From 5c1c5cc77af8bde4d875ec19b6809134b4e25aa4 Mon Sep 17 00:00:00 2001 From: Heimdal SVN import Date: Thu, 16 Jun 2005 16:23:19 +0000 Subject: [PATCH] This commit was manufactured by cvs2svn to create tag 'heimdal-0-7'. git-svn-id: svn://svn.h5l.se/heimdal/tags/heimdal-release/heimdal-0-7@15407 ec53bebd-3082-4978-b11e-865c3cabbd6b --- ChangeLog | 10 + NEWS | 6 + cf/ChangeLog | 8 + cf/broken-getaddrinfo.m4 | 2 + cf/check-symbols.sh | 2 + cf/pthreads.m4 | 13 +- configure.in | 2 +- kdc/kerberos5.c | 14 +- lib/gssapi/krb5/8003.c | 246 ------ lib/gssapi/krb5/ChangeLog | 1330 ------------------------------ lib/gssapi/krb5/Makefile.am | 98 --- lib/gssapi/krb5/accept_sec_context.c | 974 ---------------------- lib/gssapi/krb5/acquire_cred.c | 327 -------- lib/gssapi/krb5/add_cred.c | 244 ------ lib/gssapi/krb5/add_oid_set_member.c | 69 -- lib/gssapi/krb5/address_to_krb5addr.c | 76 -- lib/gssapi/krb5/arcfour.c | 636 -------------- lib/gssapi/krb5/arcfour.h | 73 -- lib/gssapi/krb5/canonicalize_name.c | 46 -- lib/gssapi/krb5/ccache_name.c | 80 -- lib/gssapi/krb5/cfx.c | 841 ------------------- lib/gssapi/krb5/cfx.h | 104 --- lib/gssapi/krb5/compare_name.c | 51 -- lib/gssapi/krb5/compat.c | 154 ---- lib/gssapi/krb5/context_time.c | 87 -- lib/gssapi/krb5/copy_ccache.c | 106 --- lib/gssapi/krb5/create_emtpy_oid_set.c | 52 -- lib/gssapi/krb5/decapsulate.c | 209 ----- lib/gssapi/krb5/delete_sec_context.c | 74 -- lib/gssapi/krb5/display_name.c | 73 -- lib/gssapi/krb5/display_status.c | 208 ----- lib/gssapi/krb5/duplicate_name.c | 59 -- lib/gssapi/krb5/encapsulate.c | 153 ---- lib/gssapi/krb5/export_name.c | 94 --- lib/gssapi/krb5/export_sec_context.c | 231 ------ lib/gssapi/krb5/external.c | 270 ------ lib/gssapi/krb5/get_mic.c | 302 ------- lib/gssapi/krb5/gss_acquire_cred.3 | 650 --------------- lib/gssapi/krb5/gssapi.3 | 176 ---- lib/gssapi/krb5/gssapi.h | 797 ------------------ lib/gssapi/krb5/gssapi_locl.h | 279 ------- lib/gssapi/krb5/import_name.c | 229 ----- lib/gssapi/krb5/import_sec_context.c | 228 ----- lib/gssapi/krb5/indicate_mechs.c | 63 -- lib/gssapi/krb5/init.c | 111 --- lib/gssapi/krb5/init_sec_context.c | 1093 ------------------------ lib/gssapi/krb5/inquire_context.c | 97 --- lib/gssapi/krb5/inquire_cred.c | 123 --- lib/gssapi/krb5/inquire_cred_by_mech.c | 82 -- lib/gssapi/krb5/inquire_mechs_for_name.c | 57 -- lib/gssapi/krb5/inquire_names_for_mech.c | 80 -- lib/gssapi/krb5/process_context_token.c | 65 -- lib/gssapi/krb5/release_buffer.c | 48 -- lib/gssapi/krb5/release_cred.c | 73 -- lib/gssapi/krb5/release_name.c | 50 -- lib/gssapi/krb5/release_oid_set.c | 49 -- lib/gssapi/krb5/sequence.c | 189 ----- lib/gssapi/krb5/spkm.asn1 | 240 ------ lib/gssapi/krb5/spnego.asn1 | 42 - lib/gssapi/krb5/test_acquire_cred.c | 110 --- lib/gssapi/krb5/test_cred.c | 184 ----- lib/gssapi/krb5/test_oid_set_member.c | 55 -- lib/gssapi/krb5/test_sequence.c | 333 -------- lib/gssapi/krb5/ticket_flags.c | 60 -- lib/gssapi/krb5/unwrap.c | 413 ---------- lib/gssapi/krb5/v1.c | 104 --- lib/gssapi/krb5/verify_mic.c | 336 -------- lib/gssapi/krb5/wrap.c | 492 ----------- lib/krb5/cache.c | 6 +- 69 files changed, 49 insertions(+), 14189 deletions(-) delete mode 100644 lib/gssapi/krb5/8003.c delete mode 100644 lib/gssapi/krb5/ChangeLog delete mode 100644 lib/gssapi/krb5/Makefile.am delete mode 100644 lib/gssapi/krb5/accept_sec_context.c delete mode 100644 lib/gssapi/krb5/acquire_cred.c delete mode 100644 lib/gssapi/krb5/add_cred.c delete mode 100644 lib/gssapi/krb5/add_oid_set_member.c delete mode 100644 lib/gssapi/krb5/address_to_krb5addr.c delete mode 100644 lib/gssapi/krb5/arcfour.c delete mode 100644 lib/gssapi/krb5/arcfour.h delete mode 100644 lib/gssapi/krb5/canonicalize_name.c delete mode 100644 lib/gssapi/krb5/ccache_name.c delete mode 100644 lib/gssapi/krb5/cfx.c delete mode 100644 lib/gssapi/krb5/cfx.h delete mode 100644 lib/gssapi/krb5/compare_name.c delete mode 100644 lib/gssapi/krb5/compat.c delete mode 100644 lib/gssapi/krb5/context_time.c delete mode 100644 lib/gssapi/krb5/copy_ccache.c delete mode 100644 lib/gssapi/krb5/create_emtpy_oid_set.c delete mode 100644 lib/gssapi/krb5/decapsulate.c delete mode 100644 lib/gssapi/krb5/delete_sec_context.c delete mode 100644 lib/gssapi/krb5/display_name.c delete mode 100644 lib/gssapi/krb5/display_status.c delete mode 100644 lib/gssapi/krb5/duplicate_name.c delete mode 100644 lib/gssapi/krb5/encapsulate.c delete mode 100644 lib/gssapi/krb5/export_name.c delete mode 100644 lib/gssapi/krb5/export_sec_context.c delete mode 100644 lib/gssapi/krb5/external.c delete mode 100644 lib/gssapi/krb5/get_mic.c delete mode 100644 lib/gssapi/krb5/gss_acquire_cred.3 delete mode 100644 lib/gssapi/krb5/gssapi.3 delete mode 100644 lib/gssapi/krb5/gssapi.h delete mode 100644 lib/gssapi/krb5/gssapi_locl.h delete mode 100644 lib/gssapi/krb5/import_name.c delete mode 100644 lib/gssapi/krb5/import_sec_context.c delete mode 100644 lib/gssapi/krb5/indicate_mechs.c delete mode 100644 lib/gssapi/krb5/init.c delete mode 100644 lib/gssapi/krb5/init_sec_context.c delete mode 100644 lib/gssapi/krb5/inquire_context.c delete mode 100644 lib/gssapi/krb5/inquire_cred.c delete mode 100644 lib/gssapi/krb5/inquire_cred_by_mech.c delete mode 100644 lib/gssapi/krb5/inquire_mechs_for_name.c delete mode 100644 lib/gssapi/krb5/inquire_names_for_mech.c delete mode 100644 lib/gssapi/krb5/process_context_token.c delete mode 100644 lib/gssapi/krb5/release_buffer.c delete mode 100644 lib/gssapi/krb5/release_cred.c delete mode 100644 lib/gssapi/krb5/release_name.c delete mode 100644 lib/gssapi/krb5/release_oid_set.c delete mode 100644 lib/gssapi/krb5/sequence.c delete mode 100644 lib/gssapi/krb5/spkm.asn1 delete mode 100644 lib/gssapi/krb5/spnego.asn1 delete mode 100644 lib/gssapi/krb5/test_acquire_cred.c delete mode 100644 lib/gssapi/krb5/test_cred.c delete mode 100644 lib/gssapi/krb5/test_oid_set_member.c delete mode 100644 lib/gssapi/krb5/test_sequence.c delete mode 100644 lib/gssapi/krb5/ticket_flags.c delete mode 100644 lib/gssapi/krb5/unwrap.c delete mode 100644 lib/gssapi/krb5/v1.c delete mode 100644 lib/gssapi/krb5/verify_mic.c delete mode 100644 lib/gssapi/krb5/wrap.c diff --git a/ChangeLog b/ChangeLog index 2b54ef4fe..342251d65 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2005-06-15 Love Hörnquist Åstrand + + * Release 0.7 + + * lib/krb5/cache.c: 1.70: (_krb5_expand_default_cc_name): replace + strndup with inline copy + + * kdc/kerberos5.c: 1.176: replace strndup with inline copy, free + data on failure + 2005-06-14 Love Hörnquist Åstrand * lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES += diff --git a/NEWS b/NEWS index bafb4178e..74d03caa1 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,12 @@ Changes in release 0.7 * Bug fixes +Changes in release 0.6.5 + + * fix vulnerabilities in telnetd + + * unbreak Kerberos 4 and kaserver + Changes in release 0.6.4 * fix vulnerabilities in telnet diff --git a/cf/ChangeLog b/cf/ChangeLog index 39ed07d83..ae34fd98c 100644 --- a/cf/ChangeLog +++ b/cf/ChangeLog @@ -1,3 +1,11 @@ +2005-06-16 Love Hörnquist Åstrand + + * pthreads.m4: 1.11: disable threads on aix because of utmp/utmpx + problems + + * broken-getaddrinfo.m4: 1.6: check for brokenness in getaddrinfo + on AIX that can't handle "0" as port number. + 2005-06-03 Love Hörnquist Åstrand * pthreads.m4: rework how pthreads support to turned on/off, diff --git a/cf/broken-getaddrinfo.m4 b/cf/broken-getaddrinfo.m4 index 75cbcb255..6d34f3b77 100644 --- a/cf/broken-getaddrinfo.m4 +++ b/cf/broken-getaddrinfo.m4 @@ -19,6 +19,8 @@ main(int argc, char **argv) hints.ai_family = PF_UNSPEC; if(getaddrinfo(NULL, "17", &hints, &ai) != 0) return 1; + if(getaddrinfo(NULL, "0", &hints, &ai) != 0) + return 1; return 0; } ]])],[ac_cv_func_getaddrinfo_numserv=yes],[ac_cv_func_getaddrinfo_numserv=no]))]) diff --git a/cf/check-symbols.sh b/cf/check-symbols.sh index 38e934a27..2660fabc4 100644 --- a/cf/check-symbols.sh +++ b/cf/check-symbols.sh @@ -5,6 +5,8 @@ LANG=C export LANG +exit 0 #disable test on release branch + esym= symbols= diff --git a/cf/pthreads.m4 b/cf/pthreads.m4 index 2a1bc0bc1..ec3f9d6de 100644 --- a/cf/pthreads.m4 +++ b/cf/pthreads.m4 @@ -37,16 +37,9 @@ case "$host" in esac ;; *-*-aix*) - if test "$GCC" = yes; then - native_pthread_support=yes - PTHREADS_LIBS="-pthread" - elif expr "$CC" : ".*_r" > /dev/null ; then - native_pthread_support=yes - PTHREADS_CFLAGS="" - PTHREADS_LIBS="" - else - native_pthread_support=no - fi + dnl AIX is disabled since we don't handle the utmp/utmpx + dnl problems that aix causes when compiling with pthread support + native_pthread_support=no ;; mips-sgi-irix6.[[5-9]]) # maybe works for earlier versions too native_pthread_support=yes diff --git a/configure.in b/configure.in index eaac0e260..b1dc994ed 100644 --- a/configure.in +++ b/configure.in @@ -2,7 +2,7 @@ dnl Process this file with autoconf to produce a configure script. AC_REVISION($Revision$) AC_PREREQ([2.59]) test -z "$CFLAGS" && CFLAGS="-g" -AC_INIT([Heimdal],[0.7rc2],[heimdal-bugs@pdc.kth.se]) +AC_INIT([Heimdal],[0.7],[heimdal-bugs@pdc.kth.se]) AC_CONFIG_SRCDIR([kuser/kinit.c]) AC_CONFIG_HEADERS(include/config.h) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 6e607d3ae..67d7ab5b7 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -415,7 +415,14 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) ALLOC(ent->salt); if (ent->salt == NULL) return ENOMEM; - *ent->salt = strndup(key->salt->salt.data, key->salt->salt.length); + *ent->salt = malloc(key->salt->salt.length + 1); + if (*ent->salt == NULL) { + free(ent->salt); + ent->salt = NULL; + return ENOMEM; + } + memcpy(*ent->salt, key->salt->salt.data, key->salt->salt.length); + (*ent->salt)[key->salt->salt.length] = '\0'; } else ent->salt = NULL; @@ -429,8 +436,11 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) return ENOMEM; ent->s2kparams->length = 4; ent->s2kparams->data = malloc(ent->s2kparams->length); - if (ent->s2kparams->data == NULL) + if (ent->s2kparams->data == NULL) { + free(ent->s2kparams); + ent->s2kparams = NULL; return ENOMEM; + } _krb5_put_int(ent->s2kparams->data, _krb5_AES_string_to_default_iterator, ent->s2kparams->length); diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c deleted file mode 100644 index 283ac01a7..000000000 --- a/lib/gssapi/krb5/8003.c +++ /dev/null @@ -1,246 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -krb5_error_code -gssapi_encode_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 0) & 0xFF; - p[1] = (n >> 8) & 0xFF; - p[2] = (n >> 16) & 0xFF; - p[3] = (n >> 24) & 0xFF; - return 0; -} - -krb5_error_code -gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 24) & 0xFF; - p[1] = (n >> 16) & 0xFF; - p[2] = (n >> 8) & 0xFF; - p[3] = (n >> 0) & 0xFF; - return 0; -} - -krb5_error_code -gssapi_decode_om_uint32(u_char *p, OM_uint32 *n) -{ - *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); - return 0; -} - -krb5_error_code -gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n) -{ - *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); - return 0; -} - -static krb5_error_code -hash_input_chan_bindings (const gss_channel_bindings_t b, - u_char *p) -{ - u_char num[4]; - MD5_CTX md5; - - MD5_Init(&md5); - gssapi_encode_om_uint32 (b->initiator_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - gssapi_encode_om_uint32 (b->initiator_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->initiator_address.length) - MD5_Update (&md5, - b->initiator_address.value, - b->initiator_address.length); - gssapi_encode_om_uint32 (b->acceptor_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - gssapi_encode_om_uint32 (b->acceptor_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->acceptor_address.length) - MD5_Update (&md5, - b->acceptor_address.value, - b->acceptor_address.length); - gssapi_encode_om_uint32 (b->application_data.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->application_data.length) - MD5_Update (&md5, - b->application_data.value, - b->application_data.length); - MD5_Final (p, &md5); - return 0; -} - -/* - * create a checksum over the chanel bindings in - * `input_chan_bindings', `flags' and `fwd_data' and return it in - * `result' - */ - -OM_uint32 -gssapi_krb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result) -{ - u_char *p; - - /* - * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) */ - result->cksumtype = CKSUMTYPE_GSSAPI; - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) - result->checksum.length = 24 + 4 + fwd_data->length; - else - result->checksum.length = 24; - result->checksum.data = malloc (result->checksum.length); - if (result->checksum.data == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = result->checksum.data; - gssapi_encode_om_uint32 (16, p); - p += 4; - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { - memset (p, 0, 16); - } else { - hash_input_chan_bindings (input_chan_bindings, p); - } - p += 16; - gssapi_encode_om_uint32 (flags, p); - p += 4; - - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { - - *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */ - *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */ - *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */ - *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */ - memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length); - - p += fwd_data->length; - } - - return GSS_S_COMPLETE; -} - -/* - * verify the checksum in `cksum' over `input_chan_bindings' - * returning `flags' and `fwd_data' - */ - -OM_uint32 -gssapi_krb5_verify_8003_checksum( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data) -{ - unsigned char hash[16]; - unsigned char *p; - OM_uint32 length; - int DlgOpt; - static unsigned char zeros[16]; - - if (cksum == NULL) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - /* XXX should handle checksums > 24 bytes */ - if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - p = cksum->checksum.data; - gssapi_decode_om_uint32(p, &length); - if(length != sizeof(hash)) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - p += 4; - - if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS - && memcmp(p, zeros, sizeof(zeros)) != 0) { - if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - if(memcmp(hash, p, sizeof(hash)) != 0) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - } - - p += sizeof(hash); - - gssapi_decode_om_uint32(p, flags); - p += 4; - - if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) { - if(cksum->checksum.length < 28) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - DlgOpt = (p[0] << 0) | (p[1] << 8); - p += 2; - if (DlgOpt != 1) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - fwd_data->length = (p[0] << 0) | (p[1] << 8); - p += 2; - if(cksum->checksum.length < 28 + fwd_data->length) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - fwd_data->data = malloc(fwd_data->length); - if (fwd_data->data == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(fwd_data->data, p, fwd_data->length); - } - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/ChangeLog b/lib/gssapi/krb5/ChangeLog deleted file mode 100644 index e8105e407..000000000 --- a/lib/gssapi/krb5/ChangeLog +++ /dev/null @@ -1,1330 +0,0 @@ -2005-05-30 Love Hörnquist Åstrand - - * init_sec_context.c (init_auth): honor ok-as-delegate if local - configuration approves - - * gssapi_locl.h: prototype for _gss_check_compat - - * compat.c: export check_compat as _gss_check_compat - -2005-05-29 Love Hörnquist Åstrand - - * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid - problems with system headerfiles that pollute the name space. - - * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid - problems with system headerfiles that pollute the name space. - -2005-05-17 Love Hörnquist Åstrand - - * init_sec_context.c (init_auth): set - KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility), - also while here, use krb5_auth_con_addflags - -2005-05-06 Love Hörnquist Åstrand - - * arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap - length. From: Tom Maher - -2005-05-02 Dave Love - - * test_cred.c (main): Call setprogname. - -2005-04-27 Love Hörnquist Åstrand - - * prefix all sequence symbols with _, they are not part of the - GSS-API api. By comment from Wynn Wilkes - -2005-04-10 Love Hörnquist Åstrand - - * accept_sec_context.c: break out the processing of the delegated - credential to a separate function to make error handling easier, - move the credential handling to after other setup is done - - * test_sequence.c: make less verbose in case of success - - * Makefile.am: add test_sequence to TESTS - -2005-04-01 Love Hörnquist Åstrand - - * 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum - isn't NULL From: Nicolas Pouvesle - -2005-03-21 Love Hörnquist Åstrand - - * Makefile.am: use $(LIB_roken) - -2005-03-16 Love Hörnquist Åstrand - - * display_status.c (gssapi_krb5_set_error_string): pass in the - krb5_context to krb5_free_error_string - -2005-03-15 Love Hörnquist Åstrand - - * display_status.c (gssapi_krb5_set_error_string): don't misuse - the krb5_get_error_string api - -2005-03-01 Love Hörnquist Åstrand - - * compat.c (_gss_DES3_get_mic_compat): don't unlock mutex - here. Bug reported by Stefan Metzmacher - -2005-02-21 Luke Howard - - * init_sec_context.c: don't call krb5_get_credentials() with - KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache - growing indefinitely as no key is found with KEYTYPE_NULL - - * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is - no longer used (however the mechListMIC behaviour is broken, - rfc2478bis support requires the code in the mechglue branch) - - * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - - * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - -2005-01-05 Luke Howard - - * 8003.c: use symbolic name for checksum type - - * accept_sec_context.c: allow client to indicate - that subkey should be used - - * acquire_cred.c: plug leak - - * get_mic.c: use gss_krb5_get_subkey() instead - of gss_krb5_get_{local,remote}key(), support - KEYTYPE_ARCFOUR_56 - - * gssapi_local.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - - * import_sec_context.c: plug leak - - * unwrap.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - - * verify_mic.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - - * wrap.c: use gss_krb5_get_subkey(), - support KEYTYPE_ARCFOUR_56 - -2004-11-30 Love Hörnquist Åstrand - - * inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and - gss_release_cred to avoid deadlock, from Luke Howard - . - -2004-09-06 Love Hörnquist Åstrand - - * gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context - was renamed to gsskrb5_extract_authz_data_from_sec_context - -2004-08-07 Love Hörnquist Åstrand - - * unwrap.c: mutex buglet, From: Luke Howard - - * arcfour.c: mutex buglet, From: Luke Howard - -2004-05-06 Love Hörnquist Åstrand - - * gssapi.3: spelling from Josef El-Rayes while - here, write some text about the SPNEGO situation - -2004-04-08 Love Hörnquist Åstrand - - * cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/ - -2004-04-07 Love Hörnquist Åstrand - - * gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke - Howard - - * init_sec_context.c (spnego_reply): use - _gss_spnego_require_mechlist_mic to figure out if we need to check - MechListMIC; From: Luke Howard - - * accept_sec_context.c (send_accept): use - _gss_spnego_require_mechlist_mic to figure out if we need to send - MechListMIC; From: Luke Howard - - * gssapi_locl.h: add _gss_spnego_require_mechlist_mic - From: Luke Howard - - * compat.c: add _gss_spnego_require_mechlist_mic for compatibility - with MS SPNEGO, From: Luke Howard - -2004-04-05 Love Hörnquist Åstrand - - * accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is - an enctype, not keytype - - * accept_sec_context.c: use ASN1_MALLOC_ENCODE - - * init_sec_context.c: avoid the malloc loop and just allocate the - propper amount of data - - * init_sec_context.c (spnego_initial): handle mech_token better - -2004-03-19 Love Hörnquist Åstrand - - * gssapi.h: add gss_krb5_get_tkt_flags - - * Makefile.am: add ticket_flags.c - - * ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke - Howard - - * gss_acquire_cred.3: document gss_krb5_get_tkt_flags - -2004-03-14 Love Hörnquist Åstrand - - * acquire_cred.c (gss_acquire_cred): check usage before even - bothering to process it, add both keytab and initial tgt if - requested - - * wrap.c: support cfx, try to handle acceptor asserted subkey - - * unwrap.c: support cfx, try to handle acceptor asserted subkey - - * verify_mic.c: support cfx - - * get_mic.c: support cfx - - * test_sequence.c: handle changed signature of - gssapi_msg_order_create - - * import_sec_context.c: handle acceptor asserted subkey - - * init_sec_context.c: handle acceptor asserted subkey - - * accept_sec_context.c: handle acceptor asserted subkey - - * sequence.c: add dummy use_64 argument to gssapi_msg_order_create - - * gssapi_locl.h: add partial support for CFX - - * Makefile.am (noinst_PROGRAMS) += test_cred - - * test_cred.c: gssapi credential testing - - * test_acquire_cred.c: fix comment - -2004-03-07 Love Hörnquist Åstrand - - * arcfour.h: drop structures for message formats, no longer used - - * arcfour.c: comment describing message formats - - * accept_sec_context.c (spnego_accept_sec_context): make sure the - length of the choice element doesn't overrun us - - * init_sec_context.c (spnego_reply): make sure the length of the - choice element doesn't overrun us - - * spnego.asn1: move NegotiationToken to avoid warning - - * spnego.asn1: uncomment NegotiationToken - - * Makefile.am: spnego_files += asn1_NegotiationToken.x - -2004-01-25 Love Hörnquist Åstrand - - * gssapi.h: add gss_krb5_ccache_name - - * Makefile.am (libgssapi_la_SOURCES): += ccache_name.c - - * ccache_name.c (gss_krb5_ccache_name): help function enable to - set krb5 name, using out_name argument makes function no longer - thread-safe - - * gssapi.3: add missing gss_krb5_ references - - * gss_acquire_cred.3: document gss_krb5_ccache_name - -2003-12-12 Love Hörnquist Åstrand - - * cfx.c: make rrc a modulus operation if its longer then the - length of the message, noticed by Sam Hartman - -2003-12-07 Love Hörnquist Åstrand - - * accept_sec_context.c: use krb5_auth_con_addflags - -2003-12-05 Love Hörnquist Åstrand - - * cfx.c: Wrap token id was in wrong order, found by Sam Hartman - -2003-12-04 Love Hörnquist Åstrand - - * cfx.c: add AcceptorSubkey (but no code understand it yet) ignore - unknown token flags - -2003-11-22 Love Hörnquist Åstrand - - * accept_sec_context.c: Don't require timestamp to be set on - delegated token, its already protected by the outer token (and - windows doesn't alway send it) Pointed out by Zi-Bin Yang - on heimdal-discuss - -2003-11-14 Love Hörnquist Åstrand - - * cfx.c: fix {} error, pointed out by Liqiang Zhu - -2003-11-10 Love Hörnquist Åstrand - - * cfx.c: Sequence number should be stored in bigendian order From: - Luke Howard - -2003-11-09 Love Hörnquist Åstrand - - * delete_sec_context.c (gss_delete_sec_context): don't free - ticket, krb5_free_ticket does that now - -2003-11-06 Love Hörnquist Åstrand - - * cfx.c: checksum the header last in MIC token, update to -03 - From: Luke Howard - -2003-10-07 Love Hörnquist Åstrand - - * add_cred.c: If its a MEMORY cc, make a copy. We need to do this - since now gss_release_cred will destroy the cred. This should be - really be solved a better way. - - * acquire_cred.c (gss_release_cred): if its a mcc, destroy it - rather the just release it Found by: "Zi-Bin Yang" - - - * acquire_cred.c (acquire_initiator_cred): use kret instead of ret - where appropriate - -2003-09-30 Love Hörnquist Åstrand - - * gss_acquire_cred.3: spelling - From: jmc - -2003-09-23 Love Hörnquist Åstrand - - * cfx.c: - EC and RRC are big-endian, not little-endian - The - default is now to rotate regardless of GSS_C_DCE_STYLE. There are - no longer any references to GSS_C_DCE_STYLE. - rrc_rotate() - avoids allocating memory on the heap if rrc <= 256 - From: Luke Howard - -2003-09-22 Love Hörnquist Åstrand - - * cfx.