process_context_token - - * inquire_names_for_mech.c: implement gss_inquire_names_for_mech - - * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name - - * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech - - * add_cred.c: implement gss_add_cred - - * acquire_cred.c (gss_acquire_cred): more testing of input - argument, make sure output arguments are ok, since we don't know - the time_rec (for now), set it to time_req - - * export_sec_context.c: send lifetime, also set minor_status - - * get_mic.c: set minor_status - - * import_sec_context.c (gss_import_sec_context): add error - checking, pick up lifetime (if there is no lifetime, use - GSS_C_INDEFINITE) - - * init_sec_context.c: take care to set export value to something - sane before we start so caller will have harmless values in them - if then function fails - - * release_buffer.c (gss_release_buffer): set minor_status - - * wrap.c: make sure minor_status get set - - * 
verify_mic.c (gss_verify_mic_internal): rename verify_mic to - gss_verify_mic_internal and let it take the type as an argument, - (gss_verify_mic): call gss_verify_mic_internal - set minor_status - - * unwrap.c: set minor_status - - * test_oid_set_member.c (gss_test_oid_set_member): use - gss_oid_equal - - * release_oid_set.c (gss_release_oid_set): set minor_status - - * release_name.c (gss_release_name): set minor_status - - * release_cred.c (gss_release_cred): set minor_status - - * add_oid_set_member.c (gss_add_oid_set_member): set minor_status - - * compare_name.c (gss_compare_name): set minor_status - - * compat.c (check_compat): make sure ret have a defined value - - * context_time.c (gss_context_time): set minor_status - - * copy_ccache.c (gss_krb5_copy_ccache): set minor_status - - * create_emtpy_oid_set.c (gss_create_empty_oid_set): set - minor_status - - * delete_sec_context.c (gss_delete_sec_context): set minor_status - - * display_name.c (gss_display_name): set minor_status - - * display_status.c (gss_display_status): use gss_oid_equal, handle - supplementary errors - - * duplicate_name.c (gss_duplicate_name): set minor_status - - * inquire_context.c (gss_inquire_context): set lifetime_rec now - when we know it, set minor_status - - * inquire_cred.c (gss_inquire_cred): take care to set export value - to something sane before we start so caller will have harmless - values in them if the function fails - - * accept_sec_context.c (gss_accept_sec_context): take care to set - export value to something sane before we start so caller will have - harmless values in them if then function fails, set lifetime from - ticket expiration date - - * indicate_mechs.c (gss_indicate_mechs): use - gss_create_empty_oid_set and gss_add_oid_set_member - - * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred, - since there is no ticket transfered in the exported context - - * export_name.c (gss_export_name): export name with - GSS_C_NT_EXPORT_NAME wrapping, not just 
the principal - - * import_name.c (import_export_name): new function, parses a - GSS_C_NT_EXPORT_NAME - (import_krb5_name): factor out common code of parsing krb5 name - (gss_oid_equal): rename from oid_equal - - * gssapi_locl.h: add prototypes for gss_oid_equal and - gss_verify_mic_internal - - * gssapi.h: comment out the argument names - -2003-03-15 Love Hörnquist Åstrand - - * gssapi.3: add LIST OF FUNCTIONS and copyright/license - - * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/ - - * Makefile.am: man_MANS += gss_aquire_cred.3 - -2003-03-14 Love Hörnquist Åstrand - - * gss_aquire_cred.3: the gssapi api manpage - -2003-03-03 Love Hörnquist Åstrand - - * inquire_context.c: (gss_inquire_context): rename argument open - to open_context - - * gssapi.h (gss_inquire_context): rename argument open to open_context - -2003-02-27 Love Hörnquist Åstrand - - * init_sec_context.c (do_delegation): remove unused variable - subkey - - * gssapi.3: all 0.5.x version had broken token delegation - -2003-02-21 Love Hörnquist Åstrand - - * (init_auth): only generate one subkey - -2003-01-27 Love Hörnquist Åstrand - - * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform - to rfc (and mit kerberos), provide backward compat hook - - * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and - mit kerberos), provide backward compat hook - - * init_sec_context.c (init_auth): check if we need compat for - older get_mic/verify_mic - - * gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat - - * gssapi.h (more_flags): add COMPAT_OLD_DES3 - - * Makefile.am: add gssapi.3 and compat.c - - * gssapi.3: add gssapi COMPATIBILITY documentation - - * accept_sec_context.c (gss_accept_sec_context): check if we need - compat for older get_mic/verify_mic - - * compat.c: check for compatiblity with other heimdal's 3des - get_mic/verify_mic - -2002-10-31 Johan Danielsson - - * check return value from gssapi_krb5_init - - * 8003.c (gssapi_krb5_verify_8003_checksum): check size 
of input - -2002-09-03 Johan Danielsson - - * wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE - - * unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE - -2002-09-02 Johan Danielsson - - * init_sec_context.c: we need to generate a local subkey here - -2002-08-20 Jacques Vidrine - - * acquire_cred.c, inquire_cred.c, release_cred.c: Use default - credential resolution if gss_acquire_cred is called with - GSS_C_NO_NAME. - -2002-06-20 Jacques Vidrine - - * import_name.c: Compare name types by value if pointers do - not match. Reported by: "Douglas E. Engert" - -2002-05-20 Jacques Vidrine - - * verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize - the qop_state parameter. from Doug Rabson - -2002-05-09 Jacques Vidrine - - * acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH - -2002-05-08 Jacques Vidrine - - * acquire_cred.c: initialize gssapi; handle null desired_name - -2002-03-22 Johan Danielsson - - * Makefile.am: remove non-functional stuff accidentally committed - -2002-03-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2 - * 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel - bindings - -2001-10-31 Jacques Vidrine - - * get_mic.c (mic_des3): MIC computation using DES3/SHA1 - was bogusly appending the message buffer to the result, - overwriting a heap buffer in the process. - -2001-08-29 Assar Westerlund - - * 8003.c (gssapi_krb5_verify_8003_checksum, - gssapi_krb5_create_8003_checksum): make more consistent by always - returning an gssapi error and setting minor status. update - callers - -2001-08-28 Jacques Vidrine - - * accept_sec_context.c: Create a cache for delegated credentials - when needed. 
- -2001-08-28 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2 - -2001-08-23 Assar Westerlund - - * *.c: handle minor_status more consistently - - * display_status.c (gss_display_status): handle krb5_get_err_text - failing - -2001-08-15 Johan Danielsson - - * gssapi_locl.h: fix prototype for gssapi_krb5_init - -2001-08-13 Johan Danielsson - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): init - context and check return value from kt_resolve - - * init.c: return error code - -2001-07-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2 - -2001-07-12 Assar Westerlund - - * Makefile.am (libgssapi_la_LIBADD): add required library - dependencies - -2001-07-06 Assar Westerlund - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): set - the keytab to be used for gss_acquire_cred too' - -2001-07-03 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2 - -2001-06-18 Assar Westerlund - - * wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * verify_mic.c: update krb5_auth_con function names use - gss_krb5_get_remotekey - * unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey): - add prototypes - * get_mic.c: update krb5_auth_con function names. use - gss_krb5_get_localkey - * accept_sec_context.c: update krb5_auth_con function names - -2001-05-17 Assar Westerlund - - * Makefile.am: bump version to 3:1:2 - -2001-05-14 Assar Westerlund - - * address_to_krb5addr.c: adapt to new address functions - -2001-05-11 Assar Westerlund - - * try to return the error string from libkrb5 where applicable - -2001-05-08 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): remember to free - the memory used by the ticket itself. 
from - -2001-05-04 Assar Westerlund - - * gssapi_locl.h: add config.h for completeness - * gssapi.h: remove config.h, this is an installed header file - sys/types.h is not needed either - -2001-03-12 Assar Westerlund - - * acquire_cred.c (gss_acquire_cred): remove memory leaks. from - Jason R Thorpe - -2001-02-18 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): either return - gss_name NULL-ed or set - - * import_name.c: set minor_status in some cases where it was not - done - -2001-02-15 Assar Westerlund - - * wrap.c: use krb5_generate_random_block for the confounders - -2001-01-30 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2 - * acquire_cred.c, init_sec_context.c, release_cred.c: add support - for getting creds from a keytab, from fvdl@netbsd.org - - * copy_ccache.c: add gss_krb5_copy_ccache - -2001-01-27 Assar Westerlund - - * get_mic.c: cast parameters to des function to non-const pointers - to handle the case where these functions actually take non-const - des_cblock * - -2001-01-09 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2 - instead of krb5_rd_cred - -2000-12-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1 - -2000-12-08 Assar Westerlund - - * wrap.c (wrap_des3): use the checksum as ivec when encrypting the - sequence number - * unwrap.c (unwrap_des3): use the checksum as ivec when encrypting - the sequence number - * init_sec_context.c (init_auth): always zero fwd_data - -2000-12-06 Johan Danielsson - - * accept_sec_context.c: de-pointerise auth_context parameter to - krb5_mk_rep - -2000-11-15 Assar Westerlund - - * init_sec_context.c (init_auth): update to new - krb5_build_authenticator - -2000-09-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1 - -2000-08-27 Assar Westerlund - - * init_sec_context.c: actually pay attention to `time_req' - * init_sec_context.c: re-organize. leak less memory. 
- * gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey): - update prototypes add assert.h - * gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD): - add - * verify_mic.c: re-organize and add 3DES code - * wrap.c: re-organize and add 3DES code - * unwrap.c: re-organize and add 3DES code - * get_mic.c: re-organize and add 3DES code - * encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data', - let the caller do that. fix the callers. - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 2:1:1 - -2000-07-29 Assar Westerlund - - * decapsulate.c (gssapi_krb5_verify_header): sanity-check length - -2000-07-25 Johan Danielsson - - * Makefile.am: bump version to 2:0:1 - -2000-07-22 Assar Westerlund - - * gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other - details from rfc2744 - -2000-06-29 Assar Westerlund - - * address_to_krb5addr.c (gss_address_to_krb5addr): actually use - `int' instead of `sa_family_t' for the address family. - -2000-06-21 Assar Westerlund - - * add support for token delegation. From Daniel Kouril - and Miroslav Ruda - -2000-05-15 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1 - -2000-04-12 Assar Westerlund - - * release_oid_set.c (gss_release_oid_set): clear set for - robustness. From GOMBAS Gabor - * release_name.c (gss_release_name): reset input_name for - robustness. From GOMBAS Gabor - * release_buffer.c (gss_release_buffer): set value to NULL to be - more robust. From GOMBAS Gabor - * add_oid_set_member.c (gss_add_oid_set_member): actually check if - the oid is a member first. leave the oid_set unchanged if realloc - fails. - -2000-02-13 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -2000-02-12 Assar Westerlund - - * gssapi_locl.h: add flags for import/export - * import_sec_context.c (import_sec_context: add flags for what - fields are included. do not include the authenticator for now. 
- * export_sec_context.c (export_sec_context: add flags for what - fields are included. do not include the authenticator for now. - * accept_sec_context.c (gss_accept_sec_context): set target in - context_handle - -2000-02-11 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): set context to - GSS_C_NO_CONTEXT - - * Makefile.am: add {export,import}_sec_context.c - * export_sec_context.c: new file - * import_sec_context.c: new file - * accept_sec_context.c (gss_accept_sec_context): set trans flag - -2000-02-07 Assar Westerlund - - * Makefile.am: set version to 0:5:0 - -2000-01-26 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): handle a NULL - output_token - - * wrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * verify_mic.c: update to pseudo-standard APIs for md4,md5,sha. - some changes to libdes calls to make them more portable. - * unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * 8003.c: update to pseudo-standard APIs for md4,md5,sha. - -2000-01-06 Assar Westerlund - - * Makefile.am: set version to 0:4:0 - -1999-12-26 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): always set - `output_token' - * init_sec_context.c (init_auth): always initialize `output_token' - * delete_sec_context.c (gss_delete_sec_context): always set - `output_token' - -1999-12-06 Assar Westerlund - - * Makefile.am: bump version to 0:3:0 - -1999-10-20 Assar Westerlund - - * Makefile.am: set version to 0:2:0 - -1999-09-21 Assar Westerlund - - * init_sec_context.c (gss_init_sec_context): initialize `ticket' - - * gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick. 
- - * delete_sec_context.c (gss_delete_sec_context): free ticket - - * accept_sec_context.c (gss_accept_sec_context): stove away - `krb5_ticket' in context so that ugly programs such as - gss_nt_server can get at it. uck. - -1999-09-20 Johan Danielsson - - * accept_sec_context.c: set minor_status - -1999-08-04 Assar Westerlund - - * display_status.c (calling_error, routine_error): right shift the - code to make it possible to index into the arrays - -1999-07-28 Assar Westerlund - - * gssapi.h (GSS_C_AF_INET6): add - - * import_name.c (import_hostbased_name): set minor_status - -1999-07-26 Assar Westerlund - - * Makefile.am: set version to 0:1:0 - -Wed Apr 7 14:05:15 1999 Johan Danielsson - - * display_status.c: set minor_status - - * init_sec_context.c: set minor_status - - * lib/gssapi/init.c: remove donep (check gssapi_krb5_context - directly) - diff --git a/lib/gssapi/krb5/Makefile.am b/lib/gssapi/krb5/Makefile.am deleted file mode 100644 index b376924b4..000000000 --- a/lib/gssapi/krb5/Makefile.am +++ /dev/null 
@@ -1,99 +0,0 @@ -# $Id$ - -include $(top_srcdir)/Makefile.am.common - -AM_CPPFLAGS += -I$(srcdir)/../krb5 \ - -I${srcdir}/../asn1/include \ - $(INCLUDE_des) \ - $(INCLUDE_krb4) - -spnego_files = \ - asn1_ContextFlags.x \ - asn1_MechType.x \ - asn1_MechTypeList.x \ - asn1_NegotiationToken.x \ - asn1_NegTokenInit.x \ - asn1_NegTokenTarg.x - -BUILT_SOURCES = $(spnego_files:.x=.c) - -lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 4:0:0 -libgssapi_la_LIBADD = \ - ../krb5/libkrb5.la \ - $(LIB_des) \ - ../asn1/libasn1.la \ - $(LIB_roken) - -man_MANS = gssapi.3 gss_acquire_cred.3 - -include_HEADERS = gssapi.h - -libgssapi_la_SOURCES = \ - $(BUILT_SOURCES) \ - 8003.c \ - accept_sec_context.c \ - acquire_cred.c \ - add_cred.c \ - add_oid_set_member.c \ - arcfour.c \ - canonicalize_name.c \ - ccache_name.c \ - cfx.c \ - compare_name.c \ - compat.c \ - context_time.c \ - copy_ccache.c \ - create_emtpy_oid_set.c \ - decapsulate.c \ - delete_sec_context.c \ - display_name.c \ - display_status.c \ - duplicate_name.c \ - encapsulate.c \ - export_sec_context.c \ - export_name.c \ - external.c \ - get_mic.c \ - gssapi.h \ - gssapi_locl.h \ - import_name.c \ - import_sec_context.c \ - indicate_mechs.c \ - init.c \ - init_sec_context.c \ - inquire_context.c \ - inquire_cred.c \ - inquire_cred_by_mech.c \ - inquire_mechs_for_name.c \ - inquire_names_for_mech.c \ - oid_to_str.c \ - process_context_token.c \ - release_buffer.c \ - release_cred.c \ - release_name.c \ - release_oid_set.c \ - sequence.c \ - test_oid_set_member.c \ - ticket_flags.c \ - unwrap.c \ - v1.c \ - verify_mic.c \ - wrap.c \ - address_to_krb5addr.c - -CLEANFILES = $(BUILT_SOURCES) $(spnego_files) spnego_asn1.h spnego_asn1_files - -$(spnego_files) spnego_asn1.h: spnego_asn1_files - -spnego_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1 - ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1 spnego_asn1 - -$(libgssapi_la_OBJECTS): spnego_asn1.h - -TESTS = test_sequence test_oid - 
-check_PROGRAMS = test_acquire_cred $(TESTS) - -noinst_PROGRAMS = test_cred test_kcred -LDADD = libgssapi.la $(LIB_roken) diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c index b4d572676..b74617dab 100644 --- a/lib/gssapi/krb5/accept_sec_context.c +++ b/lib/gssapi/krb5/accept_sec_context.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,30 +31,31 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; -krb5_keytab gssapi_krb5_keytab; +krb5_keytab _gsskrb5_keytab; +#if 0 OM_uint32 gsskrb5_register_acceptor_identity (const char *identity) { krb5_error_code ret; - ret = gssapi_krb5_init(); + ret = _gsskrb5_init(); if(ret) return GSS_S_FAILURE; HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - if(gssapi_krb5_keytab != NULL) { - krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); - gssapi_krb5_keytab = NULL; + if(_gsskrb5_keytab != NULL) { + krb5_kt_close(_gsskrb5_context, gssapi_krb5_keytab); + _gsskrb5_keytab = NULL; } if (identity == NULL) { - ret = krb5_kt_default(gssapi_krb5_context, &gssapi_krb5_keytab); + ret = krb5_kt_default(_gsskrb5_context, &gssapi_krb5_keytab); } else { char *p; @@ -63,7 +64,7 @@ gsskrb5_register_acceptor_identity (const char *identity) HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); return GSS_S_FAILURE; } - ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); + ret = krb5_kt_resolve(_gsskrb5_context, p, &gssapi_krb5_keytab); free(p); } HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); 
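Review bot: The `#if 0` block still names the old global in `krb5_kt_close(_gsskrb5_context, gssapi_krb5_keytab);` and `krb5_kt_default(_gsskrb5_context, &gssapi_krb5_keytab);`, and the following `@@ -63,7 +64,7 @@` hunk has the same stale reference in `krb5_kt_resolve(_gsskrb5_context, p, &gssapi_krb5_keytab);`, while the definition a few lines up was renamed to `_gsskrb5_keytab`. Because the code is preprocessed away the compiler will not report it, so renaming the three uses to `_gsskrb5_keytab` now keeps the disabled block consistent with the rename. Disabling `gsskrb5_register_acceptor_identity` also leaves `_gsskrb5_keytab` with no visible writer in this file, so acceptors that previously registered a keytab presumably fall through to the default keytab lookup in the later `krb5_rd_req` call; a comment next to the `#if 0` saying whether that entry point moved elsewhere or is intentionally dropped would save the next reader the search.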
@@ -71,28 +72,29 @@ gsskrb5_register_acceptor_identity (const char *identity) return GSS_S_FAILURE; return GSS_S_COMPLETE; } +#endif void -gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx) +_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) { krb5_keyblock *key; - int acceptor = (context_handle->more_flags & LOCAL) == 0; + int acceptor = (ctx->more_flags & LOCAL) == 0; *is_cfx = 0; if (acceptor) { - if (context_handle->auth_context->local_subkey) - key = context_handle->auth_context->local_subkey; + if (ctx->auth_context->local_subkey) + key = ctx->auth_context->local_subkey; else - key = context_handle->auth_context->remote_subkey; + key = ctx->auth_context->remote_subkey; } else { - if (context_handle->auth_context->remote_subkey) - key = context_handle->auth_context->remote_subkey; + if (ctx->auth_context->remote_subkey) + key = ctx->auth_context->remote_subkey; else - key = context_handle->auth_context->local_subkey; + key = ctx->auth_context->local_subkey; } if (key == NULL) - key = context_handle->auth_context->keyblock; + key = ctx->auth_context->keyblock; if (key == NULL) return; @@ -108,9 +110,9 @@ gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx) break; default : *is_cfx = 1; - if ((acceptor && context_handle->auth_context->local_subkey) || - (!acceptor && context_handle->auth_context->remote_subkey)) - context_handle->more_flags |= ACCEPTOR_SUBKEY; + if ((acceptor && ctx->auth_context->local_subkey) || + (!acceptor && ctx->auth_context->remote_subkey)) + ctx->more_flags |= ACCEPTOR_SUBKEY; break; } } @@ -119,7 +121,7 @@ gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx) static OM_uint32 gsskrb5_accept_delegated_token (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, + gsskrb5_ctx ctx, krb5_data *fwd_data, OM_uint32 *flags, krb5_principal principal, 
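Review bot: `_gsskrb5i_is_cfx` gets a new name and parameter type but still no header comment, and its contract is wider than the name suggests: besides writing `*is_cfx`, the `default:` arm in the following `@@ -108,9 +110,9 @@` hunk sets `ACCEPTOR_SUBKEY` in `ctx->more_flags` as a side effect. A comment above the definition along the lines of `/* Set *is_cfx from the key selected for this side of the context; as a side effect mark ACCEPTOR_SUBKEY in ctx->more_flags when a subkey is in use. */` would make that visible to callers. The comment should also say that when no key is found the function returns early with `*is_cfx` left at 0, since callers such as the one in the later `@@ -425,45 +438,45 @@` hunk branch on that value.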
@@ -132,34 +134,36 @@ gsskrb5_accept_delegated_token *minor_status = 0; + *delegated_cred_handle = NULL; + /* XXX Create a new delegated_cred_handle? */ if (delegated_cred_handle == NULL) - kret = krb5_cc_default (gssapi_krb5_context, &ccache); + kret = krb5_cc_default (_gsskrb5_context, &ccache); else - kret = krb5_cc_gen_new (gssapi_krb5_context, &krb5_mcc_ops, &ccache); + kret = krb5_cc_gen_new (_gsskrb5_context, &krb5_mcc_ops, &ccache); if (kret) { *flags &= ~GSS_C_DELEG_FLAG; goto out; } - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, principal); + kret = krb5_cc_initialize(_gsskrb5_context, ccache, principal); if (kret) { *flags &= ~GSS_C_DELEG_FLAG; goto out; } - krb5_auth_con_removeflags(gssapi_krb5_context, - (*context_handle)->auth_context, + krb5_auth_con_removeflags(_gsskrb5_context, + ctx->auth_context, KRB5_AUTH_CONTEXT_DO_TIME, &ac_flags); - kret = krb5_rd_cred2(gssapi_krb5_context, - (*context_handle)->auth_context, + kret = krb5_rd_cred2(_gsskrb5_context, + ctx->auth_context, ccache, fwd_data); if (kret) - gssapi_krb5_set_error_string(); - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, + _gsskrb5_set_error_string(); + krb5_auth_con_setflags(_gsskrb5_context, + ctx->auth_context, ac_flags); if (kret) { *flags &= ~GSS_C_DELEG_FLAG; @@ -169,7 +173,9 @@ gsskrb5_accept_delegated_token } if (delegated_cred_handle) { - ret = gss_krb5_import_cred(minor_status, + gsskrb5_cred handle; + + ret = _gsskrb5_import_cred(minor_status, ccache, NULL, NULL, 
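Review bot: The added `*delegated_cred_handle = NULL;` dereferences the pointer one line before `if (delegated_cred_handle == NULL)` tests it, so a caller that passes no delegated credential handle (a case this function explicitly supports by storing the credentials in the default ccache) now crashes whenever the initiator delegates. Guard the reset: `if (delegated_cred_handle) *delegated_cred_handle = NULL;`. The new `/* XXX Create a new delegated_cred_handle? */` comment does not tell a reader what the alternative is or why it was left open; either resolve it or state the trade-off in the comment. The enclosing function starts before this hunk.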
@@ -177,35 +183,37 @@ gsskrb5_accept_delegated_token if (ret != GSS_S_COMPLETE) goto out; - (*delegated_cred_handle)->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; + handle = (gsskrb5_cred) *delegated_cred_handle; + + handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; ccache = NULL; } out: if (ccache) { if (delegated_cred_handle == NULL) - krb5_cc_close(gssapi_krb5_context, ccache); + krb5_cc_close(_gsskrb5_context, ccache); else - krb5_cc_destroy(gssapi_krb5_context, ccache); + krb5_cc_destroy(_gsskrb5_context, ccache); } return ret; } -static OM_uint32 -gsskrb5_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) +OM_uint32 +_gsskrb5_accept_sec_context +(OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle + ) { krb5_error_code kret; OM_uint32 ret = GSS_S_COMPLETE; 
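Review bot: `_gsskrb5_accept_sec_context` becomes an externally visible entry point here but has no comment documenting its contract, and the signature layout (opening parenthesis alone at column 0) matches neither `gsskrb5_accept_delegated_token` above nor the other definitions in this file. A comment above the definition stating that `output_token`, `*minor_status` and `*src_name` are reset before any failure return, that a non-empty `*context_handle` is rejected (as the following `@@ -217,48 +225,54 @@` hunk does), and that `delegated_cred_handle` may be NULL would capture the behaviour a mech-glue caller needs. The cast `handle = (gsskrb5_cred) *delegated_cred_handle;` relies on `_gsskrb5_import_cred` having stored the handle on GSS_S_COMPLETE; that assumption is worth one line in the same comment.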
@@ -217,48 +225,54 @@ gsskrb5_accept_sec_context krb5_data fwd_data; OM_uint32 minor; int is_cfx = 0; + gsskrb5_ctx ctx = NULL; + gsskrb5_cred cred = (gsskrb5_cred)acceptor_cred_handle; GSSAPI_KRB5_INIT(); krb5_data_zero (&fwd_data); output_token->length = 0; output_token->value = NULL; + *minor_status = 0; if (src_name != NULL) *src_name = NULL; if (mech_type) *mech_type = GSS_KRB5_MECHANISM; - if (*context_handle == GSS_C_NO_CONTEXT) { - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == GSS_C_NO_CONTEXT) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } + if (*context_handle != GSS_C_NO_CONTEXT) { + *minor_status = 0; + return GSS_S_BAD_MECH; } - HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - (*context_handle)->order = NULL; + ctx = malloc(sizeof(*ctx)); + if (ctx == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); + HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); + ctx->auth_context = NULL; + ctx->source = NULL; + ctx->target = NULL; + ctx->flags = 0; + ctx->more_flags = 0; + ctx->ticket = NULL; + ctx->lifetime = GSS_C_INDEFINITE; + ctx->order = NULL; + + kret = krb5_auth_con_init (_gsskrb5_context, + &ctx->auth_context); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); goto failure; } if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS && input_chan_bindings->application_data.length == - 2 * sizeof((*context_handle)->auth_context->local_port) + 2 * sizeof(ctx->auth_context->local_port) ) { /* Port numbers are expected to be in application_data.value, 
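Review bot: The new early return `if (*context_handle != GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_BAD_MECH; }` repeats the `*minor_status = 0;` set three lines earlier, and GSS_S_BAD_MECH is an unusual status for "a context was already supplied"; if the intent is that this mechanism never takes a second accept round, a one-line comment such as `/* single round trip: a non-empty context handle is a caller error */` would explain both the check and the chosen status. Since `ctx` is now a local from `malloc` rather than being stored into `*context_handle` at once, none of the visible hunks hand it back to the caller; presumably that happens after the last hunk, and every `goto failure` path must then free `ctx` and its `auth_context` itself, which the `failure:` label outside this hunk should be checked for. The enclosing function continues past this hunk.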
@@ -269,43 +283,43 @@ gsskrb5_accept_sec_context memset(&initiator_addr, 0, sizeof(initiator_addr)); memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - (*context_handle)->auth_context->remote_port = + ctx->auth_context->remote_port = *(int16_t *) input_chan_bindings->application_data.value; - (*context_handle)->auth_context->local_port = + ctx->auth_context->local_port = *((int16_t *) input_chan_bindings->application_data.value + 1); - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - (*context_handle)->auth_context->local_port, - &acceptor_addr); + kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, + &input_chan_bindings->acceptor_address, + ctx->auth_context->local_port, + &acceptor_addr); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; *minor_status = kret; goto failure; } - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - (*context_handle)->auth_context->remote_port, - &initiator_addr); + kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->initiator_addrtype, + &input_chan_bindings->initiator_address, + ctx->auth_context->remote_port, + &initiator_addr); if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - gssapi_krb5_set_error_string (); + krb5_free_address (_gsskrb5_context, &acceptor_addr); + _gsskrb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; *minor_status = kret; goto failure; } - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - (*context_handle)->auth_context, + kret = krb5_auth_con_setaddrs(_gsskrb5_context, + ctx->auth_context, &acceptor_addr, /* local address */ &initiator_addr); /* remote address */ - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); + krb5_free_address (_gsskrb5_context, &initiator_addr); + krb5_free_address 
(_gsskrb5_context, &acceptor_addr); #if 0 free(input_chan_bindings->application_data.value); @@ -314,19 +328,19 @@ gsskrb5_accept_sec_context #endif if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; *minor_status = kret; goto failure; } } - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, + krb5_auth_con_addflags(_gsskrb5_context, + ctx->auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE, NULL); - ret = gssapi_krb5_decapsulate (minor_status, + ret = _gsskrb5_decapsulate (minor_status, input_token_buffer, &indata, "\x01\x00", @@ -336,19 +350,18 @@ gsskrb5_accept_sec_context HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; + if (cred == NULL) { + if (_gsskrb5_keytab != NULL) { + keytab = _gsskrb5_keytab; } - } else if (acceptor_cred_handle->keytab != NULL) { - keytab = acceptor_cred_handle->keytab; + } else if (cred->keytab != NULL) { + keytab = cred->keytab; } - kret = krb5_rd_req (gssapi_krb5_context, - &(*context_handle)->auth_context, + kret = krb5_rd_req (_gsskrb5_context, + &ctx->auth_context, &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL - : acceptor_cred_handle->principal, + (cred == NULL) ? NULL : cred->principal, keytab, &ap_options, &ticket); 
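Review bot: `ctx->auth_context->remote_port = *(int16_t *) input_chan_bindings->application_data.value;` and the `local_port` line below it read the caller-supplied `application_data.value` through an `int16_t *` cast, which assumes the buffer is suitably aligned for a 16-bit load. Copying the two values with `memcpy` into `int16_t` locals before assigning them would remove that assumption without changing the result. This is pre-existing code that the rename only touched, so it can be a follow-up; the enclosing function continues outside the hunk.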
@@ -358,42 +371,42 @@ gsskrb5_accept_sec_context if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); goto failure; } - kret = krb5_copy_principal (gssapi_krb5_context, + kret = krb5_copy_principal (_gsskrb5_context, ticket->client, - &(*context_handle)->source); + &ctx->source); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); goto failure; } - kret = krb5_copy_principal (gssapi_krb5_context, + kret = krb5_copy_principal (_gsskrb5_context, ticket->server, - &(*context_handle)->target); + &ctx->target); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); goto failure; } - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); + ret = _gss_DES3_get_mic_compat(minor_status, ctx); if (ret) goto failure; if (src_name != NULL) { - kret = krb5_copy_principal (gssapi_krb5_context, + kret = krb5_copy_principal (_gsskrb5_context, ticket->client, src_name); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); goto failure; } } 
@@ -401,22 +414,22 @@ gsskrb5_accept_sec_context { krb5_authenticator authenticator; - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, - (*context_handle)->auth_context, + kret = krb5_auth_con_getauthenticator(_gsskrb5_context, + ctx->auth_context, &authenticator); if(kret) { ret = GSS_S_FAILURE; *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); goto failure; } - ret = gssapi_krb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &flags, - &fwd_data); - krb5_free_authenticator(gssapi_krb5_context, &authenticator); + ret = _gsskrb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, + &flags, + &fwd_data); + krb5_free_authenticator(_gsskrb5_context, &authenticator); if (ret) goto failure; } 
@@ -425,45 +438,45 @@ gsskrb5_accept_sec_context
  if (ret_flags)
  *ret_flags = flags;
 
- (*context_handle)->lifetime = ticket->ticket.endtime;
- (*context_handle)->flags = flags;
- (*context_handle)->more_flags |= OPEN;
+ ctx->lifetime = ticket->ticket.endtime;
+ ctx->flags = flags;
+ ctx->more_flags |= OPEN;
 
  if (mech_type)
  *mech_type = GSS_KRB5_MECHANISM;
 
  if (time_rec) {
- ret = gssapi_lifetime_left(minor_status,
- (*context_handle)->lifetime,
+ ret = _gsskrb5_lifetime_left(minor_status,
+ ctx->lifetime,
  time_rec);
  if (ret)
  goto failure;
  }
 
- gsskrb5_is_cfx(*context_handle, &is_cfx);
+ _gsskrb5i_is_cfx(ctx, &is_cfx);
 
  if(flags & GSS_C_MUTUAL_FLAG) {
  krb5_data outbuf;
 
  if (is_cfx != 0 || (ap_options & AP_OPTS_USE_SUBKEY)) {
- kret = krb5_auth_con_addflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
+ kret = krb5_auth_con_addflags(_gsskrb5_context,
+ ctx->auth_context,
  KRB5_AUTH_CONTEXT_USE_SUBKEY,
  NULL);
- (*context_handle)->more_flags |= ACCEPTOR_SUBKEY;
+ ctx->more_flags |= ACCEPTOR_SUBKEY;
  }
 
- kret = krb5_mk_rep (gssapi_krb5_context,
- (*context_handle)->auth_context,
+ kret = krb5_mk_rep (_gsskrb5_context,
+ ctx->auth_context,
  &outbuf);
  if (kret) {
  ret = GSS_S_FAILURE;
  *minor_status = kret;
- gssapi_krb5_set_error_string ();
+ _gsskrb5_set_error_string ();
  goto failure;
  }
 
- ret = gssapi_krb5_encapsulate (minor_status,
+ ret = _gsskrb5_encapsulate (minor_status,
  &outbuf,
  output_token,
  (u_char *)"\x02\x00",
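Review bot: The result of krb5_auth_con_addflags() is stored in kret but never examined before `ctx->more_flags |= ACCEPTOR_SUBKEY;` is set, so a failed request to use a subkey still marks the context as using one and the stale kret is later overwritten by krb5_mk_rep(). Every other krb5 call in this hunk is followed by the failure idiom, so the same four-line check should follow this one. The enclosing function continues outside the hunk on both sides.
```c
	    kret = krb5_auth_con_addflags(_gsskrb5_context,
					  ctx->auth_context,
					  KRB5_AUTH_CONTEXT_USE_SUBKEY,
					  NULL);
	    if (kret) {
		ret = GSS_S_FAILURE;
		*minor_status = kret;
		_gsskrb5_set_error_string ();
		goto failure;
	    }
	    ctx->more_flags |= ACCEPTOR_SUBKEY;
	/* … unchanged: krb5_mk_rep and _gsskrb5_encapsulate … */
```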
@@ -473,24 +486,24 @@ gsskrb5_accept_sec_context
  goto failure;
  }
 
- (*context_handle)->ticket = ticket;
+ ctx->ticket = ticket;
 
  {
  int32_t seq_number;
 
- krb5_auth_getremoteseqnumber (gssapi_krb5_context,
- (*context_handle)->auth_context,
+ krb5_auth_getremoteseqnumber (_gsskrb5_context,
+ ctx->auth_context,
  &seq_number);
  ret = _gssapi_msg_order_create(minor_status,
- &(*context_handle)->order,
+ &ctx->order,
  _gssapi_msg_order_f(flags),
  seq_number, 0, is_cfx);
  if (ret)
  goto failure;
 
  if ((flags & GSS_C_MUTUAL_FLAG) == 0 && _gssapi_msg_order_f(flags)) {
- krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
- (*context_handle)->auth_context,
+ krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
+ ctx->auth_context,
  seq_number);
  }
  }
@@ -499,7 +512,7 @@ gsskrb5_accept_sec_context
 
  if (flags & GSS_C_DELEG_FLAG) {
  ret = gsskrb5_accept_delegated_token(minor_status,
- context_handle,
+ ctx,
  &fwd_data,
  &flags,
  ticket->client,
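Review bot: krb5_auth_getremoteseqnumber() is called for its side effect only and its return value is discarded, so if it fails the uninitialised `seq_number` is handed to _gssapi_msg_order_create() and, in the non-mutual case, installed as the local sequence number; the same applies to the unchecked krb5_auth_con_setlocalseqnumber() a few lines below. The failure idiom used throughout this function fits here unchanged. In the second hunk, gsskrb5_accept_delegated_token() now receives `ctx` where it used to receive `context_handle`; I am assuming its prototype was changed in the same commit, as the callee is outside this view. The enclosing function continues outside both hunks.
```c
	kret = krb5_auth_getremoteseqnumber (_gsskrb5_context,
					     ctx->auth_context,
					     &seq_number);
	if (kret) {
	    ret = GSS_S_FAILURE;
	    *minor_status = kret;
	    _gsskrb5_set_error_string ();
	    goto failure;
	}
	/* … unchanged: _gssapi_msg_order_create and setlocalseqnumber … */
```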
@@ -511,424 +524,32 @@ gsskrb5_accept_sec_context krb5_data_zero(&fwd_data); } + *context_handle = (gss_ctx_id_t)ctx; + *minor_status = 0; return GSS_S_COMPLETE; - failure: +failure: if (fwd_data.length > 0) free(fwd_data.data); if (ticket != NULL) - krb5_free_ticket (gssapi_krb5_context, ticket); - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - free (*context_handle); + krb5_free_ticket (_gsskrb5_context, ticket); + krb5_auth_con_free (_gsskrb5_context, + ctx->auth_context); + if(ctx->source) + krb5_free_principal (_gsskrb5_context, + ctx->source); + if(ctx->target) + krb5_free_principal (_gsskrb5_context, + ctx->target); + if(ctx->order) + _gssapi_msg_order_destroy(&ctx->order); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + free(ctx); if (src_name != NULL) { - gss_release_name (&minor, src_name); + _gsskrb5_release_name (&minor, src_name); *src_name = NULL; } *context_handle = GSS_C_NO_CONTEXT; return ret; } - -static OM_uint32 -code_NegTokenArg(OM_uint32 *minor_status, - const NegTokenTarg *targ, - krb5_data *data, - u_char **ret_buf) -{ - OM_uint32 ret; - u_char *buf; - size_t buf_size, buf_len; - - buf_size = 1024; - buf = malloc(buf_size); - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - do { - ret = encode_NegTokenTarg(buf + buf_size - 1, - buf_size, - targ, &buf_len); - if (ret == 0) { - size_t tmp; - - ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, - buf_size - buf_len, - buf_len, - ASN1_C_CONTEXT, - CONS, - 1, - &tmp); - if (ret == 0) - buf_len += tmp; - } - if (ret) { - if (ret == ASN1_OVERFLOW) { - u_char *tmp; - - buf_size *= 
2; - tmp = realloc (buf, buf_size); - if (tmp == NULL) { - *minor_status = ENOMEM; - free(buf); - return GSS_S_FAILURE; - } - buf = tmp; - } else { - *minor_status = ret; - free(buf); - return GSS_S_FAILURE; - } - } - } while (ret == ASN1_OVERFLOW); - - data->data = buf + buf_size - buf_len; - data->length = buf_len; - *ret_buf = buf; - return GSS_S_COMPLETE; -} - -static OM_uint32 -send_reject (OM_uint32 *minor_status, - gss_buffer_t output_token) -{ - NegTokenTarg targ; - krb5_data data; - u_char *buf; - OM_uint32 ret; - - ALLOC(targ.negResult, 1); - if (targ.negResult == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *(targ.negResult) = reject; - targ.supportedMech = NULL; - targ.responseToken = NULL; - targ.mechListMIC = NULL; - - ret = code_NegTokenArg (minor_status, &targ, &data, &buf); - free_NegTokenTarg(&targ); - if (ret) - return ret; - -#if 0 - ret = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); -#else - output_token->value = malloc(data.length); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - ret = GSS_S_FAILURE; - } else { - output_token->length = data.length; - memcpy(output_token->value, data.data, output_token->length); - } -#endif - free(buf); - if (ret) - return ret; - return GSS_S_BAD_MECH; -} - -static OM_uint32 -send_accept (OM_uint32 *minor_status, - OM_uint32 major_status, - gss_buffer_t output_token, - gss_buffer_t mech_token, - gss_ctx_id_t context_handle, - const MechTypeList *mechtypelist) -{ - NegTokenTarg targ; - krb5_data data; - u_char *buf; - OM_uint32 ret; - gss_buffer_desc mech_buf, mech_mic_buf; - krb5_boolean require_mic; - - memset(&targ, 0, sizeof(targ)); - ALLOC(targ.negResult, 1); - if (targ.negResult == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *(targ.negResult) = accept_completed; - - ALLOC(targ.supportedMech, 1); - if (targ.supportedMech == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - 
- ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - targ.supportedMech, - NULL); - if (ret) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - if (mech_token != NULL && mech_token->length != 0) { - ALLOC(targ.responseToken, 1); - if (targ.responseToken == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - targ.responseToken->length = mech_token->length; - targ.responseToken->data = mech_token->value; - mech_token->length = 0; - mech_token->value = NULL; - } else { - targ.responseToken = NULL; - } - - ret = _gss_spnego_require_mechlist_mic(minor_status, context_handle, - &require_mic); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - if (major_status == GSS_S_COMPLETE && require_mic) { - size_t buf_len; - - ALLOC(targ.mechListMIC, 1); - if (targ.mechListMIC == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, - mechtypelist, &buf_len, ret); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - if (mech_buf.length != buf_len) - abort(); - - ret = gss_get_mic(minor_status, context_handle, 0, &mech_buf, - &mech_mic_buf); - free (mech_buf.value); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - targ.mechListMIC->length = mech_mic_buf.length; - targ.mechListMIC->data = mech_mic_buf.value; - } else - targ.mechListMIC = NULL; - - ret = code_NegTokenArg (minor_status, &targ, &data, &buf); - free_NegTokenTarg(&targ); - if (ret) - return ret; - -#if 0 - ret = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); -#else - output_token->value = malloc(data.length); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - ret = GSS_S_FAILURE; - } else { - output_token->length = data.length; - memcpy(output_token->value, data.data, output_token->length); - } -#endif - free(buf); - if (ret) - 
return ret; - return GSS_S_COMPLETE; -} - -static OM_uint32 -spnego_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret, ret2; - NegTokenInit ni; - size_t ni_len; - int i; - int found = 0; - krb5_data data; - size_t len, taglen; - - output_token->length = 0; - output_token->value = NULL; - - ret = _gssapi_decapsulate (minor_status, - input_token_buffer, - &data, - GSS_SPNEGO_MECHANISM); - if (ret) - return ret; - - ret = der_match_tag_and_length(data.data, data.length, - ASN1_C_CONTEXT, CONS, 0, &len, &taglen); - if (ret) - return ret; - - if(len > data.length - taglen) - return ASN1_OVERRUN; - - ret = decode_NegTokenInit((const unsigned char *)data.data + taglen, len, - &ni, &ni_len); - if (ret) - return GSS_S_DEFECTIVE_TOKEN; - - if (ni.mechTypes == NULL) { - free_NegTokenInit(&ni); - return send_reject (minor_status, output_token); - } - - for (i = 0; !found && i < ni.mechTypes->len; ++i) { - unsigned char mechbuf[17]; - size_t mech_len; - - ret = der_put_oid (mechbuf + sizeof(mechbuf) - 1, - sizeof(mechbuf), - &ni.mechTypes->val[i], - &mech_len); - if (ret) { - free_NegTokenInit(&ni); - return GSS_S_DEFECTIVE_TOKEN; - } - if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(GSS_KRB5_MECHANISM->elements, - mechbuf + sizeof(mechbuf) - mech_len, - mech_len) == 0) - found = 1; - } - if (found) { - gss_buffer_desc ibuf, obuf; - gss_buffer_t ot = NULL; - OM_uint32 minor; - - if (ni.mechToken != NULL) { - ibuf.length = ni.mechToken->length; - ibuf.value = ni.mechToken->data; - - ret = gsskrb5_accept_sec_context(&minor, - context_handle, - acceptor_cred_handle, - &ibuf, - input_chan_bindings, - src_name, - mech_type, - 
&obuf, - ret_flags, - time_rec, - delegated_cred_handle); - if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { - ot = &obuf; - } else { - free_NegTokenInit(&ni); - send_reject (minor_status, output_token); - return ret; - } - } - ret2 = send_accept (minor_status, ret, output_token, ot, - *context_handle, ni.mechTypes); - if (ret2 != GSS_S_COMPLETE) - ret = ret2; - if (ot != NULL) - gss_release_buffer(&minor, ot); - free_NegTokenInit(&ni); - return ret; - } else { - free_NegTokenInit(&ni); - return send_reject (minor_status, output_token); - } -} - -OM_uint32 -gss_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret; - ssize_t mech_len; - const u_char *p; - - *minor_status = 0; - - mech_len = gssapi_krb5_get_mech (input_token_buffer->value, - input_token_buffer->length, - &p); - if (mech_len < 0) - return GSS_S_DEFECTIVE_TOKEN; - if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0) - ret = gsskrb5_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) - ret = spnego_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - else - return GSS_S_BAD_MECH; - - return ret; -} 
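Review bot: The `failure:` path now tears down and free()s `ctx` unconditionally and then sets `*context_handle = GSS_C_NO_CONTEXT`, which is only correct if `ctx` is always allocated by this call and never an existing context the caller passed in; the function's prologue is outside the hunk, so I cannot confirm that, and the label has no comment stating the ownership rule it relies on. Suggest a comment above the label: `/* ctx is private to this call until *context_handle is assigned on the success path; every goto failure must reach here with ctx still unpublished. */`. Setting `*minor_status = 0` before the successful return is a good addition, since earlier branches leave a stale krb5 code in it. The large removal of the SPNEGO code below the function is not re-reviewed here.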
diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c index 8b50c4a54..316a7306c 100644 --- a/lib/gssapi/krb5/acquire_cred.c +++ b/lib/gssapi/krb5/acquire_cred.c @@ -31,12 +31,12 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); OM_uint32 -_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, +__gsskrb5_ccache_lifetime(OM_uint32 *minor_status, krb5_ccache id, krb5_principal principal, OM_uint32 *lifetime) @@ -48,32 +48,32 @@ _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, memset(&in_cred, 0, sizeof(in_cred)); in_cred.client = principal; - realm = krb5_principal_get_realm(gssapi_krb5_context, principal); + realm = krb5_principal_get_realm(_gsskrb5_context, principal); if (realm == NULL) { - gssapi_krb5_clear_status (); + _gsskrb5_clear_status (); *minor_status = KRB5_PRINC_NOMATCH; /* XXX */ return GSS_S_FAILURE; } - kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server, + kret = krb5_make_principal(_gsskrb5_context, &in_cred.server, realm, KRB5_TGS_NAME, realm, NULL); if (kret) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = kret; return GSS_S_FAILURE; } - kret = krb5_get_credentials(gssapi_krb5_context, 0, + kret = krb5_get_credentials(_gsskrb5_context, 0, id, &in_cred, &out_cred); - krb5_free_principal(gssapi_krb5_context, in_cred.server); + krb5_free_principal(_gsskrb5_context, in_cred.server); if (kret) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = kret; return GSS_S_FAILURE; } *lifetime = out_cred->times.endtime; - krb5_free_creds(gssapi_krb5_context, out_cred); + krb5_free_creds(_gsskrb5_context, out_cred); return GSS_S_COMPLETE; } 
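Review bot: The new name `__gsskrb5_ccache_lifetime` begins with two underscores, which C reserves for the implementation in every scope, so a conflict with a compiler or libc symbol is possible in principle; the rest of the commit settles on a single-underscore `_gsskrb5_` prefix (itself reserved at file scope, but that is a project-wide choice) and this one function should follow it rather than stand out with `__`. A one-line rename of the definition and its caller in acquire_initiator_cred (the `ret = __gsskrb5_ccache_lifetime(minor_status,` line) is all that is needed. The `/* XXX */` next to `KRB5_PRINC_NOMATCH` is pre-existing and still unexplained; a short comment on why that minor code is used for a missing realm would help.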
@@ -89,14 +89,14 @@ get_keytab(krb5_keytab *keytab) HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - if (gssapi_krb5_keytab != NULL) { - kret = krb5_kt_get_name(gssapi_krb5_context, - gssapi_krb5_keytab, + if (_gsskrb5_keytab != NULL) { + kret = krb5_kt_get_name(_gsskrb5_context, + _gsskrb5_keytab, kt_name, sizeof(kt_name)); if (kret == 0) - kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab); + kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab); } else - kret = krb5_kt_default(gssapi_krb5_context, keytab); + kret = krb5_kt_default(_gsskrb5_context, keytab); HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); @@ -109,7 +109,7 @@ static OM_uint32 acquire_initiator_cred OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, - gss_cred_id_t handle, + gsskrb5_cred handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec ) 
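Review bot: get_keytab() still locks `gssapi_keytab_mutex` while the global it protects was renamed to `_gsskrb5_keytab`, so the mutex and the data it guards now carry different naming schemes; if the mutex is meant to move with the rest of the rename it was missed here (its definition is outside this hunk). Renaming it to match, or leaving a comment at the lock explaining that the mutex deliberately keeps the old name, would avoid the next reader assuming the two are unrelated. The resolve-by-name round trip through `kt_name` is unchanged and the function's tail is outside the hunk.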
@@ -132,33 +132,33 @@ static OM_uint32 acquire_initiator_cred * caches, otherwise, fall back to default cache. Ignore * errors. */ if (handle->principal) - kret = krb5_cc_cache_match (gssapi_krb5_context, + kret = krb5_cc_cache_match (_gsskrb5_context, handle->principal, NULL, &ccache); if (ccache == NULL) { - kret = krb5_cc_default(gssapi_krb5_context, &ccache); + kret = krb5_cc_default(_gsskrb5_context, &ccache); if (kret) goto end; } - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, + kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &def_princ); if (kret != 0) { /* we'll try to use a keytab below */ - krb5_cc_destroy(gssapi_krb5_context, ccache); + krb5_cc_destroy(_gsskrb5_context, ccache); ccache = NULL; kret = 0; } else if (handle->principal == NULL) { - kret = krb5_copy_principal(gssapi_krb5_context, def_princ, + kret = krb5_copy_principal(_gsskrb5_context, def_princ, &handle->principal); if (kret) goto end; } else if (handle->principal != NULL && - krb5_principal_compare(gssapi_krb5_context, handle->principal, + krb5_principal_compare(_gsskrb5_context, handle->principal, def_princ) == FALSE) { /* Before failing, lets check the keytab */ - krb5_free_principal(gssapi_krb5_context, def_princ); + krb5_free_principal(_gsskrb5_context, def_princ); def_princ = NULL; } if (def_princ == NULL) { @@ -166,7 +166,7 @@ static OM_uint32 acquire_initiator_cred * so attempt to get a TGT using a keytab. */ if (handle->principal == NULL) { - kret = krb5_get_default_principal(gssapi_krb5_context, + kret = krb5_get_default_principal(_gsskrb5_context, &handle->principal); if (kret) goto end; 
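Review bot: When krb5_cc_get_principal() fails, the code calls `krb5_cc_destroy(_gsskrb5_context, ccache)` on a cache that came from krb5_cc_cache_match() or krb5_cc_default(), i.e. the caller's own credential cache, so an empty or unreadable default cache gets deleted from disk as a side effect of acquiring a credential; the comment "we'll try to use a keytab below" describes a fallback, not a destructive action. This is pre-existing behaviour that the rename merely touches, but since the line is changed anyway it should become `krb5_cc_close(_gsskrb5_context, ccache);`. The enclosing function continues outside the hunk.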
@@ -174,29 +174,29 @@ static OM_uint32 acquire_initiator_cred kret = get_keytab(&keytab); if (kret) goto end; - kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt); + kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt); if (kret) goto end; - kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred, + kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred, handle->principal, keytab, 0, NULL, opt); krb5_get_init_creds_opt_free(opt); if (kret) goto end; - kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, + kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops, &ccache); if (kret) goto end; - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client); + kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client); if (kret) goto end; - kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred); + kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred); if (kret) goto end; handle->lifetime = cred.times.endtime; handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; } else { - ret = _gssapi_krb5_ccache_lifetime(minor_status, + ret = __gsskrb5_ccache_lifetime(minor_status, ccache, handle->principal, &handle->lifetime); @@ -210,17 +210,17 @@ static OM_uint32 acquire_initiator_cred end: if (cred.client != NULL) - krb5_free_cred_contents(gssapi_krb5_context, &cred); + krb5_free_cred_contents(_gsskrb5_context, &cred); if (def_princ != NULL) - krb5_free_principal(gssapi_krb5_context, def_princ); + krb5_free_principal(_gsskrb5_context, def_princ); if (keytab != NULL) - krb5_kt_close(gssapi_krb5_context, keytab); + krb5_kt_close(_gsskrb5_context, keytab); if (ret != GSS_S_COMPLETE) { if (ccache != NULL) - krb5_cc_close(gssapi_krb5_context, ccache); + krb5_cc_close(_gsskrb5_context, ccache); if (kret != 0) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); } } return (ret); 
@@ -232,7 +232,7 @@ static OM_uint32 acquire_acceptor_cred OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, - gss_cred_id_t handle, + gsskrb5_cred handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec ) @@ -250,38 +250,38 @@ static OM_uint32 acquire_acceptor_cred if (handle->principal) { krb5_keytab_entry entry; - kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab, + kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab, handle->principal, 0, 0, &entry); if (kret) goto end; - krb5_kt_free_entry(gssapi_krb5_context, &entry); + krb5_kt_free_entry(_gsskrb5_context, &entry); } ret = GSS_S_COMPLETE; end: if (ret != GSS_S_COMPLETE) { if (handle->keytab != NULL) - krb5_kt_close(gssapi_krb5_context, handle->keytab); + krb5_kt_close(_gsskrb5_context, handle->keytab); if (kret != 0) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); } } return (ret); } -OM_uint32 gss_acquire_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) +OM_uint32 _gsskrb5_acquire_cred +(OM_uint32 * minor_status, + const gss_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t * output_cred_handle, + gss_OID_set * actual_mechs, + OM_uint32 * time_rec + ) { - gss_cred_id_t handle; + gsskrb5_cred handle; OM_uint32 ret; if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { @@ -300,8 +300,8 @@ OM_uint32 gss_acquire_cred if (desired_mechs) { int present = 0; - ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - desired_mechs, &present); + ret = _gsskrb5_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + desired_mechs, &present); if (ret) return ret; if (!present) { 
@@ -310,18 +310,17 @@ OM_uint32 gss_acquire_cred } } - handle = (gss_cred_id_t)malloc(sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { + handle = calloc(1, sizeof(*handle)); + if (handle == NULL) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } - memset(handle, 0, sizeof (*handle)); HEIMDAL_MUTEX_init(&handle->cred_id_mutex); if (desired_name != GSS_C_NO_NAME) { - ret = gss_duplicate_name(minor_status, desired_name, - &handle->principal); + ret = _gsskrb5_duplicate_name(minor_status, desired_name, + &handle->principal); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); free(handle); 
@@ -330,42 +329,42 @@ OM_uint32 gss_acquire_cred } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); + desired_mechs, cred_usage, handle, actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return (ret); } } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { ret = acquire_acceptor_cred(minor_status, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); + desired_mechs, cred_usage, handle, actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return (ret); } } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms); if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); + ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); if (ret == GSS_S_COMPLETE) - ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL, - actual_mechs); + ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, + NULL, time_rec, NULL, actual_mechs); if (ret != GSS_S_COMPLETE) { if (handle->mechanisms != NULL) - gss_release_oid_set(NULL, &handle->mechanisms); + _gsskrb5_release_oid_set(NULL, &handle->mechanisms); HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return (ret); } *minor_status = 0; if (time_rec) { - ret 
= gssapi_lifetime_left(minor_status, + ret = _gsskrb5_lifetime_left(minor_status, handle->lifetime, time_rec); @@ -373,6 +372,6 @@ OM_uint32 gss_acquire_cred return ret; } handle->usage = cred_usage; - *output_cred_handle = handle; + *output_cred_handle = (gss_cred_id_t)handle; return (GSS_S_COMPLETE); } diff --git a/lib/gssapi/krb5/add_cred.c b/lib/gssapi/krb5/add_cred.c index f015e40dc..f35b29003 100644 --- a/lib/gssapi/krb5/add_cred.c +++ b/lib/gssapi/krb5/add_cred.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_add_cred ( +OM_uint32 _gsskrb5_add_cred ( OM_uint32 *minor_status, const gss_cred_id_t input_cred_handle, const gss_name_t desired_name, @@ -49,22 +49,22 @@ OM_uint32 gss_add_cred ( OM_uint32 *acceptor_time_rec) { OM_uint32 ret, lifetime; - gss_cred_id_t cred, handle; + gsskrb5_cred cred, handle; handle = NULL; - cred = input_cred_handle; + cred = (gsskrb5_cred)input_cred_handle; if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { *minor_status = 0; return GSS_S_BAD_MECH; } - if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) { + if (cred == NULL && output_cred_handle == NULL) { *minor_status = 0; return GSS_S_NO_CRED; } - if (cred == GSS_C_NO_CREDENTIAL) { /* XXX standard conformance failure */ + if (cred == NULL) { /* XXX standard conformance failure */ *minor_status = 0; return GSS_S_NO_CRED; } @@ -81,7 +81,7 @@ OM_uint32 gss_add_cred ( /* check that we have the same name */ if (desired_name != GSS_C_NO_NAME && - krb5_principal_compare(gssapi_krb5_context, desired_name, + krb5_principal_compare(_gsskrb5_context, desired_name, cred->principal) != FALSE) { if (output_cred_handle) HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); 
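Review bot: The error paths in _gsskrb5_acquire_cred() release only `handle->principal`, the mutex and `handle` itself, so when acquire_initiator_cred() has succeeded (populating `handle->ccache`, possibly a fresh MEMORY cache flagged GSS_CF_DESTROY_CRED_ON_RELEASE) and acquire_acceptor_cred() or _gsskrb5_inquire_cred() then fails, the ccache and any keytab are leaked; the oid-set failure branch has the same gap. Since every failure does the same partial cleanup, a single `failure:` label that releases everything the handle can own — mirroring the cleanup in add_cred.c later in this diff — would fix all three paths at once. The function's prologue is outside the hunk.
```c
    /* … unchanged: acquire_initiator_cred / acquire_acceptor_cred / oid set, each failure becomes goto failure … */
    return (GSS_S_COMPLETE);

failure:
    if (handle->mechanisms != NULL)
	_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
    if (handle->ccache != NULL) {
	if (handle->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
	    krb5_cc_destroy(_gsskrb5_context, handle->ccache);
	else
	    krb5_cc_close(_gsskrb5_context, handle->ccache);
    }
    if (handle->keytab != NULL)
	krb5_kt_close(_gsskrb5_context, handle->keytab);
    krb5_free_principal(_gsskrb5_context, handle->principal);
    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
    free(handle);
    return (ret);
```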
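Review bot: In add_cred.c the "check that we have the same name" condition reads `krb5_principal_compare(_gsskrb5_context, desired_name, cred->principal) != FALSE`, which is true when the names match, so the branch that unlocks the mutex and (judging by its shape) rejects the call is taken exactly when the caller supplied the right name; the branch body ends outside the hunk, so I cannot see the return, but if it is an error return the test should be `== FALSE`. This predates the rename, yet the line is rewritten here and is the one place to fix it. Also, `desired_name` is a gss_name_t passed straight to a krb5_principal parameter — fine if the mechanism defines them as the same type, but worth a comment at the cast-free call site.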
@@ -92,15 +92,13 @@ OM_uint32 gss_add_cred ( /* make a copy */ if (output_cred_handle) { - handle = (gss_cred_id_t)malloc(sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { + handle = calloc(1, sizeof(*handle)); + if (handle == NULL) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ENOMEM; return (GSS_S_FAILURE); } - memset(handle, 0, sizeof (*handle)); - handle->usage = cred_usage; handle->lifetime = cred->lifetime; handle->principal = NULL; @@ -111,8 +109,8 @@ OM_uint32 gss_add_cred ( ret = GSS_S_FAILURE; - ret = gss_duplicate_name(minor_status, cred->principal, - &handle->principal); + ret = _gsskrb5_duplicate_name(minor_status, cred->principal, + &handle->principal); if (ret) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); free(handle); @@ -127,7 +125,7 @@ OM_uint32 gss_add_cred ( ret = GSS_S_FAILURE; - kret = krb5_kt_get_type(gssapi_krb5_context, cred->keytab, + kret = krb5_kt_get_type(_gsskrb5_context, cred->keytab, name, KRB5_KT_PREFIX_MAX_LEN); if (kret) { *minor_status = kret; @@ -136,7 +134,7 @@ OM_uint32 gss_add_cred ( len = strlen(name); name[len++] = ':'; - kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab, + kret = krb5_kt_get_name(_gsskrb5_context, cred->keytab, name + len, sizeof(name) - len); if (kret) { @@ -144,7 +142,7 @@ OM_uint32 gss_add_cred ( goto failure; } - kret = krb5_kt_resolve(gssapi_krb5_context, name, + kret = krb5_kt_resolve(_gsskrb5_context, name, &handle->keytab); if (kret){ *minor_status = kret; 
@@ -159,21 +157,21 @@ OM_uint32 gss_add_cred ( ret = GSS_S_FAILURE; - type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache); + type = krb5_cc_get_type(_gsskrb5_context, cred->ccache); if (type == NULL){ *minor_status = ENOMEM; goto failure; } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, + ret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops, &handle->ccache); if (ret) { *minor_status = ret; goto failure; } - ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, + ret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, handle->ccache); if (ret) { *minor_status = ret; @@ -181,7 +179,7 @@ OM_uint32 gss_add_cred ( } } else { - name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); + name = krb5_cc_get_name(_gsskrb5_context, cred->ccache); if (name == NULL) { *minor_status = ENOMEM; goto failure; @@ -193,7 +191,7 @@ OM_uint32 gss_add_cred ( goto failure; } - kret = krb5_cc_resolve(gssapi_krb5_context, type_name, + kret = krb5_cc_resolve(_gsskrb5_context, type_name, &handle->ccache); free(type_name); if (kret) { @@ -202,20 +200,20 @@ OM_uint32 gss_add_cred ( } } } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms); if (ret) goto failure; - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); + ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); if (ret) goto failure; } HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime, - NULL, actual_mechs); + ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, + NULL, &lifetime, NULL, actual_mechs); if (ret) goto failure; @@ -225,7 +223,7 @@ OM_uint32 gss_add_cred ( *acceptor_time_rec = lifetime; if (output_cred_handle) { - *output_cred_handle = handle; + *output_cred_handle = (gss_cred_id_t)handle; } *minor_status = 0; 
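Review bot: In the MEMORY branch the krb5 results of krb5_cc_gen_new() and krb5_cc_copy_cache() are assigned to `ret` (the GSS major status) and then copied into `*minor_status`, so on failure the function reaches `failure:` with a raw krb5_error_code as its major status instead of the `GSS_S_FAILURE` set just above; the sibling non-MEMORY branch correctly uses `kret` for krb5_cc_resolve(). The two sites should read `kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops, &handle->ccache);` and `kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, handle->ccache);`, each followed by `if (kret) { *minor_status = kret; goto failure; }`. The enclosing function continues outside the hunk.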
@@ -235,13 +233,13 @@ OM_uint32 gss_add_cred ( if (handle) { if (handle->principal) - gss_release_name(NULL, &handle->principal); + _gsskrb5_release_name(NULL, &handle->principal); if (handle->keytab) - krb5_kt_close(gssapi_krb5_context, handle->keytab); + krb5_kt_close(_gsskrb5_context, handle->keytab); if (handle->ccache) - krb5_cc_destroy(gssapi_krb5_context, handle->ccache); + krb5_cc_destroy(_gsskrb5_context, handle->ccache); if (handle->mechanisms) - gss_release_oid_set(NULL, &handle->mechanisms); + _gsskrb5_release_oid_set(NULL, &handle->mechanisms); free(handle); } if (output_cred_handle) diff --git a/lib/gssapi/krb5/add_oid_set_member.c b/lib/gssapi/krb5/add_oid_set_member.c index f768098bb..5a84dd079 100644 --- a/lib/gssapi/krb5/add_oid_set_member.c +++ b/lib/gssapi/krb5/add_oid_set_member.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_add_oid_set_member ( +OM_uint32 _gsskrb5_add_oid_set_member ( OM_uint32 * minor_status, const gss_OID member_oid, gss_OID_set * oid_set @@ -46,7 +46,8 @@ OM_uint32 gss_add_oid_set_member ( OM_uint32 res; int present; - res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present); + res = _gsskrb5_test_oid_set_member(minor_status, member_oid, + *oid_set, &present); if (res != GSS_S_COMPLETE) return res; diff --git a/lib/gssapi/krb5/address_to_krb5addr.c b/lib/gssapi/krb5/address_to_krb5addr.c index 13a6825f5..aaade2f5c 100644 --- a/lib/gssapi/krb5/address_to_krb5addr.c +++ b/lib/gssapi/krb5/address_to_krb5addr.c @@ -31,15 +31,15 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" #include krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address) +_gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type, + gss_buffer_desc *gss_addr, + int16_t port, + krb5_address *address) { int addr_type; struct sockaddr sa; 
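Review bot: The cleanup calls `krb5_cc_destroy(_gsskrb5_context, handle->ccache)` for the copied handle, but in the non-MEMORY branch earlier in this file `handle->ccache` is a krb5_cc_resolve() of the same type:name as `cred->ccache`, so a late failure (oid-set allocation or _gsskrb5_inquire_cred) would delete the input credential's on-disk cache rather than just dropping the copy's reference. Only the MEMORY-copy branch owns a private cache; the others should be released with `krb5_cc_close(_gsskrb5_context, handle->ccache);`, with an ownership flag (acquire_cred.c's GSS_CF_DESTROY_CRED_ON_RELEASE pattern) deciding which call to make. This is pre-existing but the line is rewritten here. The `failure:` label itself is outside the hunk.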
@@ -61,7 +61,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type, return GSS_S_FAILURE; } - problem = krb5_h_addr2sockaddr (gssapi_krb5_context, + problem = krb5_h_addr2sockaddr (_gsskrb5_context, addr_type, gss_addr->value, &sa, @@ -70,7 +70,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type, if (problem) return GSS_S_FAILURE; - problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address); + problem = krb5_sockaddr2address (_gsskrb5_context, &sa, address); return problem; } diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c index 3734ecfb0..b9a3eb20d 100644 --- a/lib/gssapi/krb5/arcfour.c +++ b/lib/gssapi/krb5/arcfour.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -127,13 +127,13 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, memcpy(ptr + l1, v2, l2); memcpy(ptr + l1 + l2, v3, l3); - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret) { free(ptr); return ret; } - ret = krb5_create_checksum(gssapi_krb5_context, + ret = krb5_create_checksum(_gsskrb5_context, crypto, usage, 0, @@ -144,7 +144,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); free_Checksum(&CKSUM); } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return ret; } @@ -152,7 +152,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, 
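Review bot: _gsskrb5i_address_to_krb5addr() is declared to return krb5_error_code, yet it returns `GSS_S_FAILURE` when krb5_h_addr2sockaddr() fails and the raw `problem` from krb5_sockaddr2address() otherwise, so a caller cannot tell which error space the value is in; the earlier `return GSS_S_FAILURE;` at the top of the hunk has the same issue. Either propagate `problem` in both places or map both to a GSS status, and document the choice on the declaration. The function's start is outside this view.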
@@ -164,7 +164,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, u_char k6_data[16], *p0, *p; RC4_KEY rc4_key; - gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); message_token->length = total_len; message_token->value = malloc (total_len); @@ -195,28 +195,28 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, message_buffer->value, message_buffer->length, NULL, 0); if (ret) { - gss_release_buffer(minor_status, message_token); + _gsskrb5_release_buffer(minor_status, message_token); *minor_status = ret; return GSS_S_FAILURE; } - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, p0 + 16, 8, /* SGN_CKSUM */ k6_data, sizeof(k6_data)); if (ret) { - gss_release_buffer(minor_status, message_token); + _gsskrb5_release_buffer(minor_status, message_token); *minor_status = ret; return GSS_S_FAILURE; } HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, context_handle->auth_context, &seq_number); p = p0 + 8; /* SND_SEQ */ - gssapi_encode_be_om_uint32(seq_number, p); + _gsskrb5_encode_be_om_uint32(seq_number, p); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -236,7 +236,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, 
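Review bot: Inside the mutex-protected region, krb5_auth_con_getlocalseqnumber() and krb5_auth_con_setlocalseqnumber() have their return values dropped, so a failure of the getter lets an uninitialised `seq_number` be encoded into the token's SND_SEQ field and then incremented and stored back; the wrap path in the `@@ -377,13` hunk of this file has the identical pattern. Checking the getter before encoding keeps the sequence counter consistent with what is sent. The enclosing function continues outside the hunk.
```c
    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    ret = krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
					   context_handle->auth_context,
					   &seq_number);
    if (ret) {
	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
	_gsskrb5_release_buffer(minor_status, message_token);
	*minor_status = ret;
	return GSS_S_FAILURE;
    }
    p = p0 + 8; /* SND_SEQ */
    _gsskrb5_encode_be_om_uint32(seq_number, p);
    /* … unchanged: setlocalseqnumber(++seq_number) and unlock … */
```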
@@ -254,7 +254,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, *qop_state = 0; p = token_buffer->value; - omret = gssapi_krb5_verify_header (&p, + omret = _gsskrb5_verify_header (&p, token_buffer->length, (u_char *)type, GSS_KRB5_MECHANISM); @@ -278,7 +278,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, return GSS_S_FAILURE; } - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, cksum_data, sizeof(cksum_data), k6_data, sizeof(k6_data)); if (ret) { @@ -302,7 +302,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, memset(k6_data, 0, sizeof(k6_data)); } - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); + _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); @@ -327,7 +327,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, OM_uint32 _gssapi_wrap_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -377,13 +377,13 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, p = NULL; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, context_handle->auth_context, &seq_number); - gssapi_encode_be_om_uint32(seq_number, p0 + 8); + _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -407,7 +407,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, datalen); if (ret) { *minor_status = ret; - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } 
@@ -421,12 +421,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, for (i = 0; i < 16; i++) Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, + ret = arcfour_mic_key(_gsskrb5_context, &Klocal, p0 + 8, 4, /* SND_SEQ */ k6_data, sizeof(k6_data)); memset(Klocaldata, 0, sizeof(Klocaldata)); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; return GSS_S_FAILURE; } @@ -442,11 +442,11 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, } memset(k6_data, 0, sizeof(k6_data)); - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, p0 + 16, 8, /* SGN_CKSUM */ k6_data, sizeof(k6_data)); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; return GSS_S_FAILURE; } @@ -468,7 +468,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, } OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, @@ -524,7 +524,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, return GSS_S_BAD_MIC; p = NULL; - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, p0 + 16, 8, /* SGN_CKSUM */ k6_data, sizeof(k6_data)); if (ret) { @@ -541,7 +541,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, memset(k6_data, 0, sizeof(k6_data)); } - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); + _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); 
@@ -563,7 +563,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, for (i = 0; i < 16; i++) Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, + ret = arcfour_mic_key(_gsskrb5_context, &Klocal, SND_SEQ, 4, k6_data, sizeof(k6_data)); memset(Klocaldata, 0, sizeof(Klocaldata)); @@ -597,7 +597,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; return ret; } @@ -610,14 +610,14 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, output_message_buffer->value, output_message_buffer->length + padlen); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; return GSS_S_FAILURE; } cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ if (cmp) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; return GSS_S_BAD_MIC; } diff --git a/lib/gssapi/krb5/canonicalize_name.c b/lib/gssapi/krb5/canonicalize_name.c index 9bd51e0d9..666758555 100644 --- a/lib/gssapi/krb5/canonicalize_name.c +++ b/lib/gssapi/krb5/canonicalize_name.c @@ -31,16 +31,16 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_canonicalize_name ( +OM_uint32 _gsskrb5_canonicalize_name ( OM_uint32 * minor_status, const gss_name_t input_name, const gss_OID mech_type, gss_name_t * output_name ) { - return gss_duplicate_name (minor_status, input_name, output_name); + return _gsskrb5_duplicate_name (minor_status, input_name, output_name); } diff --git a/lib/gssapi/krb5/ccache_name.c b/lib/gssapi/krb5/ccache_name.c index 8eb882484..e58f680a2 100644 
--- a/lib/gssapi/krb5/ccache_name.c +++ b/lib/gssapi/krb5/ccache_name.c @@ -31,16 +31,16 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); char *last_out_name; OM_uint32 -gss_krb5_ccache_name(OM_uint32 *minor_status, - const char *name, - const char **out_name) +_gsskrb5_krb5_ccache_name(OM_uint32 *minor_status, + const char *name, + const char **out_name) { krb5_error_code kret; @@ -56,10 +56,10 @@ gss_krb5_ccache_name(OM_uint32 *minor_status, last_out_name = NULL; } - n = krb5_cc_default_name(gssapi_krb5_context); + n = krb5_cc_default_name(_gsskrb5_context); if (n == NULL) { *minor_status = ENOMEM; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } last_out_name = strdup(n); @@ -70,10 +70,10 @@ gss_krb5_ccache_name(OM_uint32 *minor_status, *out_name = last_out_name; } - kret = krb5_cc_set_default_name(gssapi_krb5_context, name); + kret = krb5_cc_set_default_name(_gsskrb5_context, name); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } return GSS_S_COMPLETE; diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c index 3ac42c178..9794f95f4 100644 --- a/lib/gssapi/krb5/cfx.c +++ b/lib/gssapi/krb5/cfx.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -57,12 +57,12 @@ wrap_length_cfx(krb5_crypto crypto, *output_length = sizeof(gss_cfx_wrap_token_desc); *padlength = 0; - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, &type); + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type); if (ret) { return ret; } - ret = krb5_checksumsize(gssapi_krb5_context, type, cksumsize); + ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize); if (ret) { return ret; } 
@@ -73,7 +73,7 @@ wrap_length_cfx(krb5_crypto crypto, /* Header is concatenated with data before encryption */ input_length += sizeof(gss_cfx_wrap_token_desc); - ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, &padsize); + ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize); if (ret) { return ret; } @@ -85,7 +85,7 @@ wrap_length_cfx(krb5_crypto crypto, /* We add the pad ourselves (noted here for completeness only) */ input_length += *padlength; - *output_length += krb5_get_wrapped_length(gssapi_krb5_context, + *output_length += krb5_get_wrapped_length(_gsskrb5_context, crypto, input_length); } else { /* Checksum is concatenated with data */ @@ -98,7 +98,7 @@ wrap_length_cfx(krb5_crypto crypto, } OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size, @@ -110,9 +110,9 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, uint16_t padlength; size_t output_length, cksumsize; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } @@ -121,9 +121,9 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, req_output_size, &output_length, &cksumsize, &padlength); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -135,7 +135,7 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, *max_input_size = 0; } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_COMPLETE; } 
@@ -185,7 +185,7 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate) } OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -203,9 +203,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, int32_t seq_number; u_char *p; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } @@ -214,9 +214,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, input_message_buffer->length, &wrapped_len, &cksumsize, &padlength); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -227,7 +227,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(output_message_buffer->length); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } 
@@ -277,12 +277,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, token->RRC[1] = 0; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber(_gsskrb5_context, context_handle->auth_context, &seq_number); - gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]); - gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, + _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); + _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); + krb5_auth_con_setlocalseqnumber(_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -317,16 +317,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, memcpy(p + input_message_buffer->length + padlength, token, sizeof(*token)); - ret = krb5_encrypt(gssapi_krb5_context, crypto, + ret = krb5_encrypt(_gsskrb5_context, crypto, usage, p, input_message_buffer->length + padlength + sizeof(*token), &cipher); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } assert(sizeof(*token) + cipher.length == wrapped_len); @@ -335,10 +335,10 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } memcpy(p, cipher.data, cipher.length); 
@@ -350,23 +350,23 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, buf = malloc(input_message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } memcpy(buf, input_message_buffer->value, input_message_buffer->length); memcpy(buf + input_message_buffer->length, token, sizeof(*token)); - ret = krb5_create_checksum(gssapi_krb5_context, crypto, + ret = krb5_create_checksum(_gsskrb5_context, crypto, usage, 0, buf, input_message_buffer->length + sizeof(*token), &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); free(buf); return GSS_S_FAILURE; } @@ -387,17 +387,17 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, ret = rrc_rotate(p, input_message_buffer->length + cksum.checksum.length, rrc, FALSE); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); free_Checksum(&cksum); return GSS_S_FAILURE; } free_Checksum(&cksum); } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (conf_state != NULL) { *conf_state = conf_req_flag; 
@@ -408,7 +408,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, @@ -471,8 +471,8 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* * Check sequence number */ - gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); if (seq_number_hi) { /* no support for 64-bit sequence numbers */ *minor_status = ERANGE; @@ -484,7 +484,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, if (ret != 0) { *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return ret; } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -492,9 +492,9 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* * Decrypt and/or verify checksum */ - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } 
@@ -512,23 +512,23 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Rotate by RRC; bogus to do this in-place XXX */ *minor_status = rrc_rotate(p, len, rrc, TRUE); if (*minor_status != 0) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } if (token_flags & CFXSealed) { - ret = krb5_decrypt(gssapi_krb5_context, crypto, usage, + ret = krb5_decrypt(_gsskrb5_context, crypto, usage, p, len, &data); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_BAD_MIC; } /* Check that there is room for the pad and token header */ if (data.length < ec + sizeof(*token)) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); krb5_data_free(&data); return GSS_S_DEFECTIVE_TOKEN; } @@ -541,7 +541,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check the integrity of the header */ if (memcmp(p, token, sizeof(*token)) != 0) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); krb5_data_free(&data); return GSS_S_BAD_MIC; } @@ -552,12 +552,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, Checksum cksum; /* Determine checksum type */ - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &cksum.cksumtype); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } 
@@ -566,7 +566,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check we have at least as much data as the checksum */ if (len < cksum.checksum.length) { *minor_status = ERANGE; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_BAD_MIC; } @@ -578,7 +578,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(len + sizeof(*token)); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -595,21 +595,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, token->RRC[0] = 0; token->RRC[1] = 0; - ret = krb5_verify_checksum(gssapi_krb5_context, crypto, + ret = krb5_verify_checksum(_gsskrb5_context, crypto, usage, output_message_buffer->value, len + sizeof(*token), &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_BAD_MIC; } } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (qop_state != NULL) { *qop_state = GSS_C_QOP_DEFAULT; @@ -620,7 +620,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, 
@@ -635,9 +635,9 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, size_t len; int32_t seq_number; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } @@ -646,7 +646,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, buf = malloc(len); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -663,12 +663,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, memset(token->Filler, 0xFF, 5); HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber(_gsskrb5_context, context_handle->auth_context, &seq_number); - gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]); - gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, + _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); + _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); + krb5_auth_con_setlocalseqnumber(_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); 
@@ -679,16 +679,16 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; } - ret = krb5_create_checksum(gssapi_krb5_context, crypto, + ret = krb5_create_checksum(_gsskrb5_context, crypto, usage, 0, buf, len, &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); free(buf); return GSS_S_FAILURE; } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); /* Determine MIC length */ message_token->length = sizeof(*token) + cksum.checksum.length; @@ -713,7 +713,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t *qop_state, @@ -764,8 +764,8 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, /* * Check sequence number */ - gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); if (seq_number_hi) { *minor_status = ERANGE; return GSS_S_UNSEQ_TOKEN; 
@@ -783,19 +783,19 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, /* * Verify checksum */ - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &cksum.cksumtype); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -811,21 +811,21 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, buf = malloc(message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } memcpy(buf, message_buffer->value, message_buffer->length); memcpy(buf + message_buffer->length, token, sizeof(*token)); - ret = krb5_verify_checksum(gssapi_krb5_context, crypto, + ret = krb5_verify_checksum(_gsskrb5_context, crypto, usage, buf, sizeof(*token) + message_buffer->length, &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); free(buf); return GSS_S_BAD_MIC; } diff --git a/lib/gssapi/krb5/cfx.h b/lib/gssapi/krb5/cfx.h index de94bdec9..c30ed0784 100644 --- a/lib/gssapi/krb5/cfx.h +++ b/lib/gssapi/krb5/cfx.h 
@@ -62,43 +62,4 @@ typedef struct gss_cfx_delete_token_desc_struct { u_char SND_SEQ[8]; } gss_cfx_delete_token_desc, *gss_cfx_delete_token; -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key); - -OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key); - -OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key); - -OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key); - -OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key); - #endif /* GSSAPI_CFX_H_ */ diff --git a/lib/gssapi/krb5/compare_name.c b/lib/gssapi/krb5/compare_name.c index 2162b1d3f..ac73f733a 100644 --- a/lib/gssapi/krb5/compare_name.c +++ b/lib/gssapi/krb5/compare_name.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_compare_name +OM_uint32 _gsskrb5_compare_name (OM_uint32 * minor_status, const gss_name_t name1, const gss_name_t name2, @@ -44,7 +44,7 @@ OM_uint32 gss_compare_name { GSSAPI_KRB5_INIT(); - *name_equal = krb5_principal_compare (gssapi_krb5_context, + *name_equal = krb5_principal_compare (_gsskrb5_context, name1, name2); *minor_status = 0; return GSS_S_COMPLETE; 
diff --git a/lib/gssapi/krb5/compat.c b/lib/gssapi/krb5/compat.c index cc0f1150c..bc65286a3 100644 --- a/lib/gssapi/krb5/compat.c +++ b/lib/gssapi/krb5/compat.c @@ -31,42 +31,42 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -krb5_error_code -_gss_check_compat(OM_uint32 *minor_status, gss_name_t name, - const char *option, krb5_boolean *compat, - krb5_boolean match_val) +static krb5_error_code +check_compat(OM_uint32 *minor_status, gss_name_t name, + const char *option, krb5_boolean *compat, + krb5_boolean match_val) { krb5_error_code ret = 0; char **p, **q; krb5_principal match; - p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi", + p = krb5_config_get_strings(_gsskrb5_context, NULL, "gssapi", option, NULL); if(p == NULL) return 0; match = NULL; for(q = p; *q; q++) { - ret = krb5_parse_name(gssapi_krb5_context, *q, &match); + ret = krb5_parse_name(_gsskrb5_context, *q, &match); if (ret) break; - if (krb5_principal_match(gssapi_krb5_context, name, match)) { + if (krb5_principal_match(_gsskrb5_context, name, match)) { *compat = match_val; break; } - krb5_free_principal(gssapi_krb5_context, match); + krb5_free_principal(_gsskrb5_context, match); match = NULL; } if (match) - krb5_free_principal(gssapi_krb5_context, match); + krb5_free_principal(_gsskrb5_context, match); krb5_config_free_strings(p); if (ret) { 
@@ -83,18 +83,18 @@ _gss_check_compat(OM_uint32 *minor_status, gss_name_t name, */ OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) +_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gsskrb5_ctx ctx) { krb5_boolean use_compat = FALSE; OM_uint32 ret; if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) { - ret = _gss_check_compat(minor_status, ctx->target, - "broken_des3_mic", &use_compat, TRUE); + ret = check_compat(minor_status, ctx->target, + "broken_des3_mic", &use_compat, TRUE); if (ret) return ret; - ret = _gss_check_compat(minor_status, ctx->target, - "correct_des3_mic", &use_compat, FALSE); + ret = check_compat(minor_status, ctx->target, + "correct_des3_mic", &use_compat, FALSE); if (ret) return ret; @@ -105,6 +105,7 @@ _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) return 0; } +#if 0 OM_uint32 gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) { @@ -121,34 +122,4 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) return 0; } - -/* - * For compatability with the Windows SPNEGO implementation, the - * default is to ignore the mechListMIC unless the initiator specified - * CFX or configured in krb5.conf with the option - * [gssapi]require_mechlist_mic=target-principal-pattern. - * The option is valid for both initiator and acceptor. - */ -OM_uint32 -_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status, - gss_ctx_id_t ctx, - krb5_boolean *require_mic) -{ - OM_uint32 ret; - int is_cfx = 0; - - gsskrb5_is_cfx(ctx, &is_cfx); - if (is_cfx) { - /* CFX session key was used */ - *require_mic = TRUE; - } else { - *require_mic = FALSE; - ret = _gss_check_compat(minor_status, ctx->target, - "require_mechlist_mic", - require_mic, TRUE); - if (ret) - return ret; - } - *minor_status = 0; - return GSS_S_COMPLETE; -} +#endif diff --git a/lib/gssapi/krb5/context_time.c b/lib/gssapi/krb5/context_time.c index 403419d04..325d24fca 100644 
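Review bot: The `#if 0` / `#endif` pair added around `gss_krb5_compat_des3_mic` (the `@@ -105` and `@@ -121` hunks) parks dead code in the tree rather than removing it, and the disabled body still takes the old `gss_ctx_id_t ctx` while `_gss_DES3_get_mic_compat` above it has already moved to `gsskrb5_ctx`, so it will silently drift from the API it would need to compile against. If the function is meant to return, a one-line comment above the guard naming the reason would keep the intent visible, e.g. `/* XXX disabled pending port to gsskrb5_ctx; not compiled */`; otherwise deleting it outright, as the commit does for `_gss_spnego_require_mechlist_mic` in the same hunk, is the cleaner choice.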
--- a/lib/gssapi/krb5/context_time.c +++ b/lib/gssapi/krb5/context_time.c @@ -31,12 +31,12 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); OM_uint32 -gssapi_lifetime_left(OM_uint32 *minor_status, +_gsskrb5_lifetime_left(OM_uint32 *minor_status, OM_uint32 lifetime, OM_uint32 *lifetime_rec) { @@ -48,10 +48,10 @@ gssapi_lifetime_left(OM_uint32 *minor_status, return GSS_S_COMPLETE; } - kret = krb5_timeofday(gssapi_krb5_context, &timeret); + kret = krb5_timeofday(_gsskrb5_context, &timeret); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } @@ -64,7 +64,7 @@ gssapi_lifetime_left(OM_uint32 *minor_status, } -OM_uint32 gss_context_time +OM_uint32 _gsskrb5_context_time (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, OM_uint32 * time_rec @@ -72,14 +72,15 @@ OM_uint32 gss_context_time { OM_uint32 lifetime; OM_uint32 major_status; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; GSSAPI_KRB5_INIT (); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - lifetime = context_handle->lifetime; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + lifetime = ctx->lifetime; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec); + major_status = _gsskrb5_lifetime_left(minor_status, lifetime, time_rec); if (major_status != GSS_S_COMPLETE) return major_status; diff --git a/lib/gssapi/krb5/copy_ccache.c b/lib/gssapi/krb5/copy_ccache.c index 2088f7237..8304fd380 100644 --- a/lib/gssapi/krb5/copy_ccache.c +++ b/lib/gssapi/krb5/copy_ccache.c @@ -31,10 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); +#if 0 OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, gss_cred_id_t cred, 
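Review bot: In the `@@ -72` hunk of context_time.c the new `const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;` puts `const` on the pointer, not on the pointed-to context, because `gsskrb5_ctx` is used as a pointer typedef throughout this commit (`ctx->more_flags`, `handle = calloc(1, sizeof(*handle))`); the qualifier is misleading and buys nothing, so `gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;` says what the code does. The cast is also unchecked: `ctx->ctx_id_mutex` is locked immediately afterwards, so a `GSS_C_NO_CONTEXT` argument dereferences NULL unless the caller guarantees otherwise (not visible here); a guard such as `if (context_handle == GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_NO_CONTEXT; }` before the lock would make the contract explicit. `_gsskrb5_context_time` begins in the preceding `@@ -64` hunk and its body continues past this one.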
@@ -50,36 +51,37 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, return GSS_S_FAILURE; } - kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out); + kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, out); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } *minor_status = 0; return GSS_S_COMPLETE; } +#endif OM_uint32 -gss_krb5_import_cred(OM_uint32 *minor_status, +_gsskrb5_import_cred(OM_uint32 *minor_status, krb5_ccache id, krb5_principal keytab_principal, krb5_keytab keytab, gss_cred_id_t *cred) { krb5_error_code kret; - gss_cred_id_t handle; + gsskrb5_cred handle; OM_uint32 ret; *cred = NULL; GSSAPI_KRB5_INIT (); - handle = (gss_cred_id_t)calloc(1, sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { - gssapi_krb5_clear_status (); + handle = calloc(1, sizeof(*handle)); + if (handle == NULL) { + _gsskrb5_clear_status (); *minor_status = ENOMEM; return (GSS_S_FAILURE); } @@ -92,11 +94,11 @@ gss_krb5_import_cred(OM_uint32 *minor_status, handle->usage |= GSS_C_INITIATE; - kret = krb5_cc_get_principal(gssapi_krb5_context, id, + kret = krb5_cc_get_principal(_gsskrb5_context, id, &handle->principal); if (kret) { free(handle); - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } 
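Review bot: The `krb5_cc_get_principal` failure path in the `@@ -92` hunk does `free(handle)` without `HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex)`, whereas the `out:` label later in `_gsskrb5_import_cred` does destroy the mutex before freeing; the same asymmetry is in the `match == FALSE` path of the next hunk. If the mutex is initialised before this point (the init is not in any hunk shown, so this is inferred from `out:`), both early returns leak whatever the mutex implementation allocates, and `HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);` should precede each `free(handle)`. `_gsskrb5_import_cred` starts in this hunk and continues beyond it.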
@@ -104,34 +106,34 @@ gss_krb5_import_cred(OM_uint32 *minor_status, if (keytab_principal) { krb5_boolean match; - match = krb5_principal_compare(gssapi_krb5_context, + match = krb5_principal_compare(_gsskrb5_context, handle->principal, keytab_principal); if (match == FALSE) { - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); - gssapi_krb5_clear_status (); + _gsskrb5_clear_status (); *minor_status = EINVAL; return GSS_S_FAILURE; } } - ret = _gssapi_krb5_ccache_lifetime(minor_status, + ret = __gsskrb5_ccache_lifetime(minor_status, id, handle->principal, &handle->lifetime); if (ret != GSS_S_COMPLETE) { - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return ret; } - kret = krb5_cc_get_full_name(gssapi_krb5_context, id, &str); + kret = krb5_cc_get_full_name(_gsskrb5_context, id, &str); if (kret) goto out; - kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache); + kret = krb5_cc_resolve(_gsskrb5_context, str, &handle->ccache); free(str); if (kret) goto out; @@ -144,18 +146,18 @@ gss_krb5_import_cred(OM_uint32 *minor_status, handle->usage |= GSS_C_ACCEPT; if (keytab_principal && handle->principal == NULL) { - kret = krb5_copy_principal(gssapi_krb5_context, + kret = krb5_copy_principal(_gsskrb5_context, keytab_principal, &handle->principal); if (kret) goto out; } - kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str); + kret = krb5_kt_get_full_name(_gsskrb5_context, keytab, &str); if (kret) goto out; - kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab); + kret = krb5_kt_resolve(_gsskrb5_context, str, &handle->keytab); free(str); if (kret) goto out; 
@@ -163,10 +165,10 @@ gss_krb5_import_cred(OM_uint32 *minor_status, if (id || keytab) { - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms); if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); + ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); if (ret != GSS_S_COMPLETE) { kret = *minor_status; goto out; @@ -174,13 +176,13 @@ gss_krb5_import_cred(OM_uint32 *minor_status, } *minor_status = 0; - *cred = handle; + *cred = (gss_cred_id_t)handle; return GSS_S_COMPLETE; out: - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); if (handle->principal) - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); free(handle); *minor_status = kret; 
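Review bot: The `out:` cleanup releases only `handle->principal`, but earlier `goto out` sites run after `krb5_cc_resolve` has filled `handle->ccache` (and, on the keytab path, after `krb5_kt_resolve` has filled `handle->keytab`) and after `_gsskrb5_create_empty_oid_set` may have allocated `handle->mechanisms`; those are leaked on failure unless something outside the visible hunks closes them. Because `handle` comes from `calloc`, untouched members are NULL, so `out:` can safely add `if (handle->ccache) krb5_cc_close(_gsskrb5_context, handle->ccache);` plus the matching `krb5_kt_close` and oid-set release before `free(handle)`. The return that follows `*minor_status = kret;` lies outside the hunk.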
@@ -189,29 +191,30 @@ out: OM_uint32 -gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int ad_type, - gss_buffer_t ad_data) +_gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int ad_type, + gss_buffer_t ad_data) { + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_error_code ret; krb5_data data; ad_data->value = NULL; ad_data->length = 0; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + if (ctx->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); *minor_status = EINVAL; return GSS_S_FAILURE; } - ret = krb5_ticket_get_authorization_data_type(gssapi_krb5_context, - context_handle->ticket, + ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context, + ctx->ticket, ad_type, &data); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { *minor_status = ret; return GSS_S_FAILURE; diff --git a/lib/gssapi/krb5/create_emtpy_oid_set.c b/lib/gssapi/krb5/create_emtpy_oid_set.c index 14b8757ac..a97ad637a 100644 --- a/lib/gssapi/krb5/create_emtpy_oid_set.c +++ b/lib/gssapi/krb5/create_emtpy_oid_set.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_create_empty_oid_set ( +OM_uint32 _gsskrb5_create_empty_oid_set ( OM_uint32 * minor_status, gss_OID_set * oid_set ) diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c index 078b4b072..c98cf1043 100644 --- a/lib/gssapi/krb5/decapsulate.c +++ b/lib/gssapi/krb5/decapsulate.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
@@ -41,7 +41,7 @@ RCSID("$Id$"); */ ssize_t -gssapi_krb5_get_mech (const u_char *ptr, +_gsskrb5_get_mech (const u_char *ptr, size_t total_len, const u_char **mech_ret) { @@ -76,7 +76,7 @@ _gssapi_verify_mech_header(u_char **str, const u_char *p; ssize_t mech_len; - mech_len = gssapi_krb5_get_mech (*str, total_len, &p); + mech_len = _gsskrb5_get_mech (*str, total_len, &p); if (mech_len < 0) return GSS_S_DEFECTIVE_TOKEN; @@ -92,7 +92,7 @@ _gssapi_verify_mech_header(u_char **str, } OM_uint32 -gssapi_krb5_verify_header(u_char **str, +_gsskrb5_verify_header(u_char **str, size_t total_len, const void *type, gss_OID oid) @@ -154,7 +154,7 @@ _gssapi_decapsulate( */ OM_uint32 -gssapi_krb5_decapsulate(OM_uint32 *minor_status, +_gsskrb5_decapsulate(OM_uint32 *minor_status, gss_buffer_t input_token_buffer, krb5_data *out_data, const void *type, @@ -164,7 +164,7 @@ gssapi_krb5_decapsulate(OM_uint32 *minor_status, OM_uint32 ret; p = input_token_buffer->value; - ret = gssapi_krb5_verify_header(&p, + ret = _gsskrb5_verify_header(&p, input_token_buffer->length, type, oid); diff --git a/lib/gssapi/krb5/delete_sec_context.c b/lib/gssapi/krb5/delete_sec_context.c index 1cdc16337..13c0eb2a8 100644 --- a/lib/gssapi/krb5/delete_sec_context.c +++ b/lib/gssapi/krb5/delete_sec_context.c @@ -31,16 +31,18 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_delete_sec_context +OM_uint32 _gsskrb5_delete_sec_context (OM_uint32 * minor_status, gss_ctx_id_t * context_handle, gss_buffer_t output_token ) { + gsskrb5_ctx ctx; + GSSAPI_KRB5_INIT (); *minor_status = 0; 
@@ -53,26 +55,28 @@ OM_uint32 gss_delete_sec_context if (*context_handle == GSS_C_NO_CONTEXT) return GSS_S_COMPLETE; - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); - - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if ((*context_handle)->ticket) - krb5_free_ticket (gssapi_krb5_context, - (*context_handle)->ticket); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - memset(*context_handle, 0, sizeof(**context_handle)); - free (*context_handle); + ctx = (gsskrb5_ctx) *context_handle; *context_handle = GSS_C_NO_CONTEXT; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + krb5_auth_con_free (_gsskrb5_context, + ctx->auth_context); + if(ctx->source) + krb5_free_principal (_gsskrb5_context, + ctx->source); + if(ctx->target) + krb5_free_principal (_gsskrb5_context, + ctx->target); + if (ctx->ticket) + krb5_free_ticket (_gsskrb5_context, + ctx->ticket); + if(ctx->order) + _gssapi_msg_order_destroy(&ctx->order); + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + memset(ctx, 0, sizeof(*ctx)); + free (ctx); return GSS_S_COMPLETE; } diff --git a/lib/gssapi/krb5/display_name.c b/lib/gssapi/krb5/display_name.c index 0078d8224..1c6f918a8 100644 --- a/lib/gssapi/krb5/display_name.c +++ b/lib/gssapi/krb5/display_name.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_display_name +OM_uint32 _gsskrb5_display_name (OM_uint32 * minor_status, const gss_name_t input_name, gss_buffer_t output_name_buffer, 
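Review bot: `memset(ctx, 0, sizeof(*ctx));` immediately before `free (ctx)` is a dead store the compiler may legitimately drop, so if the context struct carries anything sensitive (its definition is not visible here) the wipe is not guaranteed to happen. A volatile-based or library-provided secure clear is needed for that guarantee; the same concern applies to the `memset (deskey, ...)` and `memset (&schedule, ...)` at the end of `mic_des` in get_mic.c, where the material is a DES key and its schedule. If the memset here is only meant to make use-after-free more visible, a comment such as `/* scrub for debugging; not a secure erase */` would stop readers from relying on it.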
@@ -47,12 +47,12 @@ OM_uint32 gss_display_name size_t len; GSSAPI_KRB5_INIT (); - kret = krb5_unparse_name (gssapi_krb5_context, + kret = krb5_unparse_name (_gsskrb5_context, input_name, &buf); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } len = strlen (buf); diff --git a/lib/gssapi/krb5/display_status.c b/lib/gssapi/krb5/display_status.c index f3627198a..97eee6d49 100644 --- a/lib/gssapi/krb5/display_status.c +++ b/lib/gssapi/krb5/display_status.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -112,9 +112,9 @@ supplementary_error(OM_uint32 v) } void -gssapi_krb5_clear_status (void) +_gsskrb5_clear_status (void) { - struct gssapi_thr_context *ctx = gssapi_get_thread_context(1); + struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1); if (ctx == NULL) return; HEIMDAL_MUTEX_lock(&ctx->mutex); @@ -125,9 +125,9 @@ gssapi_krb5_clear_status (void) } void -gssapi_krb5_set_status (const char *fmt, ...) +_gsskrb5_set_status (const char *fmt, ...) { - struct gssapi_thr_context *ctx = gssapi_get_thread_context(1); + struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1); va_list args; if (ctx == NULL) @@ -143,22 +143,22 @@ gssapi_krb5_set_status (const char *fmt, ...) } void -gssapi_krb5_set_error_string (void) +_gsskrb5_set_error_string (void) { char *e; - e = krb5_get_error_string(gssapi_krb5_context); + e = krb5_get_error_string(_gsskrb5_context); if (e) { - gssapi_krb5_set_status("%s", e); - krb5_free_error_string(gssapi_krb5_context, e); + _gsskrb5_set_status("%s", e); + krb5_free_error_string(_gsskrb5_context, e); } else - gssapi_krb5_clear_status(); + _gsskrb5_clear_status(); } char * -gssapi_krb5_get_error_string (void) +_gsskrb5_get_error_string (void) { - struct gssapi_thr_context *ctx = gssapi_get_thread_context(0); + struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(0); char *ret; if (ctx == NULL) 
@@ -170,7 +170,7 @@ gssapi_krb5_get_error_string (void) return ret; } -OM_uint32 gss_display_status +OM_uint32 _gsskrb5_display_status (OM_uint32 *minor_status, OM_uint32 status_value, int status_type, @@ -200,9 +200,9 @@ OM_uint32 gss_display_status calling_error(GSS_CALLING_ERROR(status_value)), routine_error(GSS_ROUTINE_ERROR(status_value))); } else if (status_type == GSS_C_MECH_CODE) { - buf = gssapi_krb5_get_error_string (); + buf = _gsskrb5_get_error_string (); if (buf == NULL) { - const char *tmp = krb5_get_err_text (gssapi_krb5_context, + const char *tmp = krb5_get_err_text (_gsskrb5_context, status_value); if (tmp == NULL) asprintf(&buf, "unknown mech error-code %u", diff --git a/lib/gssapi/krb5/duplicate_name.c b/lib/gssapi/krb5/duplicate_name.c index 3c3a1cd1b..fd1c47f31 100644 --- a/lib/gssapi/krb5/duplicate_name.c +++ b/lib/gssapi/krb5/duplicate_name.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_duplicate_name ( +OM_uint32 _gsskrb5_duplicate_name ( OM_uint32 * minor_status, const gss_name_t src_name, gss_name_t * dest_name @@ -45,12 +45,12 @@ OM_uint32 gss_duplicate_name ( GSSAPI_KRB5_INIT (); - kret = krb5_copy_principal (gssapi_krb5_context, + kret = krb5_copy_principal (_gsskrb5_context, src_name, dest_name); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } else { *minor_status = 0; diff --git a/lib/gssapi/krb5/encapsulate.c b/lib/gssapi/krb5/encapsulate.c index 4b348e7a5..54f1ee29f 100644 --- a/lib/gssapi/krb5/encapsulate.c +++ b/lib/gssapi/krb5/encapsulate.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -51,7 +51,7 @@ _gssapi_encap_length (size_t data_len, } void -gssapi_krb5_encap_length (size_t data_len, +_gsskrb5_encap_length (size_t data_len, size_t *len, size_t *total_len, const gss_OID mech) 
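Review bot: The `asprintf(&buf, "unknown mech error-code %u", ...)` call at the end of the hunk discards its return value; on allocation failure some libc implementations leave `buf` unspecified, and whatever `_gsskrb5_display_status` does with `buf` afterwards (outside this hunk) would then operate on an indeterminate pointer. Assigning the result and mapping a negative return to `buf = NULL` keeps the later handling meaningful, i.e. wrap the call as `if (asprintf(...) < 0) buf = NULL;`. The enclosing function starts and ends outside this hunk.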
@@ -60,7 +60,7 @@ gssapi_krb5_encap_length (size_t data_len, } void * -gssapi_krb5_make_header (void *ptr, +_gsskrb5_make_header (void *ptr, size_t len, const void *type, const gss_OID mech) @@ -129,7 +129,7 @@ _gssapi_encapsulate( */ OM_uint32 -gssapi_krb5_encapsulate( +_gsskrb5_encapsulate( OM_uint32 *minor_status, const krb5_data *in_data, gss_buffer_t output_token, @@ -140,7 +140,7 @@ gssapi_krb5_encapsulate( size_t len, outer_len; u_char *p; - gssapi_krb5_encap_length (in_data->length, &len, &outer_len, mech); + _gsskrb5_encap_length (in_data->length, &len, &outer_len, mech); output_token->length = outer_len; output_token->value = malloc (outer_len); @@ -149,7 +149,7 @@ gssapi_krb5_encapsulate( return GSS_S_FAILURE; } - p = gssapi_krb5_make_header (output_token->value, len, type, mech); + p = _gsskrb5_make_header (output_token->value, len, type, mech); memcpy (p, in_data->data, in_data->length); return GSS_S_COMPLETE; } diff --git a/lib/gssapi/krb5/export_name.c b/lib/gssapi/krb5/export_name.c index 4d478c601..3e6b3e33a 100644 --- a/lib/gssapi/krb5/export_name.c +++ b/lib/gssapi/krb5/export_name.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_export_name +OM_uint32 _gsskrb5_export_name (OM_uint32 * minor_status, const gss_name_t input_name, gss_buffer_t exported_name @@ -46,12 +46,12 @@ OM_uint32 gss_export_name size_t len; GSSAPI_KRB5_INIT (); - kret = krb5_unparse_name (gssapi_krb5_context, + kret = krb5_unparse_name (_gsskrb5_context, input_name, &name); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } len = strlen (name); diff --git a/lib/gssapi/krb5/export_sec_context.c b/lib/gssapi/krb5/export_sec_context.c index 7e4e30538..2e3d1ca67 100644 --- a/lib/gssapi/krb5/export_sec_context.c +++ b/lib/gssapi/krb5/export_sec_context.c 
@@ -31,17 +31,18 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); OM_uint32 -gss_export_sec_context ( +_gsskrb5_export_sec_context ( OM_uint32 * minor_status, gss_ctx_id_t * context_handle, gss_buffer_t interprocess_token ) { + const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle; krb5_storage *sp; krb5_auth_context ac; OM_uint32 ret = GSS_S_COMPLETE; @@ -53,21 +54,21 @@ gss_export_sec_context ( GSSAPI_KRB5_INIT (); - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + if (!(ctx->flags & GSS_C_TRANS_FLAG)) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); *minor_status = 0; return GSS_S_UNAVAILABLE; } sp = krb5_storage_emem (); if (sp == NULL) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); *minor_status = ENOMEM; return GSS_S_FAILURE; } - ac = (*context_handle)->auth_context; + ac = ctx->auth_context; /* flagging included fields */ @@ -165,19 +166,21 @@ gss_export_sec_context ( /* names */ - ret = gss_export_name (minor_status, (*context_handle)->source, &buffer); + ret = _gsskrb5_export_name (minor_status, + ctx->source, &buffer); if (ret) goto failure; data.data = buffer.value; data.length = buffer.length; kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); + _gsskrb5_release_buffer (&minor, &buffer); if (kret) { *minor_status = kret; goto failure; } - ret = gss_export_name (minor_status, (*context_handle)->target, &buffer); + ret = _gsskrb5_export_name (minor_status, + ctx->target, &buffer); if (ret) goto failure; data.data = buffer.value; 
@@ -186,28 +189,28 @@ gss_export_sec_context ( ret = GSS_S_FAILURE; kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); + _gsskrb5_release_buffer (&minor, &buffer); if (kret) { *minor_status = kret; goto failure; } - kret = krb5_store_int32 (sp, (*context_handle)->flags); + kret = krb5_store_int32 (sp, ctx->flags); if (kret) { *minor_status = kret; goto failure; } - kret = krb5_store_int32 (sp, (*context_handle)->more_flags); + kret = krb5_store_int32 (sp, ctx->more_flags); if (kret) { *minor_status = kret; goto failure; } - kret = krb5_store_int32 (sp, (*context_handle)->lifetime); + kret = krb5_store_int32 (sp, ctx->lifetime); if (kret) { *minor_status = kret; goto failure; } - kret = _gssapi_msg_order_export(sp, (*context_handle)->order); + kret = _gssapi_msg_order_export(sp, ctx->order); if (kret ) { *minor_status = kret; goto failure; @@ -216,21 +219,21 @@ gss_export_sec_context ( kret = krb5_storage_to_data (sp, &data); krb5_storage_free (sp); if (kret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); *minor_status = kret; return GSS_S_FAILURE; } interprocess_token->length = data.length; interprocess_token->value = data.data; - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - ret = gss_delete_sec_context (minor_status, context_handle, - GSS_C_NO_BUFFER); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + ret = _gsskrb5_delete_sec_context (minor_status, context_handle, + GSS_C_NO_BUFFER); if (ret != GSS_S_COMPLETE) - gss_release_buffer (NULL, interprocess_token); + _gsskrb5_release_buffer (NULL, interprocess_token); *minor_status = 0; return ret; failure: - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); krb5_storage_free (sp); return ret; } diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c index b2dbbfd76..e6953d7ac 100644 --- a/lib/gssapi/krb5/external.c +++ b/lib/gssapi/krb5/external.c 
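Review bot: After `_gsskrb5_delete_sec_context` fails, `*minor_status = 0;` still runs unconditionally and wipes the minor code that call just stored, so the caller sees `ret != GSS_S_COMPLETE` with no mechanism detail. Moving the assignment into the success branch, `if (ret != GSS_S_COMPLETE) _gsskrb5_release_buffer (NULL, interprocess_token); else *minor_status = 0;`, preserves it. Once the delete call returns, `ctx` is dangling; nothing in this hunk touches it afterwards, but a comment after that call, `/* ctx is freed from here on */`, would keep it that way.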
@@ -31,7 +31,8 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" +#include RCSID("$Id$"); @@ -225,18 +226,6 @@ static gss_OID_desc gss_krb5_mechanism_oid_desc = gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; -/* - * RFC2478, SPNEGO: - * The security mechanism of the initial - * negotiation token is identified by the Object Identifier - * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). - */ - -static gss_OID_desc gss_spnego_mechanism_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")}; - -gss_OID GSS_SPNEGO_MECHANISM = &gss_spnego_mechanism_oid_desc; - /* * draft-ietf-cat-iakerb-09, IAKERB: * The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance 
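Review bot: The added `+#include` line carries no file name as shown here; if an angle-bracketed header name was stripped when the diff was rendered this is only a display artefact, but if the line really is bare it is a preprocessor error and external.c will not compile. Worth confirming against the raw patch before merging.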
@@ -260,8 +249,89 @@ static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc = gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc; +/* + * + */ + +static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; + +gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; + +/* + * GSS-API mechanism extensions + * {iso(1), org(3), dod(6), internet(1), private(4), enterprise(1), + * padl(5322), gssKrb5Extensions(19)} + */ +static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x01"}; + +gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc; + +static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x02"}; + +gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc; + +static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x03"}; + +gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; + +static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; + +gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc; + /* * Context for krb5 calls. 
*/ -krb5_context gssapi_krb5_context; +krb5_context _gsskrb5_context; + +/* + * + */ + +static gssapi_mech_interface_desc krb5_mech = { + GMI_VERSION, + "kerberos 5", + {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + _gsskrb5_acquire_cred, + _gsskrb5_release_cred, + _gsskrb5_init_sec_context, + _gsskrb5_accept_sec_context, + _gsskrb5_process_context_token, + _gsskrb5_delete_sec_context, + _gsskrb5_context_time, + _gsskrb5_get_mic, + _gsskrb5_verify_mic, + _gsskrb5_wrap, + _gsskrb5_unwrap, + _gsskrb5_display_status, + _gsskrb5_indicate_mechs, + _gsskrb5_compare_name, + _gsskrb5_display_name, + _gsskrb5_import_name, + _gsskrb5_export_name, + _gsskrb5_release_name, + _gsskrb5_inquire_cred, + _gsskrb5_inquire_context, + _gsskrb5_wrap_size_limit, + _gsskrb5_add_cred, + _gsskrb5_inquire_cred_by_mech, + _gsskrb5_export_sec_context, + _gsskrb5_import_sec_context, + _gsskrb5_inquire_names_for_mech, + _gsskrb5_inquire_mechs_for_name, + _gsskrb5_canonicalize_name, + _gsskrb5_duplicate_name, + _gsskrb5_inquire_sec_context_by_oid, + _gsskrb5_inquire_cred_by_oid +}; + +gssapi_mech_interface +__gss_krb5_initialize(void) +{ + return &krb5_mech; +} diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c index d0f82c5dd..4a6d4d4ad 100644 --- a/lib/gssapi/krb5/get_mic.c +++ b/lib/gssapi/krb5/get_mic.c @@ -31,14 +31,14 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); static OM_uint32 mic_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, @@ -54,7 +54,7 @@ mic_des int32_t seq_number; size_t len, total_len; - gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); message_token->length = total_len; message_token->value = malloc (total_len); 
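Review bot: The two new `/* * */` comment blocks are empty, so neither `GSS_C_PEER_HAS_UPDATED_SPNEGO` nor the `krb5_mech` table says what it is for; the first should give the OID's arc and meaning the way the `gssKrb5Extensions` block below it does, and the second something like `/* mechanism descriptor handed to the mechglue by __gss_krb5_initialize() */`. The new OID descriptors cast their literals with `(void *)` while this file otherwise uses `rk_UNCONST(...)` for the same purpose (see the removed SPNEGO lines above), so one form should be kept. The mechanism OID bytes in `krb5_mech` duplicate `gss_krb5_mechanism_oid_desc`, and the thirty-one function pointers are positionally initialised, so a mis-ordered entry with a compatible signature would compile silently; if the build permits C99, designated initialisers naming each member would pin the slots, otherwise a comment per entry stating the slot name would at least make review possible.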
@@ -64,7 +64,7 @@ mic_des return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(message_token->value, + p = _gsskrb5_make_header(message_token->value, len, "\x01\x01", /* TOK_ID */ GSS_KRB5_MECHANISM); @@ -92,10 +92,10 @@ mic_des &schedule, &zero); memcpy (p - 8, hash, 8); /* SGN_CKSUM */ - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); p -= 16; /* SND_SEQ */ @@ -104,17 +104,17 @@ mic_des p[2] = (seq_number >> 16) & 0xFF; p[3] = (seq_number >> 24) & 0xFF; memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); DES_set_key (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); @@ -126,7 +126,7 @@ mic_des static OM_uint32 mic_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, @@ -146,7 +146,7 @@ mic_des3 char *tmp; char ivec[8]; - gssapi_krb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM); message_token->length = total_len; message_token->value = malloc (total_len); @@ -156,7 +156,7 @@ mic_des3 return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(message_token->value, + p = _gsskrb5_make_header(message_token->value, len, "\x01\x01", /* TOK-ID */ GSS_KRB5_MECHANISM); 
@@ -180,18 +180,18 @@ mic_des3 memcpy (tmp, p - 8, 8); memcpy (tmp + 8, message_buffer->value, message_buffer->length); - kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + kret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; free (tmp); - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } - kret = krb5_create_checksum (gssapi_krb5_context, + kret = krb5_create_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, 0, @@ -199,22 +199,22 @@ mic_des3 message_buffer->length + 8, &cksum); free (tmp); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); seq[0] = (seq_number >> 0) & 0xFF; 
@@ -222,35 +222,35 @@ mic_des3 seq[2] = (seq_number >> 16) & 0xFF; seq[3] = (seq_number >> 24) & 0xFF; memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - kret = krb5_crypto_init(gssapi_krb5_context, key, + kret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } - if (context_handle->more_flags & COMPAT_OLD_DES3) + if (ctx->more_flags & COMPAT_OLD_DES3) memset(ivec, 0, 8); else memcpy(ivec, p + 8, 8); - kret = krb5_encrypt_ivec (gssapi_krb5_context, + kret = krb5_encrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, seq, 8, &encdata, ivec); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } @@ -260,17 +260,17 @@ mic_des3 memcpy (p, encdata.data, encdata.length); krb5_data_free (&encdata); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); free_Checksum (&cksum); *minor_status = 0; return GSS_S_COMPLETE; } -OM_uint32 gss_get_mic +OM_uint32 _gsskrb5_get_mic (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, gss_qop_t qop_req, 
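Review bot: Both error returns in this hunk, after `krb5_crypto_init (... ETYPE_DES3_CBC_NONE ...)` and after `krb5_encrypt_ivec`, happen while `ctx->ctx_id_mutex` is still held (it was locked before the sequence number was read, in the preceding hunk) and without `free_Checksum (&cksum)`, which only the success path performs; the next MIC operation on that context would then block on the lock, and the checksum buffer leaks. Each of those blocks needs `HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); free_Checksum (&cksum);` ahead of `return GSS_S_FAILURE;`. `mic_des3` starts outside this hunk.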
@@ -278,37 +278,38 @@ OM_uint32 gss_get_mic gss_buffer_t message_token ) { + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_subkey(context_handle, &key); + ret = _gsskrb5i_get_subkey(ctx, &key); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = mic_des (minor_status, context_handle, qop_req, + ret = mic_des (minor_status, ctx, qop_req, message_buffer, message_token, key); break; case KEYTYPE_DES3 : - ret = mic_des3 (minor_status, context_handle, qop_req, + ret = mic_des3 (minor_status, ctx, qop_req, message_buffer, message_token, key); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req, + ret = _gssapi_get_mic_arcfour (minor_status, ctx, qop_req, message_buffer, message_token, key); break; default : - ret = _gssapi_mic_cfx (minor_status, context_handle, qop_req, + ret = _gssapi_mic_cfx (minor_status, ctx, qop_req, message_buffer, message_token, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } diff --git a/lib/gssapi/krb5/gss_acquire_cred.3 b/lib/gssapi/krb5/gss_acquire_cred.3 deleted file mode 100644 index 3f366b9c5..000000000 --- a/lib/gssapi/krb5/gss_acquire_cred.3 +++ /dev/null 
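Review bot: `krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype)` discards its error code and `keytype` has no initialiser, so for an enctype the mapping rejects the `switch` reads an indeterminate value and dispatches on it. Capturing the result in a `krb5_error_code` local and failing explicitly, `if (kret) { krb5_free_keyblock (_gsskrb5_context, key); *minor_status = kret; return GSS_S_FAILURE; }`, keeps the dispatch deterministic; the `_gsskrb5_set_error_string ()` call used on the subkey failure above would fit there too.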
@@ -1,681 +0,0 @@ -.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id$ -.\" -.Dd October 26, 2005 -.Dt GSS_ACQUIRE_CRED 3 -.Os HEIMDAL -.Sh NAME -.Nm gss_accept_sec_context , -.Nm gss_acquire_cred , -.Nm gss_add_cred , -.Nm gss_add_oid_set_member , -.Nm gss_canonicalize_name , -.Nm gss_compare_name , -.Nm gss_context_time , -.Nm gss_create_empty_oid_set , -.Nm gss_delete_sec_context , -.Nm gss_display_name , -.Nm gss_display_status , -.Nm gss_duplicate_name , -.Nm gss_export_name , -.Nm gss_export_sec_context , -.Nm gss_get_mic , -.Nm gss_import_name , -.Nm gss_import_sec_context , -.Nm gss_indicate_mechs , -.Nm gss_init_sec_context , -.Nm gss_inquire_context , -.Nm gss_inquire_cred , -.Nm gss_inquire_cred_by_mech , -.Nm gss_inquire_mechs_for_name , -.Nm gss_inquire_names_for_mech , -.Nm gss_krb5_ccache_name , -.Nm gss_krb5_compat_des3_mic , -.Nm gss_krb5_copy_ccache , -.Nm gss_krb5_import_cred -.Nm gsskrb5_extract_authz_data_from_sec_context , -.Nm gss_krb5_import_ccache , -.Nm gss_krb5_get_tkt_flags , -.Nm gss_process_context_token , -.Nm gss_release_buffer , -.Nm gss_release_cred , -.Nm gss_release_name , -.Nm gss_release_oid_set , -.Nm gss_seal , -.Nm gss_sign , -.Nm gss_test_oid_set_member , -.Nm gss_unseal , -.Nm gss_unwrap , -.Nm gss_verify , -.Nm gss_verify_mic , -.Nm gss_wrap , -.Nm gss_wrap_size_limit -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API library (libgssapi, -lgssapi) -.Sh SYNOPSIS -.In gssapi.h -.Pp -.Ft OM_uint32 -.Fo gss_accept_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_cred_id_t acceptor_cred_handle" -.Fa "const gss_buffer_t input_token_buffer" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "gss_name_t * src_name" -.Fa "gss_OID * mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fa "gss_cred_id_t * delegated_cred_handle" -.Fc -.Pp -.Ft OM_uint32 -.Fo gss_acquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t desired_name" 
-.Fa "OM_uint32 time_req" -.Fa "const gss_OID_set desired_mechs" -.Fa "gss_cred_usage_t cred_usage" -.Fa "gss_cred_id_t * output_cred_handle" -.Fa "gss_OID_set * actual_mechs" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_add_cred -.Fa "OM_uint32 *minor_status" -.Fa "const gss_cred_id_t input_cred_handle" -.Fa "const gss_name_t desired_name" -.Fa "const gss_OID desired_mech" -.Fa "gss_cred_usage_t cred_usage" -.Fa "OM_uint32 initiator_time_req" -.Fa "OM_uint32 acceptor_time_req" -.Fa "gss_cred_id_t *output_cred_handle" -.Fa "gss_OID_set *actual_mechs" -.Fa "OM_uint32 *initiator_time_rec" -.Fa "OM_uint32 *acceptor_time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_add_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member_oid" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_canonicalize_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "const gss_OID mech_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_compare_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t name1" -.Fa "const gss_name_t name2" -.Fa "int * name_equal" -.Fc -.Ft OM_uint32 -.Fo gss_context_time -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_create_empty_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_delete_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t output_token" -.Fc -.Ft OM_uint32 -.Fo gss_display_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t output_name_buffer" -.Fa "gss_OID * output_name_type" -.Fc -.Ft OM_uint32 -.Fo gss_display_status -.Fa "OM_uint32 *minor_status" -.Fa "OM_uint32 status_value" -.Fa "int status_type" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 *message_context" -.Fa "gss_buffer_t status_string" -.Fc -.Ft OM_uint32 -.Fo gss_duplicate_name -.Fa "OM_uint32 * 
minor_status" -.Fa "const gss_name_t src_name" -.Fa "gss_name_t * dest_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t exported_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t interprocess_token" -.Fc -.Ft OM_uint32 -.Fo gss_get_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_import_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_buffer_t input_name_buffer" -.Fa "const gss_OID input_name_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_import_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_buffer_t interprocess_token" -.Fa "gss_ctx_id_t * context_handle" -.Fc -.Ft OM_uint32 -.Fo gss_indicate_mechs -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * mech_set" -.Fc -.Ft OM_uint32 -.Fo gss_init_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t initiator_cred_handle" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_name_t target_name" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 req_flags" -.Fa "OM_uint32 time_req" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "const gss_buffer_t input_token" -.Fa "gss_OID * actual_mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_name_t * src_name" -.Fa "gss_name_t * targ_name" -.Fa "OM_uint32 * lifetime_rec" -.Fa "gss_OID * mech_type" -.Fa "OM_uint32 * ctx_flags" -.Fa "int * locally_initiated" -.Fa "int * open_context" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t cred_handle" -.Fa "gss_name_t * 
name" -.Fa "OM_uint32 * lifetime" -.Fa "gss_cred_usage_t * cred_usage" -.Fa "gss_OID_set * mechanisms" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred_by_mech -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t cred_handle" -.Fa "const gss_OID mech_type" -.Fa "gss_name_t * name" -.Fa "OM_uint32 * initiator_lifetime" -.Fa "OM_uint32 * acceptor_lifetime" -.Fa "gss_cred_usage_t * cred_usage" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_mechs_for_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_OID_set * mech_types" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_names_for_mech -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID mechanism" -.Fa "gss_OID_set * name_types" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_ccache_name -.Fa "OM_uint32 *minor" -.Fa "const char *name" -.Fa "const char **old_name" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_copy_ccache -.Fa "OM_uint32 *minor" -.Fa "gss_cred_id_t cred" -.Fa "krb5_ccache out" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_import_cred -.Fa "OM_uint32 *minor_status" -.Fa "krb5_ccache id" -.Fa "krb5_principal keytab_principal" -.Fa "krb5_keytab keytab" -.Fa "gss_cred_id_t *cred" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_compat_des3_mic -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int onoff" -.Fc -.Ft OM_uint32 -.Fo gsskrb5_extract_authz_data_from_sec_context -.Fa "OM_uint32 *minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int ad_type" -.Fa "gss_buffer_t ad_data" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_import_cache -.Fa "OM_uint32 *minor" -.Fa "krb5_ccache id" -.Fa "krb5_keytab keytab" -.Fa "gss_cred_id_t *cred" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_get_tkt_flags -.Fa "OM_uint32 *minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "OM_uint32 *tkt_flags" -.Fc -.Ft OM_uint32 -.Fo gss_process_context_token -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t token_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_release_buffer -.Fa "OM_uint32 * minor_status" -.Fa "gss_buffer_t buffer" -.Fc 
-.Ft OM_uint32 -.Fo gss_release_cred -.Fa "OM_uint32 * minor_status" -.Fa "gss_cred_id_t * cred_handle" -.Fc -.Ft OM_uint32 -.Fo gss_release_name -.Fa "OM_uint32 * minor_status" -.Fa "gss_name_t * input_name" -.Fc -.Ft OM_uint32 -.Fo gss_release_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * set" -.Fc -.Ft OM_uint32 -.Fo gss_seal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "int qop_req" -.Fa "gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_sign -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int qop_req" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_test_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member" -.Fa "const gss_OID_set set" -.Fa "int * present" -.Fc -.Ft OM_uint32 -.Fo gss_unseal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_unwrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t token_buffer" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t message_buffer" -.Fa "const gss_buffer_t token_buffer" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_wrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t 
input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_wrap_size_limit -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "OM_uint32 req_output_size" -.Fa "OM_uint32 * max_input_size" -.Fc -.Sh DESCRIPTION -Generic Security Service API (GSS-API) version 2, and its C binding, -is described in -.Li RFC2743 -and -.Li RFC2744 . -Version 1 (deprecated) of the C binding is described in -.Li RFC1509 . -.Pp -Heimdals GSS-API implementation supports the following mechanisms -.Bl -bullet -.It -.Li GSS_KRB5_MECHANISM -.It -.Li GSS_SPNEGO_MECHANISM -.El -.Pp -GSS-API have generic name types that all mechanism are supposed to -implement (if possible): -.Bl -bullet -.It -.Li GSS_C_NT_USER_NAME -.It -.Li GSS_C_NT_MACHINE_UID_NAME -.It -.Li GSS_C_NT_STRING_UID_NAME -.It -.Li GSS_C_NT_HOSTBASED_SERVICE -.It -.Li GSS_C_NT_ANONYMOUS -.It -.Li GSS_C_NT_EXPORT_NAME -.El -.Pp -GSS-API implementations that supports Kerberos 5 have some additional -name types: -.Bl -bullet -.It -.Li GSS_KRB5_NT_PRINCIPAL_NAME -.It -.Li GSS_KRB5_NT_USER_NAME -.It -.Li GSS_KRB5_NT_MACHINE_UID_NAME -.It -.Li GSS_KRB5_NT_STRING_UID_NAME -.El -.Pp -In GSS-API, names have two forms, internal names and contiguous string -names. -.Bl -bullet -.It -.Li Internal name and mechanism name -.Pp -Internal names are implementation specific representation of -a GSS-API name. -.Li Mechanism names -special form of internal names corresponds to one and only one mechanism. -.Pp -In GSS-API an internal name is stored in a -.Dv gss_name_t . -.It -.Li Contiguous string name and exported name -.Pp -Contiguous string names are gssapi names stored in a -.Dv OCTET STRING -that together with a name type identifier (OID) uniquely specifies a -gss-name. -A special form of the contiguous string name is the exported name that -have a OID embedded in the string to make it unique. 
-Exported name have the nametype -.Dv GSS_C_NT_EXPORT_NAME . -.Pp -In GSS-API an contiguous string name is stored in a -.Dv gss_buffer_t . -.Pp -Exported names also have the property that they are specified by the -mechanism itself and compatible between diffrent GSS-API -implementations. -.El -.Sh ACCESS CONTROL -There are two ways of comparing GSS-API names, either comparing two -internal names with each other or two contiguous string names with -either other. -.Pp -To compare two internal names with each other, import (if needed) the -names with -.Fn gss_import_name -into the GSS-API implementation and the compare the imported name with -.Fn gss_compare_name . -.Pp -Importing names can be slow, so when its possible to store exported -names in the access control list, comparing contiguous string name -might be better. -.Pp -when comparing contiguous string name, first export them into a -.Dv GSS_C_NT_EXPORT_NAME -name with -.Fn gss_export_name -and then compare with -.Xr memcmp 3 . -.Pp -Note that there are might be a difference between the two methods of -comparing names. -The first (using -.Fn gss_compare_name ) -will compare to (unauthenticated) names are the same. -The second will compare if a mechanism will authenticate them as the -same principal. -.Pp -For example, if -.Fn gss_import_name -name was used with -.Dv GSS_C_NO_OID -the default syntax is used for all mechanism the GSS-API -implementation supports. -When compare the imported name of -.Dv GSS_C_NO_OID -it may match serveral mechanism names (MN). -.Pp -The resulting name from -.Fn gss_display_name -must not be used for acccess control. -.Sh FUNCTIONS -.Fn gss_display_name -takes the gss name in -.Fa input_name -and puts a printable form in -.Fa output_name_buffer . -.Fa output_name_buffer -should be freed when done using -.Fn gss_release_buffer . -.Fa output_name_type -can either be -.Dv NULL -or a pointer to a -.Li gss_OID -and will in the latter case contain the OID type of the name. 
-The name must only be used for printing. -If access control is needed, see section -.Sx ACCESS CONTROL . -.Pp -.Fn gss_inquire_context -returns information about the context. -Information is available even after the context have expired. -.Fa lifetime_rec -argument is set to -.Dv GSS_C_INDEFINITE -(dont expire) or the number of seconds that the context is still valid. -A value of 0 means that the context is expired. -.Fa mech_type -argument should be considered readonly and must not be released. -.Fa src_name -and -.Fn dest_name -are both mechanims names and must be released with -.Fn gss_release_name -when no longer used. -.Pp -.Nm gss_context_time -will return the amount of time (in seconds) of the context is still -valid. -If its expired -.Fa time_rec -will be set to 0 and -.Dv GSS_S_CONTEXT_EXPIRED -returned. -.Pp -.Fn gss_sign , -.Fn gss_verify , -.Fn gss_seal , -and -.Fn gss_unseal -are part of the GSS-API V1 interface and are obsolete. -The functions should not be used for new applications. -They are provided so that version 1 applications can link against the -library. -.Sh EXTENSIONS -.Fn gss_krb5_ccache_name -sets the internal kerberos 5 credential cache name to -.Fa name . -The old name is returned in -.Fa old_name , -and must not be freed. -The data allocated for -.Fa old_name -is free upon next call to -.Fn gss_krb5_ccache_name . -This function is not threadsafe if -.Fa old_name -argument is used. -.Pp -.Fn gss_krb5_copy_ccache -will extract the krb5 credentials that are transferred from the -initiator to the acceptor when using token delegation in the Kerberos -mechanism. -The acceptor receives the delegated token in the last argument to -.Fn gss_accept_sec_context . -.Pp -.Fn gss_krb5_import_cred -will import the krb5 credentials (both keytab and/or credential cache) -into gss credential so it can be used withing GSS-API. 
-The -.Fa ccache -is copied by reference and thus shared, so if the credential is destroyed -with -.Fa krb5_cc_destroy , -all users of thep -.Fa gss_cred_id_t -returned by -.Fn gss_krb5_import_ccache -will fail. -.Pp -.Fn gsskrb5_register_acceptor_identity -sets the Kerberos 5 principal that the acceptor will use. -.Pp -.Fn gsskrb5_extract_authz_data_from_sec_context -extracts the Kerberos authorizationdata that may be stored within the -context. -Tha caller must free the returned buffer -.Fa ad_data -with -.Fn gss_release_buffer -upon success. -.Pp -.Fn gss_krb5_get_tkt_flags -return the ticket flags for the kerberos ticket receive when -authenticating the initiator. -Only valid on the acceptor context. -.Pp -.Fn gss_krb5_compat_des3_mic -turns on or off the compatibility with older version of Heimdal using -des3 get and verify mic, this is way to programmatically set the -[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see -COMPATIBILITY section in -.Xr gssapi 3 ) . -If the CPP symbol -.Dv GSS_C_KRB5_COMPAT_DES3_MIC -is present, -.Fn gss_krb5_compat_des3_mic -exists. -.Fn gss_krb5_compat_des3_mic -will be removed in a later version of the GSS-API library. -.Sh SEE ALSO -.Xr gssapi 3 , -.Xr krb5 3 , -.Xr krb5_ccache 3 , -.Xr kerberos 8 diff --git a/lib/gssapi/krb5/gssapi.3 b/lib/gssapi/krb5/gssapi.3 deleted file mode 100644 index c7c629f86..000000000 --- a/lib/gssapi/krb5/gssapi.3 +++ /dev/null 
@@ -1,177 +0,0 @@ -.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id$ -.\" -.Dd April 20, 2005 -.Dt GSSAPI 3 -.Os -.Sh NAME -.Nm gssapi -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API Library (libgssapi, -lgssapi) -.Sh DESCRIPTION -The Generic Security Service Application Program Interface (GSS-API) -provides security services to callers in a generic fashion, -supportable with a range of underlying mechanisms and technologies and -hence allowing source-level portability of applications to different -environments. -.Pp -The GSS-API implementation in Heimdal implements the Kerberos 5 and -the SPNEGO GSS-API security mechanisms. -.Sh LIST OF FUNCTIONS -These functions constitute the gssapi library, -.Em libgssapi . -Declarations for these functions may be obtained from the include file -.Pa gssapi.h . -.sp 2 -.nf -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u -\fIName/Page\fP \fIDescription\fP -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC -.sp 5p -gss_accept_sec_context.3 -gss_acquire_cred.3 -gss_add_cred.3 -gss_add_oid_set_member.3 -gss_canonicalize_name.3 -gss_compare_name.3 -gss_context_time.3 -gss_create_empty_oid_set.3 -gss_delete_sec_context.3 -gss_display_name.3 -gss_display_status.3 -gss_duplicate_name.3 -gss_export_name.3 -gss_export_sec_context.3 -gss_get_mic.3 -gss_import_name.3 -gss_import_sec_context.3 -gss_indicate_mechs.3 -gss_init_sec_context.3 -gss_inquire_context.3 -gss_inquire_cred.3 -gss_inquire_cred_by_mech.3 -gss_inquire_mechs_for_name.3 -gss_inquire_names_for_mech.3 -gss_krb5_ccache_name.3 -gss_krb5_compat_des3_mic.3 -gss_krb5_copy_ccache.3 -gss_krb5_extract_authz_data_from_sec_context.3 -gss_krb5_import_ccache.3 -gss_process_context_token.3 -gss_release_buffer.3 -gss_release_cred.3 -gss_release_name.3 -gss_release_oid_set.3 -gss_seal.3 -gss_sign.3 -gss_test_oid_set_member.3 -gss_unseal.3 -gss_unwrap.3 -gss_verify.3 -gss_verify_mic.3 -gss_wrap.3 -gss_wrap_size_limit.3 -.ta -.Fi -.Sh COMPATIBILITY -The -.Nm 
Heimdal -GSS-API implementation had a bug in releases before 0.6 that made it -fail to inter-operate when using DES3 with other GSS-API -implementations when using -.Fn gss_get_mic -/ -.Fn gss_verify_mic . -It is possible to modify the behavior of the generator of the MIC with -the -.Pa krb5.conf -configuration file so that old clients/servers will still -work. -.Pp -New clients/servers will try both the old and new MIC in Heimdal 0.6. -In 0.7 it will check only if configured - the compatibility code will -be removed in 0.8. -.Pp -Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, -this will change in 0.7 to generate correct des3 mic. -.Pp -To turn on compatibility with older clients and servers, change the -.Nm [gssapi] -.Ar broken_des3_mic -in -.Pa krb5.conf -that contains a list of globbing expressions that will be matched -against the server name. -To turn off generation of the old (incompatible) mic of the MIC use -.Nm [gssapi] -.Ar correct_des3_mic . -.Pp -If a match for a entry is in both -.Nm [gssapi] -.Ar correct_des3_mic -and -.Nm [gssapi] -.Ar broken_des3_mic , -the later will override. -.Pp -This config option modifies behaviour for both clients and servers. -.Pp -Microsoft implemented SPNEGO to Windows2000, however, they manage to -get it wrong, their implementation didn't fill in the MechListMIC in -the reply token with the right content. -There is a work around for this problem, but not all implementation -support it. -.Pp -Heimdal defaults to correct SPNEGO when the the kerberos -implementation uses CFX, or when its configured by the user. -To turn on compatibility with peers, use option -.Nm [gssapi] -.Ar require_mechlist_mic . 
-.Sh EXAMPLES -.Bd -literal -offset indent -[gssapi] - broken_des3_mic = cvs/*@SU.SE - broken_des3_mic = host/*@E.KTH.SE - correct_des3_mic = host/*@SU.SE - require_mechlist_mic = host/*@SU.SE -.Ed -.Sh BUGS -All of 0.5.x versions of -.Nm heimdal -had broken token delegations in the client side, the server side was -correct. -.Sh SEE ALSO -.Xr krb5 3 , -.Xr krb5.conf 5 , -.Xr kerberos 8 diff --git a/lib/gssapi/krb5/gssapi.h b/lib/gssapi/krb5/gssapi.h deleted file mode 100644 index 8e940327c..000000000 --- a/lib/gssapi/krb5/gssapi.h +++ /dev/null 
@@ -1,811 +0,0 @@ -/* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id$ */ - -#ifndef GSSAPI_H_ -#define GSSAPI_H_ - -/* - * First, include stddef.h to get size_t defined. - */ -#include - -#include - -/* - * Now define the three implementation-dependent types. 
- */ - -typedef uint32_t OM_uint32; - -typedef uint32_t gss_uint32; - -/* - * This is to avoid having to include - */ - -struct krb5_auth_context_data; - -struct Principal; - -/* typedef void *gss_name_t; */ - -typedef struct Principal *gss_name_t; - -struct gss_ctx_id_t_desc_struct; -typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t; - -typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; -} gss_OID_desc, *gss_OID; - -typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; -} gss_OID_set_desc, *gss_OID_set; - -struct krb5_keytab_data; - -struct krb5_ccache_data; - -typedef int gss_cred_usage_t; - -struct gss_cred_id_t_desc_struct; -typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t; - -typedef struct gss_buffer_desc_struct { - size_t length; - void *value; -} gss_buffer_desc, *gss_buffer_t; - -typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; -} *gss_channel_bindings_t; - -/* - * For now, define a QOP-type as an OM_uint32 - */ -typedef OM_uint32 gss_qop_t; - -/* - * Flag bits for context-level services. 
- */ -#define GSS_C_DELEG_FLAG 1 -#define GSS_C_MUTUAL_FLAG 2 -#define GSS_C_REPLAY_FLAG 4 -#define GSS_C_SEQUENCE_FLAG 8 -#define GSS_C_CONF_FLAG 16 -#define GSS_C_INTEG_FLAG 32 -#define GSS_C_ANON_FLAG 64 -#define GSS_C_PROT_READY_FLAG 128 -#define GSS_C_TRANS_FLAG 256 - -/* - * Credential usage options - */ -#define GSS_C_BOTH 0 -#define GSS_C_INITIATE 1 -#define GSS_C_ACCEPT 2 - -/* - * Status code types for gss_display_status - */ -#define GSS_C_GSS_CODE 1 -#define GSS_C_MECH_CODE 2 - -/* - * The constant definitions for channel-bindings address families - */ -#define GSS_C_AF_UNSPEC 0 -#define GSS_C_AF_LOCAL 1 -#define GSS_C_AF_INET 2 -#define GSS_C_AF_IMPLINK 3 -#define GSS_C_AF_PUP 4 -#define GSS_C_AF_CHAOS 5 -#define GSS_C_AF_NS 6 -#define GSS_C_AF_NBS 7 -#define GSS_C_AF_ECMA 8 -#define GSS_C_AF_DATAKIT 9 -#define GSS_C_AF_CCITT 10 -#define GSS_C_AF_SNA 11 -#define GSS_C_AF_DECnet 12 -#define GSS_C_AF_DLI 13 -#define GSS_C_AF_LAT 14 -#define GSS_C_AF_HYLINK 15 -#define GSS_C_AF_APPLETALK 16 -#define GSS_C_AF_BSC 17 -#define GSS_C_AF_DSS 18 -#define GSS_C_AF_OSI 19 -#define GSS_C_AF_X25 21 -#define GSS_C_AF_INET6 24 - -#define GSS_C_AF_NULLADDR 255 - -/* - * Various Null values - */ -#define GSS_C_NO_NAME ((gss_name_t) 0) -#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NO_OID ((gss_OID) 0) -#define GSS_C_NO_OID_SET ((gss_OID_set) 0) -#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) -#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) -#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) -#define GSS_C_EMPTY_BUFFER {0, NULL} - -/* - * Some alternate names for a couple of the above - * values. These are defined for V1 compatibility. - */ -#define GSS_C_NULL_OID GSS_C_NO_OID -#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET - -/* - * Define the default Quality of Protection for per-message - * services. 
Note that an implementation that offers multiple - * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero - * (as done here) to mean "default protection", or to a specific - * explicit QOP value. However, a value of 0 should always be - * interpreted by a GSSAPI implementation as a request for the - * default protection level. - */ -#define GSS_C_QOP_DEFAULT 0 - -#define GSS_KRB5_CONF_C_QOP_DES 0x0100 -#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 - -/* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ -#define GSS_C_INDEFINITE 0xfffffffful - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_USER_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_MACHINE_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. 
- * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_STRING_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. 
- */ -extern gss_OID GSS_C_NT_ANONYMOUS; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_EXPORT_NAME; - -/* - * RFC2478, SPNEGO: - * The security mechanism of the initial - * negotiation token is identified by the Object Identifier - * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). - */ -extern gss_OID GSS_SPNEGO_MECHANISM; - -/* - * This if for kerberos5 names. - */ - -extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; -extern gss_OID GSS_KRB5_NT_USER_NAME; -extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; -extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; - -extern gss_OID GSS_KRB5_MECHANISM; - -/* for compatibility with MIT api */ - -#define gss_mech_krb5 GSS_KRB5_MECHANISM -#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME - -/* Major status codes */ - -#define GSS_S_COMPLETE 0 - -/* - * Some "helper" definitions to make the status code macros obvious. - */ -#define GSS_C_CALLING_ERROR_OFFSET 24 -#define GSS_C_ROUTINE_ERROR_OFFSET 16 -#define GSS_C_SUPPLEMENTARY_OFFSET 0 -#define GSS_C_CALLING_ERROR_MASK 0377ul -#define GSS_C_ROUTINE_ERROR_MASK 0377ul -#define GSS_C_SUPPLEMENTARY_MASK 0177777ul - -/* - * The macros that test status codes for error conditions. - * Note that the GSS_ERROR() macro has changed slightly from - * the V1 GSSAPI so that it now evaluates its argument - * only once. 
- */ -#define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) -#define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) -#define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) -#define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - -/* - * Now the actual status code definitions - */ - -/* - * Calling errors: - */ -#define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - -/* - * Routine errors: - */ -#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - -#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_MIC GSS_S_BAD_SIG -#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) - -/* 
- * Supplementary info bits: - */ -#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) -#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) -#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) -#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) -#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - -/* - * From RFC1964: - * - * 4.1.1. Non-Kerberos-specific codes - */ - -#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1 - /* "No @ in SERVICE-NAME name string" */ -#define GSS_KRB5_S_G_BAD_STRING_UID 2 - /* "STRING-UID-NAME contains nondigits" */ -#define GSS_KRB5_S_G_NOUSER 3 - /* "UID does not resolve to username" */ -#define GSS_KRB5_S_G_VALIDATE_FAILED 4 - /* "Validation error" */ -#define GSS_KRB5_S_G_BUFFER_ALLOC 5 - /* "Couldn't allocate gss_buffer_t data" */ -#define GSS_KRB5_S_G_BAD_MSG_CTX 6 - /* "Message context invalid" */ -#define GSS_KRB5_S_G_WRONG_SIZE 7 - /* "Buffer is the wrong size" */ -#define GSS_KRB5_S_G_BAD_USAGE 8 - /* "Credential usage type is unknown" */ -#define GSS_KRB5_S_G_UNKNOWN_QOP 9 - /* "Unknown quality of protection specified" */ - - /* - * 4.1.2. Kerberos-specific-codes - */ - -#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10 - /* "Principal in credential cache does not match desired name" */ -#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11 - /* "No principal in keytab matches desired name" */ -#define GSS_KRB5_S_KG_TGT_MISSING 12 - /* "Credential cache has no TGT" */ -#define GSS_KRB5_S_KG_NO_SUBKEY 13 - /* "Authenticator has no subkey" */ -#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14 - /* "Context is already fully established" */ -#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15 - /* "Unknown signature type in token" */ -#define GSS_KRB5_S_KG_BAD_LENGTH 16 - /* "Invalid field length in token" */ -#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17 - /* "Attempt to use incomplete security context" */ - -/* - * Finally, function prototypes for the GSS-API routines. 
- */ - -OM_uint32 gss_acquire_cred - (OM_uint32 * /*minor_status*/, - const gss_name_t /*desired_name*/, - OM_uint32 /*time_req*/, - const gss_OID_set /*desired_mechs*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_release_cred - (OM_uint32 * /*minor_status*/, - gss_cred_id_t * /*cred_handle*/ - ); - -OM_uint32 gss_init_sec_context - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*initiator_cred_handle*/, - gss_ctx_id_t * /*context_handle*/, - const gss_name_t /*target_name*/, - const gss_OID /*mech_type*/, - OM_uint32 /*req_flags*/, - OM_uint32 /*time_req*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const gss_buffer_t /*input_token*/, - gss_OID * /*actual_mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_accept_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - const gss_cred_id_t /*acceptor_cred_handle*/, - const gss_buffer_t /*input_token_buffer*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - gss_name_t * /*src_name*/, - gss_OID * /*mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/, - gss_cred_id_t * /*delegated_cred_handle*/ - ); - -OM_uint32 gss_process_context_token - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*token_buffer*/ - ); - -OM_uint32 gss_delete_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*output_token*/ - ); - -OM_uint32 gss_context_time - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_get_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - 
-OM_uint32 gss_verify_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_wrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unwrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_display_status - (OM_uint32 * /*minor_status*/, - OM_uint32 /*status_value*/, - int /*status_type*/, - const gss_OID /*mech_type*/, - OM_uint32 * /*message_context*/, - gss_buffer_t /*status_string*/ - ); - -OM_uint32 gss_indicate_mechs - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*mech_set*/ - ); - -OM_uint32 gss_compare_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*name1*/, - const gss_name_t /*name2*/, - int * /*name_equal*/ - ); - -OM_uint32 gss_display_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*output_name_buffer*/, - gss_OID * /*output_name_type*/ - ); - -OM_uint32 gss_import_name - (OM_uint32 * /*minor_status*/, - const gss_buffer_t /*input_name_buffer*/, - const gss_OID /*input_name_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_export_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*exported_name*/ - ); - -OM_uint32 gss_release_name - (OM_uint32 * /*minor_status*/, - gss_name_t * /*input_name*/ - ); - -OM_uint32 gss_release_buffer - (OM_uint32 * /*minor_status*/, - gss_buffer_t /*buffer*/ - ); - -OM_uint32 gss_release_oid_set - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*set*/ - ); - -OM_uint32 gss_inquire_cred 
- (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - gss_name_t * /*name*/, - OM_uint32 * /*lifetime*/, - gss_cred_usage_t * /*cred_usage*/, - gss_OID_set * /*mechanisms*/ - ); - -OM_uint32 gss_inquire_context ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_name_t * /*src_name*/, - gss_name_t * /*targ_name*/, - OM_uint32 * /*lifetime_rec*/, - gss_OID * /*mech_type*/, - OM_uint32 * /*ctx_flags*/, - int * /*locally_initiated*/, - int * /*open_context*/ - ); - -OM_uint32 gss_wrap_size_limit ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 * /*max_input_size*/ - ); - -OM_uint32 gss_add_cred ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*input_cred_handle*/, - const gss_name_t /*desired_name*/, - const gss_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - OM_uint32 /*initiator_time_req*/, - OM_uint32 /*acceptor_time_req*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*initiator_time_rec*/, - OM_uint32 * /*acceptor_time_rec*/ - ); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*mech_type*/, - gss_name_t * /*name*/, - OM_uint32 * /*initiator_lifetime*/, - OM_uint32 * /*acceptor_lifetime*/, - gss_cred_usage_t * /*cred_usage*/ - ); - -OM_uint32 gss_export_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*interprocess_token*/ - ); - -OM_uint32 gss_import_sec_context ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*interprocess_token*/, - gss_ctx_id_t * /*context_handle*/ - ); - -OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * /*minor_status*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_add_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member_oid*/, - gss_OID_set * 
/*oid_set*/ - ); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member*/, - const gss_OID_set /*set*/, - int * /*present*/ - ); - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * /*minor_status*/, - const gss_OID /*mechanism*/, - gss_OID_set * /*name_types*/ - ); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_OID_set * /*mech_types*/ - ); - -OM_uint32 gss_canonicalize_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - const gss_OID /*mech_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_duplicate_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*src_name*/, - gss_name_t * /*dest_name*/ - ); - -/* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSSAPI V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - * (as opposed to #defines) should be provided, both to allow - * GSSAPI V1 applications to link against GSSAPI V2 implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. 
- */ - -OM_uint32 gss_sign - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*qop_req*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - -OM_uint32 gss_verify - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*token_buffer*/, - int * /*qop_state*/ - ); - -OM_uint32 gss_seal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - int /*qop_req*/, - gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unseal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - int * /*qop_state*/ - ); - -/* - * kerberos mechanism specific functions - */ - -OM_uint32 -gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, - const char * /*name */, - const char ** /*out_name */); - -OM_uint32 gsskrb5_register_acceptor_identity - (const char */*identity*/); - -OM_uint32 gss_krb5_copy_ccache - (OM_uint32 */*minor*/, - gss_cred_id_t /*cred*/, - struct krb5_ccache_data */*out*/); - -OM_uint32 -gss_krb5_import_cred(OM_uint32 */*minor*/, - struct krb5_ccache_data * /*in*/, - struct Principal * /*keytab_principal*/, - struct krb5_keytab_data * /*keytab*/, - gss_cred_id_t */*out*/); - -OM_uint32 gss_krb5_get_tkt_flags - (OM_uint32 */*minor*/, - gss_ctx_id_t /*context_handle*/, - OM_uint32 */*tkt_flags*/); - -OM_uint32 -gsskrb5_extract_authz_data_from_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*ad_type*/, - gss_buffer_t /*ad_data*/); - -#define GSS_C_KRB5_COMPAT_DES3_MIC 1 - -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int); - -OM_uint32 -gss_oid_to_str - (OM_uint32 * /*minor_status*/, - gss_OID /* oid */, - gss_buffer_t /* str */); - - -#ifdef __cplusplus -} -#endif - -#endif /* 
GSSAPI_H_ */ diff --git a/lib/gssapi/krb5/gssapi_locl.h b/lib/gssapi/krb5/gssapi_locl.h deleted file mode 100644 index 478b4f663..000000000 --- a/lib/gssapi/krb5/gssapi_locl.h +++ /dev/null 
@@ -1,299 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id$ */ - -#ifndef GSSAPI_LOCL_H -#define GSSAPI_LOCL_H - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include - -#include "cfx.h" -#include "arcfour.h" - -#include "spnego_asn1.h" - -/* - * - */ - -struct gss_msg_order; - -typedef struct gss_ctx_id_t_desc_struct { - struct krb5_auth_context_data *auth_context; - gss_name_t source, target; - OM_uint32 flags; - enum { LOCAL = 1, OPEN = 2, - COMPAT_OLD_DES3 = 4, - COMPAT_OLD_DES3_SELECTED = 8, - ACCEPTOR_SUBKEY = 16 - } more_flags; - struct krb5_ticket *ticket; - OM_uint32 lifetime; - HEIMDAL_MUTEX ctx_id_mutex; - struct gss_msg_order *order; -} gss_ctx_id_t_desc; - -typedef struct gss_cred_id_t_desc_struct { - gss_name_t principal; - int cred_flags; -#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 - struct krb5_keytab_data *keytab; - OM_uint32 lifetime; - gss_cred_usage_t usage; - gss_OID_set mechanisms; - struct krb5_ccache_data *ccache; - HEIMDAL_MUTEX cred_id_mutex; -} gss_cred_id_t_desc; - -/* - * - */ - -extern krb5_context gssapi_krb5_context; - -extern krb5_keytab gssapi_krb5_keytab; -extern HEIMDAL_MUTEX gssapi_keytab_mutex; - -struct gssapi_thr_context { - HEIMDAL_MUTEX mutex; - char *error_string; -}; - -/* - * Prototypes - */ - -krb5_error_code gssapi_krb5_init (void); - -#define GSSAPI_KRB5_INIT() do { \ - krb5_error_code kret_gss_init; \ - if((kret_gss_init = gssapi_krb5_init ()) != 0) { \ - *minor_status = kret_gss_init; \ - return GSS_S_FAILURE; \ - } \ -} while (0) - -struct gssapi_thr_context * -gssapi_get_thread_context(int); - -void -gsskrb5_is_cfx(gss_ctx_id_t, int *); - -OM_uint32 -gssapi_krb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result); - -OM_uint32 -gssapi_krb5_verify_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data); - -void 
-_gssapi_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech); - -void -gssapi_krb5_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech); - - - -OM_uint32 -_gssapi_encapsulate(OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const gss_OID mech); - - -OM_uint32 -gssapi_krb5_encapsulate(OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const void *type, - const gss_OID mech); - -OM_uint32 -gssapi_krb5_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const void *type, - gss_OID oid); - -void * -gssapi_krb5_make_header (void *ptr, - size_t len, - const void *type, - const gss_OID mech); - -void * -_gssapi_make_mech_header(void *ptr, - size_t len, - const gss_OID mech); - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len, - gss_OID oid); - -OM_uint32 -gssapi_krb5_verify_header(u_char **str, - size_t total_len, - const void *type, - gss_OID oid); - -OM_uint32 -_gssapi_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const gss_OID mech); - - -ssize_t -gssapi_krb5_get_mech (const u_char *, size_t, const u_char **); - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t, size_t, size_t *); - -OM_uint32 -gss_verify_mic_internal(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type); - -OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key); - -krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address); - -/* sec_context flags */ - -#define SC_LOCAL_ADDRESS 0x01 -#define SC_REMOTE_ADDRESS 0x02 -#define SC_KEYBLOCK 0x04 -#define SC_LOCAL_SUBKEY 0x08 -#define SC_REMOTE_SUBKEY 0x10 - -int 
-gss_oid_equal(const gss_OID a, const gss_OID b); - -void -gssapi_krb5_clear_status (void); - -void -gssapi_krb5_set_status (const char *fmt, ...); - -void -gssapi_krb5_set_error_string (void); - -char * -gssapi_krb5_get_error_string (void); - -OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *, gss_ctx_id_t); - -OM_uint32 -_gss_spnego_require_mechlist_mic(OM_uint32 *, gss_ctx_id_t, krb5_boolean *); - -krb5_error_code -_gss_check_compat(OM_uint32 *, gss_name_t, const char *, - krb5_boolean *, krb5_boolean); - -OM_uint32 -gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *); - -OM_uint32 -_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache, - krb5_principal, OM_uint32 *); - -/* sequence */ - -OM_uint32 -_gssapi_msg_order_create(OM_uint32 *, struct gss_msg_order **, - OM_uint32, OM_uint32, OM_uint32, int); -OM_uint32 -_gssapi_msg_order_destroy(struct gss_msg_order **); - -OM_uint32 -_gssapi_msg_order_check(struct gss_msg_order *, OM_uint32); - -OM_uint32 -_gssapi_msg_order_f(OM_uint32); - -OM_uint32 -_gssapi_msg_order_import(OM_uint32 *, krb5_storage *, - struct gss_msg_order **); - -krb5_error_code -_gssapi_msg_order_export(krb5_storage *, struct gss_msg_order *); - - -/* 8003 */ - -krb5_error_code -gssapi_encode_om_uint32(OM_uint32, u_char *); - -krb5_error_code -gssapi_encode_be_om_uint32(OM_uint32, u_char *); - -krb5_error_code -gssapi_decode_om_uint32(const void *, OM_uint32 *); - -krb5_error_code -gssapi_decode_be_om_uint32(const void *, OM_uint32 *); - -#endif diff --git a/lib/gssapi/krb5/arcfour.h b/lib/gssapi/krb5/gsskrb5_locl.h similarity index 50% rename from lib/gssapi/krb5/arcfour.h rename to lib/gssapi/krb5/gsskrb5_locl.h index 582359151..7b14f6487 100644 --- a/lib/gssapi/krb5/arcfour.h +++ b/lib/gssapi/krb5/gsskrb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -33,41 +33,91 @@
 /* $Id$ */
-#ifndef GSSAPI_ARCFOUR_H_
-#define GSSAPI_ARCFOUR_H_ 1
+#ifndef GSSAPI_LOCL_H
+#define GSSAPI_LOCL_H
+
+#ifdef HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "cfx.h"
 #define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
-OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int *conf_state,
- gss_buffer_t output_message_buffer,
- krb5_keyblock *key);
+/*
+ *
+ */
-OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int *conf_state,
- gss_qop_t *qop_state,
- krb5_keyblock *key);
+struct gss_msg_order;
-OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token,
- krb5_keyblock *key);
+typedef struct {
+ struct krb5_auth_context_data *auth_context;
+ gss_name_t source, target;
+ OM_uint32 flags;
+ enum { LOCAL = 1, OPEN = 2,
+ COMPAT_OLD_DES3 = 4,
+ COMPAT_OLD_DES3_SELECTED = 8,
+ ACCEPTOR_SUBKEY = 16
+ } more_flags;
+ struct krb5_ticket *ticket;
+ OM_uint32 lifetime;
+ HEIMDAL_MUTEX ctx_id_mutex;
+ struct gss_msg_order *order;
+} *gsskrb5_ctx;
-OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t *qop_state,
- krb5_keyblock *key,
- char *type);
+typedef struct {
+ gss_name_t principal;
+ int cred_flags;
+#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
+ struct krb5_keytab_data *keytab;
+ OM_uint32 lifetime;
+ gss_cred_usage_t usage;
+ gss_OID_set mechanisms;
+ struct krb5_ccache_data *ccache;
+ HEIMDAL_MUTEX cred_id_mutex;
+} *gsskrb5_cred;
-#endif /* GSSAPI_ARCFOUR_H_ */
+/*
+ *
+ */
+
+extern krb5_context
_gsskrb5_context;
+
+extern krb5_keytab _gsskrb5_keytab;
+extern HEIMDAL_MUTEX gssapi_keytab_mutex;
+
+struct gssapi_thr_context {
+ HEIMDAL_MUTEX mutex;
+ char *error_string;
+};
+
+/*
+ * Prototypes
+ */
+
+krb5_error_code _gsskrb5_init (void);
+
+#define GSSAPI_KRB5_INIT() do { \
+ krb5_error_code kret_gss_init; \
+ if((kret_gss_init = _gsskrb5_init ()) != 0) { \
+ *minor_status = kret_gss_init; \
+ return GSS_S_FAILURE; \
+ } \
+} while (0)
+
+#include
+
+/* sec_context flags */
+
+#define SC_LOCAL_ADDRESS 0x01
+#define SC_REMOTE_ADDRESS 0x02
+#define SC_KEYBLOCK 0x04
+#define SC_LOCAL_SUBKEY 0x08
+#define SC_REMOTE_SUBKEY 0x10
+
+#endif
diff --git a/lib/gssapi/krb5/import_name.c b/lib/gssapi/krb5/import_name.c
index 57390946a..4b974d5ca 100644
--- a/lib/gssapi/krb5/import_name.c
+++ b/lib/gssapi/krb5/import_name.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 */
-#include "gssapi_locl.h"
+#include "gsskrb5_locl.h"
 RCSID("$Id$");
@@ -42,16 +42,16 @@ parse_krb5_name (OM_uint32 *minor_status,
 {
 krb5_error_code kerr;
- kerr = krb5_parse_name (gssapi_krb5_context, name, output_name);
+ kerr = krb5_parse_name (_gsskrb5_context, name, output_name);
 if (kerr == 0)
 return GSS_S_COMPLETE;
 else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
- gssapi_krb5_set_error_string ();
+ _gsskrb5_set_error_string ();
 *minor_status = kerr;
 return GSS_S_BAD_NAME;
 } else {
- gssapi_krb5_set_error_string ();
+ _gsskrb5_set_error_string ();
 *minor_status = kerr;
 return GSS_S_FAILURE;
 }
@@ -117,7 +117,7 @@ import_hostbased_name (OM_uint32 *minor_status,
 host = local_hostname;
 }
- kerr = krb5_sname_to_principal (gssapi_krb5_context,
+ kerr = krb5_sname_to_principal (_gsskrb5_context,
 host,
 tmp,
 KRB5_NT_SRV_HST,
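Review bot: The rename is incomplete in this header: `gssapi_keytab_mutex` and `struct gssapi_thr_context` keep the old `gssapi_` prefix while every neighbouring symbol became `_gsskrb5_` (`_gsskrb5_keytab`, `_gsskrb5_init`, `_gsskrb5_context`), leaving two prefixes for one module's private state. The new `typedef struct { ... } *gsskrb5_ctx;` also hides the pointer behind the typedef and gives the struct no tag, so mechanism code has to cast `gss_ctx_id_t` to it with nothing in the object to check; `typedef struct gsskrb5_ctx_desc { ... } *gsskrb5_ctx;` would at least let forward declarations and debuggers name the type. `GSSAPI_KRB5_INIT()` silently `return`s GSS_S_FAILURE from the calling function and relies on a `minor_status` variable being in scope, which deserves a comment above it such as `/* Must be the first statement of a GSS entry point: on failure writes *minor_status and returns GSS_S_FAILURE from the caller. */`. The `#include` lines in this hunk have lost their arguments in this rendering, so the exact headers pulled in cannot be checked here.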
@@ -127,11 +127,11 @@ import_hostbased_name (OM_uint32 *minor_status,
 if (kerr == 0)
 return GSS_S_COMPLETE;
 else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
- gssapi_krb5_set_error_string ();
+ _gsskrb5_set_error_string ();
 *minor_status = kerr;
 return GSS_S_BAD_NAME;
 } else {
- gssapi_krb5_set_error_string ();
+ _gsskrb5_set_error_string ();
 *minor_status = kerr;
 return GSS_S_FAILURE;
 }
@@ -184,18 +184,7 @@ import_export_name (OM_uint32 *minor_status,
 return ret;
 }
-int
-gss_oid_equal(const gss_OID a, const gss_OID b)
-{
- if (a == b)
- return 1;
- else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length)
- return 0;
- else
- return memcmp(a->elements, b->elements, a->length) == 0;
-}
-
-OM_uint32 gss_import_name
+OM_uint32 _gsskrb5_import_name
 (OM_uint32 * minor_status,
 const gss_buffer_t input_name_buffer,
 const gss_OID input_name_type,
diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c
index ff702dfdb..43b221f59 100644
--- a/lib/gssapi/krb5/import_sec_context.c
+++ b/lib/gssapi/krb5/import_sec_context.c
@@ -31,12 +31,12 @@
 * SUCH DAMAGE.
 */
-#include "gssapi_locl.h"
+#include "gsskrb5_locl.h"
 RCSID("$Id$");
 OM_uint32
-gss_import_sec_context (
+_gsskrb5_import_sec_context (
 OM_uint32 * minor_status,
 const gss_buffer_t interprocess_token,
 gss_ctx_id_t * context_handle
@@ -54,9 +54,12 @@ gss_import_sec_context (
 int32_t tmp;
 int32_t flags;
 OM_uint32 minor;
+ gsskrb5_ctx ctx;
 GSSAPI_KRB5_INIT ();
+ *context_handle = GSS_C_NO_CONTEXT;
+
 localp = remotep = NULL;
 sp = krb5_storage_from_mem (interprocess_token->value,
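Review bot: `*context_handle = GSS_C_NO_CONTEXT;` is placed after `GSSAPI_KRB5_INIT ();`, but that macro (defined in gsskrb5_locl.h in this same change) returns GSS_S_FAILURE from the function when `_gsskrb5_init()` fails, so on that path the caller's output handle is never written and a caller that inspects `*context_handle` before the major status reads whatever was there before. Moving the assignment above the macro, `*context_handle = GSS_C_NO_CONTEXT; GSSAPI_KRB5_INIT ();`, makes the output well-defined on every return, which is what the later `failure:` path already guarantees. The function body continues past the end of this hunk.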
@@ -66,19 +69,18 @@ gss_import_sec_context (
 return GSS_S_FAILURE;
 }
- *context_handle = malloc(sizeof(**context_handle));
- if (*context_handle == NULL) {
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
 *minor_status = ENOMEM;
 krb5_storage_free (sp);
 return GSS_S_FAILURE;
 }
- memset (*context_handle, 0, sizeof(**context_handle));
- HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex);
+ HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
- kret = krb5_auth_con_init (gssapi_krb5_context,
- &(*context_handle)->auth_context);
+ kret = krb5_auth_con_init (_gsskrb5_context,
+ &ctx->auth_context);
 if (kret) {
- gssapi_krb5_set_error_string ();
+ _gsskrb5_set_error_string ();
 *minor_status = kret;
 ret = GSS_S_FAILURE;
 goto failure;
@@ -93,7 +95,7 @@ gss_import_sec_context (
 /* retrieve the auth context */
- ac = (*context_handle)->auth_context;
+ ac = ctx->auth_context;
 if (krb5_ret_uint32 (sp, &ac->flags) != 0)
 goto failure;
 if (flags & SC_LOCAL_ADDRESS) {
@@ -106,11 +108,11 @@ gss_import_sec_context (
 goto failure;
 }
- krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
+ krb5_auth_con_setaddrs (_gsskrb5_context, ac, localp, remotep);
 if (localp)
- krb5_free_address (gssapi_krb5_context, localp);
+ krb5_free_address (_gsskrb5_context, localp);
 if (remotep)
- krb5_free_address (gssapi_krb5_context, remotep);
+ krb5_free_address (_gsskrb5_context, remotep);
 localp = remotep = NULL;
 if (krb5_ret_int16 (sp, &ac->local_port) != 0)
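Review bot: `if (krb5_ret_uint32 (sp, &ac->flags) != 0)` copies the token's value straight into the krb5 auth context's flag word, and the result of the following `krb5_auth_con_setaddrs (...)` is dropped, so nothing in this path validates what the interprocess token dictates about the context or notices if installing the addresses failed. That is only acceptable because the token is meant to come from a trusted exporting process, yet the function carries no comment saying so; a header note such as `/* The interprocess token is fully trusted: it carries raw session keys, auth-context flags and sequence state. Never accept one from an untrusted peer. */` would make the assumption explicit. If `krb5_auth_con_setaddrs` can fail (its contract is not visible here), its return should be checked like the other krb5 calls in this function. The enclosing function starts and ends outside these hunks.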
@@ -121,20 +123,20 @@ gss_import_sec_context (
 if (flags & SC_KEYBLOCK) {
 if (krb5_ret_keyblock (sp, &keyblock) != 0)
 goto failure;
- krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
- krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+ krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock);
+ krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
 }
 if (flags & SC_LOCAL_SUBKEY) {
 if (krb5_ret_keyblock (sp, &keyblock) != 0)
 goto failure;
- krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
- krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+ krb5_auth_con_setlocalsubkey (_gsskrb5_context, ac, &keyblock);
+ krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
 }
 if (flags & SC_REMOTE_SUBKEY) {
 if (krb5_ret_keyblock (sp, &keyblock) != 0)
 goto failure;
- krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
- krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+ krb5_auth_con_setremotesubkey (_gsskrb5_context, ac, &keyblock);
+ krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
 }
 if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
 goto failure;
@@ -155,11 +157,11 @@ gss_import_sec_context (
 buffer.value = data.data;
 buffer.length = data.length;
- ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &(*context_handle)->source);
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
+ &ctx->source);
 if (ret) {
- ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
- &(*context_handle)->source);
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ &ctx->source);
 if (ret) {
 krb5_data_free (&data);
 goto failure;
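Review bot: `krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock);` and the two `..._setlocalsubkey`/`..._setremotesubkey` calls ignore their return value and the keyblock is freed on the next line regardless, so if the copy into the auth context fails the import still returns GSS_S_COMPLETE with a context that has no session key or subkey, and every later wrap/MIC on it fails somewhere far less obvious. Capturing the result and failing the import keeps the error where it happened: `kret = krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock); krb5_free_keyblock_contents (_gsskrb5_context, &keyblock); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; goto failure; }`, with the same three lines for the two subkey cases. Whether `krb5_free_keyblock_contents` scrubs the key bytes before releasing them is not visible here; if it does not, the raw key just read from the token lingers in freed memory. The enclosing function starts and ends outside this hunk.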
@@ -172,11 +174,11 @@ gss_import_sec_context (
 buffer.value = data.data;
 buffer.length = data.length;
- ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &(*context_handle)->target);
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
+ &ctx->target);
 if (ret) {
- ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
- &(*context_handle)->target);
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ &ctx->target);
 if (ret) {
 krb5_data_free (&data);
 goto failure;
@@ -186,37 +188,40 @@ gss_import_sec_context (
 if (krb5_ret_int32 (sp, &tmp))
 goto failure;
- (*context_handle)->flags = tmp;
+ ctx->flags = tmp;
 if (krb5_ret_int32 (sp, &tmp))
 goto failure;
- (*context_handle)->more_flags = tmp;
+ ctx->more_flags = tmp;
 if (krb5_ret_int32 (sp, &tmp))
 goto failure;
- (*context_handle)->lifetime = tmp;
+ ctx->lifetime = tmp;
- ret = _gssapi_msg_order_import(minor_status, sp, &(*context_handle)->order);
+ ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
 if (ret)
 goto failure;
 krb5_storage_free (sp);
+
+ *context_handle = (gss_ctx_id_t)ctx;
+
 return GSS_S_COMPLETE;
 failure:
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if ((*context_handle)->source != NULL)
- gss_release_name(&minor, &(*context_handle)->source);
- if ((*context_handle)->target != NULL)
- gss_release_name(&minor, &(*context_handle)->target);
+ krb5_auth_con_free (_gsskrb5_context,
+ ctx->auth_context);
+ if (ctx->source != NULL)
+ _gsskrb5_release_name(&minor, &ctx->source);
+ if (ctx->target != NULL)
+ _gsskrb5_release_name(&minor, &ctx->target);
 if (localp)
- krb5_free_address (gssapi_krb5_context, localp);
+ krb5_free_address (_gsskrb5_context, localp);
 if (remotep)
- krb5_free_address (gssapi_krb5_context, remotep);
- if((*context_handle)->order)
- _gssapi_msg_order_destroy(&(*context_handle)->order);
- HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
+ krb5_free_address (_gsskrb5_context, remotep);
+ if(ctx->order)
+ _gssapi_msg_order_destroy(&ctx->order);
+ HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
 krb5_storage_free (sp);
- free (*context_handle);
+ free (ctx);
 *context_handle = GSS_C_NO_CONTEXT;
 return ret;
 }
diff --git a/lib/gssapi/krb5/indicate_mechs.c b/lib/gssapi/krb5/indicate_mechs.c
index 338f0e33f..299f53c5c 100644
--- a/lib/gssapi/krb5/indicate_mechs.c
+++ b/lib/gssapi/krb5/indicate_mechs.c
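Review bot: `ctx->more_flags = tmp;` stores the raw int32 read from the token into the `more_flags` enum field without checking that only the bits declared in gsskrb5_locl.h (LOCAL, OPEN, COMPAT_OLD_DES3, COMPAT_OLD_DES3_SELECTED, ACCEPTOR_SUBKEY) are set, and `ctx->lifetime = tmp;` likewise pushes a signed value into an OM_uint32, so a corrupt or truncated token produces a context with out-of-range state instead of an error. A mask check before the assignment, `if (tmp & ~(LOCAL|OPEN|COMPAT_OLD_DES3|COMPAT_OLD_DES3_SELECTED|ACCEPTOR_SUBKEY)) { ret = GSS_S_DEFECTIVE_TOKEN; goto failure; }`, rejects such tokens in the deserialiser rather than letting them surface as odd behaviour later (this assumes the exporter only ever writes those bits, which the enum suggests but this diff does not show). The new `failure:` label is also reached from the `krb5_auth_con_init` failure in an earlier hunk with `ctx->auth_context` still NULL from `calloc`, so `krb5_auth_con_free (_gsskrb5_context, ctx->auth_context)` must tolerate NULL; if it does not, guard that call.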
@@ -31,30 +31,25 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_indicate_mechs +OM_uint32 _gsskrb5_indicate_mechs (OM_uint32 * minor_status, gss_OID_set * mech_set ) { - OM_uint32 ret; + OM_uint32 ret, junk; - ret = gss_create_empty_oid_set(minor_status, mech_set); + ret = _gsskrb5_create_empty_oid_set(minor_status, mech_set); if (ret) return ret; - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set); + ret = _gsskrb5_add_oid_set_member(minor_status, + GSS_KRB5_MECHANISM, mech_set); if (ret) { - gss_release_oid_set(NULL, mech_set); - return ret; - } - - ret = gss_add_oid_set_member(minor_status, GSS_SPNEGO_MECHANISM, mech_set); - if (ret) { - gss_release_oid_set(NULL, mech_set); + _gsskrb5_release_oid_set(&junk, mech_set); return ret; } diff --git a/lib/gssapi/krb5/init.c b/lib/gssapi/krb5/init.c index c036b3e5a..d6114e07e 100644 --- a/lib/gssapi/krb5/init.c +++ b/lib/gssapi/krb5/init.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -static HEIMDAL_MUTEX gssapi_krb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER; +static HEIMDAL_MUTEX _gsskrb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER; static int created_key; static HEIMDAL_thread_key gssapi_context_key; @@ -54,12 +54,12 @@ gssapi_destroy_thread_context(void *ptr) struct gssapi_thr_context * -gssapi_get_thread_context(int createp) +_gsskrb5_get_thread_context(int createp) { struct gssapi_thr_context *ctx; int ret; - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex); if (!created_key) abort(); 
@@ -76,36 +76,36 @@ gssapi_get_thread_context(int createp) if (ret) goto fail; } - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex); return ctx; fail: - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex); if (ctx) free(ctx); return NULL; } krb5_error_code -gssapi_krb5_init (void) +_gsskrb5_init (void) { krb5_error_code ret = 0; - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex); - if(gssapi_krb5_context == NULL) - ret = krb5_init_context (&gssapi_krb5_context); + if(_gsskrb5_context == NULL) + ret = krb5_init_context (&_gsskrb5_context); if (ret == 0 && !created_key) { HEIMDAL_key_create(&gssapi_context_key, gssapi_destroy_thread_context, ret); if (ret) { - krb5_free_context(gssapi_krb5_context); - gssapi_krb5_context = NULL; + krb5_free_context(_gsskrb5_context); + _gsskrb5_context = NULL; } else created_key = 1; } - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex); return ret; } diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index 5064045fb..17795561d 100644 --- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
@@ -64,29 +64,29 @@ set_addresses (krb5_auth_context ac, ac->remote_port = *((int16_t *) input_chan_bindings->application_data.value + 1); - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); + kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, + &input_chan_bindings->acceptor_address, + ac->remote_port, + &acceptor_addr); if (kret) return kret; - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); + kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->initiator_addrtype, + &input_chan_bindings->initiator_address, + ac->local_port, + &initiator_addr); if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); + krb5_free_address (_gsskrb5_context, &acceptor_addr); return kret; } - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, + kret = krb5_auth_con_setaddrs(_gsskrb5_context, ac, &initiator_addr, /* local address */ &acceptor_addr); /* remote address */ - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); + krb5_free_address (_gsskrb5_context, &initiator_addr); + krb5_free_address (_gsskrb5_context, &acceptor_addr); #if 0 free(input_chan_bindings->application_data.value); @@ -116,11 +116,11 @@ do_delegation (krb5_auth_context ac, memset (&creds, 0, sizeof(creds)); krb5_data_zero (fwd_data); - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client); + kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &creds.client); if (kret) goto out; - kret = krb5_build_principal(gssapi_krb5_context, + kret = krb5_build_principal(_gsskrb5_context, &creds.server, strlen(creds.client->realm), creds.client->realm, 
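Review bot: `ac->remote_port = *((int16_t *) input_chan_bindings->application_data.value + 1);` (and presumably the matching `local_port` line just above the hunk) reads caller-supplied channel-binding data through an `int16_t *`, which requires `application_data.length` to be at least 4 and `value` to be 2-byte aligned; whatever length check exists is above the hunk and not visible here, and the cast is an alignment/strict-aliasing hazard regardless. A guard such as `if (input_chan_bindings->application_data.length < 2 * sizeof(int16_t)) return EINVAL;` followed by a `memcpy` of the two ports into a local `int16_t ports[2]` removes both problems without changing what is stored. Whether the ports are expected in host or network byte order is not documented anywhere in view and deserves a comment. `set_addresses` begins before this hunk.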
@@ -140,7 +140,7 @@ do_delegation (krb5_auth_context ac, target_name->name.name_string.len < 2) goto out; - kret = krb5_get_forwarded_creds(gssapi_krb5_context, + kret = krb5_get_forwarded_creds(_gsskrb5_context, ac, ccache, fwd_flags.i, @@ -155,9 +155,9 @@ do_delegation (krb5_auth_context ac, *flags |= GSS_C_DELEG_FLAG; if (creds.client) - krb5_free_principal(gssapi_krb5_context, creds.client); + krb5_free_principal(_gsskrb5_context, creds.client); if (creds.server) - krb5_free_principal(gssapi_krb5_context, creds.server); + krb5_free_principal(_gsskrb5_context, creds.server); } /* @@ -167,7 +167,7 @@ do_delegation (krb5_auth_context ac, static OM_uint32 init_auth (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, + gsskrb5_cred initiator_cred_handle, gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type, 
@@ -193,38 +193,39 @@ init_auth krb5_enctype enctype; krb5_data fwd_data; OM_uint32 lifetime_rec; + gsskrb5_ctx ctx; krb5_data_zero(&outbuf); krb5_data_zero(&fwd_data); *minor_status = 0; - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { + ctx = malloc(sizeof(*ctx)); + if (ctx == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - (*context_handle)->order = NULL; - HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); + ctx->auth_context = NULL; + ctx->source = NULL; + ctx->target = NULL; + ctx->flags = 0; + ctx->more_flags = 0; + ctx->ticket = NULL; + ctx->lifetime = GSS_C_INDEFINITE; + ctx->order = NULL; + HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); + kret = krb5_auth_con_init (_gsskrb5_context, + &ctx->auth_context); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - kret = set_addresses ((*context_handle)->auth_context, + kret = set_addresses (ctx->auth_context, input_chan_bindings); if (kret) { *minor_status = kret; @@ -232,8 +233,8 @@ init_auth goto failure; } - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, + krb5_auth_con_addflags(_gsskrb5_context, + ctx->auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL); 
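Review bot: `ctx = malloc(sizeof(*ctx));` followed by a hand-written list of member assignments means any member of the context struct that is not named here (the struct definition is not in view) starts with indeterminate contents, and the `failure:` path later in the function decides what to free by testing `ctx->source`, `ctx->target` and `ctx->order`. Allocating with `ctx = calloc(1, sizeof(*ctx));` gives a zeroed context so those tests stay safe as fields are added; the explicit `= NULL`/`= 0` lines can then go, leaving `ctx->lifetime = GSS_C_INDEFINITE;` and the `HEIMDAL_MUTEX_init` call. `init_auth` starts before this hunk.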
@@ -241,10 +242,10 @@ init_auth if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); + if (initiator_cred_handle == NULL) { + kret = krb5_cc_default (_gsskrb5_context, &ccache); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; 
@@ -252,60 +253,60 @@ init_auth } else ccache = initiator_cred_handle->ccache; - kret = krb5_cc_get_principal (gssapi_krb5_context, + kret = krb5_cc_get_principal (_gsskrb5_context, ccache, - &(*context_handle)->source); + &ctx->source); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - kret = krb5_copy_principal (gssapi_krb5_context, + kret = krb5_copy_principal (_gsskrb5_context, target_name, - &(*context_handle)->target); + &ctx->target); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); + ret = _gss_DES3_get_mic_compat(minor_status, ctx); if (ret) goto failure; memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = (*context_handle)->source; - this_cred.server = (*context_handle)->target; + this_cred.client = ctx->source; + this_cred.server = ctx->target; if (time_req && time_req != GSS_C_INDEFINITE) { krb5_timestamp ts; - krb5_timeofday (gssapi_krb5_context, &ts); + krb5_timeofday (_gsskrb5_context, &ts); this_cred.times.endtime = ts + time_req; } else this_cred.times.endtime = 0; this_cred.session.keytype = KEYTYPE_NULL; - kret = krb5_get_credentials (gssapi_krb5_context, + kret = krb5_get_credentials (_gsskrb5_context, 0, ccache, &this_cred, &cred); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - (*context_handle)->lifetime = cred->times.endtime; + ctx->lifetime = cred->times.endtime; - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, &lifetime_rec); if (ret) { goto failure; 
@@ -317,15 +318,15 @@ init_auth goto failure; } - krb5_auth_con_setkey(gssapi_krb5_context, - (*context_handle)->auth_context, + krb5_auth_con_setkey(_gsskrb5_context, + ctx->auth_context, &cred->session); - kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, - (*context_handle)->auth_context, + kret = krb5_auth_con_generatelocalsubkey(_gsskrb5_context, + ctx->auth_context, &cred->session); if(kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; @@ -341,7 +342,7 @@ init_auth if (!cred->flags.b.ok_as_delegate) { krb5_boolean delegate; - krb5_appdefault_boolean(gssapi_krb5_context, + krb5_appdefault_boolean(_gsskrb5_context, "gssapi", target_name->realm, "ok-as-delegate", FALSE, &delegate); if (delegate) @@ -351,7 +352,7 @@ init_auth flags = 0; ap_options = 0; if (req_flags & GSS_C_DELEG_FLAG) - do_delegation ((*context_handle)->auth_context, + do_delegation (ctx->auth_context, ccache, cred, target_name, &fwd_data, &flags); if (req_flags & GSS_C_MUTUAL_FLAG) { @@ -371,22 +372,22 @@ init_auth if (ret_flags) *ret_flags = flags; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= LOCAL; + ctx->flags = flags; + ctx->more_flags |= LOCAL; - ret = gssapi_krb5_create_8003_checksum (minor_status, - input_chan_bindings, - flags, - &fwd_data, - &cksum); + ret = _gsskrb5_create_8003_checksum (minor_status, + input_chan_bindings, + flags, + &fwd_data, + &cksum); krb5_data_free (&fwd_data); if (ret) goto failure; - enctype = (*context_handle)->auth_context->keyblock->keytype; + enctype = ctx->auth_context->keyblock->keytype; - kret = krb5_build_authenticator (gssapi_krb5_context, - (*context_handle)->auth_context, + kret = krb5_build_authenticator (_gsskrb5_context, + ctx->auth_context, enctype, cred, &cksum, 
@@ -395,13 +396,13 @@ init_auth KRB5_KU_AP_REQ_AUTH); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - kret = krb5_build_ap_req (gssapi_krb5_context, + kret = krb5_build_ap_req (_gsskrb5_context, enctype, cred, ap_options, @@ -409,37 +410,38 @@ init_auth &outbuf); if (kret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, + ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); if (ret) goto failure; krb5_data_free (&outbuf); - krb5_free_creds(gssapi_krb5_context, cred); + krb5_free_creds(_gsskrb5_context, cred); free_Checksum(&cksum); - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) - krb5_cc_close(gssapi_krb5_context, ccache); + if (initiator_cred_handle == NULL) + krb5_cc_close(_gsskrb5_context, ccache); if (flags & GSS_C_MUTUAL_FLAG) { + *context_handle = (gss_ctx_id_t)ctx; return GSS_S_CONTINUE_NEEDED; } else { int32_t seq_number; int is_cfx = 0; - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, + krb5_auth_getremoteseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); - gsskrb5_is_cfx(*context_handle, &is_cfx); + _gsskrb5i_is_cfx(ctx, &is_cfx); ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, + &ctx->order, _gssapi_msg_order_f(flags), seq_number, 0, is_cfx); if (ret) 
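Review bot: `krb5_free_creds(_gsskrb5_context, cred);` and the conditional `krb5_cc_close(_gsskrb5_context, ccache);` run before the `if (flags & GSS_C_MUTUAL_FLAG)` branch, but neither `cred` nor `ccache` is reset to NULL, so if the `_gssapi_msg_order_create` failure at the very end of the hunk jumps to `failure:` (the jump itself is just outside the hunk), the cleanup there — `if(cred) krb5_free_creds(...)` and `if (ccache && initiator_cred_handle == NULL) krb5_cc_close(...)` — releases the credentials and closes the cache a second time. Clearing the pointers after the first release, `cred = NULL;` after `krb5_free_creds` and `ccache = NULL;` after `krb5_cc_close`, makes the guards in `failure:` effective. `free_Checksum(&cksum)` would have the same shape if `failure:` ever touched `cksum`, though nothing visible does.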
@@ -448,28 +450,29 @@ init_auth if (time_rec) *time_rec = lifetime_rec; - (*context_handle)->more_flags |= OPEN; + ctx->more_flags |= OPEN; + *context_handle = (gss_ctx_id_t)ctx; return GSS_S_COMPLETE; } - failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); +failure: + krb5_auth_con_free (_gsskrb5_context, + ctx->auth_context); krb5_data_free (&outbuf); if(cred) - krb5_free_creds(gssapi_krb5_context, cred); - if (ccache && initiator_cred_handle == GSS_C_NO_CREDENTIAL) - krb5_cc_close(gssapi_krb5_context, ccache); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - free (*context_handle); + krb5_free_creds(_gsskrb5_context, cred); + if (ccache && initiator_cred_handle == NULL) + krb5_cc_close(_gsskrb5_context, ccache); + if(ctx->source) + krb5_free_principal (_gsskrb5_context, + ctx->source); + if(ctx->target) + krb5_free_principal (_gsskrb5_context, + ctx->target); + if(ctx->order) + _gssapi_msg_order_destroy(&ctx->order); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + free(ctx); *context_handle = GSS_C_NO_CONTEXT; return ret; } @@ -477,7 +480,7 @@ init_auth static OM_uint32 repl_mutual (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, + const gsskrb5_cred initiator_cred_handle, gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type, 
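Review bot: The `failure:` label begins with an unconditional `krb5_auth_con_free (_gsskrb5_context, ctx->auth_context);`, but the first `goto failure` in `init_auth` is the `krb5_auth_con_init` error path, where `ctx->auth_context` is still the NULL it was initialised to; unless `krb5_auth_con_free` tolerates a NULL handle (not visible here) this wants a guard, `if (ctx->auth_context) krb5_auth_con_free (_gsskrb5_context, ctx->auth_context);`. Separately, the new `repl_mutual` prototype takes `const gsskrb5_cred initiator_cred_handle` while `init_auth` now takes plain `gsskrb5_cred`; on a typedef'd pointer the `const` qualifies the pointer variable rather than the credential, so it buys nothing and the two helpers should agree. `repl_mutual`'s parameter list continues past the end of the hunk.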
@@ -497,508 +500,91 @@ repl_mutual krb5_data indata; krb5_ap_rep_enc_part *repl; int is_cfx = 0; + gsskrb5_ctx ctx = (gsskrb5_ctx) *context_handle; output_token->length = 0; output_token->value = NULL; - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; - ret = gssapi_krb5_decapsulate (minor_status, input_token, &indata, + ret = _gsskrb5_decapsulate (minor_status, input_token, &indata, "\x02\x00", GSS_KRB5_MECHANISM); if (ret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* XXX - Handle AP_ERROR */ return ret; } - kret = krb5_rd_rep (gssapi_krb5_context, - (*context_handle)->auth_context, + kret = krb5_rd_rep (_gsskrb5_context, + ctx->auth_context, &indata, &repl); if (kret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - gssapi_krb5_set_error_string (); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } - krb5_free_ap_rep_enc_part (gssapi_krb5_context, + krb5_free_ap_rep_enc_part (_gsskrb5_context, repl); - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, + krb5_auth_getremoteseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); - gsskrb5_is_cfx(*context_handle, &is_cfx); + _gsskrb5i_is_cfx(ctx, &is_cfx); ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f((*context_handle)->flags), + &ctx->order, + _gssapi_msg_order_f(ctx->flags), seq_number, 0, is_cfx); if (ret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return ret; } - (*context_handle)->more_flags |= OPEN; + ctx->more_flags |= OPEN; *minor_status = 0; if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, time_rec); } 
else { ret = GSS_S_COMPLETE; } if (ret_flags) - *ret_flags = (*context_handle)->flags; - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + *ret_flags = ctx->flags; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return ret; } -static OM_uint32 -gsskrb5_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return init_auth (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return repl_mutual(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} - -static OM_uint32 -spnego_reply - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_data indata; - NegotiationToken token; - NegTokenTarg *targ; - u_char oidbuf[17]; - size_t oidlen; - gss_buffer_desc sub_token; - ssize_t mech_len; - const u_char *p; - krb5_boolean require_mic; - - output_token->length = 0; - output_token->value = NULL; - - /* - * SPNEGO doesn't include gss wrapping on 
SubsequentContextToken - * like the Kerberos 5 mech does. But lets check for it anyway. - */ - - mech_len = gssapi_krb5_get_mech (input_token->value, - input_token->length, - &p); - - if (mech_len < 0) { - indata.data = input_token->value; - indata.length = input_token->length; - } else if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(GSS_KRB5_MECHANISM->elements, p, mech_len) == 0) - return gsskrb5_init_sec_context (minor_status, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(GSS_SPNEGO_MECHANISM->elements, p, mech_len) == 0){ - ret = _gssapi_decapsulate (minor_status, - input_token, - &indata, - GSS_SPNEGO_MECHANISM); - if (ret) - return ret; - } else - return GSS_S_BAD_MECH; - - ret = decode_NegotiationToken(indata.data, indata.length, &token, NULL); - if (ret) { - gssapi_krb5_set_status("Failed to decode NegotiationToken"); - *minor_status = ret; - return GSS_S_FAILURE; - } - - if(token.element != choice_NegotiationToken_negTokenTarg ) { - gssapi_krb5_set_status("NegotiationToken not a NegTokenTarg"); - *minor_status = ASN1_OVERRUN; - return GSS_S_FAILURE; - } - targ = &token.u.negTokenTarg; - - if (targ->negResult == NULL - || *(targ->negResult) == reject - || targ->supportedMech == NULL) { - free_NegotiationToken(&token); - return GSS_S_BAD_MECH; - } - - ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1, - sizeof(oidbuf), - targ->supportedMech, - &oidlen); - if (ret || oidlen != GSS_KRB5_MECHANISM->length - || memcmp(oidbuf + sizeof(oidbuf) - oidlen, - GSS_KRB5_MECHANISM->elements, - oidlen) != 0) { - free_NegotiationToken(&token); - return GSS_S_BAD_MECH; - } - - if (targ->responseToken != NULL) { - sub_token.length = targ->responseToken->length; - sub_token.value = targ->responseToken->data; - } else { - sub_token.length = 0; - 
sub_token.value = NULL; - } - - ret = gsskrb5_init_sec_context(minor_status, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - &sub_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - if (ret) { - free_NegotiationToken(&token); - return ret; - } - - /* - * Verify the mechListMIC if CFX was used; or if local policy - * dictated so. - */ - ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle, - &require_mic); - if (ret) { - free_NegotiationToken(&token); - return ret; - } - - if (require_mic) { - MechTypeList mechlist; - MechType m0; - size_t buf_len; - gss_buffer_desc mic_buf, mech_buf; - - if (targ->mechListMIC == NULL) { - free_NegotiationToken(&token); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - mechlist.len = 1; - mechlist.val = &m0; - - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - &m0, - NULL); - if (ret) { - free_NegotiationToken(&token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, - &mechlist, &buf_len, ret); - if (ret) { - free_NegotiationToken(&token); - free_oid(&m0); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - if (mech_buf.length != buf_len) - abort(); - - mic_buf.length = targ->mechListMIC->length; - mic_buf.value = targ->mechListMIC->data; - - ret = gss_verify_mic(minor_status, *context_handle, - &mech_buf, &mic_buf, NULL); - free(mech_buf.value); - free_oid(&m0); - } - free_NegotiationToken(&token); - return ret; -} - -static OM_uint32 -spnego_initial - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - 
OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - NegTokenInit ni; - int ret; - OM_uint32 sub, minor; - gss_buffer_desc mech_token; - u_char *buf; - size_t buf_size, buf_len; - krb5_data data; - - memset (&ni, 0, sizeof(ni)); - - ALLOC(ni.mechTypes, 1); - if (ni.mechTypes == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ALLOC_SEQ(ni.mechTypes, 1); - if (ni.mechTypes->val == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - &ni.mechTypes->val[0], - NULL); - if (ret) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - -#if 0 - ALLOC(ni.reqFlags, 1); - if (ni.reqFlags == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ni.reqFlags->delegFlag = req_flags & GSS_C_DELEG_FLAG; - ni.reqFlags->mutualFlag = req_flags & GSS_C_MUTUAL_FLAG; - ni.reqFlags->replayFlag = req_flags & GSS_C_REPLAY_FLAG; - ni.reqFlags->sequenceFlag = req_flags & GSS_C_SEQUENCE_FLAG; - ni.reqFlags->anonFlag = req_flags & GSS_C_ANON_FLAG; - ni.reqFlags->confFlag = req_flags & GSS_C_CONF_FLAG; - ni.reqFlags->integFlag = req_flags & GSS_C_INTEG_FLAG; -#else - ni.reqFlags = NULL; -#endif - - sub = gsskrb5_init_sec_context(&minor, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - GSS_C_NO_BUFFER, - actual_mech_type, - &mech_token, - ret_flags, - time_rec); - if (GSS_ERROR(sub)) { - free_NegTokenInit(&ni); - return sub; - } - if (mech_token.length != 0) { - ALLOC(ni.mechToken, 1); - if (ni.mechToken == NULL) { - free_NegTokenInit(&ni); - gss_release_buffer(&minor, &mech_token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ni.mechToken->length = mech_token.length; - ni.mechToken->data = malloc(mech_token.length); - if (ni.mechToken->data == NULL && mech_token.length != 0) { - free_NegTokenInit(&ni); - 
gss_release_buffer(&minor, &mech_token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(ni.mechToken->data, mech_token.value, mech_token.length); - gss_release_buffer(&minor, &mech_token); - } else - ni.mechToken = NULL; - - /* XXX ignore mech list mic for now */ - ni.mechListMIC = NULL; - - - { - NegotiationToken nt; - - nt.element = choice_NegotiationToken_negTokenInit; - nt.u.negTokenInit = ni; - - ASN1_MALLOC_ENCODE(NegotiationToken, buf, buf_size, - &nt, &buf_len, ret); - if (ret == 0 && buf_size != buf_len) - abort(); - } - - data.data = buf; - data.length = buf_size; - - free_NegTokenInit(&ni); - if (ret) - return ret; - - sub = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); - free (buf); - - if (sub) - return sub; - - return GSS_S_CONTINUE_NEEDED; -} - -static OM_uint32 -spnego_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return spnego_initial (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return spnego_reply (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} - /* * gss_init_sec_context */ -OM_uint32 gss_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const 
gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) +OM_uint32 _gsskrb5_init_sec_context +(OM_uint32 * minor_status, + const gss_cred_id_t initiator_cred_handle, + gss_ctx_id_t * context_handle, + const gss_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) { + gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle; + GSSAPI_KRB5_INIT (); output_token->length = 0; 
@@ -1016,35 +602,37 @@ OM_uint32 gss_init_sec_context return GSS_S_BAD_NAME; } - if (mech_type == GSS_C_NO_OID || - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) - return gsskrb5_init_sec_context(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM)) - return spnego_init_sec_context (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else + if (mech_type != GSS_C_NO_OID && + !gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) return GSS_S_BAD_MECH; + + + if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) + return init_auth (minor_status, + cred, + context_handle, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + else + return repl_mutual(minor_status, + cred, + context_handle, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); } diff --git a/lib/gssapi/krb5/inquire_context.c b/lib/gssapi/krb5/inquire_context.c index 4fddfd379..2ba41646c 100644 --- a/lib/gssapi/krb5/inquire_context.c +++ b/lib/gssapi/krb5/inquire_context.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_inquire_context ( +OM_uint32 _gsskrb5_inquire_context ( OM_uint32 * minor_status, const gss_ctx_id_t context_handle, gss_name_t * src_name, 
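Review bot: The new dispatch sends every non-empty `input_token` to `repl_mutual`, which (previous hunk) immediately does `HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex)` on `ctx = (gsskrb5_ctx) *context_handle`, so a caller that supplies a continuation token with `*context_handle == GSS_C_NO_CONTEXT` dereferences NULL inside the mechanism instead of receiving a status. The old code had the same gap, but now that this is the mechanism entry point behind a glue layer it is cheap to reject here: `else if (*context_handle == GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_NO_CONTEXT; }` ahead of the `repl_mutual` call. Whether the glue layer already screens this before calling in is not visible from the diff.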
@@ -48,28 +48,29 @@ OM_uint32 gss_inquire_context ( ) { OM_uint32 ret; + gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); if (src_name) { - ret = gss_duplicate_name (minor_status, - context_handle->source, - src_name); + ret = _gsskrb5_duplicate_name (minor_status, + ctx->source, + src_name); if (ret) goto failed; } if (targ_name) { - ret = gss_duplicate_name (minor_status, - context_handle->target, - targ_name); + ret = _gsskrb5_duplicate_name (minor_status, + ctx->target, + targ_name); if (ret) goto failed; } if (lifetime_rec) { - ret = gssapi_lifetime_left(minor_status, - context_handle->lifetime, + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, lifetime_rec); if (ret) goto failed; @@ -79,19 +80,19 @@ OM_uint32 gss_inquire_context ( *mech_type = GSS_KRB5_MECHANISM; if (ctx_flags) - *ctx_flags = context_handle->flags; + *ctx_flags = ctx->flags; if (locally_initiated) - *locally_initiated = context_handle->more_flags & LOCAL; + *locally_initiated = ctx->more_flags & LOCAL; if (open_context) - *open_context = context_handle->more_flags & OPEN; + *open_context = ctx->more_flags & OPEN; *minor_status = 0; ret = GSS_S_COMPLETE; failed: - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return ret; } diff --git a/lib/gssapi/krb5/inquire_cred.c b/lib/gssapi/krb5/inquire_cred.c index 1663d2cb1..9abc3a07c 100644 --- a/lib/gssapi/krb5/inquire_cred.c +++ b/lib/gssapi/krb5/inquire_cred.c 
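Review bot: `_gsskrb5_inquire_context` locks `ctx->ctx_id_mutex` directly after `gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;`, so a GSS_C_NO_CONTEXT handle becomes a NULL dereference rather than the GSS_S_NO_CONTEXT status a caller expects; add `if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; }` before the lock. On the `failed:` path a `*src_name` already produced by the first `_gsskrb5_duplicate_name` is not released when the `targ_name` or `lifetime_rec` step fails, so the caller gets an error and a leaked name; releasing it with `_gsskrb5_release_name` under `failed:` (only when `src_name` was requested) would close that. The function's parameter list begins before the hunk.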
@@ -31,20 +31,21 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_inquire_cred - (OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - gss_cred_usage_t * cred_usage, - gss_OID_set * mechanisms - ) +OM_uint32 _gsskrb5_inquire_cred +(OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + gss_name_t * name, + OM_uint32 * lifetime, + gss_cred_usage_t * cred_usage, + gss_OID_set * mechanisms + ) { - gss_cred_id_t cred; + gss_cred_id_t aqcred = GSS_C_NO_CREDENTIAL; + gsskrb5_cred cred; OM_uint32 ret; *minor_status = 0; @@ -55,37 +56,38 @@ OM_uint32 gss_inquire_cred *mechanisms = GSS_C_NO_OID_SET; if (cred_handle == GSS_C_NO_CREDENTIAL) { - ret = gss_acquire_cred(minor_status, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_BOTH, - &cred, - NULL, - NULL); + ret = _gsskrb5_acquire_cred(minor_status, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_BOTH, + &aqcred, + NULL, + NULL); if (ret) return ret; + cred = (gsskrb5_cred)aqcred; } else - cred = (gss_cred_id_t)cred_handle; + cred = (gsskrb5_cred)cred_handle; HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); if (name != NULL) { if (cred->principal != NULL) { - ret = gss_duplicate_name(minor_status, cred->principal, - name); + ret = _gsskrb5_duplicate_name(minor_status, cred->principal, + name); if (ret) goto out; } else if (cred->usage == GSS_C_ACCEPT) { - *minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL, - NULL, KRB5_NT_SRV_HST, name); + *minor_status = krb5_sname_to_principal(_gsskrb5_context, NULL, + NULL, KRB5_NT_SRV_HST, name); if (*minor_status) { ret = GSS_S_FAILURE; goto out; } } else { - *minor_status = krb5_get_default_principal(gssapi_krb5_context, - name); + *minor_status = krb5_get_default_principal(_gsskrb5_context, + name); if (*minor_status) { ret = GSS_S_FAILURE; goto out; 
@@ -93,7 +95,7 @@ OM_uint32 gss_inquire_cred } } if (lifetime != NULL) { - ret = gssapi_lifetime_left(minor_status, + ret = _gsskrb5_lifetime_left(minor_status, cred->lifetime, lifetime); if (ret) @@ -103,21 +105,21 @@ OM_uint32 gss_inquire_cred *cred_usage = cred->usage; if (mechanisms != NULL) { - ret = gss_create_empty_oid_set(minor_status, mechanisms); + ret = _gsskrb5_create_empty_oid_set(minor_status, mechanisms); if (ret) goto out; - ret = gss_add_oid_set_member(minor_status, - &cred->mechanisms->elements[0], - mechanisms); + ret = _gsskrb5_add_oid_set_member(minor_status, + &cred->mechanisms->elements[0], + mechanisms); if (ret) goto out; } ret = GSS_S_COMPLETE; - out: +out: HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - if (cred_handle == GSS_C_NO_CREDENTIAL) - ret = gss_release_cred(minor_status, &cred); + if (aqcred != GSS_C_NO_CREDENTIAL) + ret = _gsskrb5_release_cred(minor_status, &aqcred); return ret; } diff --git a/lib/gssapi/krb5/inquire_cred_by_mech.c b/lib/gssapi/krb5/inquire_cred_by_mech.c index 9d0dfae61..a91f8d741 100644 --- a/lib/gssapi/krb5/inquire_cred_by_mech.c +++ b/lib/gssapi/krb5/inquire_cred_by_mech.c @@ -31,18 +31,18 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - const gss_OID mech_type, - gss_name_t * name, - OM_uint32 * initiator_lifetime, - OM_uint32 * acceptor_lifetime, - gss_cred_usage_t * cred_usage +OM_uint32 _gsskrb5_inquire_cred_by_mech ( + OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + const gss_OID mech_type, + gss_name_t * name, + OM_uint32 * initiator_lifetime, + OM_uint32 * acceptor_lifetime, + gss_cred_usage_t * cred_usage ) { OM_uint32 ret; 
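Review bot: At the `out:` label in inquire_cred.c the release of the locally acquired credential overwrites `ret`, so a failure from an earlier step (for example `krb5_sname_to_principal` having set `*minor_status` and `ret = GSS_S_FAILURE`) is replaced by the release's result, and `_gsskrb5_release_cred` also resets `*minor_status` to 0 (its first statement in release_cred.c in this commit). Release into scratch storage and keep the original status: `OM_uint32 junk; if (aqcred != GSS_C_NO_CREDENTIAL) _gsskrb5_release_cred(&junk, &aqcred);`. The same masking existed before the rename with `cred`, so this is an inherited defect rather than one introduced here. The earlier part of the function is in the preceding hunks.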
@@ -54,19 +54,20 @@ OM_uint32 gss_inquire_cred_by_mech ( return GSS_S_BAD_MECH; } - ret = gss_inquire_cred (minor_status, - cred_handle, - name, - &lifetime, - cred_usage, - NULL); + ret = _gsskrb5_inquire_cred (minor_status, + cred_handle, + name, + &lifetime, + cred_usage, + NULL); if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) { + gsskrb5_cred cred = (gsskrb5_cred)cred_handle; gss_cred_usage_t usage; - HEIMDAL_MUTEX_lock(&cred_handle->cred_id_mutex); - usage = cred_handle->usage; - HEIMDAL_MUTEX_unlock(&cred_handle->cred_id_mutex); + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); + usage = cred->usage; + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); if (initiator_lifetime) { if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH) diff --git a/lib/gssapi/krb5/inquire_cred_by_oid.c b/lib/gssapi/krb5/inquire_cred_by_oid.c new file mode 100644 index 000000000..c408eaeff --- /dev/null +++ b/lib/gssapi/krb5/inquire_cred_by_oid.c 
@@ -0,0 +1,90 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "gsskrb5_locl.h" + +RCSID("$Id$"); + +OM_uint32 _gsskrb5_inquire_cred_by_oid + (OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + gsskrb5_cred cred = (gsskrb5_cred)cred_handle; + krb5_error_code kret; + krb5_ccache_data ccache; + gss_buffer_desc ccache_ops_buf; + gss_buffer_desc ccache_data_buf; + OM_uint32 ret; + + if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); + + if (cred->ccache == NULL) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, &ccache); + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + if (kret) { + *minor_status = kret; + _gsskrb5_set_error_string (); + return GSS_S_FAILURE; + } + + ccache_ops_buf.value = (void *)ccache.ops->prefix; + ccache_ops_buf.length = strlen(ccache.ops->prefix); + + ccache_data_buf.value = ccache.data.data; + ccache_data_buf.length = ccache.data.length; + + ret = gss_add_buffer_set_member(minor_status, + &ccache_ops_buf, + data_set); + if (ret == 0) { + ret = gss_add_buffer_set_member(minor_status, + &ccache_data_buf, + data_set); + } + + krb5_cc_close(_gsskrb5_context, &ccache); + + return GSS_S_COMPLETE; +} + diff --git a/lib/gssapi/krb5/inquire_mechs_for_name.c b/lib/gssapi/krb5/inquire_mechs_for_name.c index fb3709f93..9ffce6846 100644 --- a/lib/gssapi/krb5/inquire_mechs_for_name.c +++ b/lib/gssapi/krb5/inquire_mechs_for_name.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_inquire_mechs_for_name ( +OM_uint32 _gsskrb5_inquire_mechs_for_name ( OM_uint32 * minor_status, const gss_name_t input_name, gss_OID_set * mech_types 
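Review bot: `_gsskrb5_inquire_cred_by_oid` casts `cred_handle` and locks `cred->cred_id_mutex` without rejecting `GSS_C_NO_CREDENTIAL`, so a caller passing the default credential dereferences NULL; add `if (cred_handle == GSS_C_NO_CREDENTIAL) { *minor_status = EINVAL; return GSS_S_NO_CRED; }` before the lock. The function also computes `ret` from the two `gss_add_buffer_set_member` calls and then ends with `return GSS_S_COMPLETE;`, so an allocation failure is reported as success with a partial `data_set`; the last line should be `return ret;`, and on the second failure the partially built set should be released rather than handed back. Note that this hands the caller the cache type prefix and the cache residual (`ccache.data`), i.e. a reference to the credential cache; that is presumably the intended contract for `GSS_KRB5_COPY_CCACHE_X`, but it is worth stating in a comment above the function.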
@@ -43,15 +43,15 @@ OM_uint32 gss_inquire_mechs_for_name ( { OM_uint32 ret; - ret = gss_create_empty_oid_set(minor_status, mech_types); + ret = _gsskrb5_create_empty_oid_set(minor_status, mech_types); if (ret) return ret; - ret = gss_add_oid_set_member(minor_status, - GSS_KRB5_MECHANISM, - mech_types); + ret = _gsskrb5_add_oid_set_member(minor_status, + GSS_KRB5_MECHANISM, + mech_types); if (ret) - gss_release_oid_set(NULL, mech_types); + _gsskrb5_release_oid_set(NULL, mech_types); return ret; } diff --git a/lib/gssapi/krb5/inquire_names_for_mech.c b/lib/gssapi/krb5/inquire_names_for_mech.c index 7441d99b9..40c4d6b4a 100644 --- a/lib/gssapi/krb5/inquire_names_for_mech.c +++ b/lib/gssapi/krb5/inquire_names_for_mech.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -44,7 +44,7 @@ static gss_OID *name_list[] = { NULL }; -OM_uint32 gss_inquire_names_for_mech ( +OM_uint32 _gsskrb5_inquire_names_for_mech ( OM_uint32 * minor_status, const gss_OID mechanism, gss_OID_set * name_types @@ -61,20 +61,20 @@ OM_uint32 gss_inquire_names_for_mech ( return GSS_S_BAD_MECH; } - ret = gss_create_empty_oid_set(minor_status, name_types); + ret = _gsskrb5_create_empty_oid_set(minor_status, name_types); if (ret != GSS_S_COMPLETE) return ret; for (i = 0; name_list[i] != NULL; i++) { - ret = gss_add_oid_set_member(minor_status, - *(name_list[i]), - name_types); + ret = _gsskrb5_add_oid_set_member(minor_status, + *(name_list[i]), + name_types); if (ret != GSS_S_COMPLETE) break; } if (ret != GSS_S_COMPLETE) - gss_release_oid_set(NULL, name_types); + _gsskrb5_release_oid_set(NULL, name_types); return GSS_S_COMPLETE; } diff --git a/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/lib/gssapi/krb5/inquire_sec_context_by_oid.c new file mode 100644 index 000000000..a16f45b08 --- /dev/null +++ b/lib/gssapi/krb5/inquire_sec_context_by_oid.c 
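Review bot: In `_gsskrb5_inquire_names_for_mech` (the `@@ -61,20 +61,20 @@` hunk on this line) the loop's failure path releases `name_types` but the function still ends with `return GSS_S_COMPLETE;`, so a failed `_gsskrb5_add_oid_set_member` is reported as success while `*name_types` has already been released; change the final line to `return ret;`. `_gsskrb5_inquire_mechs_for_name` in the first hunk already returns `ret`, so this also makes the two routines consistent. The `return GSS_S_COMPLETE;` is an unchanged line, so the defect predates the rename.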
@@ -0,0 +1,214 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "gsskrb5_locl.h" + +RCSID("$Id$"); + +static int +oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix) +{ + int ret; + heim_oid oid; + heim_oid prefix; + + *suffix = 0; + + ret = der_get_oid(oid_enc->elements, oid_enc->length, + &oid, NULL); + if (ret) { + return 0; + } + + ret = der_get_oid(prefix_enc->elements, prefix_enc->length, + &prefix, NULL); + if (ret) { + free_oid(&oid); + return 0; + } + + ret = 0; + + if (oid.length - 1 == prefix.length) { + *suffix = oid.components[oid.length - 1]; + oid.length--; + ret = (heim_oid_cmp(&oid, &prefix) == 0); + oid.length++; + } + + free_oid(&oid); + free_oid(&prefix); + + return ret; +} + +static OM_uint32 inquire_sec_context_tkt_flags + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + gss_buffer_set_t *data_set) +{ + OM_uint32 tkt_flags; + unsigned char buf[4]; + gss_buffer_desc value; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + + if (context_handle->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + *minor_status = EINVAL; + return GSS_S_BAD_MECH; + } + + tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + _gsskrb5_encode_om_uint32(tkt_flags, buf); + value.length = sizeof(buf); + value.value = buf; + + return gss_add_buffer_set_member(minor_status, + &value, + data_set); +} + +static OM_uint32 inquire_sec_context_authz_data + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + unsigned ad_type, + gss_buffer_set_t *data_set) +{ + krb5_data data; + gss_buffer_desc ad_data; + OM_uint32 ret; + + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + if (context_handle->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context, + context_handle->ticket, + ad_type, 
+ &data); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + ad_data.value = data.data; + ad_data.length = data.length; + + ret = gss_add_buffer_set_member(minor_status, + &ad_data, + data_set); + + krb5_data_free(&data); + + return ret; +} + +static OM_uint32 inquire_sec_context_has_updated_spnego + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + gss_buffer_set_t *data_set) +{ + int is_updated = 0; + + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + + /* + * For Windows SPNEGO implementations, both the initiator and the + * acceptor are assumed to have been updated if a "newer" [CLAR] or + * different enctype is negotiated for use by the Kerberos GSS-API + * mechanism. + */ + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + _gsskrb5i_is_cfx(context_handle, &is_updated); + if (is_updated == 0) { + krb5_keyblock *acceptor_subkey; + + if (context_handle->more_flags & LOCAL) + acceptor_subkey = context_handle->auth_context->remote_subkey; + else + acceptor_subkey = context_handle->auth_context->local_subkey; + + if (acceptor_subkey != NULL) + is_updated = (acceptor_subkey->keytype != + context_handle->auth_context->keyblock->keytype); + } + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + return is_updated ? 
GSS_S_COMPLETE : GSS_S_FAILURE; +} + +OM_uint32 _gsskrb5_inquire_sec_context_by_oid + (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; + unsigned suffix; + + if (ctx == NULL) { + *minor_status = EINVAL; + return GSS_S_NO_CONTEXT; + } + + if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) { + return inquire_sec_context_tkt_flags(minor_status, + ctx, + data_set); + } else if (gss_oid_equal(desired_object, GSS_C_PEER_HAS_UPDATED_SPNEGO)) { + return inquire_sec_context_has_updated_spnego(minor_status, + ctx, + data_set); + } else if (oid_prefix_equal(desired_object, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X, + &suffix)) { + return inquire_sec_context_authz_data(minor_status, + ctx, + suffix, + data_set); + } else { + *minor_status = 0; + return GSS_S_FAILURE; + } +} + diff --git a/lib/gssapi/krb5/oid_to_str.c b/lib/gssapi/krb5/oid_to_str.c deleted file mode 100644 index b2bf41dda..000000000 --- a/lib/gssapi/krb5/oid_to_str.c +++ /dev/null 
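Review bot: `inquire_sec_context_tkt_flags` passes `data_set` to `gss_add_buffer_set_member` without first setting `*data_set = GSS_C_NO_BUFFER_SET;` and `*minor_status = 0;`, unlike the sibling helpers `inquire_sec_context_authz_data` and `inquire_sec_context_has_updated_spnego` in the same file; if the add routine appends to whatever `*data_set` already holds, an uninitialised caller variable would be treated as an existing set. Adding the same two initialisations at the top of the helper makes the three consistent. Its body is otherwise a copy of `_gsskrb5_get_tkt_flags` from ticket_flags.c in this commit, so it could call that and only encode the result. In `oid_prefix_equal`, `oid.length - 1 == prefix.length` is evaluated on an unsigned length; `der_get_oid` presumably never yields an empty OID, but an `oid.length > 0 &&` guard would make the wraparound impossible to reach.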
@@ -1,67 +0,0 @@ -/* - * Copyright (c) 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) -{ - krb5_error_code ret; - size_t size; - heim_oid o; - char *p; - - oid_str->value = NULL; - oid_str->length = 0; - - ret = der_get_oid (oid->elements, oid->length, &o, &size); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = der_print_heim_oid(&o, &p); - free_oid(&o); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - oid_str->value = p; - oid_str->length = strlen(p) + 1; - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/process_context_token.c b/lib/gssapi/krb5/process_context_token.c index 70108ec1a..e5632665f 100644 --- a/lib/gssapi/krb5/process_context_token.c +++ b/lib/gssapi/krb5/process_context_token.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_process_context_token ( +OM_uint32 _gsskrb5_process_context_token ( OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t token_buffer @@ -50,14 +50,15 @@ OM_uint32 gss_process_context_token ( qop_state = GSS_C_QOP_DEFAULT; - ret = gss_verify_mic_internal(minor_status, context_handle, - token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); + ret = _gsskrb5_verify_mic_internal(minor_status, + (gsskrb5_ctx)context_handle, + token_buffer, &empty_buffer, + GSS_C_QOP_DEFAULT, "\x01\x02"); if (ret == GSS_S_COMPLETE) - ret = gss_delete_sec_context(minor_status, - rk_UNCONST(&context_handle), - GSS_C_NO_BUFFER); + ret = _gsskrb5_delete_sec_context(minor_status, + rk_UNCONST(&context_handle), + GSS_C_NO_BUFFER); if (ret == GSS_S_COMPLETE) *minor_status = 0; diff --git a/lib/gssapi/krb5/release_buffer.c b/lib/gssapi/krb5/release_buffer.c index 60782bff7..3d074ea9b 100644 --- a/lib/gssapi/krb5/release_buffer.c +++ b/lib/gssapi/krb5/release_buffer.c 
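Review bot: In the `@@ -50,14 +50,15 @@` hunk of process_context_token.c the delete is done through `rk_UNCONST(&context_handle)`, the address of the callee's own copy of the `const gss_ctx_id_t` parameter, so whatever `_gsskrb5_delete_sec_context` stores back (presumably `GSS_C_NO_CONTEXT`) never reaches the caller, whose handle then refers to freed memory. This is inherited from the old `gss_delete_sec_context` call rather than introduced here, but the new form deserves a comment stating the contract, e.g. `/* the context is deleted in place; the caller's handle is stale after a successful return */`. The function continues below the hunk.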
@@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_release_buffer +OM_uint32 _gsskrb5_release_buffer (OM_uint32 * minor_status, gss_buffer_t buffer ) diff --git a/lib/gssapi/krb5/release_cred.c b/lib/gssapi/krb5/release_cred.c index f21acad83..eede19ea0 100644 --- a/lib/gssapi/krb5/release_cred.c +++ b/lib/gssapi/krb5/release_cred.c 
@@ -31,43 +31,46 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_release_cred +OM_uint32 _gsskrb5_release_cred (OM_uint32 * minor_status, gss_cred_id_t * cred_handle ) { + gsskrb5_cred cred; + *minor_status = 0; - if (*cred_handle == GSS_C_NO_CREDENTIAL) { + if (*cred_handle == NULL) return GSS_S_COMPLETE; - } + + cred = (gsskrb5_cred)*cred_handle; + *cred_handle = GSS_C_NO_CREDENTIAL; GSSAPI_KRB5_INIT (); - HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex); + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - if ((*cred_handle)->principal != NULL) - krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); - if ((*cred_handle)->keytab != NULL) - krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); - if ((*cred_handle)->ccache != NULL) { + if (cred->principal != NULL) + krb5_free_principal(_gsskrb5_context, cred->principal); + if (cred->keytab != NULL) + krb5_kt_close(_gsskrb5_context, cred->keytab); + if (cred->ccache != NULL) { const krb5_cc_ops *ops; - ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache); - if ((*cred_handle)->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) - krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache); + ops = krb5_cc_get_ops(_gsskrb5_context, cred->ccache); + if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) + krb5_cc_destroy(_gsskrb5_context, cred->ccache); else - krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache); + krb5_cc_close(_gsskrb5_context, cred->ccache); } - gss_release_oid_set(NULL, &(*cred_handle)->mechanisms); - HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex); - HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex); - memset(*cred_handle, 0, sizeof(**cred_handle)); - free(*cred_handle); - *cred_handle = GSS_C_NO_CREDENTIAL; + _gsskrb5_release_oid_set(NULL, &cred->mechanisms); + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + HEIMDAL_MUTEX_destroy(&cred->cred_id_mutex); + memset(cred, 0, sizeof(*cred)); + free(cred); 
return GSS_S_COMPLETE; } diff --git a/lib/gssapi/krb5/release_name.c b/lib/gssapi/krb5/release_name.c index 042153a48..235eef54e 100644 --- a/lib/gssapi/krb5/release_name.c +++ b/lib/gssapi/krb5/release_name.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_release_name +OM_uint32 _gsskrb5_release_name (OM_uint32 * minor_status, gss_name_t * input_name ) @@ -43,7 +43,7 @@ OM_uint32 gss_release_name GSSAPI_KRB5_INIT (); if (minor_status) *minor_status = 0; - krb5_free_principal(gssapi_krb5_context, + krb5_free_principal(_gsskrb5_context, *input_name); *input_name = GSS_C_NO_NAME; return GSS_S_COMPLETE; diff --git a/lib/gssapi/krb5/release_oid_set.c b/lib/gssapi/krb5/release_oid_set.c index 4bdcf4285..17a919a57 100644 --- a/lib/gssapi/krb5/release_oid_set.c +++ b/lib/gssapi/krb5/release_oid_set.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_release_oid_set +OM_uint32 _gsskrb5_release_oid_set (OM_uint32 * minor_status, gss_OID_set * set ) diff --git a/lib/gssapi/krb5/sequence.c b/lib/gssapi/krb5/sequence.c index 431a43efb..47313eeb3 100644 --- a/lib/gssapi/krb5/sequence.c +++ b/lib/gssapi/krb5/sequence.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/lib/gssapi/krb5/set_sec_context_option.c b/lib/gssapi/krb5/set_sec_context_option.c new file mode 100644 index 000000000..f8dec47a6 --- /dev/null +++ b/lib/gssapi/krb5/set_sec_context_option.c 
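Review bot: `_gsskrb5_release_cred` now clears `*cred_handle` to `GSS_C_NO_CREDENTIAL` before `GSSAPI_KRB5_INIT ()`; if that macro can return early on initialisation failure (not visible here), the credential is orphaned and leaks. Clearing the caller's handle after the init call, or just before the lock, keeps the old ordering. The `memset(cred, 0, sizeof(*cred))` immediately before `free(cred)` is a dead store the compiler may drop; none of the visible fields look like key material, so a comment such as `/* best-effort scrub; not guaranteed to survive optimisation */` would be enough, or an explicit-zeroing routine if the tree provides one.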
@@ -0,0 +1,94 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* + * glue routine for _gsskrb5_inquire_sec_context_by_oid + */ + +#include "gsskrb5_locl.h" + +RCSID("$Id$"); + +static OM_uint32 +set_compat_des3_mic_context_option + (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_buffer_t value) +{ + gsskrb5_ctx ctx; + const char *p; + + if (*context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_NO_CONTEXT; + } + + if (value->value == NULL || value->length != 1) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + p = (const char *)value->value; + + ctx = (gsskrb5_ctx)*context_handle; + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + if (*p) { + ctx->more_flags |= COMPAT_OLD_DES3; + } else { + ctx->more_flags &= ~COMPAT_OLD_DES3; + } + ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + return GSS_S_COMPLETE; +} + +OM_uint32 +_gsskrb5_set_sec_context_option + (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + if (value == GSS_C_NO_BUFFER) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) { + return set_compat_des3_mic_context_option(minor_status, + context_handle, + value); + } + + *minor_status = EINVAL; + return GSS_S_FAILURE; +} diff --git a/lib/gssapi/krb5/spkm.asn1 b/lib/gssapi/krb5/spkm.asn1 deleted file mode 100644 index 5c14196a4..000000000 --- a/lib/gssapi/krb5/spkm.asn1 +++ /dev/null 
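Review bot: The file header comment reads `glue routine for _gsskrb5_inquire_sec_context_by_oid`, but the file implements `_gsskrb5_set_sec_context_option`; it should say `/* glue routine for _gsskrb5_set_sec_context_option */`. `set_compat_des3_mic_context_option` checks `*context_handle`, but `_gsskrb5_set_sec_context_option` never checks `context_handle` itself, so a NULL handle pointer is dereferenced; `if (context_handle == NULL) { *minor_status = EINVAL; return GSS_S_NO_CONTEXT; }` at the top mirrors the checks in the sibling inquire routines. The `value->length != 1` check is good; a comment that the single byte is a boolean selecting the old DES3 MIC behaviour would document the option's contract.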
@@ -1,240 +0,0 @@ --- from rfc2025 --- $Id$ - -SpkmGssTokens DEFINITIONS ::= -BEGIN - -IMPORTS AlgorithmIdentifier, Validity, - Attribute, Certificate, CertificateList, CertificatePair, Name - FROM rfc2459 - AuthorizationData FROM krb5; - -SPKM-REQ ::= SEQUENCE { - requestToken REQ-TOKEN, - certif-data [0] CertificationData OPTIONAL, - auth-data [1] AuthorizationData OPTIONAL -} - - -CertificationData ::= SEQUENCE { - certificationPath [0] CertificationPath OPTIONAL, - certificateRevocationList [1] CertificateList OPTIONAL -} -- at least one of the above shall be present - - -CertificationPath ::= SEQUENCE { - userKeyId [0] OCTET STRING OPTIONAL, - userCertif [1] Certificate OPTIONAL, - verifKeyId [2] OCTET STRING OPTIONAL, - userVerifCertif [3] Certificate OPTIONAL, - theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL -} -- Presence of [2] or [3] implies that [0] or [1] must also be - -- present. Presence of [4] implies that at least one of [0], [1], - -- [2], and [3] must also be present. - -REQ-TOKEN ::= SEQUENCE { - req-contents Req-contents, - algId AlgorithmIdentifier, - req-integrity Integrity -- "token" is Req-contents -} - -Integrity ::= BIT STRING - -- If corresponding algId specifies a signing algorithm, - -- "Integrity" holds the result of applying the signing procedure - -- specified in algId to the BER-encoded octet string which results - -- from applying the hashing procedure (also specified in algId) to - -- the DER-encoded octets of "token". 
- -- Alternatively, if corresponding algId specifies a MACing - -- algorithm, "Integrity" holds the result of applying the MACing - -- procedure specified in algId to the DER-encoded octets of - -- "token" - -Req-contents ::= SEQUENCE { - tok-id INTEGER --(256)--, -- shall contain 0100 (hex) - context-id Random-Integer, - pvno BIT STRING, - timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2 - randSrc Random-Integer, - targ-name Name, - src-name [0] Name OPTIONAL, - req-data Context-Data, - validity [1] Validity OPTIONAL, - key-estb-set Key-Estb-Algs, - key-estb-req BIT STRING OPTIONAL, - key-src-bind OCTET STRING OPTIONAL - -- This field must be present for the case of SPKM-2 - -- unilateral authen. if the K-ALG in use does not provide - -- such a binding (but is optional for all other cases). - -- The octet string holds the result of applying the - -- mandatory hashing procedure (in MANDATORY I-ALG; - -- see Section 2.1) as follows: MD5(src || context_key), - -- where "src" is the DER-encoded octets of src-name, - -- "context-key" is the symmetric key (i.e., the - -- unprotected version of what is transmitted in - -- key-estb-req), and "||" is the concatenation operation. 
-} - -Random-Integer ::= BIT STRING - -Context-Data ::= SEQUENCE { - channelId ChannelId OPTIONAL, - seq-number INTEGER OPTIONAL, - options Options, - conf-alg Conf-Algs, - intg-alg Intg-Algs, - owf-alg OWF-Algs -} - -ChannelId ::= OCTET STRING - -Options ::= BIT STRING { - delegation-state (0), - mutual-state (1), - replay-det-state (2), - sequence-state (3), - conf-avail (4), - integ-avail (5), - target-certif-data-required (6) -} - -Conf-Algs ::= CHOICE { - algs [0] SEQUENCE OF AlgorithmIdentifier, - null [1] NULL -} - -Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier - -OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier - -Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier - - -SPKM-REP-TI ::= SEQUENCE { - responseToken REP-TI-TOKEN, - certif-data CertificationData OPTIONAL - -- present if target-certif-data-required option was -} -- set to TRUE in SPKM-REQ - -REP-TI-TOKEN ::= SEQUENCE { - rep-ti-contents Rep-ti-contents, - algId AlgorithmIdentifier, - rep-ti-integ Integrity -- "token" is Rep-ti-contents -} - -Rep-ti-contents ::= SEQUENCE { - tok-id INTEGER --(512)--, -- shall contain 0200 (hex) - context-id Random-Integer, - pvno [0] BIT STRING OPTIONAL, - timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2 - randTarg Random-Integer, - src-name [1] Name OPTIONAL, - targ-name Name, - randSrc Random-Integer, - rep-data Context-Data, - validity [2] Validity OPTIONAL, - key-estb-id AlgorithmIdentifier OPTIONAL, - key-estb-str BIT STRING OPTIONAL -} - -SPKM-REP-IT ::= SEQUENCE { - responseToken REP-IT-TOKEN, - algId AlgorithmIdentifier, - rep-it-integ Integrity -- "token" is REP-IT-TOKEN -} - -REP-IT-TOKEN ::= SEQUENCE { - tok-id INTEGER --(768)--, -- shall contain 0300 (hex) - context-id Random-Integer, - randSrc Random-Integer, - randTarg Random-Integer, - targ-name Name, - src-name Name OPTIONAL, - key-estb-rep BIT STRING OPTIONAL -} - -SPKM-ERROR ::= SEQUENCE { - errorToken ERROR-TOKEN, - algId AlgorithmIdentifier, - integrity Integrity -- "token" is ERROR-TOKEN -} - 
-ERROR-TOKEN ::= SEQUENCE { - tok-id INTEGER --(1024)--, -- shall contain 0400 (hex) - context-id Random-Integer -} - -SPKM-MIC ::= SEQUENCE { - mic-header Mic-Header, - int-cksum BIT STRING -} - -Mic-Header ::= SEQUENCE { - tok-id INTEGER --(257)--, -- shall contain 0101 (hex) - context-id Random-Integer, - int-alg [0] AlgorithmIdentifier OPTIONAL, - snd-seq [1] SeqNum OPTIONAL -} - -SeqNum ::= SEQUENCE { - num INTEGER, - dir-ind BOOLEAN -} - -SPKM-WRAP ::= SEQUENCE { - wrap-header Wrap-Header, - wrap-body Wrap-Body -} - -Wrap-Header ::= SEQUENCE { - tok-id INTEGER --(513)--, -- shall contain 0201 (hex) - context-id Random-Integer, - int-alg [0] AlgorithmIdentifier OPTIONAL, - conf-alg [1] Conf-Alg OPTIONAL, - snd-seq [2] SeqNum OPTIONAL -} - -Wrap-Body ::= SEQUENCE { - int-cksum BIT STRING, - data BIT STRING -} - -Conf-Alg ::= CHOICE { - algId [0] AlgorithmIdentifier, - null [1] NULL -} - - -SPKM-DEL ::= SEQUENCE { - del-header Del-Header, - int-cksum BIT STRING -} - -Del-Header ::= SEQUENCE { - tok-id INTEGER --(769)--, -- shall contain 0301 (hex) - context-id Random-Integer, - int-alg [0] AlgorithmIdentifier OPTIONAL, - snd-seq [1] SeqNum OPTIONAL -} - - --- other types -- - -MechType ::= OBJECT IDENTIFIER - -SPKMInnerContextToken ::= CHOICE { - req [0] SPKM-REQ, - rep-ti [1] SPKM-REP-TI, - rep-it [2] SPKM-REP-IT, - error [3] SPKM-ERROR, - mic [4] SPKM-MIC, - wrap [5] SPKM-WRAP, - del [6] SPKM-DEL -} - -InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken SPKMInnerContextToken -} -- when thisMech is SPKM-1 or SPKM-2 - - -END diff --git a/lib/gssapi/krb5/spnego.asn1 b/lib/gssapi/krb5/spnego.asn1 deleted file mode 100644 index 27d9b951e..000000000 --- a/lib/gssapi/krb5/spnego.asn1 +++ /dev/null 
@@ -1,42 +0,0 @@ --- $Id$ - -SPNEGO DEFINITIONS ::= -BEGIN - -MechType::= OBJECT IDENTIFIER - -MechTypeList ::= SEQUENCE OF MechType - -ContextFlags ::= BIT STRING { - delegFlag (0), - mutualFlag (1), - replayFlag (2), - sequenceFlag (3), - anonFlag (4), - confFlag (5), - integFlag (6) -} - -NegTokenInit ::= SEQUENCE { - mechTypes [0] MechTypeList OPTIONAL, - reqFlags [1] ContextFlags OPTIONAL, - mechToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL - } - -NegTokenTarg ::= SEQUENCE { - negResult [0] ENUMERATED { - accept_completed (0), - accept_incomplete (1), - reject (2) } OPTIONAL, - supportedMech [1] MechType OPTIONAL, - responseToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL -} - -NegotiationToken ::= CHOICE { - negTokenInit[0] NegTokenInit, - negTokenTarg[1] NegTokenTarg -} - -END diff --git a/lib/gssapi/krb5/test_acquire_cred.c b/lib/gssapi/krb5/test_acquire_cred.c index 7e7eeb89f..47dc5b713 100644 --- a/lib/gssapi/krb5/test_acquire_cred.c +++ b/lib/gssapi/krb5/test_acquire_cred.c @@ -31,7 +31,7 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" #include RCSID("$Id$"); diff --git a/lib/gssapi/krb5/test_cred.c b/lib/gssapi/krb5/test_cred.c index 06c84c000..fab2cd283 100644 --- a/lib/gssapi/krb5/test_cred.c +++ b/lib/gssapi/krb5/test_cred.c @@ -31,7 +31,7 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" #include #include diff --git a/lib/gssapi/krb5/test_kcred.c b/lib/gssapi/krb5/test_kcred.c index b8bb3e4a3..9e7cd5d25 100644 --- a/lib/gssapi/krb5/test_kcred.c +++ b/lib/gssapi/krb5/test_kcred.c @@ -31,7 +31,7 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" #include #include diff --git a/lib/gssapi/krb5/test_oid.c b/lib/gssapi/krb5/test_oid.c index 5cbb455f8..e4a42feda 100644 --- a/lib/gssapi/krb5/test_oid.c +++ b/lib/gssapi/krb5/test_oid.c 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/lib/gssapi/krb5/test_oid_set_member.c b/lib/gssapi/krb5/test_oid_set_member.c index cc15d78b8..e626397e8 100644 --- a/lib/gssapi/krb5/test_oid_set_member.c +++ b/lib/gssapi/krb5/test_oid_set_member.c @@ -31,25 +31,25 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * minor_status, +OM_uint32 _gsskrb5_test_oid_set_member + (OM_uint32 * minor_status, const gss_OID member, const gss_OID_set set, int * present ) { - size_t i; + size_t i; - *minor_status = 0; - *present = 0; - for (i = 0; i < set->count; ++i) - if (gss_oid_equal(member, &set->elements[i]) != 0) { - *present = 1; - break; - } - return GSS_S_COMPLETE; + *minor_status = 0; + *present = 0; + for (i = 0; i < set->count; ++i) + if (gss_oid_equal(member, &set->elements[i]) != 0) { + *present = 1; + break; + } + return GSS_S_COMPLETE; } diff --git a/lib/gssapi/krb5/test_sequence.c b/lib/gssapi/krb5/test_sequence.c index ee11bd86d..313d64ee6 100644 --- a/lib/gssapi/krb5/test_sequence.c +++ b/lib/gssapi/krb5/test_sequence.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/lib/gssapi/krb5/ticket_flags.c b/lib/gssapi/krb5/ticket_flags.c index 06105e13c..c48873c46 100644 --- a/lib/gssapi/krb5/ticket_flags.c +++ b/lib/gssapi/krb5/ticket_flags.c 
@@ -31,29 +31,29 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); OM_uint32 -gss_krb5_get_tkt_flags(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, +_gsskrb5_get_tkt_flags(OM_uint32 *minor_status, + gsskrb5_ctx ctx, OM_uint32 *tkt_flags) { - if (context_handle == GSS_C_NO_CONTEXT) { + if (ctx == NULL) { *minor_status = EINVAL; return GSS_S_NO_CONTEXT; } - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - if (context_handle->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if (ctx->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); *minor_status = EINVAL; return GSS_S_BAD_MECH; } - *tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + *tkt_flags = TicketFlags2int(ctx->ticket->ticket.flags); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); *minor_status = 0; return GSS_S_COMPLETE; diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c index 3072fca50..716dbd183 100644 --- a/lib/gssapi/krb5/unwrap.c +++ b/lib/gssapi/krb5/unwrap.c @@ -31,14 +31,14 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); static OM_uint32 unwrap_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int * conf_state, @@ -61,7 +61,7 @@ unwrap_des int cmp; p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, input_message_buffer->length, "\x02\x01", GSS_KRB5_MECHANISM); @@ -138,7 +138,7 @@ unwrap_des memset (&schedule, 0, sizeof(schedule)); seq = p; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); 
@@ -174,7 +174,7 @@ unwrap_des static OM_uint32 unwrap_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int * conf_state, @@ -196,7 +196,7 @@ unwrap_des3 int cmp; p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, input_message_buffer->length, "\x02\x01", GSS_KRB5_MECHANISM); @@ -226,18 +226,18 @@ unwrap_des3 /* decrypt data */ krb5_data tmp; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, + ret = krb5_decrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL, p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } @@ -259,10 +259,10 @@ unwrap_des3 p -= 28; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_FAILURE; 
@@ -271,15 +271,15 @@ unwrap_des3 DES_cblock ivec; memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, + ret = krb5_decrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, p, 8, &seq_data, &ivec); } - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_FAILURE; @@ -292,7 +292,7 @@ unwrap_des3 } seq = seq_data.data; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -325,21 +325,21 @@ unwrap_des3 csum.checksum.length = 20; csum.checksum.data = cksum; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, + ret = krb5_verify_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, p + 20, input_message_buffer->length - len + 8, &csum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } @@ -357,7 +357,7 @@ unwrap_des3 return GSS_S_COMPLETE; } -OM_uint32 gss_unwrap +OM_uint32 _gsskrb5_unwrap (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t input_message_buffer, 
@@ -369,45 +369,46 @@ OM_uint32 gss_unwrap krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; output_message_buffer->value = NULL; output_message_buffer->length = 0; if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_subkey(context_handle, &key); + ret = _gsskrb5i_get_subkey(ctx, &key); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); *minor_status = 0; switch (keytype) { case KEYTYPE_DES : - ret = unwrap_des (minor_status, context_handle, + ret = unwrap_des (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; case KEYTYPE_DES3 : - ret = unwrap_des3 (minor_status, context_handle, + ret = unwrap_des3 (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_unwrap_arcfour (minor_status, context_handle, + ret = _gssapi_unwrap_arcfour (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; default : - ret = _gssapi_unwrap_cfx (minor_status, context_handle, + ret = _gssapi_unwrap_cfx (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } diff --git a/lib/gssapi/krb5/v1.c b/lib/gssapi/krb5/v1.c index 781a87881..b861ba3a4 100644 --- a/lib/gssapi/krb5/v1.c +++ b/lib/gssapi/krb5/v1.c 
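Review bot: `_gsskrb5_unwrap` casts `context_handle` to `gsskrb5_ctx` and passes it to `_gsskrb5i_get_subkey`, which locks `ctx->ctx_id_mutex` before anything else, so a caller handing in `GSS_C_NO_CONTEXT` dereferences NULL instead of receiving an error. `_gsskrb5_get_tkt_flags` in this same diff guards with `if (ctx == NULL) { *minor_status = EINVAL; return GSS_S_NO_CONTEXT; }`; the same three lines belong right after the cast here, unless the mech-glue layer is known to reject null handles before dispatching, in which case a one-line comment stating that assumption would do. `_gsskrb5_verify_mic`, `_gsskrb5_wrap_size_limit` and `_gsskrb5_wrap` perform the same cast with no check and reach `_gsskrb5i_get_subkey` the same way.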
@@ -31,13 +31,13 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); /* These functions are for V1 compatibility */ -OM_uint32 gss_sign +OM_uint32 _gsskrb5_sign (OM_uint32 * minor_status, gss_ctx_id_t context_handle, int qop_req, @@ -45,14 +45,14 @@ OM_uint32 gss_sign gss_buffer_t message_token ) { - return gss_get_mic(minor_status, + return _gsskrb5_get_mic(minor_status, context_handle, (gss_qop_t)qop_req, message_buffer, message_token); } -OM_uint32 gss_verify +OM_uint32 _gsskrb5_verify (OM_uint32 * minor_status, gss_ctx_id_t context_handle, gss_buffer_t message_buffer, @@ -60,14 +60,14 @@ OM_uint32 gss_verify int * qop_state ) { - return gss_verify_mic(minor_status, + return _gsskrb5_verify_mic(minor_status, context_handle, message_buffer, token_buffer, (gss_qop_t *)qop_state); } -OM_uint32 gss_seal +OM_uint32 _gsskrb5_seal (OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag, @@ -77,7 +77,7 @@ OM_uint32 gss_seal gss_buffer_t output_message_buffer ) { - return gss_wrap(minor_status, + return _gsskrb5_wrap(minor_status, context_handle, conf_req_flag, (gss_qop_t)qop_req, @@ -86,7 +86,7 @@ OM_uint32 gss_seal output_message_buffer); } -OM_uint32 gss_unseal +OM_uint32 _gsskrb5_unseal (OM_uint32 * minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, @@ -95,7 +95,7 @@ OM_uint32 gss_unseal int * qop_state ) { - return gss_unwrap(minor_status, + return _gsskrb5_unwrap(minor_status, context_handle, input_message_buffer, output_message_buffer, diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c index da5599de7..b8738c0c1 100644 --- a/lib/gssapi/krb5/verify_mic.c +++ b/lib/gssapi/krb5/verify_mic.c 
@@ -31,14 +31,14 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); static OM_uint32 verify_mic_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -57,7 +57,7 @@ verify_mic_des int cmp; p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, token_buffer->length, type, GSS_KRB5_MECHANISM); @@ -104,7 +104,7 @@ verify_mic_des memset (&schedule, 0, sizeof(schedule)); seq = p; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -130,7 +130,7 @@ verify_mic_des static OM_uint32 verify_mic_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -150,7 +150,7 @@ verify_mic_des3 char ivec[8]; p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, token_buffer->length, type, GSS_KRB5_MECHANISM); @@ -164,10 +164,10 @@ verify_mic_des3 return GSS_S_BAD_MIC; p += 4; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret){ - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } 
@@ -180,14 +180,14 @@ retry: else memcpy(ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, + ret = krb5_decrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, p, 8, &seq_data, ivec); if (ret) { if (docompat++) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + _gsskrb5_set_error_string (); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = ret; return GSS_S_FAILURE; } else @@ -197,7 +197,7 @@ retry: if (seq_data.length != 8) { krb5_data_free (&seq_data); if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); return GSS_S_BAD_MIC; } else goto retry; @@ -206,7 +206,7 @@ retry: HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); seq = seq_data.data; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -215,7 +215,7 @@ retry: krb5_data_free (&seq_data); if (cmp != 0) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_BAD_MIC; @@ -223,7 +223,7 @@ retry: ret = _gssapi_msg_order_check(context_handle->order, seq_number); if (ret) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return ret; @@ -233,7 +233,7 @@ retry: tmp = malloc (message_buffer->length + 8); if (tmp == NULL) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); *minor_status = ENOMEM; return GSS_S_FAILURE; 
@@ -246,28 +246,28 @@ retry: csum.checksum.length = 20; csum.checksum.data = p + 8; - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, + ret = krb5_verify_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, tmp, message_buffer->length + 8, &csum); free (tmp); if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + _gsskrb5_set_error_string (); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = ret; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_BAD_MIC; } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); return GSS_S_COMPLETE; } OM_uint32 -gss_verify_mic_internal +_gsskrb5_verify_mic_internal (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -278,14 +278,14 @@ gss_verify_mic_internal OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_subkey(context_handle, &key); + ret = _gsskrb5i_get_subkey(context_handle, &key); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } *minor_status = 0; - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : ret = verify_mic_des (minor_status, context_handle, @@ -309,13 +309,13 @@ gss_verify_mic_internal key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } OM_uint32 -gss_verify_mic +_gsskrb5_verify_mic (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t message_buffer, 
@@ -328,9 +328,10 @@ gss_verify_mic if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_verify_mic_internal(minor_status, context_handle, - message_buffer, token_buffer, - qop_state, "\x01\x01"); + ret = _gsskrb5_verify_mic_internal(minor_status, + (gsskrb5_ctx)context_handle, + message_buffer, token_buffer, + qop_state, "\x01\x01"); return ret; } diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c index e14727b73..a7695373b 100644 --- a/lib/gssapi/krb5/wrap.c +++ b/lib/gssapi/krb5/wrap.c @@ -31,24 +31,24 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) +_gsskrb5i_get_subkey(const gsskrb5_ctx ctx, + krb5_keyblock **key) { krb5_keyblock *skey = NULL; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + if (ctx->more_flags & LOCAL) { + krb5_auth_con_getremotesubkey(_gsskrb5_context, + ctx->auth_context, &skey); } else { - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalsubkey(_gsskrb5_context, + ctx->auth_context, &skey); } /* 
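Review bot: `_gsskrb5i_get_subkey` gets a new name and parameter type but still no header comment, and its contract is only recoverable from its callers: `_gsskrb5_unwrap`, `_gsskrb5_wrap_size_limit` and `_gsskrb5_wrap` release `*key` with `krb5_free_keyblock` and store a non-zero return directly into `*minor_status`, so the return value must be a krb5 error code (including `GSS_KRB5_S_KG_NO_SUBKEY`) rather than a GSS major status. A comment above the definition should state that lookup order visible in the body (the remote subkey when `LOCAL` is set, otherwise the local one; then, when `ACCEPTOR_SUBKEY` is clear, the opposite subkey and finally `krb5_auth_con_getkey`), that the caller owns `*key` and frees it with `krb5_free_keyblock`, and what the return value is. The discarded return values of the `krb5_auth_con_get*` calls look intentional since a NULL `skey` drives the fallback, but a short comment saying so, e.g. `/* lookup failures leave skey NULL and fall through to the next candidate */`, would spare the next reader the question. The function body continues past the end of this hunk.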
@@ -56,22 +56,22 @@ gss_krb5_get_subkey(const gss_ctx_id_t context_handle, * an acceptor subkey was not required. */ if (skey == NULL && - (context_handle->more_flags & ACCEPTOR_SUBKEY) == 0) { - if (context_handle->more_flags & LOCAL) { - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, + (ctx->more_flags & ACCEPTOR_SUBKEY) == 0) { + if (ctx->more_flags & LOCAL) { + krb5_auth_con_getlocalsubkey(_gsskrb5_context, + ctx->auth_context, &skey); } else { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getremotesubkey(_gsskrb5_context, + ctx->auth_context, &skey); } if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getkey(_gsskrb5_context, + ctx->auth_context, &skey); } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if(skey == NULL) return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ *key = skey; @@ -90,7 +90,7 @@ sub_wrap_size ( len = 8 + req_output_size + blocksize + extrasize; - gssapi_krb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); total_len -= req_output_size; /* token length */ if (total_len < req_output_size) { @@ -103,7 +103,7 @@ sub_wrap_size ( } OM_uint32 -gss_wrap_size_limit ( +_gsskrb5_wrap_size_limit ( OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, 
@@ -115,14 +115,15 @@ gss_wrap_size_limit ( krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - ret = gss_krb5_get_subkey(context_handle, &key); + ret = _gsskrb5i_get_subkey(ctx, &key); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : @@ -134,12 +135,12 @@ gss_wrap_size_limit ( ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); break; default : - ret = _gssapi_wrap_size_cfx(minor_status, context_handle, + ret = _gssapi_wrap_size_cfx(minor_status, ctx, conf_req_flag, qop_req, req_output_size, max_input_size, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); *minor_status = 0; return ret; } @@ -147,7 +148,7 @@ gss_wrap_size_limit ( static OM_uint32 wrap_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -169,7 +170,7 @@ wrap_des padlength = 8 - (input_message_buffer->length % 8); datalen = input_message_buffer->length + padlength + 8; len = datalen + 22; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); output_message_buffer->length = total_len; output_message_buffer->value = malloc (total_len); @@ -179,7 +180,7 @@ wrap_des return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(output_message_buffer->value, + p = _gsskrb5_make_header(output_message_buffer->value, len, "\x02\x01", /* TOK_ID */ GSS_KRB5_MECHANISM); 
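Review bot: `const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;` reads as if it promised not to modify the context, but `gsskrb5_ctx` is a pointer type (the same `ctx` is locked through `ctx->ctx_id_mutex` a few lines later), so the `const` qualifies only the local pointer and the qualifier on the cast is dropped by the language entirely. `_gsskrb5_unwrap` in this diff writes the same conversion as `gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;`; using that form here and in `_gsskrb5_wrap` (hunk `@@ -469`) keeps the three entry points consistent and avoids suggesting a read-only guarantee the code does not keep. The same applies to the `const gsskrb5_ctx` parameters introduced on the static helpers, which the helpers lock and update sequence numbers through.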
@@ -221,9 +222,9 @@ wrap_des memcpy (p - 8, hash, 8); /* sequence number */ - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); p -= 16; @@ -232,17 +233,17 @@ wrap_des p[2] = (seq_number >> 16) & 0xFF; p[3] = (seq_number >> 24) & 0xFF; memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); DES_set_key (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* encrypt the data */ p += 16; @@ -273,7 +274,7 @@ wrap_des static OM_uint32 wrap_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -294,7 +295,7 @@ wrap_des3 padlength = 8 - (input_message_buffer->length % 8); datalen = input_message_buffer->length + padlength + 8; len = datalen + 34; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); output_message_buffer->length = total_len; output_message_buffer->value = malloc (total_len); @@ -304,7 +305,7 @@ wrap_des3 return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(output_message_buffer->value, + p = _gsskrb5_make_header(output_message_buffer->value, len, "\x02\x01", /* TOK_ID */ GSS_KRB5_MECHANISM); 
@@ -330,9 +331,9 @@ wrap_des3 input_message_buffer->length); memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength); - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -340,16 +341,16 @@ wrap_des3 return GSS_S_FAILURE; } - ret = krb5_create_checksum (gssapi_krb5_context, + ret = krb5_create_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, 0, p + 20, datalen + 8, &cksum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -363,10 +364,10 @@ wrap_des3 memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); free_Checksum (&cksum); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); seq[0] = (seq_number >> 0) & 0xFF; @@ -374,11 +375,11 @@ wrap_des3 seq[2] = (seq_number >> 16) & 0xFF; seq[3] = (seq_number >> 24) & 0xFF; memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { free (output_message_buffer->value); 
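Review bot: The `krb5_crypto_init` failure branch at the end of the `@@ -374` hunk frees the output buffer and returns without calling `_gsskrb5_set_error_string ()`, while every other krb5 failure path of `wrap_des3` shown in this diff (hunks `@@ -330`, `@@ -340`, `@@ -392`, `@@ -424`) calls it before setting `*minor_status`; add `_gsskrb5_set_error_string ();` as the first statement of that `if (ret) {` block so the failure is reported the same way, assuming the helper records the krb5 error text for minor-status reporting as its name suggests. That branch also sits between the `HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex)` in hunk `@@ -363` and the unlock in hunk `@@ -413`, and its remaining lines are outside this hunk, so confirm it unlocks before returning. `wrap_des3` begins and ends outside the hunk.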
@@ -392,15 +393,15 @@ wrap_des3 DES_cblock ivec; memcpy (&ivec, p + 8, 8); - ret = krb5_encrypt_ivec (gssapi_krb5_context, + ret = krb5_encrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, seq, 8, &encdata, &ivec); } - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -413,10 +414,10 @@ wrap_des3 memcpy (p, encdata.data, encdata.length); krb5_data_free (&encdata); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* encrypt the data */ p += 28; @@ -424,21 +425,21 @@ wrap_des3 if(conf_req_flag) { krb5_data tmp; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, + ret = krb5_encrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL, p, datalen, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -456,7 +457,7 @@ wrap_des3 return GSS_S_COMPLETE; } -OM_uint32 gss_wrap +OM_uint32 _gsskrb5_wrap (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, 
@@ -469,38 +470,39 @@ OM_uint32 gss_wrap krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - ret = gss_krb5_get_subkey(context_handle, &key); + ret = _gsskrb5i_get_subkey(ctx, &key); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = wrap_des (minor_status, context_handle, conf_req_flag, + ret = wrap_des (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; case KEYTYPE_DES3 : - ret = wrap_des3 (minor_status, context_handle, conf_req_flag, + ret = wrap_des3 (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag, + ret = _gssapi_wrap_arcfour (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; default : - ret = _gssapi_wrap_cfx (minor_status, context_handle, conf_req_flag, + ret = _gssapi_wrap_cfx (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; }