[ch]: rrc_rotate() was untested and broken, fix it. - Set and verify wrap Token->Filler. - Correct token ID for wrap tokens, - were accidentally swapped with delete tokens. - From: Luke Howard - -2003-09-21 Love Hörnquist Åstrand - - * cfx.[ch]: no ASN.1-ish header on per-message tokens - From: Luke Howard - -2003-09-19 Love Hörnquist Åstrand - - * arcfour.h: remove depenency on gss_arcfour_mic_token and - gss_arcfour_warp_token - - * arcfour.c: remove depenency on gss_arcfour_mic_token and - gss_arcfour_warp_token - -2003-09-18 Love Hörnquist Åstrand - - * 8003.c: remove #if 0'ed code - -2003-09-17 Love Hörnquist Åstrand - - * accept_sec_context.c (gsskrb5_accept_sec_context): set sequence - number when not requesting mutual auth From: Luke Howard - - - * init_sec_context.c (init_auth): set sequence number when not - requesting mutual auth From: Luke Howard - -2003-09-16 Love Hörnquist Åstrand - - * arcfour.c (*): set minor_status - (gss_wrap): set conf_state to conf_req_flags on success - From: Luke Howard - - * wrap.c (gss_wrap_size_limit): use existing function From: Luke - Howard - -2003-09-12 Love Hörnquist Åstrand - - * indicate_mechs.c (gss_indicate_mechs): in case of error, free - mech_set - - * indicate_mechs.c (gss_indicate_mechs): add SPNEGO - -2003-09-10 Love Hörnquist Åstrand - - * init_sec_context.c (spnego_initial): catch errors and return - them - - * init_sec_context.c (spnego_initial): add #if 0 out version of - the CHOICE branch encoding, also where here, free no longer used - memory - -2003-09-09 Love Hörnquist Åstrand - - * gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM - - * accept_sec_context.c: SPNEGO doesn't include gss wrapping on - SubsequentContextToken like the Kerberos 5 mech does. - - * init_sec_context.c (spnego_reply): SPNEGO doesn't include gss - wrapping on SubsequentContextToken like the Kerberos 5 mech - does. Lets check for it anyway. - - * accept_sec_context.c: Add support for SPNEGO on the initator - side. Implementation initially from Assar Westerlund, passes - though quite a lot of hands before I commited it. - - * init_sec_context.c: Add support for SPNEGO on the initator side. - Tested with ldap server on a Windows 2000 DC. Implementation - initially from Assar Westerlund, passes though quite a lot of - hands before I commited it. - - * gssapi.h: export GSS_SPNEGO_MECHANISM - - * gssapi_locl.h: include spnego_as.h add prototype for - gssapi_krb5_get_mech - - * decapsulate.c (gssapi_krb5_get_mech): make non static - - * Makefile.am: build SPNEGO file - -2003-09-08 Love Hörnquist Åstrand - - * external.c: SPENGO and IAKERB oids - - * spnego.asn1: SPENGO ASN1 - -2003-09-05 Love Hörnquist Åstrand - - * cfx.c: RRC also need to be zero before wraping them - From: Luke Howard - -2003-09-04 Love Hörnquist Åstrand - - * encapsulate.c (gssapi_krb5_encap_length): don't return void - -2003-09-03 Love Hörnquist Åstrand - - * verify_mic.c: switch from the des_ to the DES_ api - - * get_mic.c: switch from the des_ to the DES_ api - - * unwrap.c: switch from the des_ to the DES_ api - - * wrap.c: switch from the des_ to the DES_ api - - * cfx.c: EC is not included in the checksum since the length might - change depending on the data. From: Luke Howard - - * acquire_cred.c: use - krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free - -2003-09-01 Love Hörnquist Åstrand - - * copy_ccache.c: rename - gss_krb5_extract_authz_data_from_sec_context to - gsskrb5_extract_authz_data_from_sec_context - - * gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to - gsskrb5_extract_authz_data_from_sec_context - -2003-08-31 Love Hörnquist Åstrand - - * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): - check that we have a ticket before we start to use it - - * gss_acquire_cred.3: document - gss_krb5_extract_authz_data_from_sec_context - - * gssapi.h (gss_krb5_extract_authz_data_from_sec_context): - return the kerberos authorizationdata, from idea of Luke Howard - - * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): - return the kerberos authorizationdata, from idea of Luke Howard - - * verify_mic.c (gss_verify_mic_internal): switch type and key - argument - -2003-08-30 Love Hörnquist Åstrand - - * cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation - From: Luke Howard - -2003-08-28 Love Hörnquist Åstrand - - * arcfour.c (arcfour_mic_cksum): use free_Checksum to free the - checksum - - * arcfour.h: swap two last arguments to verify_mic for consistency - with des3 - - * wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h: - prefix cfx symbols with _gssapi_ - - * arcfour.c: release the right buffer - - * arcfour.c: rename token structure in consistency with rest of - GSS-API From: Luke Howard - - * unwrap.c (unwrap_des3): use _gssapi_verify_pad - (unwrap_des): use _gssapi_verify_pad - - * arcfour.c (_gssapi_wrap_arcfour): set the correct padding - (_gssapi_unwrap_arcfour): verify and strip padding - - * gssapi_locl.h: added _gssapi_verify_pad - - * decapsulate.c (_gssapi_verify_pad): verify padding of a gss - wrapped message and return its length - - * arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard - - - * arcfour.c: use right seal alg, inherit keytype from parent key - - * arcfour.c: include the confounder in the checksum use the right - key usage number for warped/unwraped tokens - - * gssapi.h: add gss_krb5_nt_general_name as an mit compat glue - (same as GSS_KRB5_NT_PRINCIPAL_NAME) - - * unwrap.c: hook in arcfour unwrap - - * wrap.c: hook in arcfour wrap - - * verify_mic.c: hook in arcfour verify_mic - - * get_mic.c: hook in arcfour get_mic - - * arcfour.c: implement wrap/unwarp - - * gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32 - - * 8003.c: add gssapi_{en,de}code_be_om_uint32 - -2003-08-27 Love Hörnquist Åstrand - - * arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right - area. Swap filler check, it was reversed. - - * Makefile.am (libgssapi_la_SOURCES): += arcfour.c - - * gssapi_locl.h: include "arcfour.h" - - * arcfour.c: arcfour gss-api mech, get_mic/verify_mic working - - * arcfour.h: arcfour gss-api mech, get_mic/verify_mic working - -2003-08-26 Love Hörnquist Åstrand - - * gssapi_locl.h: always include cfx.h add prototype for - _gssapi_decapsulate - - * cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt - from Luke Howard - - * decapsulate.c: add _gssapi_decapsulate, from Luke Howard - - -2003-08-25 Love Hörnquist Åstrand - - * unwrap.c: encap/decap now takes a oid if the enctype/keytype is - arcfour, return error add hook for cfx - - * verify_mic.c: encap/decap now takes a oid if the enctype/keytype - is arcfour, return error add hook for cfx - - * get_mic.c: encap/decap now takes a oid if the enctype/keytype is - arcfour, return error add hook for cfx - - * accept_sec_context.c: encap/decap now takes a oid - - * init_sec_context.c: encap/decap now takes a oid - - * gssapi_locl.h: include cfx.h if we need it lifetime is a - OM_uint32, depend on gssapi interface add all new encap/decap - functions - - * decapsulate.c: add decap functions that doesn't take the token - type also make all decap function take the oid mech that they - should use - - * encapsulate.c: add encap functions that doesn't take the token - type also make all encap function take the oid mech that they - should use - - * sequence.c (elem_insert): fix a off by one index counter - - * inquire_cred.c (gss_inquire_cred): handle cred_handle beeing - GSS_C_NO_CREDENTIAL and use the default cred then. - -2003-08-19 Love Hörnquist Åstrand - - * gss_acquire_cred.3: break out extensions and document - gsskrb5_register_acceptor_identity - -2003-08-18 Love Hörnquist Åstrand - - * test_acquire_cred.c (print_time): time is returned in seconds - from now, not unix time - -2003-08-17 Love Hörnquist Åstrand - - * compat.c (check_compat): avoid leaking principal when finding a - match - - * address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is - a krb5_socklen_t - - * acquire_cred.c (gss_acquire_cred): 4th argument to - gss_test_oid_set_member is a int - -2003-07-22 Love Hörnquist Åstrand - - * init_sec_context.c (repl_mutual): don't set kerberos error where - there was no kerberos error - - * gssapi_locl.h: Add destruction/creation prototypes and structure - for the thread specific storage. - - * display_status.c: use thread specific storage to set/get the - kerberos error message - - * init.c: Provide locking around the creation of the global - krb5_context. Add destruction/creation functions for the thread - specific storage that the error string handling is using. - -2003-07-20 Love Hörnquist Åstrand - - * gss_acquire_cred.3: add missing prototype and missing .Ft - arguments - -2003-06-17 Love Hörnquist Åstrand - - * verify_mic.c: reorder code so sequence numbers can can be used - - * unwrap.c: reorder code so sequence numbers can can be used - - * sequence.c: remove unused function, indent, add - gssapi_msg_order_f that filter gss flags to gss_msg_order flags - - * gssapi_locl.h: prototypes for - gssapi_{encode_om_uint32,decode_om_uint32} add sequence number - verifier prototypes - - * delete_sec_context.c: destroy sequence number verifier - - * init_sec_context.c: remember to free data use sequence number - verifier - - * accept_sec_context.c: don't clear output_token twice remember to - free data use sequence number verifier - - * 8003.c: export and rename encode_om_uint32/decode_om_uint32 and - start to use them - -2003-06-09 Johan Danielsson - - * Makefile.am: can't have sequence.c in two different places - -2003-06-06 Love Hörnquist Åstrand - - * test_sequence.c: check rollover, print summery - - * wrap.c (sub_wrap_size): gss_wrap_size_limit() has - req_output_size and max_input_size around the wrong way -- it - returns the output token size for a given input size, rather than - the maximum input size for a given output token size. - - From: Luke Howard - -2003-06-05 Love Hörnquist Åstrand - - * gssapi_locl.h: add prototypes for sequence.c - - * Makefile.am (libgssapi_la_SOURCES): add sequence.c - (test_sequence): build - - * sequence.c: sequence number checks, order and replay - * test_sequence.c: sequence number checks, order and replay - -2003-06-03 Love Hörnquist Åstrand - - * accept_sec_context.c (gss_accept_sec_context): make sure time is - returned in seconds from now, not in kerberos time - - * acquire_cred.c (gss_aquire_cred): make sure time is returned in - seconds from now, not in kerberos time - - * init_sec_context.c (init_auth): if the cred is expired before we - tries to create a token, fail so the peer doesn't need reject us - (*): make sure time is returned in seconds from now, - not in kerberos time - (repl_mutual): remember to unlock the context mutex - - * context_time.c (gss_context_time): remove unused variable - - * verify_mic.c: make sure minor_status is always set, pointed out - by Luke Howard - -2003-05-21 Love Hörnquist Åstrand - - * *.[ch]: do some basic locking (no reference counting so contexts - can be removed while still used) - - don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct - - make sure all lifetime are returned in seconds left until expired, - not in unix epoch - - * gss_acquire_cred.3: document argument lifetime_rec to function - gss_inquire_context - -2003-05-17 Love Hörnquist Åstrand - - * test_acquire_cred.c: test gss_add_cred more then once - -2003-05-06 Love Hörnquist Åstrand - - * gssapi.h: if __cplusplus, wrap the extern variable (just to be - safe) and functions in extern "C" { } - -2003-04-30 Love Hörnquist Åstrand - - * gssapi.3: more about the des3 mic mess - - * verify_mic.c (verify_mic_des3): always check if the mic is the - correct mic or the mic that old heimdal would have generated - -2003-04-28 Jacques Vidrine - - * verify_mic.c (verify_mic_des3): If MIC verification fails, - retry using the `old' MIC computation (with zero IV). - -2003-04-26 Love Hörnquist Åstrand - - * gss_acquire_cred.3: more about difference between comparing IN - and MN - - * gss_acquire_cred.3: more about name type and access control - -2003-04-25 Love Hörnquist Åstrand - - * gss_acquire_cred.3: document gss_context_time - - * context_time.c: if lifetime of context have expired, set - time_rec to 0 and return GSS_S_CONTEXT_EXPIRED - - * gssapi.3: document [gssapi]correct_des3_mic - [gssapi]broken_des3_mic - - * gss_acquire_cred.3: document gss_krb5_compat_des3_mic - - * compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3 - mic compat - (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too - - * gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off - des3 mic compat - (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if - gss_krb5_compat_des3_mic exists - -2003-04-24 Love Hörnquist Åstrand - - * Makefile.am: (libgssapi_la_LDFLAGS): update major - version of gssapi for incompatiblity in 3des getmic support - -2003-04-23 Love Hörnquist Åstrand - - * Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not - ./libgssapi.la (make make -jN work) - -2003-04-16 Love Hörnquist Åstrand - - * gssapi.3: spelling - - * gss_acquire_cred.3: Change .Fd #include to .In - header.h, from Thomas Klausner - - -2003-04-06 Love Hörnquist Åstrand - - * gss_acquire_cred.3: spelling - - * Makefile.am: remove stuff that sneaked in with last commit - - * acquire_cred.c (acquire_initiator_cred): if the requested name - isn't in the ccache, also check keytab. Extact the krbtgt for the - default realm to check how long the credentials will last. - - * add_cred.c (gss_add_cred): don't create a new ccache, just open - the old one; better check if output handle is compatible with new - (copied) handle - - * test_acquire_cred.c: test gss_add_cred too - -2003-04-03 Love Hörnquist Åstrand - - * Makefile.am: build test_acquire_cred - - * test_acquire_cred.c: simple gss_acquire_cred test - -2003-04-02 Love Hörnquist Åstrand - - * gss_acquire_cred.3: s/gssapi/GSS-API/ - -2003-03-19 Love Hörnquist Åstrand - - * gss_acquire_cred.3: document v1 interface (and that they are - obsolete) - -2003-03-18 Love Hörnquist Åstrand - - * gss_acquire_cred.3: list supported mechanism and nametypes - -2003-03-16 Love Hörnquist Åstrand - - * gss_acquire_cred.3: text about gss_display_name - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2 - (libgssapi_la_SOURCES): add all new functions - - * gssapi.3: now that we have a functions, uncomment the missing - ones - - * gss_acquire_cred.3: now that we have a functions, uncomment the - missing ones - - * process_context_token.c: implement gss_process_context_token - - * inquire_names_for_mech.c: implement gss_inquire_names_for_mech - - * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name - - * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech - - * add_cred.c: implement gss_add_cred - - * acquire_cred.c (gss_acquire_cred): more testing of input - argument, make sure output arguments are ok, since we don't know - the time_rec (for now), set it to time_req - - * export_sec_context.c: send lifetime, also set minor_status - - * get_mic.c: set minor_status - - * import_sec_context.c (gss_import_sec_context): add error - checking, pick up lifetime (if there is no lifetime, use - GSS_C_INDEFINITE) - - * init_sec_context.c: take care to set export value to something - sane before we start so caller will have harmless values in them - if then function fails - - * release_buffer.c (gss_release_buffer): set minor_status - - * wrap.c: make sure minor_status get set - - * verify_mic.c (gss_verify_mic_internal): rename verify_mic to - gss_verify_mic_internal and let it take the type as an argument, - (gss_verify_mic): call gss_verify_mic_internal - set minor_status - - * unwrap.c: set minor_status - - * test_oid_set_member.c (gss_test_oid_set_member): use - gss_oid_equal - - * release_oid_set.c (gss_release_oid_set): set minor_status - - * release_name.c (gss_release_name): set minor_status - - * release_cred.c (gss_release_cred): set minor_status - - * add_oid_set_member.c (gss_add_oid_set_member): set minor_status - - * compare_name.c (gss_compare_name): set minor_status - - * compat.c (check_compat): make sure ret have a defined value - - * context_time.c (gss_context_time): set minor_status - - * copy_ccache.c (gss_krb5_copy_ccache): set minor_status - - * create_emtpy_oid_set.c (gss_create_empty_oid_set): set - minor_status - - * delete_sec_context.c (gss_delete_sec_context): set minor_status - - * display_name.c (gss_display_name): set minor_status - - * display_status.c (gss_display_status): use gss_oid_equal, handle - supplementary errors - - * duplicate_name.c (gss_duplicate_name): set minor_status - - * inquire_context.c (gss_inquire_context): set lifetime_rec now - when we know it, set minor_status - - * inquire_cred.c (gss_inquire_cred): take care to set export value - to something sane before we start so caller will have harmless - values in them if the function fails - - * accept_sec_context.c (gss_accept_sec_context): take care to set - export value to something sane before we start so caller will have - harmless values in them if then function fails, set lifetime from - ticket expiration date - - * indicate_mechs.c (gss_indicate_mechs): use - gss_create_empty_oid_set and gss_add_oid_set_member - - * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred, - since there is no ticket transfered in the exported context - - * export_name.c (gss_export_name): export name with - GSS_C_NT_EXPORT_NAME wrapping, not just the principal - - * import_name.c (import_export_name): new function, parses a - GSS_C_NT_EXPORT_NAME - (import_krb5_name): factor out common code of parsing krb5 name - (gss_oid_equal): rename from oid_equal - - * gssapi_locl.h: add prototypes for gss_oid_equal and - gss_verify_mic_internal - - * gssapi.h: comment out the argument names - -2003-03-15 Love Hörnquist Åstrand - - * gssapi.3: add LIST OF FUNCTIONS and copyright/license - - * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/ - - * Makefile.am: man_MANS += gss_aquire_cred.3 - -2003-03-14 Love Hörnquist Åstrand - - * gss_aquire_cred.3: the gssapi api manpage - -2003-03-03 Love Hörnquist Åstrand - - * inquire_context.c: (gss_inquire_context): rename argument open - to open_context - - * gssapi.h (gss_inquire_context): rename argument open to open_context - -2003-02-27 Love Hörnquist Åstrand - - * init_sec_context.c (do_delegation): remove unused variable - subkey - - * gssapi.3: all 0.5.x version had broken token delegation - -2003-02-21 Love Hörnquist Åstrand - - * (init_auth): only generate one subkey - -2003-01-27 Love Hörnquist Åstrand - - * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform - to rfc (and mit kerberos), provide backward compat hook - - * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and - mit kerberos), provide backward compat hook - - * init_sec_context.c (init_auth): check if we need compat for - older get_mic/verify_mic - - * gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat - - * gssapi.h (more_flags): add COMPAT_OLD_DES3 - - * Makefile.am: add gssapi.3 and compat.c - - * gssapi.3: add gssapi COMPATIBILITY documentation - - * accept_sec_context.c (gss_accept_sec_context): check if we need - compat for older get_mic/verify_mic - - * compat.c: check for compatiblity with other heimdal's 3des - get_mic/verify_mic - -2002-10-31 Johan Danielsson - - * check return value from gssapi_krb5_init - - * 8003.c (gssapi_krb5_verify_8003_checksum): check size of input - -2002-09-03 Johan Danielsson - - * wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE - - * unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE - -2002-09-02 Johan Danielsson - - * init_sec_context.c: we need to generate a local subkey here - -2002-08-20 Jacques Vidrine - - * acquire_cred.c, inquire_cred.c, release_cred.c: Use default - credential resolution if gss_acquire_cred is called with - GSS_C_NO_NAME. - -2002-06-20 Jacques Vidrine - - * import_name.c: Compare name types by value if pointers do - not match. Reported by: "Douglas E. Engert" - -2002-05-20 Jacques Vidrine - - * verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize - the qop_state parameter. from Doug Rabson - -2002-05-09 Jacques Vidrine - - * acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH - -2002-05-08 Jacques Vidrine - - * acquire_cred.c: initialize gssapi; handle null desired_name - -2002-03-22 Johan Danielsson - - * Makefile.am: remove non-functional stuff accidentally committed - -2002-03-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2 - * 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel - bindings - -2001-10-31 Jacques Vidrine - - * get_mic.c (mic_des3): MIC computation using DES3/SHA1 - was bogusly appending the message buffer to the result, - overwriting a heap buffer in the process. - -2001-08-29 Assar Westerlund - - * 8003.c (gssapi_krb5_verify_8003_checksum, - gssapi_krb5_create_8003_checksum): make more consistent by always - returning an gssapi error and setting minor status. update - callers - -2001-08-28 Jacques Vidrine - - * accept_sec_context.c: Create a cache for delegated credentials - when needed. - -2001-08-28 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2 - -2001-08-23 Assar Westerlund - - * *.c: handle minor_status more consistently - - * display_status.c (gss_display_status): handle krb5_get_err_text - failing - -2001-08-15 Johan Danielsson - - * gssapi_locl.h: fix prototype for gssapi_krb5_init - -2001-08-13 Johan Danielsson - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): init - context and check return value from kt_resolve - - * init.c: return error code - -2001-07-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2 - -2001-07-12 Assar Westerlund - - * Makefile.am (libgssapi_la_LIBADD): add required library - dependencies - -2001-07-06 Assar Westerlund - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): set - the keytab to be used for gss_acquire_cred too' - -2001-07-03 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2 - -2001-06-18 Assar Westerlund - - * wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * verify_mic.c: update krb5_auth_con function names use - gss_krb5_get_remotekey - * unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey): - add prototypes - * get_mic.c: update krb5_auth_con function names. use - gss_krb5_get_localkey - * accept_sec_context.c: update krb5_auth_con function names - -2001-05-17 Assar Westerlund - - * Makefile.am: bump version to 3:1:2 - -2001-05-14 Assar Westerlund - - * address_to_krb5addr.c: adapt to new address functions - -2001-05-11 Assar Westerlund - - * try to return the error string from libkrb5 where applicable - -2001-05-08 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): remember to free - the memory used by the ticket itself. from - -2001-05-04 Assar Westerlund - - * gssapi_locl.h: add config.h for completeness - * gssapi.h: remove config.h, this is an installed header file - sys/types.h is not needed either - -2001-03-12 Assar Westerlund - - * acquire_cred.c (gss_acquire_cred): remove memory leaks. from - Jason R Thorpe - -2001-02-18 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): either return - gss_name NULL-ed or set - - * import_name.c: set minor_status in some cases where it was not - done - -2001-02-15 Assar Westerlund - - * wrap.c: use krb5_generate_random_block for the confounders - -2001-01-30 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2 - * acquire_cred.c, init_sec_context.c, release_cred.c: add support - for getting creds from a keytab, from fvdl@netbsd.org - - * copy_ccache.c: add gss_krb5_copy_ccache - -2001-01-27 Assar Westerlund - - * get_mic.c: cast parameters to des function to non-const pointers - to handle the case where these functions actually take non-const - des_cblock * - -2001-01-09 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2 - instead of krb5_rd_cred - -2000-12-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1 - -2000-12-08 Assar Westerlund - - * wrap.c (wrap_des3): use the checksum as ivec when encrypting the - sequence number - * unwrap.c (unwrap_des3): use the checksum as ivec when encrypting - the sequence number - * init_sec_context.c (init_auth): always zero fwd_data - -2000-12-06 Johan Danielsson - - * accept_sec_context.c: de-pointerise auth_context parameter to - krb5_mk_rep - -2000-11-15 Assar Westerlund - - * init_sec_context.c (init_auth): update to new - krb5_build_authenticator - -2000-09-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1 - -2000-08-27 Assar Westerlund - - * init_sec_context.c: actually pay attention to `time_req' - * init_sec_context.c: re-organize. leak less memory. - * gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey): - update prototypes add assert.h - * gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD): - add - * verify_mic.c: re-organize and add 3DES code - * wrap.c: re-organize and add 3DES code - * unwrap.c: re-organize and add 3DES code - * get_mic.c: re-organize and add 3DES code - * encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data', - let the caller do that. fix the callers. - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 2:1:1 - -2000-07-29 Assar Westerlund - - * decapsulate.c (gssapi_krb5_verify_header): sanity-check length - -2000-07-25 Johan Danielsson - - * Makefile.am: bump version to 2:0:1 - -2000-07-22 Assar Westerlund - - * gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other - details from rfc2744 - -2000-06-29 Assar Westerlund - - * address_to_krb5addr.c (gss_address_to_krb5addr): actually use - `int' instead of `sa_family_t' for the address family. - -2000-06-21 Assar Westerlund - - * add support for token delegation. From Daniel Kouril - and Miroslav Ruda - -2000-05-15 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1 - -2000-04-12 Assar Westerlund - - * release_oid_set.c (gss_release_oid_set): clear set for - robustness. From GOMBAS Gabor - * release_name.c (gss_release_name): reset input_name for - robustness. From GOMBAS Gabor - * release_buffer.c (gss_release_buffer): set value to NULL to be - more robust. From GOMBAS Gabor - * add_oid_set_member.c (gss_add_oid_set_member): actually check if - the oid is a member first. leave the oid_set unchanged if realloc - fails. - -2000-02-13 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -2000-02-12 Assar Westerlund - - * gssapi_locl.h: add flags for import/export - * import_sec_context.c (import_sec_context: add flags for what - fields are included. do not include the authenticator for now. - * export_sec_context.c (export_sec_context: add flags for what - fields are included. do not include the authenticator for now. - * accept_sec_context.c (gss_accept_sec_context): set target in - context_handle - -2000-02-11 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): set context to - GSS_C_NO_CONTEXT - - * Makefile.am: add {export,import}_sec_context.c - * export_sec_context.c: new file - * import_sec_context.c: new file - * accept_sec_context.c (gss_accept_sec_context): set trans flag - -2000-02-07 Assar Westerlund - - * Makefile.am: set version to 0:5:0 - -2000-01-26 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): handle a NULL - output_token - - * wrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * verify_mic.c: update to pseudo-standard APIs for md4,md5,sha. - some changes to libdes calls to make them more portable. - * unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * 8003.c: update to pseudo-standard APIs for md4,md5,sha. - -2000-01-06 Assar Westerlund - - * Makefile.am: set version to 0:4:0 - -1999-12-26 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): always set - `output_token' - * init_sec_context.c (init_auth): always initialize `output_token' - * delete_sec_context.c (gss_delete_sec_context): always set - `output_token' - -1999-12-06 Assar Westerlund - - * Makefile.am: bump version to 0:3:0 - -1999-10-20 Assar Westerlund - - * Makefile.am: set version to 0:2:0 - -1999-09-21 Assar Westerlund - - * init_sec_context.c (gss_init_sec_context): initialize `ticket' - - * gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick. - - * delete_sec_context.c (gss_delete_sec_context): free ticket - - * accept_sec_context.c (gss_accept_sec_context): stove away - `krb5_ticket' in context so that ugly programs such as - gss_nt_server can get at it. uck. - -1999-09-20 Johan Danielsson - - * accept_sec_context.c: set minor_status - -1999-08-04 Assar Westerlund - - * display_status.c (calling_error, routine_error): right shift the - code to make it possible to index into the arrays - -1999-07-28 Assar Westerlund - - * gssapi.h (GSS_C_AF_INET6): add - - * import_name.c (import_hostbased_name): set minor_status - -1999-07-26 Assar Westerlund - - * Makefile.am: set version to 0:1:0 - -Wed Apr 7 14:05:15 1999 Johan Danielsson - - * display_status.c: set minor_status - - * init_sec_context.c: set minor_status - - * lib/gssapi/init.c: remove donep (check gssapi_krb5_context - directly) - diff --git a/lib/gssapi/krb5/Makefile.am b/lib/gssapi/krb5/Makefile.am deleted file mode 100644 index ddfc2fe0a..000000000 --- a/lib/gssapi/krb5/Makefile.am +++ /dev/null @@ -1,98 +0,0 @@ -# $Id$ - -include $(top_srcdir)/Makefile.am.common - -AM_CPPFLAGS += -I$(srcdir)/../krb5 \ - -I${srcdir}/../asn1/include \ - $(INCLUDE_des) \ - $(INCLUDE_krb4) - -spnego_files = \ - asn1_ContextFlags.x \ - asn1_MechType.x \ - asn1_MechTypeList.x \ - asn1_NegotiationToken.x \ - asn1_NegTokenInit.x \ - asn1_NegTokenTarg.x - -BUILT_SOURCES = $(spnego_files:.x=.c) - -lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 4:0:0 -libgssapi_la_LIBADD = \ - ../krb5/libkrb5.la \ - $(LIB_des) \ - ../asn1/libasn1.la \ - $(LIB_roken) - -man_MANS = gssapi.3 gss_acquire_cred.3 - -include_HEADERS = gssapi.h - -libgssapi_la_SOURCES = \ - $(BUILT_SOURCES) \ - 8003.c \ - accept_sec_context.c \ - acquire_cred.c \ - add_cred.c \ - add_oid_set_member.c \ - arcfour.c \ - canonicalize_name.c \ - ccache_name.c \ - cfx.c \ - compare_name.c \ - compat.c \ - context_time.c \ - copy_ccache.c \ - create_emtpy_oid_set.c \ - decapsulate.c \ - delete_sec_context.c \ - display_name.c \ - display_status.c \ - duplicate_name.c \ - encapsulate.c \ - export_sec_context.c \ - export_name.c \ - external.c \ - get_mic.c \ - gssapi.h \ - gssapi_locl.h \ - import_name.c \ - import_sec_context.c \ - indicate_mechs.c \ - init.c \ - init_sec_context.c \ - inquire_context.c \ - inquire_cred.c \ - inquire_cred_by_mech.c \ - inquire_mechs_for_name.c \ - inquire_names_for_mech.c \ - release_buffer.c \ - release_cred.c \ - release_name.c \ - release_oid_set.c \ - sequence.c \ - process_context_token.c \ - ticket_flags.c \ - test_oid_set_member.c \ - unwrap.c \ - v1.c \ - verify_mic.c \ - wrap.c \ - address_to_krb5addr.c - -CLEANFILES = $(BUILT_SOURCES) $(spnego_files) spnego_asn1.h asn1_files - -$(spnego_files) spnego_asn1.h: asn1_files - -asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1 - ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego.asn1 spnego_asn1 - -$(libgssapi_la_OBJECTS): spnego_asn1.h - -TESTS = test_sequence - -check_PROGRAMS = test_acquire_cred $(TESTS) - -noinst_PROGRAMS = test_cred -LDADD = libgssapi.la $(LIB_roken) diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c deleted file mode 100644 index da3a4edc1..000000000 --- a/lib/gssapi/krb5/accept_sec_context.c +++ /dev/null @@ -1,974 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; -krb5_keytab gssapi_krb5_keytab; - -OM_uint32 -gsskrb5_register_acceptor_identity (const char *identity) -{ - krb5_error_code ret; - - ret = gssapi_krb5_init(); - if(ret) - return GSS_S_FAILURE; - - HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - - if(gssapi_krb5_keytab != NULL) { - krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); - gssapi_krb5_keytab = NULL; - } - if (identity == NULL) { - ret = krb5_kt_default(gssapi_krb5_context, &gssapi_krb5_keytab); - } else { - char *p; - - asprintf(&p, "FILE:%s", identity); - if(p == NULL) { - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - return GSS_S_FAILURE; - } - ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); - free(p); - } - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) - return GSS_S_FAILURE; - return GSS_S_COMPLETE; -} - -void -gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx) -{ - krb5_keyblock *key; - int acceptor = (context_handle->more_flags & LOCAL) == 0; - - if (acceptor) { - if (context_handle->auth_context->local_subkey) - key = context_handle->auth_context->local_subkey; - else - key = context_handle->auth_context->remote_subkey; - } else { - if (context_handle->auth_context->remote_subkey) - key = context_handle->auth_context->remote_subkey; - else - key = context_handle->auth_context->local_subkey; - } - if (key == NULL) - key = context_handle->auth_context->keyblock; - - if (key == NULL) - return; - - switch (key->keytype) { - case ETYPE_DES_CBC_CRC: - case ETYPE_DES_CBC_MD4: - case ETYPE_DES_CBC_MD5: - case ETYPE_DES3_CBC_MD5: - case ETYPE_DES3_CBC_SHA1: - case ETYPE_ARCFOUR_HMAC_MD5: - case ETYPE_ARCFOUR_HMAC_MD5_56: - break; - default : - *is_cfx = 1; - if ((acceptor && context_handle->auth_context->local_subkey) || - (!acceptor && context_handle->auth_context->remote_subkey)) - context_handle->more_flags |= ACCEPTOR_SUBKEY; - break; - } -} - - -static OM_uint32 -gsskrb5_accept_delegated_token - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - krb5_data *fwd_data, - OM_uint32 *flags, - krb5_principal principal, - gss_cred_id_t * delegated_cred_handle - ) -{ - krb5_ccache ccache = NULL; - krb5_error_code kret; - int32_t ac_flags, ret; - gss_cred_id_t handle = NULL; - - if (delegated_cred_handle == NULL) { - /* XXX Create a new delegated_cred_handle? */ - - ret = 0; - - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - } else { - - *delegated_cred_handle = NULL; - - handle = calloc(1, sizeof(*handle)); - if (handle == NULL) { - ret = GSS_S_FAILURE; - *minor_status = ENOMEM; - krb5_set_error_string(gssapi_krb5_context, "out of memory"); - gssapi_krb5_set_error_string(); - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - if ((ret = gss_duplicate_name(minor_status, principal, - &handle->principal)) != 0) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = 0; - goto end_fwd; - } - kret = krb5_cc_gen_new (gssapi_krb5_context, - &krb5_mcc_ops, - &handle->ccache); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = 0; - goto end_fwd; - } - ccache = handle->ccache; - - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - } - - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, principal); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = 0; - goto end_fwd; - } - - krb5_auth_con_removeflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_TIME, - &ac_flags); - kret = krb5_rd_cred2(gssapi_krb5_context, - (*context_handle)->auth_context, - ccache, - fwd_data); - if (kret) - gssapi_krb5_set_error_string(); - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - ac_flags); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = GSS_S_FAILURE; - *minor_status = kret; - goto end_fwd; - } - end_fwd: - /* if there was some kind of failure, clean up internal structures */ - if ((*flags & GSS_C_DELEG_FLAG) == 0) { - if (handle) { - if (handle->principal) - gss_release_name(minor_status, &handle->principal); - if (handle->mechanisms) - gss_release_oid_set(NULL, &handle->mechanisms); - if (handle->ccache) - krb5_cc_destroy(gssapi_krb5_context, handle->ccache); - free(handle); - handle = NULL; - } - } - if (delegated_cred_handle == NULL) { - if (ccache) - krb5_cc_close(gssapi_krb5_context, ccache); - } - if (handle) - *delegated_cred_handle = handle; - - return ret; -} - - -static OM_uint32 -gsskrb5_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - OM_uint32 flags; - krb5_ticket *ticket = NULL; - krb5_keytab keytab = NULL; - krb5_data fwd_data; - OM_uint32 minor; - int is_cfx = 0; - - GSSAPI_KRB5_INIT(); - - krb5_data_zero (&fwd_data); - output_token->length = 0; - output_token->value = NULL; - - if (src_name != NULL) - *src_name = NULL; - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (*context_handle == GSS_C_NO_CONTEXT) { - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == GSS_C_NO_CONTEXT) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - } - - HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - (*context_handle)->order = NULL; - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS - && input_chan_bindings->application_data.length == - 2 * sizeof((*context_handle)->auth_context->local_port) - ) { - - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - (*context_handle)->auth_context->remote_port = - *(int16_t *) input_chan_bindings->application_data.value; - - (*context_handle)->auth_context->local_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - (*context_handle)->auth_context->local_port, - &acceptor_addr); - if (kret) { - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - (*context_handle)->auth_context->remote_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - (*context_handle)->auth_context, - &acceptor_addr, /* local address */ - &initiator_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - if (kret) { - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - } - - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); - - ret = gssapi_krb5_decapsulate (minor_status, - input_token_buffer, - &indata, - "\x01\x00", - GSS_KRB5_MECHANISM); - if (ret) - goto failure; - - HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; - } - } else if (acceptor_cred_handle->keytab != NULL) { - keytab = acceptor_cred_handle->keytab; - } - - kret = krb5_rd_req (gssapi_krb5_context, - &(*context_handle)->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL - : acceptor_cred_handle->principal, - keytab, - &ap_options, - &ticket); - - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - &(*context_handle)->source); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->server, - &(*context_handle)->target); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - if (src_name != NULL) { - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - src_name); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - } - - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, - (*context_handle)->auth_context, - &authenticator); - if(kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - ret = gssapi_krb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &flags, - &fwd_data); - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - if (ret) - goto failure; - } - - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) - *ret_flags = flags; - (*context_handle)->lifetime = ticket->ticket.endtime; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= OPEN; - - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - if (ret) - goto failure; - } - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - if(flags & GSS_C_MUTUAL_FLAG) { - krb5_data outbuf; - - if (is_cfx != 0 - || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); - (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; - } - - kret = krb5_mk_rep (gssapi_krb5_context, - (*context_handle)->auth_context, - &outbuf); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - ret = gssapi_krb5_encapsulate (minor_status, - &outbuf, - output_token, - "\x02\x00", - GSS_KRB5_MECHANISM); - krb5_data_free (&outbuf); - if (ret) - goto failure; - } - - (*context_handle)->ticket = ticket; - - { - int32_t seq_number; - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, - &seq_number); - ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f(flags), - seq_number, 0, is_cfx); - if (ret) - goto failure; - - if ((flags & GSS_C_MUTUAL_FLAG) == 0 && _gssapi_msg_order_f(flags)) { - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, - seq_number); - } - } - - if (fwd_data.length > 0) { - - if (flags & GSS_C_DELEG_FLAG) { - ret = gsskrb5_accept_delegated_token(minor_status, - context_handle, - &fwd_data, - &flags, - ticket->client, - delegated_cred_handle); - if (ret) - goto failure; - } - free(fwd_data.data); - krb5_data_zero(&fwd_data); - } - - *minor_status = 0; - return GSS_S_COMPLETE; - - failure: - if (fwd_data.length > 0) - free(fwd_data.data); - if (ticket != NULL) - krb5_free_ticket (gssapi_krb5_context, ticket); - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - free (*context_handle); - if (src_name != NULL) { - gss_release_name (&minor, src_name); - *src_name = NULL; - } - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} - -static OM_uint32 -code_NegTokenArg(OM_uint32 *minor_status, - const NegTokenTarg *targ, - krb5_data *data, - u_char **ret_buf) -{ - OM_uint32 ret; - u_char *buf; - size_t buf_size, buf_len; - - buf_size = 1024; - buf = malloc(buf_size); - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - do { - ret = encode_NegTokenTarg(buf + buf_size - 1, - buf_size, - targ, &buf_len); - if (ret == 0) { - size_t tmp; - - ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, - buf_size - buf_len, - buf_len, - ASN1_C_CONTEXT, - CONS, - 1, - &tmp); - if (ret == 0) - buf_len += tmp; - } - if (ret) { - if (ret == ASN1_OVERFLOW) { - u_char *tmp; - - buf_size *= 2; - tmp = realloc (buf, buf_size); - if (tmp == NULL) { - *minor_status = ENOMEM; - free(buf); - return GSS_S_FAILURE; - } - buf = tmp; - } else { - *minor_status = ret; - free(buf); - return GSS_S_FAILURE; - } - } - } while (ret == ASN1_OVERFLOW); - - data->data = buf + buf_size - buf_len; - data->length = buf_len; - *ret_buf = buf; - return GSS_S_COMPLETE; -} - -static OM_uint32 -send_reject (OM_uint32 *minor_status, - gss_buffer_t output_token) -{ - NegTokenTarg targ; - krb5_data data; - u_char *buf; - OM_uint32 ret; - - ALLOC(targ.negResult, 1); - if (targ.negResult == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *(targ.negResult) = reject; - targ.supportedMech = NULL; - targ.responseToken = NULL; - targ.mechListMIC = NULL; - - ret = code_NegTokenArg (minor_status, &targ, &data, &buf); - free_NegTokenTarg(&targ); - if (ret) - return ret; - -#if 0 - ret = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); -#else - output_token->value = malloc(data.length); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - ret = GSS_S_FAILURE; - } else { - output_token->length = data.length; - memcpy(output_token->value, data.data, output_token->length); - } -#endif - free(buf); - if (ret) - return ret; - return GSS_S_BAD_MECH; -} - -static OM_uint32 -send_accept (OM_uint32 *minor_status, - OM_uint32 major_status, - gss_buffer_t output_token, - gss_buffer_t mech_token, - gss_ctx_id_t context_handle, - const MechTypeList *mechtypelist) -{ - NegTokenTarg targ; - krb5_data data; - u_char *buf; - OM_uint32 ret; - gss_buffer_desc mech_buf, mech_mic_buf; - krb5_boolean require_mic; - - memset(&targ, 0, sizeof(targ)); - ALLOC(targ.negResult, 1); - if (targ.negResult == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *(targ.negResult) = accept_completed; - - ALLOC(targ.supportedMech, 1); - if (targ.supportedMech == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - targ.supportedMech, - NULL); - if (ret) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - if (mech_token != NULL && mech_token->length != 0) { - ALLOC(targ.responseToken, 1); - if (targ.responseToken == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - targ.responseToken->length = mech_token->length; - targ.responseToken->data = mech_token->value; - mech_token->length = 0; - mech_token->value = NULL; - } else { - targ.responseToken = NULL; - } - - ret = _gss_spnego_require_mechlist_mic(minor_status, context_handle, - &require_mic); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - if (major_status == GSS_S_COMPLETE && require_mic) { - size_t buf_len; - - ALLOC(targ.mechListMIC, 1); - if (targ.mechListMIC == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, - mechtypelist, &buf_len, ret); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - if (mech_buf.length != buf_len) - abort(); - - ret = gss_get_mic(minor_status, context_handle, 0, &mech_buf, - &mech_mic_buf); - free (mech_buf.value); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - targ.mechListMIC->length = mech_mic_buf.length; - targ.mechListMIC->data = mech_mic_buf.value; - } else - targ.mechListMIC = NULL; - - ret = code_NegTokenArg (minor_status, &targ, &data, &buf); - free_NegTokenTarg(&targ); - if (ret) - return ret; - -#if 0 - ret = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); -#else - output_token->value = malloc(data.length); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - ret = GSS_S_FAILURE; - } else { - output_token->length = data.length; - memcpy(output_token->value, data.data, output_token->length); - } -#endif - free(buf); - if (ret) - return ret; - return GSS_S_COMPLETE; -} - -static OM_uint32 -spnego_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret, ret2; - NegTokenInit ni; - size_t ni_len; - int i; - int found = 0; - krb5_data data; - size_t len, taglen; - - output_token->length = 0; - output_token->value = NULL; - - ret = _gssapi_decapsulate (minor_status, - input_token_buffer, - &data, - GSS_SPNEGO_MECHANISM); - if (ret) - return ret; - - ret = der_match_tag_and_length(data.data, data.length, - ASN1_C_CONTEXT, CONS, 0, &len, &taglen); - if (ret) - return ret; - - if(len > data.length - taglen) - return ASN1_OVERRUN; - - ret = decode_NegTokenInit((const char *)data.data + taglen, len, - &ni, &ni_len); - if (ret) - return GSS_S_DEFECTIVE_TOKEN; - - if (ni.mechTypes == NULL) { - free_NegTokenInit(&ni); - return send_reject (minor_status, output_token); - } - - for (i = 0; !found && i < ni.mechTypes->len; ++i) { - char mechbuf[17]; - size_t mech_len; - - ret = der_put_oid (mechbuf + sizeof(mechbuf) - 1, - sizeof(mechbuf), - &ni.mechTypes->val[i], - &mech_len); - if (ret) { - free_NegTokenInit(&ni); - return GSS_S_DEFECTIVE_TOKEN; - } - if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(GSS_KRB5_MECHANISM->elements, - mechbuf + sizeof(mechbuf) - mech_len, - mech_len) == 0) - found = 1; - } - if (found) { - gss_buffer_desc ibuf, obuf; - gss_buffer_t ot = NULL; - OM_uint32 minor; - - if (ni.mechToken != NULL) { - ibuf.length = ni.mechToken->length; - ibuf.value = ni.mechToken->data; - - ret = gsskrb5_accept_sec_context(&minor, - context_handle, - acceptor_cred_handle, - &ibuf, - input_chan_bindings, - src_name, - mech_type, - &obuf, - ret_flags, - time_rec, - delegated_cred_handle); - if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { - ot = &obuf; - } else { - free_NegTokenInit(&ni); - send_reject (minor_status, output_token); - return ret; - } - } - ret2 = send_accept (minor_status, ret, output_token, ot, - *context_handle, ni.mechTypes); - if (ret2 != GSS_S_COMPLETE) - ret = ret2; - if (ot != NULL) - gss_release_buffer(&minor, ot); - free_NegTokenInit(&ni); - return ret; - } else { - free_NegTokenInit(&ni); - return send_reject (minor_status, output_token); - } -} - -OM_uint32 -gss_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret; - ssize_t mech_len; - const u_char *p; - - *minor_status = 0; - - mech_len = gssapi_krb5_get_mech (input_token_buffer->value, - input_token_buffer->length, - &p); - if (mech_len < 0) - return GSS_S_DEFECTIVE_TOKEN; - if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0) - ret = gsskrb5_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) - ret = spnego_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - else - return GSS_S_BAD_MECH; - - return ret; -} diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c deleted file mode 100644 index 7f7e90f35..000000000 --- a/lib/gssapi/krb5/acquire_cred.c +++ /dev/null @@ -1,327 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static krb5_error_code -get_keytab(krb5_keytab *keytab) -{ - char kt_name[256]; - krb5_error_code kret; - - HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - - if (gssapi_krb5_keytab != NULL) { - kret = krb5_kt_get_name(gssapi_krb5_context, - gssapi_krb5_keytab, - kt_name, sizeof(kt_name)); - if (kret == 0) - kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab); - } else - kret = krb5_kt_default(gssapi_krb5_context, keytab); - - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - - return (kret); -} - -static OM_uint32 acquire_initiator_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_creds cred; - krb5_principal def_princ; - krb5_get_init_creds_opt *opt; - krb5_ccache ccache; - krb5_keytab keytab; - krb5_error_code kret; - - keytab = NULL; - ccache = NULL; - def_princ = NULL; - ret = GSS_S_FAILURE; - memset(&cred, 0, sizeof(cred)); - - kret = krb5_cc_default(gssapi_krb5_context, &ccache); - if (kret) - goto end; - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, - &def_princ); - if (kret != 0) { - /* we'll try to use a keytab below */ - krb5_cc_destroy(gssapi_krb5_context, ccache); - ccache = NULL; - kret = 0; - } else if (handle->principal == NULL) { - kret = krb5_copy_principal(gssapi_krb5_context, def_princ, - &handle->principal); - if (kret) - goto end; - } else if (handle->principal != NULL && - krb5_principal_compare(gssapi_krb5_context, handle->principal, - def_princ) == FALSE) { - /* Before failing, lets check the keytab */ - krb5_free_principal(gssapi_krb5_context, def_princ); - def_princ = NULL; - } - if (def_princ == NULL) { - /* We have no existing credentials cache, - * so attempt to get a TGT using a keytab. - */ - if (handle->principal == NULL) { - kret = krb5_get_default_principal(gssapi_krb5_context, - &handle->principal); - if (kret) - goto end; - } - kret = get_keytab(&keytab); - if (kret) - goto end; - kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt); - if (kret) - goto end; - kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred, - handle->principal, keytab, 0, NULL, opt); - krb5_get_init_creds_opt_free(opt); - if (kret) - goto end; - kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, - &ccache); - if (kret) - goto end; - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client); - if (kret) - goto end; - kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred); - if (kret) - goto end; - handle->lifetime = cred.times.endtime; - } else { - krb5_creds in_cred, *out_cred; - krb5_const_realm realm; - - memset(&in_cred, 0, sizeof(in_cred)); - in_cred.client = handle->principal; - - realm = krb5_principal_get_realm(gssapi_krb5_context, - handle->principal); - if (realm == NULL) { - kret = KRB5_PRINC_NOMATCH; /* XXX */ - goto end; - } - - kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server, - realm, KRB5_TGS_NAME, realm, NULL); - if (kret) - goto end; - - kret = krb5_get_credentials(gssapi_krb5_context, 0, - ccache, &in_cred, &out_cred); - krb5_free_principal(gssapi_krb5_context, in_cred.server); - if (kret) - goto end; - - handle->lifetime = out_cred->times.endtime; - krb5_free_creds(gssapi_krb5_context, out_cred); - } - - handle->ccache = ccache; - ret = GSS_S_COMPLETE; - -end: - if (cred.client != NULL) - krb5_free_cred_contents(gssapi_krb5_context, &cred); - if (def_princ != NULL) - krb5_free_principal(gssapi_krb5_context, def_princ); - if (keytab != NULL) - krb5_kt_close(gssapi_krb5_context, keytab); - if (ret != GSS_S_COMPLETE) { - if (ccache != NULL) - krb5_cc_close(gssapi_krb5_context, ccache); - if (kret != 0) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - } - } - return (ret); -} - -static OM_uint32 acquire_acceptor_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_error_code kret; - - kret = 0; - ret = GSS_S_FAILURE; - kret = get_keytab(&handle->keytab); - if (kret) - goto end; - ret = GSS_S_COMPLETE; - -end: - if (ret != GSS_S_COMPLETE) { - if (handle->keytab != NULL) - krb5_kt_close(gssapi_krb5_context, handle->keytab); - if (kret != 0) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - } - } - return (ret); -} - -OM_uint32 gss_acquire_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - gss_cred_id_t handle; - OM_uint32 ret; - - if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return GSS_S_FAILURE; - } - - GSSAPI_KRB5_INIT (); - - *output_cred_handle = NULL; - if (time_rec) - *time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - - if (desired_mechs) { - int present = 0; - - ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - desired_mechs, &present); - if (ret) - return ret; - if (!present) { - *minor_status = 0; - return GSS_S_BAD_MECH; - } - } - - handle = (gss_cred_id_t)malloc(sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - - memset(handle, 0, sizeof (*handle)); - HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - - if (desired_name != GSS_C_NO_NAME) { - ret = gss_duplicate_name(minor_status, desired_name, - &handle->principal); - if (ret != GSS_S_COMPLETE) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - free(handle); - return (ret); - } - } - if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { - ret = acquire_initiator_cred(minor_status, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); - if (ret != GSS_S_COMPLETE) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); - free(handle); - return (ret); - } - } - if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { - ret = acquire_acceptor_cred(minor_status, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); - if (ret != GSS_S_COMPLETE) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); - free(handle); - return (ret); - } - } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL, - actual_mechs); - if (ret != GSS_S_COMPLETE) { - if (handle->mechanisms != NULL) - gss_release_oid_set(NULL, &handle->mechanisms); - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); - free(handle); - return (ret); - } - *minor_status = 0; - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - handle->lifetime, - time_rec); - - if (ret) - return ret; - } - handle->usage = cred_usage; - *output_cred_handle = handle; - return (GSS_S_COMPLETE); -} diff --git a/lib/gssapi/krb5/add_cred.c b/lib/gssapi/krb5/add_cred.c deleted file mode 100644 index 6c160333f..000000000 --- a/lib/gssapi/krb5/add_cred.c +++ /dev/null @@ -1,244 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_add_cred ( - OM_uint32 *minor_status, - const gss_cred_id_t input_cred_handle, - const gss_name_t desired_name, - const gss_OID desired_mech, - gss_cred_usage_t cred_usage, - OM_uint32 initiator_time_req, - OM_uint32 acceptor_time_req, - gss_cred_id_t *output_cred_handle, - gss_OID_set *actual_mechs, - OM_uint32 *initiator_time_rec, - OM_uint32 *acceptor_time_rec) -{ - OM_uint32 ret, lifetime; - gss_cred_id_t cred, handle; - - handle = NULL; - cred = input_cred_handle; - - if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_S_BAD_MECH; - } - - if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) { - *minor_status = 0; - return GSS_S_NO_CRED; - } - - /* check if requested output usage is compatible with output usage */ - if (output_cred_handle != NULL) { - HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return(GSS_S_FAILURE); - } - } - - /* check that we have the same name */ - if (desired_name != GSS_C_NO_NAME && - krb5_principal_compare(gssapi_krb5_context, desired_name, - cred->principal) != FALSE) { - if (output_cred_handle) - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - /* make a copy */ - if (output_cred_handle) { - - handle = (gss_cred_id_t)malloc(sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - - memset(handle, 0, sizeof (*handle)); - - handle->usage = cred_usage; - handle->lifetime = cred->lifetime; - handle->principal = NULL; - handle->keytab = NULL; - handle->ccache = NULL; - handle->mechanisms = NULL; - HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - - ret = GSS_S_FAILURE; - - ret = gss_duplicate_name(minor_status, cred->principal, - &handle->principal); - if (ret) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - free(handle); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - if (cred->keytab) { - krb5_error_code kret; - char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; - int len; - - ret = GSS_S_FAILURE; - - kret = krb5_kt_get_type(gssapi_krb5_context, cred->keytab, - name, KRB5_KT_PREFIX_MAX_LEN); - if (kret) { - *minor_status = kret; - goto failure; - } - len = strlen(name); - name[len++] = ':'; - - kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab, - name + len, - sizeof(name) - len); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_kt_resolve(gssapi_krb5_context, name, - &handle->keytab); - if (kret){ - *minor_status = kret; - goto failure; - } - } - - if (cred->ccache) { - krb5_error_code kret; - const char *type, *name; - char *type_name; - - ret = GSS_S_FAILURE; - - type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache); - if (type == NULL){ - *minor_status = ENOMEM; - goto failure; - } - - if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, - &handle->ccache); - if (ret) { - *minor_status = ret; - goto failure; - } - - ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, - handle->ccache); - if (ret) { - *minor_status = ret; - goto failure; - } - - } else { - name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); - if (name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - asprintf(&type_name, "%s:%s", type, name); - if (type_name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - kret = krb5_cc_resolve(gssapi_krb5_context, type_name, - &handle->ccache); - free(type_name); - if (kret) { - *minor_status = kret; - goto failure; - } - } - } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret) - goto failure; - - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret) - goto failure; - } - - ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime, - NULL, actual_mechs); - if (ret) - goto failure; - - if (initiator_time_rec) - *initiator_time_rec = lifetime; - if (acceptor_time_rec) - *acceptor_time_rec = lifetime; - - if (output_cred_handle) { - *output_cred_handle = handle; - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - } - - *minor_status = 0; - return ret; - - failure: - - if (handle) { - if (handle->principal) - gss_release_name(NULL, &handle->principal); - if (handle->keytab) - krb5_kt_close(gssapi_krb5_context, handle->keytab); - if (handle->ccache) - krb5_cc_destroy(gssapi_krb5_context, handle->ccache); - if (handle->mechanisms) - gss_release_oid_set(NULL, &handle->mechanisms); - free(handle); - } - if (output_cred_handle) - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - return ret; -} diff --git a/lib/gssapi/krb5/add_oid_set_member.c b/lib/gssapi/krb5/add_oid_set_member.c deleted file mode 100644 index f768098bb..000000000 --- a/lib/gssapi/krb5/add_oid_set_member.c +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_add_oid_set_member ( - OM_uint32 * minor_status, - const gss_OID member_oid, - gss_OID_set * oid_set - ) -{ - gss_OID tmp; - size_t n; - OM_uint32 res; - int present; - - res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present); - if (res != GSS_S_COMPLETE) - return res; - - if (present) { - *minor_status = 0; - return GSS_S_COMPLETE; - } - - n = (*oid_set)->count + 1; - tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc)); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - (*oid_set)->elements = tmp; - (*oid_set)->count = n; - (*oid_set)->elements[n-1] = *member_oid; - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/address_to_krb5addr.c b/lib/gssapi/krb5/address_to_krb5addr.c deleted file mode 100644 index 13a6825f5..000000000 --- a/lib/gssapi/krb5/address_to_krb5addr.c +++ /dev/null @@ -1,76 +0,0 @@ -/* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -#include - -krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address) -{ - int addr_type; - struct sockaddr sa; - krb5_socklen_t sa_size = sizeof(sa); - krb5_error_code problem; - - if (gss_addr == NULL) - return GSS_S_FAILURE; - - switch (gss_addr_type) { -#ifdef HAVE_IPV6 - case GSS_C_AF_INET6: addr_type = AF_INET6; - break; -#endif /* HAVE_IPV6 */ - - case GSS_C_AF_INET: addr_type = AF_INET; - break; - default: - return GSS_S_FAILURE; - } - - problem = krb5_h_addr2sockaddr (gssapi_krb5_context, - addr_type, - gss_addr->value, - &sa, - &sa_size, - port); - if (problem) - return GSS_S_FAILURE; - - problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address); - - return problem; -} diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c deleted file mode 100644 index 2c2f012df..000000000 --- a/lib/gssapi/krb5/arcfour.c +++ /dev/null @@ -1,636 +0,0 @@ -/* - * Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt - * - * The arcfour message have the following formats: - * - * MIC token - * TOK_ID[2] = 01 01 - * SGN_ALG[2] = 11 00 - * Filler[4] - * SND_SEQ[8] - * SGN_CKSUM[8] - * - * WRAP token - * TOK_ID[2] = 02 01 - * SGN_ALG[2]; - * SEAL_ALG[2] - * Filler[2] - * SND_SEQ[2] - * SGN_CKSUM[8] - * Confounder[8] - */ - - -static krb5_error_code -arcfour_mic_key(krb5_context context, krb5_keyblock *key, - void *cksum_data, size_t cksum_size, - void *key6_data, size_t key6_size) -{ - krb5_error_code ret; - - Checksum cksum_k5; - krb5_keyblock key5; - char k5_data[16]; - - Checksum cksum_k6; - - char T[4]; - - memset(T, 0, 4); - cksum_k5.checksum.data = k5_data; - cksum_k5.checksum.length = sizeof(k5_data); - - if (key->keytype == KEYTYPE_ARCFOUR_56) { - char L40[14] = "fortybits"; - - memcpy(L40 + 10, T, sizeof(T)); - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - L40, 14, 0, key, &cksum_k5); - memset(&k5_data[7], 0xAB, 9); - } else { - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - T, 4, 0, key, &cksum_k5); - } - if (ret) - return ret; - - key5.keytype = KEYTYPE_ARCFOUR; - key5.keyvalue = cksum_k5.checksum; - - cksum_k6.checksum.data = key6_data; - cksum_k6.checksum.length = key6_size; - - return krb5_hmac(context, CKSUMTYPE_RSA_MD5, - cksum_data, cksum_size, 0, &key5, &cksum_k6); -} - - -static krb5_error_code -arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, - u_char *sgn_cksum, size_t sgn_cksum_sz, - const char *v1, size_t l1, - const void *v2, size_t l2, - const void *v3, size_t l3) -{ - Checksum CKSUM; - u_char *ptr; - size_t len; - krb5_crypto crypto; - krb5_error_code ret; - - assert(sgn_cksum_sz == 8); - - len = l1 + l2 + l3; - - ptr = malloc(len); - if (ptr == NULL) - return ENOMEM; - - memcpy(ptr, v1, l1); - memcpy(ptr + l1, v2, l2); - memcpy(ptr + l1 + l2, v3, l3); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - free(ptr); - return ret; - } - - ret = krb5_create_checksum(gssapi_krb5_context, - crypto, - usage, - 0, - ptr, len, - &CKSUM); - free(ptr); - if (ret == 0) { - memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); - free_Checksum(&CKSUM); - } - krb5_crypto_destroy(gssapi_krb5_context, crypto); - - return ret; -} - - -OM_uint32 -_gssapi_get_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) -{ - krb5_error_code ret; - int32_t seq_number; - size_t len, total_len; - u_char k6_data[16], *p0, *p; - RC4_KEY rc4_key; - - gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(message_token->value, - len, - GSS_KRB5_MECHANISM); - p = p0; - - *p++ = 0x01; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - *p++ = 0xff; - *p++ = 0xff; - - p = NULL; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, Filer */ - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - gss_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - gss_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - p = p0 + 8; /* SND_SEQ */ - gssapi_encode_be_om_uint32(seq_number, p); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4); - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, p); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - - -OM_uint32 -_gssapi_verify_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type) -{ - krb5_error_code ret; - int32_t seq_number; - OM_uint32 omret; - char cksum_data[8], k6_data[16], SND_SEQ[8]; - u_char *p; - int cmp; - - if (qop_state) - *qop_state = 0; - - p = token_buffer->value; - omret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type, - GSS_KRB5_MECHANISM); - if (omret) - return omret; - - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, - cksum_data, sizeof(cksum_data), - p - 8, 8, - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(gssapi_krb5_context, key, - cksum_data, sizeof(cksum_data), - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p + 8, 8); - if (cmp) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, SND_SEQ); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - memset(SND_SEQ, 0, sizeof(SND_SEQ)); - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - omret = _gssapi_msg_order_check(context_handle->order, seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (omret) - return omret; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_wrap_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) -{ - u_char Klocaldata[16], k6_data[16], *p, *p0; - size_t len, total_len, datalen; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number; - - if (conf_state) - *conf_state = 0; - - datalen = input_message_buffer->length + 1 /* padding */; - len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(output_message_buffer->value, - len, - GSS_KRB5_MECHANISM); - p = p0; - - *p++ = 0x02; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - if (conf_req_flag) { - *p++ = 0x10; /* SEAL_ALG */ - *p++ = 0x00; - } else { - *p++ = 0xff; /* SEAL_ALG */ - *p++ = 0xff; - } - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - - p = NULL; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - gssapi_encode_be_om_uint32(seq_number, p0 + 8); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - memset (p0 + 8 + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xff, - 4); - - krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */ - - /* p points to data */ - p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - memcpy(p, input_message_buffer->value, input_message_buffer->length); - p[input_message_buffer->length] = 1; /* PADDING */ - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */ - p0 + 24, 8, /* Confounder */ - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - if (ret) { - *minor_status = ret; - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, - p0 + 8, 4, /* SND_SEQ */ - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - - if(conf_req_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - /* XXX ? */ - RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */ - memset(&rc4_key, 0, sizeof(rc4_key)); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - if (conf_state) - *conf_state = conf_req_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) -{ - u_char Klocaldata[16]; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number; - size_t datalen; - OM_uint32 omret; - char k6_data[16], SND_SEQ[8], Confounder[8]; - char cksum_data[8]; - u_char *p, *p0; - int cmp; - int conf_flag; - size_t padlen; - - if (conf_state) - *conf_state = 0; - if (qop_state) - *qop_state = 0; - - p0 = input_message_buffer->value; - omret = _gssapi_verify_mech_header(&p0, - input_message_buffer->length, - GSS_KRB5_MECHANISM); - if (omret) - return omret; - p = p0; - - datalen = input_message_buffer->length - - (p - ((u_char *)input_message_buffer->value)) - - GSS_ARCFOUR_WRAP_TOKEN_SIZE; - - if (memcmp(p, "\x02\x01", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - - if (memcmp (p, "\x10\x00", 2) == 0) - conf_flag = 1; - else if (memcmp (p, "\xff\xff", 2) == 0) - conf_flag = 0; - else - return GSS_S_BAD_SIG; - - p += 2; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_BAD_MIC; - p = NULL; - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, - SND_SEQ, 4, - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - output_message_buffer->value = malloc(datalen); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - output_message_buffer->length = datalen; - - if(conf_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */ - RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - output_message_buffer->value); - memset(&rc4_key, 0, sizeof(rc4_key)); - } else { - memcpy(Confounder, p0 + 24, 8); /* Confounder */ - memcpy(output_message_buffer->value, - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return ret; - } - output_message_buffer->length -= padlen; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, - cksum_data, sizeof(cksum_data), - p0, 8, - Confounder, sizeof(Confounder), - output_message_buffer->value, - output_message_buffer->length + padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ - if (cmp) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - omret = _gssapi_msg_order_check(context_handle->order, seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (omret) - return omret; - - if (conf_state) - *conf_state = conf_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/arcfour.h b/lib/gssapi/krb5/arcfour.h deleted file mode 100644 index 582359151..000000000 --- a/lib/gssapi/krb5/arcfour.h +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id$ */ - -#ifndef GSSAPI_ARCFOUR_H_ -#define GSSAPI_ARCFOUR_H_ 1 - -#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 - -OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key); - -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key); - -OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key); - -OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key, - char *type); - -#endif /* GSSAPI_ARCFOUR_H_ */ diff --git a/lib/gssapi/krb5/canonicalize_name.c b/lib/gssapi/krb5/canonicalize_name.c deleted file mode 100644 index 9bd51e0d9..000000000 --- a/lib/gssapi/krb5/canonicalize_name.c +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_canonicalize_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - const gss_OID mech_type, - gss_name_t * output_name - ) -{ - return gss_duplicate_name (minor_status, input_name, output_name); -} diff --git a/lib/gssapi/krb5/ccache_name.c b/lib/gssapi/krb5/ccache_name.c deleted file mode 100644 index 4deb350c2..000000000 --- a/lib/gssapi/krb5/ccache_name.c +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright (c) 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -char *last_out_name; - -OM_uint32 -gss_krb5_ccache_name(OM_uint32 *minor_status, - const char *name, - const char **out_name) -{ - krb5_error_code kret; - - *minor_status = 0; - - GSSAPI_KRB5_INIT(); - - if (out_name) { - const char *name; - - if (last_out_name) { - free(last_out_name); - last_out_name = NULL; - } - - name = krb5_cc_default_name(gssapi_krb5_context); - if (name == NULL) { - *minor_status = ENOMEM; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - last_out_name = strdup(name); - if (last_out_name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *out_name = last_out_name; - } - - kret = krb5_cc_set_default_name(gssapi_krb5_context, name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c deleted file mode 100644 index 3d7506280..000000000 --- a/lib/gssapi/krb5/cfx.c +++ /dev/null @@ -1,841 +0,0 @@ -/* - * Copyright (c) 2003, PADL Software Pty Ltd. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of PADL Software nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt - */ - -#define CFXSentByAcceptor (1 << 0) -#define CFXSealed (1 << 1) -#define CFXAcceptorSubkey (1 << 2) - -static krb5_error_code -wrap_length_cfx(krb5_crypto crypto, - int conf_req_flag, - size_t input_length, - size_t *output_length, - size_t *cksumsize, - u_int16_t *padlength) -{ - krb5_error_code ret; - krb5_cksumtype type; - - /* 16-byte header is always first */ - *output_length = sizeof(gss_cfx_wrap_token_desc); - *padlength = 0; - - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, &type); - if (ret) { - return ret; - } - - ret = krb5_checksumsize(gssapi_krb5_context, type, cksumsize); - if (ret) { - return ret; - } - - if (conf_req_flag) { - size_t padsize; - - /* Header is concatenated with data before encryption */ - input_length += sizeof(gss_cfx_wrap_token_desc); - - ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, &padsize); - if (ret) { - return ret; - } - if (padsize > 1) { - /* XXX check this */ - *padlength = padsize - (input_length % padsize); - } - - /* We add the pad ourselves (noted here for completeness only) */ - input_length += *padlength; - - *output_length += krb5_get_wrapped_length(gssapi_krb5_context, - crypto, input_length); - } else { - /* Checksum is concatenated with data */ - *output_length += input_length + *cksumsize; - } - - assert(*output_length > input_length); - - return 0; -} - -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key) -{ - krb5_error_code ret; - krb5_crypto crypto; - u_int16_t padlength; - size_t output_length, cksumsize; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = wrap_length_cfx(crypto, conf_req_flag, - req_output_size, - &output_length, &cksumsize, &padlength); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - if (output_length < req_output_size) { - *max_input_size = (req_output_size - output_length); - *max_input_size -= padlength; - } else { - /* Should this return an error? */ - *max_input_size = 0; - } - - krb5_crypto_destroy(gssapi_krb5_context, crypto); - - return GSS_S_COMPLETE; -} - -/* - * Rotate "rrc" bytes to the front or back - */ - -static krb5_error_code -rrc_rotate(void *data, size_t len, u_int16_t rrc, krb5_boolean unrotate) -{ - u_char *tmp; - size_t left; - char buf[256]; - - if (len == 0) - return 0; - - rrc %= len; - - if (rrc == 0) - return 0; - - left = len - rrc; - - if (rrc <= sizeof(buf)) { - tmp = buf; - } else { - tmp = malloc(rrc); - if (tmp == NULL) - return ENOMEM; - } - - if (unrotate) { - memcpy(tmp, data, rrc); - memmove(data, (u_char *)data + rrc, left); - memcpy((u_char *)data + left, tmp, rrc); - } else { - memcpy(tmp, (u_char *)data + left, rrc); - memmove((u_char *)data + rrc, data, left); - memcpy(data, tmp, rrc); - } - - if (rrc > sizeof(buf)) - free(tmp); - - return 0; -} - -OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) -{ - krb5_crypto crypto; - gss_cfx_wrap_token token; - krb5_error_code ret; - unsigned usage; - krb5_data cipher; - size_t wrapped_len, cksumsize; - u_int16_t padlength, rrc = 0; - OM_uint32 seq_number; - u_char *p; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = wrap_length_cfx(crypto, conf_req_flag, - input_message_buffer->length, - &wrapped_len, &cksumsize, &padlength); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - /* Always rotate encrypted token (if any) and checksum to header */ - rrc = (conf_req_flag ? sizeof(*token) : 0) + (u_int16_t)cksumsize; - - output_message_buffer->length = wrapped_len; - output_message_buffer->value = malloc(output_message_buffer->length); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - p = output_message_buffer->value; - token = (gss_cfx_wrap_token)p; - token->TOK_ID[0] = 0x05; - token->TOK_ID[1] = 0x04; - token->Flags = 0; - token->Filler = 0xFF; - if ((context_handle->more_flags & LOCAL) == 0) - token->Flags |= CFXSentByAcceptor; - if (context_handle->more_flags & ACCEPTOR_SUBKEY) - token->Flags |= CFXAcceptorSubkey; - if (conf_req_flag) { - /* - * In Wrap tokens with confidentiality, the EC field is - * used to encode the size (in bytes) of the random filler. - */ - token->Flags |= CFXSealed; - token->EC[0] = (padlength >> 8) & 0xFF; - token->EC[1] = (padlength >> 0) & 0xFF; - } else { - /* - * In Wrap tokens without confidentiality, the EC field is - * used to encode the size (in bytes) of the trailing - * checksum. - * - * This is not used in the checksum calcuation itself, - * because the checksum length could potentially vary - * depending on the data length. - */ - token->EC[0] = 0; - token->EC[1] = 0; - } - - /* - * In Wrap tokens that provide for confidentiality, the RRC - * field in the header contains the hex value 00 00 before - * encryption. - * - * In Wrap tokens that do not provide for confidentiality, - * both the EC and RRC fields in the appended checksum - * contain the hex value 00 00 for the purpose of calculating - * the checksum. - */ - token->RRC[0] = 0; - token->RRC[1] = 0; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]); - gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* - * If confidentiality is requested, the token header is - * appended to the plaintext before encryption; the resulting - * token is {"header" | encrypt(plaintext | pad | "header")}. - * - * If no confidentiality is requested, the checksum is - * calculated over the plaintext concatenated with the - * token header. - */ - if (context_handle->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_INITIATOR_SEAL; - } else { - usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; - } - - if (conf_req_flag) { - /* - * Any necessary padding is added here to ensure that the - * encrypted token header is always at the end of the - * ciphertext. - * - * The specification does not require that the padding - * bytes are initialized. - */ - p += sizeof(*token); - memcpy(p, input_message_buffer->value, input_message_buffer->length); - memset(p + input_message_buffer->length, 0xFF, padlength); - memcpy(p + input_message_buffer->length + padlength, - token, sizeof(*token)); - - ret = krb5_encrypt(gssapi_krb5_context, crypto, - usage, p, - input_message_buffer->length + padlength + - sizeof(*token), - &cipher); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - assert(sizeof(*token) + cipher.length == wrapped_len); - token->RRC[0] = (rrc >> 8) & 0xFF; - token->RRC[1] = (rrc >> 0) & 0xFF; - - ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - memcpy(p, cipher.data, cipher.length); - krb5_data_free(&cipher); - } else { - char *buf; - Checksum cksum; - - buf = malloc(input_message_buffer->length + sizeof(*token)); - if (buf == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - memcpy(buf, input_message_buffer->value, input_message_buffer->length); - memcpy(buf + input_message_buffer->length, token, sizeof(*token)); - - ret = krb5_create_checksum(gssapi_krb5_context, crypto, - usage, 0, buf, - input_message_buffer->length + - sizeof(*token), - &cksum); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); - free(buf); - return GSS_S_FAILURE; - } - - free(buf); - - assert(cksum.checksum.length == cksumsize); - token->EC[0] = (cksum.checksum.length >> 8) & 0xFF; - token->EC[1] = (cksum.checksum.length >> 0) & 0xFF; - token->RRC[0] = (rrc >> 8) & 0xFF; - token->RRC[1] = (rrc >> 0) & 0xFF; - - p += sizeof(*token); - memcpy(p, input_message_buffer->value, input_message_buffer->length); - memcpy(p + input_message_buffer->length, - cksum.checksum.data, cksum.checksum.length); - - ret = rrc_rotate(p, - input_message_buffer->length + cksum.checksum.length, rrc, FALSE); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); - free_Checksum(&cksum); - return GSS_S_FAILURE; - } - free_Checksum(&cksum); - } - - krb5_crypto_destroy(gssapi_krb5_context, crypto); - - if (conf_state != NULL) { - *conf_state = conf_req_flag; - } - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) -{ - krb5_crypto crypto; - gss_cfx_wrap_token token; - u_char token_flags; - krb5_error_code ret; - unsigned usage; - krb5_data data; - u_int16_t ec, rrc; - OM_uint32 seq_number_lo, seq_number_hi; - size_t len; - u_char *p; - - *minor_status = 0; - - if (input_message_buffer->length < sizeof(*token)) { - return GSS_S_DEFECTIVE_TOKEN; - } - - p = input_message_buffer->value; - - token = (gss_cfx_wrap_token)p; - - if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) { - return GSS_S_DEFECTIVE_TOKEN; - } - - /* Ignore unknown flags */ - token_flags = token->Flags & - (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey); - - if (token_flags & CFXSentByAcceptor) { - if ((context_handle->more_flags & LOCAL) == 0) - return GSS_S_DEFECTIVE_TOKEN; - } - - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { - if ((token_flags & CFXAcceptorSubkey) == 0) - return GSS_S_DEFECTIVE_TOKEN; - } else { - if (token_flags & CFXAcceptorSubkey) - return GSS_S_DEFECTIVE_TOKEN; - } - - if (token->Filler != 0xFF) { - return GSS_S_DEFECTIVE_TOKEN; - } - - if (conf_state != NULL) { - *conf_state = (token_flags & CFXSealed) ? 1 : 0; - } - - ec = (token->EC[0] << 8) | token->EC[1]; - rrc = (token->RRC[0] << 8) | token->RRC[1]; - - /* - * Check sequence number - */ - gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); - if (seq_number_hi) { - /* no support for 64-bit sequence numbers */ - *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - gss_release_buffer(minor_status, output_message_buffer); - return ret; - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* - * Decrypt and/or verify checksum - */ - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - return GSS_S_FAILURE; - } - - if (context_handle->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; - } else { - usage = KRB5_KU_USAGE_INITIATOR_SEAL; - } - - p += sizeof(*token); - len = input_message_buffer->length; - len -= (p - (u_char *)input_message_buffer->value); - - /* Rotate by RRC; bogus to do this in-place XXX */ - *minor_status = rrc_rotate(p, len, rrc, TRUE); - if (*minor_status != 0) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - if (token_flags & CFXSealed) { - ret = krb5_decrypt(gssapi_krb5_context, crypto, usage, - p, len, &data); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } - - /* Check that there is room for the pad and token header */ - if (data.length < ec + sizeof(*token)) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); - krb5_data_free(&data); - return GSS_S_DEFECTIVE_TOKEN; - } - p = data.data; - p += data.length - sizeof(*token); - - /* RRC is unprotected; don't modify input buffer */ - ((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0]; - ((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1]; - - /* Check the integrity of the header */ - if (memcmp(p, token, sizeof(*token)) != 0) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); - krb5_data_free(&data); - return GSS_S_BAD_MIC; - } - - output_message_buffer->value = data.data; - output_message_buffer->length = data.length - ec - sizeof(*token); - } else { - Checksum cksum; - - /* Determine checksum type */ - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, - crypto, &cksum.cksumtype); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - cksum.checksum.length = ec; - - /* Check we have at least as much data as the checksum */ - if (len < cksum.checksum.length) { - *minor_status = ERANGE; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } - - /* Length now is of the plaintext only, no checksum */ - len -= cksum.checksum.length; - cksum.checksum.data = p + len; - - output_message_buffer->length = len; /* for later */ - output_message_buffer->value = malloc(len + sizeof(*token)); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - /* Checksum is over (plaintext-data | "header") */ - memcpy(output_message_buffer->value, p, len); - memcpy((u_char *)output_message_buffer->value + len, - token, sizeof(*token)); - - /* EC is not included in checksum calculation */ - token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value + - len); - token->EC[0] = 0; - token->EC[1] = 0; - token->RRC[0] = 0; - token->RRC[1] = 0; - - ret = krb5_verify_checksum(gssapi_krb5_context, crypto, - usage, - output_message_buffer->value, - len + sizeof(*token), - &cksum); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_BAD_MIC; - } - } - - krb5_crypto_destroy(gssapi_krb5_context, crypto); - - if (qop_state != NULL) { - *qop_state = GSS_C_QOP_DEFAULT; - } - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) -{ - krb5_crypto crypto; - gss_cfx_mic_token token; - krb5_error_code ret; - unsigned usage; - Checksum cksum; - u_char *buf; - size_t len; - OM_uint32 seq_number; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - return GSS_S_FAILURE; - } - - len = message_buffer->length + sizeof(*token); - buf = malloc(len); - if (buf == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - memcpy(buf, message_buffer->value, message_buffer->length); - - token = (gss_cfx_mic_token)(buf + message_buffer->length); - token->TOK_ID[0] = 0x04; - token->TOK_ID[1] = 0x04; - token->Flags = 0; - if ((context_handle->more_flags & LOCAL) == 0) - token->Flags |= CFXSentByAcceptor; - if (context_handle->more_flags & ACCEPTOR_SUBKEY) - token->Flags |= CFXAcceptorSubkey; - memset(token->Filler, 0xFF, 5); - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]); - gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - if (context_handle->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_INITIATOR_SIGN; - } else { - usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; - } - - ret = krb5_create_checksum(gssapi_krb5_context, crypto, - usage, 0, buf, len, &cksum); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - free(buf); - return GSS_S_FAILURE; - } - krb5_crypto_destroy(gssapi_krb5_context, crypto); - - /* Determine MIC length */ - message_token->length = sizeof(*token) + cksum.checksum.length; - message_token->value = malloc(message_token->length); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - free_Checksum(&cksum); - free(buf); - return GSS_S_FAILURE; - } - - /* Token is { "header" | get_mic("header" | plaintext-data) } */ - memcpy(message_token->value, token, sizeof(*token)); - memcpy((u_char *)message_token->value + sizeof(*token), - cksum.checksum.data, cksum.checksum.length); - - free_Checksum(&cksum); - free(buf); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key) -{ - krb5_crypto crypto; - gss_cfx_mic_token token; - u_char token_flags; - krb5_error_code ret; - unsigned usage; - OM_uint32 seq_number_lo, seq_number_hi; - u_char *buf, *p; - Checksum cksum; - - *minor_status = 0; - - if (token_buffer->length < sizeof(*token)) { - return GSS_S_DEFECTIVE_TOKEN; - } - - p = token_buffer->value; - - token = (gss_cfx_mic_token)p; - - if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) { - return GSS_S_DEFECTIVE_TOKEN; - } - - /* Ignore unknown flags */ - token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey); - - if (token_flags & CFXSentByAcceptor) { - if ((context_handle->more_flags & LOCAL) == 0) - return GSS_S_DEFECTIVE_TOKEN; - } - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { - if ((token_flags & CFXAcceptorSubkey) == 0) - return GSS_S_DEFECTIVE_TOKEN; - } else { - if (token_flags & CFXAcceptorSubkey) - return GSS_S_DEFECTIVE_TOKEN; - } - - if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) { - return GSS_S_DEFECTIVE_TOKEN; - } - - /* - * Check sequence number - */ - gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); - if (seq_number_hi) { - *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* - * Verify checksum - */ - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, - &cksum.cksumtype); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - - cksum.checksum.data = p + sizeof(*token); - cksum.checksum.length = token_buffer->length - sizeof(*token); - - if (context_handle->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; - } else { - usage = KRB5_KU_USAGE_INITIATOR_SIGN; - } - - buf = malloc(message_buffer->length + sizeof(*token)); - if (buf == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - return GSS_S_FAILURE; - } - memcpy(buf, message_buffer->value, message_buffer->length); - memcpy(buf + message_buffer->length, token, sizeof(*token)); - - ret = krb5_verify_checksum(gssapi_krb5_context, crypto, - usage, - buf, - sizeof(*token) + message_buffer->length, - &cksum); - if (ret != 0) { - gssapi_krb5_set_error_string(); - *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - free(buf); - return GSS_S_BAD_MIC; - } - - free(buf); - - if (qop_state != NULL) { - *qop_state = GSS_C_QOP_DEFAULT; - } - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/cfx.h b/lib/gssapi/krb5/cfx.h deleted file mode 100644 index de94bdec9..000000000 --- a/lib/gssapi/krb5/cfx.h +++ /dev/null @@ -1,104 +0,0 @@ -/* - * Copyright (c) 2003, PADL Software Pty Ltd. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of PADL Software nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id$ */ - -#ifndef GSSAPI_CFX_H_ -#define GSSAPI_CFX_H_ 1 - -/* - * Implementation of draft-ietf-krb-wg-gssapi-cfx-01.txt - */ - -typedef struct gss_cfx_mic_token_desc_struct { - u_char TOK_ID[2]; /* 04 04 */ - u_char Flags; - u_char Filler[5]; - u_char SND_SEQ[8]; -} gss_cfx_mic_token_desc, *gss_cfx_mic_token; - -typedef struct gss_cfx_wrap_token_desc_struct { - u_char TOK_ID[2]; /* 04 05 */ - u_char Flags; - u_char Filler; - u_char EC[2]; - u_char RRC[2]; - u_char SND_SEQ[8]; -} gss_cfx_wrap_token_desc, *gss_cfx_wrap_token; - -typedef struct gss_cfx_delete_token_desc_struct { - u_char TOK_ID[2]; /* 05 04 */ - u_char Flags; - u_char Filler[5]; - u_char SND_SEQ[8]; -} gss_cfx_delete_token_desc, *gss_cfx_delete_token; - -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key); - -OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key); - -OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key); - -OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key); - -OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key); - -#endif /* GSSAPI_CFX_H_ */ diff --git a/lib/gssapi/krb5/compare_name.c b/lib/gssapi/krb5/compare_name.c deleted file mode 100644 index 2162b1d3f..000000000 --- a/lib/gssapi/krb5/compare_name.c +++ /dev/null @@ -1,51 +0,0 @@ -/* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_compare_name - (OM_uint32 * minor_status, - const gss_name_t name1, - const gss_name_t name2, - int * name_equal - ) -{ - GSSAPI_KRB5_INIT(); - - *name_equal = krb5_principal_compare (gssapi_krb5_context, - name1, name2); - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/compat.c b/lib/gssapi/krb5/compat.c deleted file mode 100644 index cc0f1150c..000000000 --- a/lib/gssapi/krb5/compat.c +++ /dev/null @@ -1,154 +0,0 @@ -/* - * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - - -krb5_error_code -_gss_check_compat(OM_uint32 *minor_status, gss_name_t name, - const char *option, krb5_boolean *compat, - krb5_boolean match_val) -{ - krb5_error_code ret = 0; - char **p, **q; - krb5_principal match; - - - p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi", - option, NULL); - if(p == NULL) - return 0; - - match = NULL; - for(q = p; *q; q++) { - ret = krb5_parse_name(gssapi_krb5_context, *q, &match); - if (ret) - break; - - if (krb5_principal_match(gssapi_krb5_context, name, match)) { - *compat = match_val; - break; - } - - krb5_free_principal(gssapi_krb5_context, match); - match = NULL; - } - if (match) - krb5_free_principal(gssapi_krb5_context, match); - krb5_config_free_strings(p); - - if (ret) { - if (minor_status) - *minor_status = ret; - return GSS_S_FAILURE; - } - - return 0; -} - -/* - * ctx->ctx_id_mutex is assumed to be locked - */ - -OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) -{ - krb5_boolean use_compat = FALSE; - OM_uint32 ret; - - if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) { - ret = _gss_check_compat(minor_status, ctx->target, - "broken_des3_mic", &use_compat, TRUE); - if (ret) - return ret; - ret = _gss_check_compat(minor_status, ctx->target, - "correct_des3_mic", &use_compat, FALSE); - if (ret) - return ret; - - if (use_compat) - ctx->more_flags |= COMPAT_OLD_DES3; - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - } - return 0; -} - -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) -{ - *minor_status = 0; - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - if (on) { - ctx->more_flags |= COMPAT_OLD_DES3; - } else { - ctx->more_flags &= ~COMPAT_OLD_DES3; - } - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - return 0; -} - -/* - * For compatability with the Windows SPNEGO implementation, the - * default is to ignore the mechListMIC unless the initiator specified - * CFX or configured in krb5.conf with the option - * [gssapi]require_mechlist_mic=target-principal-pattern. - * The option is valid for both initiator and acceptor. - */ -OM_uint32 -_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status, - gss_ctx_id_t ctx, - krb5_boolean *require_mic) -{ - OM_uint32 ret; - int is_cfx = 0; - - gsskrb5_is_cfx(ctx, &is_cfx); - if (is_cfx) { - /* CFX session key was used */ - *require_mic = TRUE; - } else { - *require_mic = FALSE; - ret = _gss_check_compat(minor_status, ctx->target, - "require_mechlist_mic", - require_mic, TRUE); - if (ret) - return ret; - } - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/context_time.c b/lib/gssapi/krb5/context_time.c deleted file mode 100644 index 944da30b3..000000000 --- a/lib/gssapi/krb5/context_time.c +++ /dev/null @@ -1,87 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gssapi_lifetime_left(OM_uint32 *minor_status, - OM_uint32 lifetime, - OM_uint32 *lifetime_rec) -{ - krb5_timestamp timeret; - krb5_error_code kret; - - kret = krb5_timeofday(gssapi_krb5_context, &timeret); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - if (lifetime < timeret) - *lifetime_rec = 0; - else - *lifetime_rec = lifetime - timeret; - - return GSS_S_COMPLETE; -} - - -OM_uint32 gss_context_time - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - OM_uint32 * time_rec - ) -{ - OM_uint32 lifetime; - OM_uint32 major_status; - - GSSAPI_KRB5_INIT (); - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - lifetime = context_handle->lifetime; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec); - if (major_status != GSS_S_COMPLETE) - return major_status; - - *minor_status = 0; - - if (*time_rec == 0) - return GSS_S_CONTEXT_EXPIRED; - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/copy_ccache.c b/lib/gssapi/krb5/copy_ccache.c deleted file mode 100644 index b643f2ac0..000000000 --- a/lib/gssapi/krb5/copy_ccache.c +++ /dev/null @@ -1,106 +0,0 @@ -/* - * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_krb5_copy_ccache(OM_uint32 *minor_status, - gss_cred_id_t cred, - krb5_ccache out) -{ - krb5_error_code kret; - - HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - - if (cred->ccache == NULL) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out); - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int ad_type, - gss_buffer_t ad_data) -{ - krb5_error_code ret; - krb5_data data; - - ad_data->value = NULL; - ad_data->length = 0; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - ret = krb5_ticket_get_authorization_data_type(gssapi_krb5_context, - context_handle->ticket, - ad_type, - &data); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ad_data->value = malloc(data.length); - if (ad_data->value == NULL) { - krb5_data_free(&data); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ad_data->length = data.length; - memcpy(ad_data->value, data.data, ad_data->length); - krb5_data_free(&data); - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/create_emtpy_oid_set.c b/lib/gssapi/krb5/create_emtpy_oid_set.c deleted file mode 100644 index 14b8757ac..000000000 --- a/lib/gssapi/krb5/create_emtpy_oid_set.c +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * minor_status, - gss_OID_set * oid_set - ) -{ - *oid_set = malloc(sizeof(**oid_set)); - if (*oid_set == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - (*oid_set)->count = 0; - (*oid_set)->elements = NULL; - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c deleted file mode 100644 index 64ae9ffd5..000000000 --- a/lib/gssapi/krb5/decapsulate.c +++ /dev/null @@ -1,209 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * return the length of the mechanism in token or -1 - * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN - */ - -ssize_t -gssapi_krb5_get_mech (const u_char *ptr, - size_t total_len, - const u_char **mech_ret) -{ - size_t len, len_len, mech_len, foo; - const u_char *p = ptr; - int e; - - if (total_len < 1) - return -1; - if (*p++ != 0x60) - return -1; - e = der_get_length (p, total_len - 1, &len, &len_len); - if (e || 1 + len_len + len != total_len) - return -1; - p += len_len; - if (*p++ != 0x06) - return -1; - e = der_get_length (p, total_len - 1 - len_len - 1, - &mech_len, &foo); - if (e) - return -1; - p += foo; - *mech_ret = p; - return mech_len; -} - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len, - gss_OID mech) -{ - const u_char *p; - ssize_t mech_len; - - mech_len = gssapi_krb5_get_mech (*str, total_len, &p); - if (mech_len < 0) - return GSS_S_DEFECTIVE_TOKEN; - - if (mech_len != mech->length) - return GSS_S_BAD_MECH; - if (memcmp(p, - mech->elements, - mech->length) != 0) - return GSS_S_BAD_MECH; - p += mech_len; - *str = (char *)p; - return GSS_S_COMPLETE; -} - -OM_uint32 -gssapi_krb5_verify_header(u_char **str, - size_t total_len, - u_char *type, - gss_OID oid) -{ - OM_uint32 ret; - size_t len; - u_char *p = *str; - - ret = _gssapi_verify_mech_header(str, total_len, oid); - if (ret) - return ret; - - len = total_len - (*str - p); - - if (len < 2) - return GSS_S_DEFECTIVE_TOKEN; - - if (memcmp (*str, type, 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - *str += 2; - - return 0; -} - -/* - * Remove the GSS-API wrapping from `in_token' giving `out_data. - * Does not copy data, so just free `in_token'. - */ - -OM_uint32 -_gssapi_decapsulate( - OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const gss_OID mech -) -{ - u_char *p; - OM_uint32 ret; - - p = input_token_buffer->value; - ret = _gssapi_verify_mech_header(&p, - input_token_buffer->length, - mech); - if (ret) { - *minor_status = 0; - return ret; - } - - out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value); - out_data->data = p; - return GSS_S_COMPLETE; -} - -/* - * Remove the GSS-API wrapping from `in_token' giving `out_data. - * Does not copy data, so just free `in_token'. - */ - -OM_uint32 -gssapi_krb5_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - char *type, - gss_OID oid) -{ - u_char *p; - OM_uint32 ret; - - p = input_token_buffer->value; - ret = gssapi_krb5_verify_header(&p, - input_token_buffer->length, - type, - oid); - if (ret) { - *minor_status = 0; - return ret; - } - - out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value); - out_data->data = p; - return GSS_S_COMPLETE; -} - -/* - * Verify padding of a gss wrapped message and return its length. - */ - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t wrapped_token, - size_t datalen, - size_t *padlen) -{ - u_char *pad; - size_t padlength; - int i; - - pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; - padlength = *pad; - - if (padlength > datalen) - return GSS_S_BAD_MECH; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - *padlen = padlength; - - return 0; -} diff --git a/lib/gssapi/krb5/delete_sec_context.c b/lib/gssapi/krb5/delete_sec_context.c deleted file mode 100644 index 6803fd117..000000000 --- a/lib/gssapi/krb5/delete_sec_context.c +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_delete_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t output_token - ) -{ - GSSAPI_KRB5_INIT (); - - if (output_token) { - output_token->length = 0; - output_token->value = NULL; - } - - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); - - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if ((*context_handle)->ticket) - krb5_free_ticket (gssapi_krb5_context, - (*context_handle)->ticket); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - memset(*context_handle, 0, sizeof(**context_handle)); - free (*context_handle); - *context_handle = GSS_C_NO_CONTEXT; - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/display_name.c b/lib/gssapi/krb5/display_name.c deleted file mode 100644 index 0078d8224..000000000 --- a/lib/gssapi/krb5/display_name.c +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_display_name - (OM_uint32 * minor_status, - const gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID * output_name_type - ) -{ - krb5_error_code kret; - char *buf; - size_t len; - - GSSAPI_KRB5_INIT (); - kret = krb5_unparse_name (gssapi_krb5_context, - input_name, - &buf); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - len = strlen (buf); - output_name_buffer->length = len; - output_name_buffer->value = malloc(len + 1); - if (output_name_buffer->value == NULL) { - free (buf); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (output_name_buffer->value, buf, len); - ((char *)output_name_buffer->value)[len] = '\0'; - free (buf); - if (output_name_type) - *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME; - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/display_status.c b/lib/gssapi/krb5/display_status.c deleted file mode 100644 index 59c3bcf0f..000000000 --- a/lib/gssapi/krb5/display_status.c +++ /dev/null @@ -1,208 +0,0 @@ -/* - * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static char * -calling_error(OM_uint32 v) -{ - static char *msgs[] = { - NULL, /* 0 */ - "A required input parameter could not be read.", /* */ - "A required output parameter could not be written.", /* */ - "A parameter was malformed" - }; - - v >>= GSS_C_CALLING_ERROR_OFFSET; - - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown calling error"; - else - return msgs[v]; -} - -static char * -routine_error(OM_uint32 v) -{ - static char *msgs[] = { - NULL, /* 0 */ - "An unsupported mechanism was requested", - "An invalid name was supplied", - "A supplied name was of an unsupported type", - "Incorrect channel bindings were supplied", - "An invalid status code was supplied", - "A token had an invalid MIC", - "No credentials were supplied, " - "or the credentials were unavailable or inaccessible.", - "No context has been established", - "A token was invalid", - "A credential was invalid", - "The referenced credentials have expired", - "The context has expired", - "Miscellaneous failure (see text)", - "The quality-of-protection requested could not be provide", - "The operation is forbidden by local security policy", - "The operation or option is not available", - "The requested credential element already exists", - "The provided name was not a mechanism name.", - }; - - v >>= GSS_C_ROUTINE_ERROR_OFFSET; - - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown routine error"; - else - return msgs[v]; -} - -static char * -supplementary_error(OM_uint32 v) -{ - static char *msgs[] = { - "normal completion", - "continuation call to routine required", - "duplicate per-message token detected", - "timed-out per-message token detected", - "reordered (early) per-message token detected", - "skipped predecessor token(s) detected" - }; - - v >>= GSS_C_SUPPLEMENTARY_OFFSET; - - if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown routine error"; - else - return msgs[v]; -} - -void -gssapi_krb5_set_error_string (void) -{ - struct gssapi_thr_context *ctx = gssapi_get_thread_context(1); - char *e; - - if (ctx == NULL) - return; - HEIMDAL_MUTEX_lock(&ctx->mutex); - if (ctx->error_string) - free(ctx->error_string); - e = krb5_get_error_string(gssapi_krb5_context); - if (e == NULL) - ctx->error_string = NULL; - else { - /* ignore failures, will use status code instead */ - ctx->error_string = strdup(e); - krb5_free_error_string(gssapi_krb5_context, e); - } - HEIMDAL_MUTEX_unlock(&ctx->mutex); -} - -char * -gssapi_krb5_get_error_string (void) -{ - struct gssapi_thr_context *ctx = gssapi_get_thread_context(0); - char *ret; - - if (ctx == NULL) - return NULL; - HEIMDAL_MUTEX_lock(&ctx->mutex); - ret = ctx->error_string; - ctx->error_string = NULL; - HEIMDAL_MUTEX_unlock(&ctx->mutex); - return ret; -} - -OM_uint32 gss_display_status - (OM_uint32 *minor_status, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 *message_context, - gss_buffer_t status_string) -{ - char *buf; - - GSSAPI_KRB5_INIT (); - - status_string->length = 0; - status_string->value = NULL; - - if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_C_GSS_CODE; - } - - if (status_type == GSS_C_GSS_CODE) { - if (GSS_SUPPLEMENTARY_INFO(status_value)) - asprintf(&buf, "%s", - supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value))); - else - asprintf (&buf, "%s %s", - calling_error(GSS_CALLING_ERROR(status_value)), - routine_error(GSS_ROUTINE_ERROR(status_value))); - } else if (status_type == GSS_C_MECH_CODE) { - buf = gssapi_krb5_get_error_string (); - if (buf == NULL) { - const char *tmp = krb5_get_err_text (gssapi_krb5_context, - status_value); - if (tmp == NULL) - asprintf(&buf, "unknown mech error-code %u", - (unsigned)status_value); - else - buf = strdup(tmp); - } - } else { - *minor_status = EINVAL; - return GSS_S_BAD_STATUS; - } - - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *message_context = 0; - *minor_status = 0; - - status_string->length = strlen(buf); - status_string->value = buf; - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/duplicate_name.c b/lib/gssapi/krb5/duplicate_name.c deleted file mode 100644 index 3c3a1cd1b..000000000 --- a/lib/gssapi/krb5/duplicate_name.c +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_duplicate_name ( - OM_uint32 * minor_status, - const gss_name_t src_name, - gss_name_t * dest_name - ) -{ - krb5_error_code kret; - - GSSAPI_KRB5_INIT (); - - kret = krb5_copy_principal (gssapi_krb5_context, - src_name, - dest_name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } else { - *minor_status = 0; - return GSS_S_COMPLETE; - } -} diff --git a/lib/gssapi/krb5/encapsulate.c b/lib/gssapi/krb5/encapsulate.c deleted file mode 100644 index ec3337900..000000000 --- a/lib/gssapi/krb5/encapsulate.c +++ /dev/null @@ -1,153 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -void -_gssapi_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech) -{ - size_t len_len; - - *len = 1 + 1 + mech->length + data_len; - - len_len = length_len(*len); - - *total_len = 1 + len_len + *len; -} - -void -gssapi_krb5_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech) -{ - _gssapi_encap_length(data_len + 2, len, total_len, mech); -} - -u_char * -gssapi_krb5_make_header (u_char *p, - size_t len, - const u_char *type, - const gss_OID mech) -{ - p = _gssapi_make_mech_header(p, len, mech); - memcpy (p, type, 2); - p += 2; - return p; -} - -u_char * -_gssapi_make_mech_header(u_char *p, - size_t len, - const gss_OID mech) -{ - int e; - size_t len_len, foo; - - *p++ = 0x60; - len_len = length_len(len); - e = der_put_length (p + len_len - 1, len_len, len, &foo); - if(e || foo != len_len) - abort (); - p += len_len; - *p++ = 0x06; - *p++ = mech->length; - memcpy (p, mech->elements, mech->length); - p += mech->length; - return p; -} - -/* - * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings. - */ - -OM_uint32 -_gssapi_encapsulate( - OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const gss_OID mech -) -{ - size_t len, outer_len; - u_char *p; - - _gssapi_encap_length (in_data->length, &len, &outer_len, mech); - - output_token->length = outer_len; - output_token->value = malloc (outer_len); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = _gssapi_make_mech_header (output_token->value, len, mech); - memcpy (p, in_data->data, in_data->length); - return GSS_S_COMPLETE; -} - -/* - * Give it a krb5_data and it will encapsulate with extra GSS-API krb5 - * wrappings. - */ - -OM_uint32 -gssapi_krb5_encapsulate( - OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const u_char *type, - const gss_OID mech -) -{ - size_t len, outer_len; - u_char *p; - - gssapi_krb5_encap_length (in_data->length, &len, &outer_len, mech); - - output_token->length = outer_len; - output_token->value = malloc (outer_len); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header (output_token->value, len, type, mech); - memcpy (p, in_data->data, in_data->length); - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/export_name.c b/lib/gssapi/krb5/export_name.c deleted file mode 100644 index 4d478c601..000000000 --- a/lib/gssapi/krb5/export_name.c +++ /dev/null @@ -1,94 +0,0 @@ -/* - * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_export_name - (OM_uint32 * minor_status, - const gss_name_t input_name, - gss_buffer_t exported_name - ) -{ - krb5_error_code kret; - char *buf, *name; - size_t len; - - GSSAPI_KRB5_INIT (); - kret = krb5_unparse_name (gssapi_krb5_context, - input_name, - &name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - len = strlen (name); - - exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length; - exported_name->value = malloc(exported_name->length); - if (exported_name->value == NULL) { - free (name); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ - - buf = exported_name->value; - memcpy(buf, "\x04\x01", 2); - buf += 2; - buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff; - buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff; - buf+= 2; - buf[0] = 0x06; - buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF; - buf+= 2; - - memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length); - buf += GSS_KRB5_MECHANISM->length; - - buf[0] = (len >> 24) & 0xff; - buf[1] = (len >> 16) & 0xff; - buf[2] = (len >> 8) & 0xff; - buf[3] = (len) & 0xff; - buf += 4; - - memcpy (buf, name, len); - - free (name); - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/export_sec_context.c b/lib/gssapi/krb5/export_sec_context.c deleted file mode 100644 index f90b75cd9..000000000 --- a/lib/gssapi/krb5/export_sec_context.c +++ /dev/null @@ -1,231 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_export_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t interprocess_token - ) -{ - krb5_storage *sp; - krb5_auth_context ac; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data data; - gss_buffer_desc buffer; - int flags; - OM_uint32 minor; - krb5_error_code kret; - - GSSAPI_KRB5_INIT (); - - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); - - if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - *minor_status = 0; - return GSS_S_UNAVAILABLE; - } - - sp = krb5_storage_emem (); - if (sp == NULL) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ac = (*context_handle)->auth_context; - - /* flagging included fields */ - - flags = 0; - if (ac->local_address) - flags |= SC_LOCAL_ADDRESS; - if (ac->remote_address) - flags |= SC_REMOTE_ADDRESS; - if (ac->keyblock) - flags |= SC_KEYBLOCK; - if (ac->local_subkey) - flags |= SC_LOCAL_SUBKEY; - if (ac->remote_subkey) - flags |= SC_REMOTE_SUBKEY; - - kret = krb5_store_int32 (sp, flags); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* marshall auth context */ - - kret = krb5_store_int32 (sp, ac->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->local_address) { - kret = krb5_store_address (sp, *ac->local_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_address) { - kret = krb5_store_address (sp, *ac->remote_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int16 (sp, ac->local_port); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int16 (sp, ac->remote_port); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->keyblock) { - kret = krb5_store_keyblock (sp, *ac->keyblock); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->local_subkey) { - kret = krb5_store_keyblock (sp, *ac->local_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_subkey) { - kret = krb5_store_keyblock (sp, *ac->remote_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int32 (sp, ac->local_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->remote_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, ac->keytype); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->cksumtype); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* names */ - - ret = gss_export_name (minor_status, (*context_handle)->source, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - ret = gss_export_name (minor_status, (*context_handle)->target, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - - ret = GSS_S_FAILURE; - - kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, (*context_handle)->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, (*context_handle)->more_flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, (*context_handle)->lifetime); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_storage_to_data (sp, &data); - krb5_storage_free (sp); - if (kret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - *minor_status = kret; - return GSS_S_FAILURE; - } - interprocess_token->length = data.length; - interprocess_token->value = data.data; - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - ret = gss_delete_sec_context (minor_status, context_handle, - GSS_C_NO_BUFFER); - if (ret != GSS_S_COMPLETE) - gss_release_buffer (NULL, interprocess_token); - *minor_status = 0; - return ret; - failure: - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - krb5_storage_free (sp); - return ret; -} diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c deleted file mode 100644 index 3c01dd91d..000000000 --- a/lib/gssapi/krb5/external.c +++ /dev/null @@ -1,270 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_user_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x01"}; - -gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x02"}; - -gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_string_uid_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x03"}; - -gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ - -static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc = -{6, (void *)"\x2b\x06\x01\x05\x06\x02"}; - -gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. - */ -static gss_OID_desc gss_c_nt_hostbased_service_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04"}; - -gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_anonymous_oid_desc = -{6, (void *)"\x2b\x06\01\x05\x06\x03"}; - -gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_export_name_oid_desc = -{6, (void *)"\x2b\x06\x01\x05\x06\x04"}; - -gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * krb5(2) krb5_name(1)}. The recommended symbolic name for this type - * is "GSS_KRB5_NT_PRINCIPAL_NAME". - */ - -static gss_OID_desc gss_krb5_nt_principal_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"}; - -gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) user_name(1)}. The recommended symbolic name for this - * type is "GSS_KRB5_NT_USER_NAME". - */ - -gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) machine_uid_name(2)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". - */ - -gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) string_uid_name(3)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_STRING_UID_NAME". - */ - -gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; - -/* - * To support ongoing experimentation, testing, and evolution of the - * specification, the Kerberos V5 GSS-API mechanism as defined in this - * and any successor memos will be identified with the following Object - * Identifier, as defined in RFC-1510, until the specification is - * advanced to the level of Proposed Standard RFC: - * - * {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)} - * - * Upon advancement to the level of Proposed Standard RFC, the Kerberos - * V5 GSS-API mechanism will be identified by an Object Identifier - * having the value: - * - * {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - * gssapi(2) krb5(2)} - */ - -#if 0 /* This is the old OID */ - -static gss_OID_desc gss_krb5_mechanism_oid_desc = -{5, (void *)"\x2b\x05\x01\x05\x02"}; - -#endif - -static gss_OID_desc gss_krb5_mechanism_oid_desc = -{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; - -gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; - -/* - * RFC2478, SPNEGO: - * The security mechanism of the initial - * negotiation token is identified by the Object Identifier - * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). - */ - -static gss_OID_desc gss_spnego_mechanism_oid_desc = -{6, (void *)"\x2b\x06\x01\x05\x05\x02"}; - -gss_OID GSS_SPNEGO_MECHANISM = &gss_spnego_mechanism_oid_desc; - -/* - * draft-ietf-cat-iakerb-09, IAKERB: - * The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance - * with the mechanism proposed by SPNEGO [7] for negotiating protocol - * variations, is: {iso(1) org(3) dod(6) internet(1) security(5) - * mechanisms(5) iakerb(10) iakerbProxyProtocol(1)}. The proposed - * mechanism ID for IAKERB minimum messages GSS-API Kerberos, in - * accordance with the mechanism proposed by SPNEGO for negotiating - * protocol variations, is: {iso(1) org(3) dod(6) internet(1) - * security(5) mechanisms(5) iakerb(10) - * iakerbMinimumMessagesProtocol(2)}. - */ - -static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc = -{7, (void *)"\x2b\x06\x01\x05\x05\x0a\x01"}; - -gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc; - -static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc = -{7, (void *)"\x2b\x06\x01\x05\x05\x0a\x02"}; - -gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc; - -/* - * Context for krb5 calls. - */ - -krb5_context gssapi_krb5_context; diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c deleted file mode 100644 index 5ddb6a027..000000000 --- a/lib/gssapi/krb5/get_mic.c +++ /dev/null @@ -1,302 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - DES_key_schedule schedule; - DES_cblock deskey; - DES_cblock zero; - int32_t seq_number; - size_t len, total_len; - - gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(message_token->value, - len, - "\x01\x01", /* TOK_ID */ - GSS_KRB5_MECHANISM); - - memcpy (p, "\x00\x00", 2); /* SGN_ALG = DES MAC MD5 */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */ - p += 4; - - /* Fill in later (SND-SEQ) */ - memset (p, 0, 16); - p += 16; - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); - DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - &schedule, &zero); - memcpy (p - 8, hash, 8); /* SGN_CKSUM */ - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; /* SND_SEQ */ - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - DES_set_key (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - Checksum cksum; - u_char seq[8]; - - int32_t seq_number; - size_t len, total_len; - - krb5_crypto crypto; - krb5_error_code kret; - krb5_data encdata; - char *tmp; - char ivec[8]; - - gssapi_krb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(message_token->value, - len, - "\x01\x01", /* TOK-ID */ - GSS_KRB5_MECHANISM); - - memcpy (p, "\x04\x00", 2); /* SGN_ALG = HMAC SHA1 DES3-KD */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* filler */ - p += 4; - - /* this should be done in parts */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - free (message_token->value); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (kret) { - free (message_token->value); - free (tmp); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - tmp, - message_buffer->length + 8, - &cksum); - free (tmp); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - kret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (context_handle->more_flags & COMPAT_OLD_DES3) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - kret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, ivec); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - free_Checksum (&cksum); - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_get_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_subkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = mic_des (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - case KEYTYPE_DES3 : - ret = mic_des3 (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - default : - ret = _gssapi_mic_cfx (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/lib/gssapi/krb5/gss_acquire_cred.3 b/lib/gssapi/krb5/gss_acquire_cred.3 deleted file mode 100644 index 412f94043..000000000 --- a/lib/gssapi/krb5/gss_acquire_cred.3 +++ /dev/null @@ -1,650 +0,0 @@ -.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id$ -.\" -.Dd September 9, 2003 -.Dt GSS_ACQUIRE_CRED 3 -.Os HEIMDAL -.Sh NAME -.Nm gss_accept_sec_context , -.Nm gss_acquire_cred , -.Nm gss_add_cred , -.Nm gss_add_oid_set_member , -.Nm gss_canonicalize_name , -.Nm gss_compare_name , -.Nm gss_context_time , -.Nm gss_create_empty_oid_set , -.Nm gss_delete_sec_context , -.Nm gss_display_name , -.Nm gss_display_status , -.Nm gss_duplicate_name , -.Nm gss_export_name , -.Nm gss_export_sec_context , -.Nm gss_get_mic , -.Nm gss_import_name , -.Nm gss_import_sec_context , -.Nm gss_indicate_mechs , -.Nm gss_init_sec_context , -.Nm gss_inquire_context , -.Nm gss_inquire_cred , -.Nm gss_inquire_cred_by_mech , -.Nm gss_inquire_mechs_for_name , -.Nm gss_inquire_names_for_mech , -.Nm gss_krb5_ccache_name , -.Nm gss_krb5_compat_des3_mic , -.Nm gss_krb5_copy_ccache , -.Nm gsskrb5_extract_authz_data_from_sec_context , -.Nm gss_krb5_get_tkt_flags , -.Nm gss_process_context_token , -.Nm gss_release_buffer , -.Nm gss_release_cred , -.Nm gss_release_name , -.Nm gss_release_oid_set , -.Nm gss_seal , -.Nm gss_sign , -.Nm gss_test_oid_set_member , -.Nm gss_unseal , -.Nm gss_unwrap , -.Nm gss_verify , -.Nm gss_verify_mic , -.Nm gss_wrap , -.Nm gss_wrap_size_limit -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API library (libgssapi, -lgssapi) -.Sh SYNOPSIS -.In gssapi.h -.Pp -.Ft OM_uint32 -.Fo gss_accept_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_cred_id_t acceptor_cred_handle" -.Fa "const gss_buffer_t input_token_buffer" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "gss_name_t * src_name" -.Fa "gss_OID * mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fa "gss_cred_id_t * delegated_cred_handle" -.Fc -.Pp -.Ft OM_uint32 -.Fo gss_acquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t desired_name" -.Fa "OM_uint32 time_req" -.Fa "const gss_OID_set desired_mechs" -.Fa "gss_cred_usage_t cred_usage" -.Fa "gss_cred_id_t * output_cred_handle" -.Fa "gss_OID_set * actual_mechs" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_add_cred -.Fa "OM_uint32 *minor_status" -.Fa "const gss_cred_id_t input_cred_handle" -.Fa "const gss_name_t desired_name" -.Fa "const gss_OID desired_mech" -.Fa "gss_cred_usage_t cred_usage" -.Fa "OM_uint32 initiator_time_req" -.Fa "OM_uint32 acceptor_time_req" -.Fa "gss_cred_id_t *output_cred_handle" -.Fa "gss_OID_set *actual_mechs" -.Fa "OM_uint32 *initiator_time_rec" -.Fa "OM_uint32 *acceptor_time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_add_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member_oid" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_canonicalize_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "const gss_OID mech_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_compare_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t name1" -.Fa "const gss_name_t name2" -.Fa "int * name_equal" -.Fc -.Ft OM_uint32 -.Fo gss_context_time -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_create_empty_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_delete_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t output_token" -.Fc -.Ft OM_uint32 -.Fo gss_display_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t output_name_buffer" -.Fa "gss_OID * output_name_type" -.Fc -.Ft OM_uint32 -.Fo gss_display_status -.Fa "OM_uint32 *minor_status" -.Fa "OM_uint32 status_value" -.Fa "int status_type" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 *message_context" -.Fa "gss_buffer_t status_string" -.Fc -.Ft OM_uint32 -.Fo gss_duplicate_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t src_name" -.Fa "gss_name_t * dest_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t exported_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t interprocess_token" -.Fc -.Ft OM_uint32 -.Fo gss_get_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_import_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_buffer_t input_name_buffer" -.Fa "const gss_OID input_name_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_import_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_buffer_t interprocess_token" -.Fa "gss_ctx_id_t * context_handle" -.Fc -.Ft OM_uint32 -.Fo gss_indicate_mechs -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * mech_set" -.Fc -.Ft OM_uint32 -.Fo gss_init_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t initiator_cred_handle" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_name_t target_name" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 req_flags" -.Fa "OM_uint32 time_req" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "const gss_buffer_t input_token" -.Fa "gss_OID * actual_mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_name_t * src_name" -.Fa "gss_name_t * targ_name" -.Fa "OM_uint32 * lifetime_rec" -.Fa "gss_OID * mech_type" -.Fa "OM_uint32 * ctx_flags" -.Fa "int * locally_initiated" -.Fa "int * open_context" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t cred_handle" -.Fa "gss_name_t * name" -.Fa "OM_uint32 * lifetime" -.Fa "gss_cred_usage_t * cred_usage" -.Fa "gss_OID_set * mechanisms" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred_by_mech -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t cred_handle" -.Fa "const gss_OID mech_type" -.Fa "gss_name_t * name" -.Fa "OM_uint32 * initiator_lifetime" -.Fa "OM_uint32 * acceptor_lifetime" -.Fa "gss_cred_usage_t * cred_usage" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_mechs_for_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_OID_set * mech_types" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_names_for_mech -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID mechanism" -.Fa "gss_OID_set * name_types" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_ccache_name -.Fa "OM_uint32 *minor" -.Fa "const char *name" -.Fa "const char **old_name" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_copy_ccache -.Fa "OM_uint32 *minor" -.Fa "gss_cred_id_t cred" -.Fa "krb5_ccache out" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_compat_des3_mic -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int onoff" -.Fc -.Ft OM_uint32 -.Fo gsskrb5_extract_authz_data_from_sec_context -.Fa "OM_uint32 *minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int ad_type" -.Fa "gss_buffer_t ad_data" -.Fc -.Ft OM_uint32 -.Fo gss_krb5_get_tkt_flags -.Fa "OM_uint32 *minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "OM_uint32 *tkt_flags" -.Fc -.Ft OM_uint32 -.Fo gss_process_context_token -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t token_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_release_buffer -.Fa "OM_uint32 * minor_status" -.Fa "gss_buffer_t buffer" -.Fc -.Ft OM_uint32 -.Fo gss_release_cred -.Fa "OM_uint32 * minor_status" -.Fa "gss_cred_id_t * cred_handle" -.Fc -.Ft OM_uint32 -.Fo gss_release_name -.Fa "OM_uint32 * minor_status" -.Fa "gss_name_t * input_name" -.Fc -.Ft OM_uint32 -.Fo gss_release_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * set" -.Fc -.Ft OM_uint32 -.Fo gss_seal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "int qop_req" -.Fa "gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_sign -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int qop_req" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_test_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member" -.Fa "const gss_OID_set set" -.Fa "int * present" -.Fc -.Ft OM_uint32 -.Fo gss_unseal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_unwrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t token_buffer" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t message_buffer" -.Fa "const gss_buffer_t token_buffer" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_wrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_wrap_size_limit -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "OM_uint32 req_output_size" -.Fa "OM_uint32 * max_input_size" -.Fc -.Sh DESCRIPTION -Generic Security Service API (GSS-API) version 2, and its C binding, -is described in -.Li RFC2743 -and -.Li RFC2744 . -Version 1 (deprecated) of the C binding is described in -.Li RFC1509 . -.Pp -Heimdals GSS-API implementation supports the following mechanisms -.Bl -bullet -.It -.Li GSS_KRB5_MECHANISM -.It -.Li GSS_SPNEGO_MECHANISM -.El -.Pp -GSS-API have generic name types that all mechanism are supposed to -implement (if possible): -.Bl -bullet -.It -.Li GSS_C_NT_USER_NAME -.It -.Li GSS_C_NT_MACHINE_UID_NAME -.It -.Li GSS_C_NT_STRING_UID_NAME -.It -.Li GSS_C_NT_HOSTBASED_SERVICE -.It -.Li GSS_C_NT_ANONYMOUS -.It -.Li GSS_C_NT_EXPORT_NAME -.El -.Pp -GSS-API implementations that supports Kerberos 5 have some additional -name types: -.Bl -bullet -.It -.Li GSS_KRB5_NT_PRINCIPAL_NAME -.It -.Li GSS_KRB5_NT_USER_NAME -.It -.Li GSS_KRB5_NT_MACHINE_UID_NAME -.It -.Li GSS_KRB5_NT_STRING_UID_NAME -.El -.Pp -In GSS-API, names have two forms, internal names and contiguous string -names. -.Bl -bullet -.It -.Li Internal name and mechanism name -.Pp -Internal names are implementation specific representation of -a GSS-API name. -.Li Mechanism names -special form of internal names corresponds to one and only one mechanism. -.Pp -In GSS-API an internal name is stored in a -.Dv gss_name_t . -.It -.Li Contiguous string name and exported name -.Pp -Contiguous string names are gssapi names stored in a -.Dv OCTET STRING -that together with a name type identifier (OID) uniquely specifies a -gss-name. -A special form of the contiguous string name is the exported name that -have a OID embedded in the string to make it unique. -Exported name have the nametype -.Dv GSS_C_NT_EXPORT_NAME . -.Pp -In GSS-API an contiguous string name is stored in a -.Dv gss_buffer_t . -.Pp -Exported names also have the property that they are specified by the -mechanism itself and compatible between diffrent GSS-API -implementations. -.El -.Sh ACCESS CONTROL -There are two ways of comparing GSS-API names, either comparing two -internal names with each other or two contiguous string names with -either other. -.Pp -To compare two internal names with each other, import (if needed) the -names with -.Fn gss_import_name -into the GSS-API implementation and the compare the imported name with -.Fn gss_compare_name . -.Pp -Importing names can be slow, so when its possible to store exported -names in the access control list, comparing contiguous string name -might be better. -.Pp -when comparing contiguous string name, first export them into a -.Dv GSS_C_NT_EXPORT_NAME -name with -.Fn gss_export_name -and then compare with -.Xr memcmp 3 . -.Pp -Note that there are might be a difference between the two methods of -comparing names. -The first (using -.Fn gss_compare_name ) -will compare to (unauthenticated) names are the same. -The second will compare if a mechanism will authenticate them as the -same principal. -.Pp -For example, if -.Fn gss_import_name -name was used with -.Dv GSS_C_NO_OID -the default syntax is used for all mechanism the GSS-API -implementation supports. -When compare the imported name of -.Dv GSS_C_NO_OID -it may match serveral mechanism names (MN). -.Pp -The resulting name from -.Fn gss_display_name -must not be used for acccess control. -.Sh FUNCTIONS -.Fn gss_display_name -takes the gss name in -.Fa input_name -and puts a printable form in -.Fa output_name_buffer . -.Fa output_name_buffer -should be freed when done using -.Fn gss_release_buffer . -.Fa output_name_type -can either be -.Dv NULL -or a pointer to a -.Li gss_OID -and will in the latter case contain the OID type of the name. -The name must only be used for printing. -If access control is needed, see section -.Sx ACCESS CONTROL . -.Pp -.Fn gss_inquire_context -returns information about the context. -Information is available even after the context have expired. -.Fa lifetime_rec -argument is set to -.Dv GSS_C_INDEFINITE -(dont expire) or the number of seconds that the context is still valid. -A value of 0 means that the context is expired. -.Fa mech_type -argument should be considered readonly and must not be released. -.Fa src_name -and -.Fn dest_name -are both mechanims names and must be released with -.Fn gss_release_name -when no longer used. -.Pp -.Nm gss_context_time -will return the amount of time (in seconds) of the context is still -valid. -If its expired -.Fa time_rec -will be set to 0 and -.Dv GSS_S_CONTEXT_EXPIRED -returned. -.Pp -.Fn gss_sign , -.Fn gss_verify , -.Fn gss_seal , -and -.Fn gss_unseal -are part of the GSS-API V1 interface and are obsolete. -The functions should not be used for new applications. -They are provided so that version 1 applications can link against the -library. -.Sh EXTENSIONS -.Fn gss_krb5_ccache_name -sets the internal kerberos 5 credential cache name to -.Fa name . -The old name is returned in -.Fa old_name , -and must not be freed. -The data allocated for -.Fa old_name -is free upon next call to -.Fn gss_krb5_ccache_name . -This function is not threadsafe if -.Fa old_name -argument is used. -.Pp -.Fn gss_krb5_copy_ccache -will extract the krb5 credentials that are transferred from the -initiator to the acceptor when using token delegation in the Kerberos -mechanism. -The acceptor receives the delegated token in the last argument to -.Fn gss_accept_sec_context . -.Pp -.Fn gsskrb5_register_acceptor_identity -sets the Kerberos 5 principal that the acceptor will use. -.Pp -.Fn gsskrb5_extract_authz_data_from_sec_context -extracts the Kerberos authorizationdata that may be stored within the -context. -Tha caller must free the returned buffer -.Fa ad_data -with -.Fn gss_release_buffer -upon success. -.Pp -.Fn gss_krb5_get_tkt_flags -return the ticket flags for the kerberos ticket receive when -authenticating the initiator. -Only valid on the acceptor context. -.Pp -.Fn gss_krb5_compat_des3_mic -turns on or off the compatibility with older version of Heimdal using -des3 get and verify mic, this is way to programmatically set the -[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see -COMPATIBILITY section in -.Xr gssapi 3 ) . -If the CPP symbol -.Dv GSS_C_KRB5_COMPAT_DES3_MIC -is present, -.Fn gss_krb5_compat_des3_mic -exists. -.Fn gss_krb5_compat_des3_mic -will be removed in a later version of the GSS-API library. -.Sh SEE ALSO -.Xr gssapi 3 , -.Xr krb5 3 , -.Xr krb5_ccache 3 , -.Xr kerberos 8 diff --git a/lib/gssapi/krb5/gssapi.3 b/lib/gssapi/krb5/gssapi.3 deleted file mode 100644 index 79897cdad..000000000 --- a/lib/gssapi/krb5/gssapi.3 +++ /dev/null @@ -1,176 +0,0 @@ -.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id$ -.\" -.Dd April 20, 2005 -.Dt GSSAPI 3 -.Os -.Sh NAME -.Nm gssapi -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API Library (libgssapi, -lgssapi) -.Sh DESCRIPTION -The Generic Security Service Application Program Interface (GSS-API) -provides security services to callers in a generic fashion, -supportable with a range of underlying mechanisms and technologies and -hence allowing source-level portability of applications to different -environments. -.Pp -The GSS-API implementation in Heimdal implements the Kerberos 5 and -the SPNEGO GSS-API security mechanisms. -.Sh LIST OF FUNCTIONS -These functions constitute the gssapi library, -.Em libgssapi . -Declarations for these functions may be obtained from the include file -.Pa gssapi.h . -.sp 2 -.nf -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u -\fIName/Page\fP \fIDescription\fP -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC -.sp 5p -gss_accept_sec_context.3 -gss_acquire_cred.3 -gss_add_cred.3 -gss_add_oid_set_member.3 -gss_canonicalize_name.3 -gss_compare_name.3 -gss_context_time.3 -gss_create_empty_oid_set.3 -gss_delete_sec_context.3 -gss_display_name.3 -gss_display_status.3 -gss_duplicate_name.3 -gss_export_name.3 -gss_export_sec_context.3 -gss_get_mic.3 -gss_import_name.3 -gss_import_sec_context.3 -gss_indicate_mechs.3 -gss_init_sec_context.3 -gss_inquire_context.3 -gss_inquire_cred.3 -gss_inquire_cred_by_mech.3 -gss_inquire_mechs_for_name.3 -gss_inquire_names_for_mech.3 -gss_krb5_ccache_name.3 -gss_krb5_copy_ccache.3 -gss_krb5_compat_des3_mic.3 -gss_krb5_extract_authz_data_from_sec_context.3 -gss_process_context_token.3 -gss_release_buffer.3 -gss_release_cred.3 -gss_release_name.3 -gss_release_oid_set.3 -gss_seal.3 -gss_sign.3 -gss_test_oid_set_member.3 -gss_unseal.3 -gss_unwrap.3 -gss_verify.3 -gss_verify_mic.3 -gss_wrap.3 -gss_wrap_size_limit.3 -.ta -.Fi -.Sh COMPATIBILITY -The -.Nm Heimdal -GSS-API implementation had a bug in releases before 0.6 that made it -fail to inter-operate when using DES3 with other GSS-API -implementations when using -.Fn gss_get_mic -/ -.Fn gss_verify_mic . -It is possible to modify the behavior of the generator of the MIC with -the -.Pa krb5.conf -configuration file so that old clients/servers will still -work. -.Pp -New clients/servers will try both the old and new MIC in Heimdal 0.6. -In 0.7 it will check only if configured - the compatibility code will -be removed in 0.8. -.Pp -Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, -this will change in 0.7 to generate correct des3 mic. -.Pp -To turn on compatibility with older clients and servers, change the -.Nm [gssapi] -.Ar broken_des3_mic -in -.Pa krb5.conf -that contains a list of globbing expressions that will be matched -against the server name. -To turn off generation of the old (incompatible) mic of the MIC use -.Nm [gssapi] -.Ar correct_des3_mic . -.Pp -If a match for a entry is in both -.Nm [gssapi] -.Ar correct_des3_mic -and -.Nm [gssapi] -.Ar broken_des3_mic , -the later will override. -.Pp -This config option modifies behaviour for both clients and servers. -.Pp -Microsoft implemented SPNEGO to Windows2000, however, they manage to -get it wrong, their implementation didn't fill in the MechListMIC in -the reply token with the right content. -There is a work around for this problem, but not all implementation -support it. -.Pp -Heimdal defaults to correct SPNEGO when the the kerberos -implementation uses CFX, or when its configured by the user. -To turn on compatibility with peers, use option -.Nm [gssapi] -.Ar require_mechlist_mic . -.Sh EXAMPLES -.Bd -literal -offset indent -[gssapi] - broken_des3_mic = cvs/*@SU.SE - broken_des3_mic = host/*@E.KTH.SE - correct_des3_mic = host/*@SU.SE - require_mechlist_mic = host/*@SU.SE -.Ed -.Sh BUGS -All of 0.5.x versions of -.Nm heimdal -had broken token delegations in the client side, the server side was -correct. -.Sh SEE ALSO -.Xr krb5 3 , -.Xr krb5.conf 5 , -.Xr kerberos 8 diff --git a/lib/gssapi/krb5/gssapi.h b/lib/gssapi/krb5/gssapi.h deleted file mode 100644 index 3bc000e2a..000000000 --- a/lib/gssapi/krb5/gssapi.h +++ /dev/null @@ -1,797 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id$ */ - -#ifndef GSSAPI_H_ -#define GSSAPI_H_ - -/* - * First, include stddef.h to get size_t defined. - */ -#include - -#include - -/* - * Now define the three implementation-dependent types. - */ - -typedef u_int32_t OM_uint32; - -typedef u_int32_t gss_uint32; - -/* - * This is to avoid having to include - */ - -struct krb5_auth_context_data; - -struct Principal; - -/* typedef void *gss_name_t; */ - -typedef struct Principal *gss_name_t; - -struct gss_ctx_id_t_desc_struct; -typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t; - -typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; -} gss_OID_desc, *gss_OID; - -typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; -} gss_OID_set_desc, *gss_OID_set; - -struct krb5_keytab_data; - -struct krb5_ccache_data; - -typedef int gss_cred_usage_t; - -struct gss_cred_id_t_desc_struct; -typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t; - -typedef struct gss_buffer_desc_struct { - size_t length; - void *value; -} gss_buffer_desc, *gss_buffer_t; - -typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; -} *gss_channel_bindings_t; - -/* - * For now, define a QOP-type as an OM_uint32 - */ -typedef OM_uint32 gss_qop_t; - -/* - * Flag bits for context-level services. - */ -#define GSS_C_DELEG_FLAG 1 -#define GSS_C_MUTUAL_FLAG 2 -#define GSS_C_REPLAY_FLAG 4 -#define GSS_C_SEQUENCE_FLAG 8 -#define GSS_C_CONF_FLAG 16 -#define GSS_C_INTEG_FLAG 32 -#define GSS_C_ANON_FLAG 64 -#define GSS_C_PROT_READY_FLAG 128 -#define GSS_C_TRANS_FLAG 256 - -/* - * Credential usage options - */ -#define GSS_C_BOTH 0 -#define GSS_C_INITIATE 1 -#define GSS_C_ACCEPT 2 - -/* - * Status code types for gss_display_status - */ -#define GSS_C_GSS_CODE 1 -#define GSS_C_MECH_CODE 2 - -/* - * The constant definitions for channel-bindings address families - */ -#define GSS_C_AF_UNSPEC 0 -#define GSS_C_AF_LOCAL 1 -#define GSS_C_AF_INET 2 -#define GSS_C_AF_IMPLINK 3 -#define GSS_C_AF_PUP 4 -#define GSS_C_AF_CHAOS 5 -#define GSS_C_AF_NS 6 -#define GSS_C_AF_NBS 7 -#define GSS_C_AF_ECMA 8 -#define GSS_C_AF_DATAKIT 9 -#define GSS_C_AF_CCITT 10 -#define GSS_C_AF_SNA 11 -#define GSS_C_AF_DECnet 12 -#define GSS_C_AF_DLI 13 -#define GSS_C_AF_LAT 14 -#define GSS_C_AF_HYLINK 15 -#define GSS_C_AF_APPLETALK 16 -#define GSS_C_AF_BSC 17 -#define GSS_C_AF_DSS 18 -#define GSS_C_AF_OSI 19 -#define GSS_C_AF_X25 21 -#define GSS_C_AF_INET6 24 - -#define GSS_C_AF_NULLADDR 255 - -/* - * Various Null values - */ -#define GSS_C_NO_NAME ((gss_name_t) 0) -#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NO_OID ((gss_OID) 0) -#define GSS_C_NO_OID_SET ((gss_OID_set) 0) -#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) -#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) -#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) -#define GSS_C_EMPTY_BUFFER {0, NULL} - -/* - * Some alternate names for a couple of the above - * values. These are defined for V1 compatibility. - */ -#define GSS_C_NULL_OID GSS_C_NO_OID -#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET - -/* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero - * (as done here) to mean "default protection", or to a specific - * explicit QOP value. However, a value of 0 should always be - * interpreted by a GSSAPI implementation as a request for the - * default protection level. - */ -#define GSS_C_QOP_DEFAULT 0 - -#define GSS_KRB5_CONF_C_QOP_DES 0x0100 -#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 - -/* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ -#define GSS_C_INDEFINITE 0xfffffffful - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_USER_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_MACHINE_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_STRING_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_ANONYMOUS; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_EXPORT_NAME; - -/* - * RFC2478, SPNEGO: - * The security mechanism of the initial - * negotiation token is identified by the Object Identifier - * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). - */ -extern gss_OID GSS_SPNEGO_MECHANISM; - -/* - * This if for kerberos5 names. - */ - -extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; -extern gss_OID GSS_KRB5_NT_USER_NAME; -extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; -extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; - -extern gss_OID GSS_KRB5_MECHANISM; - -/* for compatibility with MIT api */ - -#define gss_mech_krb5 GSS_KRB5_MECHANISM -#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME - -/* Major status codes */ - -#define GSS_S_COMPLETE 0 - -/* - * Some "helper" definitions to make the status code macros obvious. - */ -#define GSS_C_CALLING_ERROR_OFFSET 24 -#define GSS_C_ROUTINE_ERROR_OFFSET 16 -#define GSS_C_SUPPLEMENTARY_OFFSET 0 -#define GSS_C_CALLING_ERROR_MASK 0377ul -#define GSS_C_ROUTINE_ERROR_MASK 0377ul -#define GSS_C_SUPPLEMENTARY_MASK 0177777ul - -/* - * The macros that test status codes for error conditions. - * Note that the GSS_ERROR() macro has changed slightly from - * the V1 GSSAPI so that it now evaluates its argument - * only once. - */ -#define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) -#define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) -#define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) -#define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - -/* - * Now the actual status code definitions - */ - -/* - * Calling errors: - */ -#define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - -/* - * Routine errors: - */ -#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - -#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_MIC GSS_S_BAD_SIG -#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) - -/* - * Supplementary info bits: - */ -#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) -#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) -#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) -#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) -#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - -/* - * From RFC1964: - * - * 4.1.1. Non-Kerberos-specific codes - */ - -#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1 - /* "No @ in SERVICE-NAME name string" */ -#define GSS_KRB5_S_G_BAD_STRING_UID 2 - /* "STRING-UID-NAME contains nondigits" */ -#define GSS_KRB5_S_G_NOUSER 3 - /* "UID does not resolve to username" */ -#define GSS_KRB5_S_G_VALIDATE_FAILED 4 - /* "Validation error" */ -#define GSS_KRB5_S_G_BUFFER_ALLOC 5 - /* "Couldn't allocate gss_buffer_t data" */ -#define GSS_KRB5_S_G_BAD_MSG_CTX 6 - /* "Message context invalid" */ -#define GSS_KRB5_S_G_WRONG_SIZE 7 - /* "Buffer is the wrong size" */ -#define GSS_KRB5_S_G_BAD_USAGE 8 - /* "Credential usage type is unknown" */ -#define GSS_KRB5_S_G_UNKNOWN_QOP 9 - /* "Unknown quality of protection specified" */ - - /* - * 4.1.2. Kerberos-specific-codes - */ - -#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10 - /* "Principal in credential cache does not match desired name" */ -#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11 - /* "No principal in keytab matches desired name" */ -#define GSS_KRB5_S_KG_TGT_MISSING 12 - /* "Credential cache has no TGT" */ -#define GSS_KRB5_S_KG_NO_SUBKEY 13 - /* "Authenticator has no subkey" */ -#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14 - /* "Context is already fully established" */ -#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15 - /* "Unknown signature type in token" */ -#define GSS_KRB5_S_KG_BAD_LENGTH 16 - /* "Invalid field length in token" */ -#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17 - /* "Attempt to use incomplete security context" */ - -/* - * Finally, function prototypes for the GSS-API routines. - */ - -OM_uint32 gss_acquire_cred - (OM_uint32 * /*minor_status*/, - const gss_name_t /*desired_name*/, - OM_uint32 /*time_req*/, - const gss_OID_set /*desired_mechs*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_release_cred - (OM_uint32 * /*minor_status*/, - gss_cred_id_t * /*cred_handle*/ - ); - -OM_uint32 gss_init_sec_context - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*initiator_cred_handle*/, - gss_ctx_id_t * /*context_handle*/, - const gss_name_t /*target_name*/, - const gss_OID /*mech_type*/, - OM_uint32 /*req_flags*/, - OM_uint32 /*time_req*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const gss_buffer_t /*input_token*/, - gss_OID * /*actual_mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_accept_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - const gss_cred_id_t /*acceptor_cred_handle*/, - const gss_buffer_t /*input_token_buffer*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - gss_name_t * /*src_name*/, - gss_OID * /*mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/, - gss_cred_id_t * /*delegated_cred_handle*/ - ); - -OM_uint32 gss_process_context_token - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*token_buffer*/ - ); - -OM_uint32 gss_delete_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*output_token*/ - ); - -OM_uint32 gss_context_time - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_get_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - -OM_uint32 gss_verify_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_wrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unwrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_display_status - (OM_uint32 * /*minor_status*/, - OM_uint32 /*status_value*/, - int /*status_type*/, - const gss_OID /*mech_type*/, - OM_uint32 * /*message_context*/, - gss_buffer_t /*status_string*/ - ); - -OM_uint32 gss_indicate_mechs - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*mech_set*/ - ); - -OM_uint32 gss_compare_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*name1*/, - const gss_name_t /*name2*/, - int * /*name_equal*/ - ); - -OM_uint32 gss_display_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*output_name_buffer*/, - gss_OID * /*output_name_type*/ - ); - -OM_uint32 gss_import_name - (OM_uint32 * /*minor_status*/, - const gss_buffer_t /*input_name_buffer*/, - const gss_OID /*input_name_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_export_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*exported_name*/ - ); - -OM_uint32 gss_release_name - (OM_uint32 * /*minor_status*/, - gss_name_t * /*input_name*/ - ); - -OM_uint32 gss_release_buffer - (OM_uint32 * /*minor_status*/, - gss_buffer_t /*buffer*/ - ); - -OM_uint32 gss_release_oid_set - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*set*/ - ); - -OM_uint32 gss_inquire_cred - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - gss_name_t * /*name*/, - OM_uint32 * /*lifetime*/, - gss_cred_usage_t * /*cred_usage*/, - gss_OID_set * /*mechanisms*/ - ); - -OM_uint32 gss_inquire_context ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_name_t * /*src_name*/, - gss_name_t * /*targ_name*/, - OM_uint32 * /*lifetime_rec*/, - gss_OID * /*mech_type*/, - OM_uint32 * /*ctx_flags*/, - int * /*locally_initiated*/, - int * /*open_context*/ - ); - -OM_uint32 gss_wrap_size_limit ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 * /*max_input_size*/ - ); - -OM_uint32 gss_add_cred ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*input_cred_handle*/, - const gss_name_t /*desired_name*/, - const gss_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - OM_uint32 /*initiator_time_req*/, - OM_uint32 /*acceptor_time_req*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*initiator_time_rec*/, - OM_uint32 * /*acceptor_time_rec*/ - ); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*mech_type*/, - gss_name_t * /*name*/, - OM_uint32 * /*initiator_lifetime*/, - OM_uint32 * /*acceptor_lifetime*/, - gss_cred_usage_t * /*cred_usage*/ - ); - -OM_uint32 gss_export_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*interprocess_token*/ - ); - -OM_uint32 gss_import_sec_context ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*interprocess_token*/, - gss_ctx_id_t * /*context_handle*/ - ); - -OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * /*minor_status*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_add_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member_oid*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member*/, - const gss_OID_set /*set*/, - int * /*present*/ - ); - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * /*minor_status*/, - const gss_OID /*mechanism*/, - gss_OID_set * /*name_types*/ - ); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_OID_set * /*mech_types*/ - ); - -OM_uint32 gss_canonicalize_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - const gss_OID /*mech_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_duplicate_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*src_name*/, - gss_name_t * /*dest_name*/ - ); - -/* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSSAPI V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - * (as opposed to #defines) should be provided, both to allow - * GSSAPI V1 applications to link against GSSAPI V2 implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. - */ - -OM_uint32 gss_sign - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*qop_req*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - -OM_uint32 gss_verify - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*token_buffer*/, - int * /*qop_state*/ - ); - -OM_uint32 gss_seal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - int /*qop_req*/, - gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unseal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - int * /*qop_state*/ - ); - -/* - * kerberos mechanism specific functions - */ - -OM_uint32 -gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, - const char * /*name */, - const char ** /*out_name */); - -OM_uint32 gsskrb5_register_acceptor_identity - (const char */*identity*/); - -OM_uint32 gss_krb5_copy_ccache - (OM_uint32 */*minor*/, - gss_cred_id_t /*cred*/, - struct krb5_ccache_data */*out*/); - -OM_uint32 gss_krb5_get_tkt_flags - (OM_uint32 */*minor*/, - gss_ctx_id_t /*context_handle*/, - OM_uint32 */*tkt_flags*/); - -OM_uint32 -gsskrb5_extract_authz_data_from_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*ad_type*/, - gss_buffer_t /*ad_data*/); - -#define GSS_C_KRB5_COMPAT_DES3_MIC 1 - -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int); - -#ifdef __cplusplus -} -#endif - -#endif /* GSSAPI_H_ */ diff --git a/lib/gssapi/krb5/gssapi_locl.h b/lib/gssapi/krb5/gssapi_locl.h deleted file mode 100644 index 54c6176f3..000000000 --- a/lib/gssapi/krb5/gssapi_locl.h +++ /dev/null @@ -1,279 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id$ */ - -#ifndef GSSAPI_LOCL_H -#define GSSAPI_LOCL_H - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include - -#include "cfx.h" -#include "arcfour.h" - -#include "spnego_asn1.h" - -/* - * - */ - -struct gss_msg_order; - -typedef struct gss_ctx_id_t_desc_struct { - struct krb5_auth_context_data *auth_context; - gss_name_t source, target; - OM_uint32 flags; - enum { LOCAL = 1, OPEN = 2, - COMPAT_OLD_DES3 = 4, - COMPAT_OLD_DES3_SELECTED = 8, - ACCEPTOR_SUBKEY = 16 - } more_flags; - struct krb5_ticket *ticket; - OM_uint32 lifetime; - HEIMDAL_MUTEX ctx_id_mutex; - struct gss_msg_order *order; -} gss_ctx_id_t_desc; - -typedef struct gss_cred_id_t_desc_struct { - gss_name_t principal; - struct krb5_keytab_data *keytab; - OM_uint32 lifetime; - gss_cred_usage_t usage; - gss_OID_set mechanisms; - struct krb5_ccache_data *ccache; - HEIMDAL_MUTEX cred_id_mutex; -} gss_cred_id_t_desc; - -/* - * - */ - -extern krb5_context gssapi_krb5_context; - -extern krb5_keytab gssapi_krb5_keytab; -extern HEIMDAL_MUTEX gssapi_keytab_mutex; - -struct gssapi_thr_context { - HEIMDAL_MUTEX mutex; - char *error_string; -}; - -/* - * Prototypes - */ - -krb5_error_code gssapi_krb5_init (void); - -#define GSSAPI_KRB5_INIT() do { \ - krb5_error_code kret; \ - if((kret = gssapi_krb5_init ()) != 0) { \ - *minor_status = kret; \ - return GSS_S_FAILURE; \ - } \ -} while (0) - -struct gssapi_thr_context * -gssapi_get_thread_context(int); - -void -gsskrb5_is_cfx(gss_ctx_id_t, int *); - -OM_uint32 -gssapi_krb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result); - -OM_uint32 -gssapi_krb5_verify_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data); - -void -_gssapi_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech); - -void -gssapi_krb5_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech); - - - -OM_uint32 -_gssapi_encapsulate(OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const gss_OID mech); - - -OM_uint32 -gssapi_krb5_encapsulate(OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const u_char *type, - const gss_OID mech); - -OM_uint32 -gssapi_krb5_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - char *type, - gss_OID oid); - -u_char * -gssapi_krb5_make_header (u_char *p, - size_t len, - const u_char *type, - const gss_OID mech); - -u_char * -_gssapi_make_mech_header(u_char *p, - size_t len, - const gss_OID mech); - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len, - gss_OID oid); - -OM_uint32 -gssapi_krb5_verify_header(u_char **str, - size_t total_len, - u_char *type, - gss_OID oid); - -OM_uint32 -_gssapi_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const gss_OID mech); - - -ssize_t -gssapi_krb5_get_mech (const u_char *, size_t, const u_char **); - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t, size_t, size_t *); - -OM_uint32 -gss_verify_mic_internal(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type); - -OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key); - -krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address); - -/* sec_context flags */ - -#define SC_LOCAL_ADDRESS 0x01 -#define SC_REMOTE_ADDRESS 0x02 -#define SC_KEYBLOCK 0x04 -#define SC_LOCAL_SUBKEY 0x08 -#define SC_REMOTE_SUBKEY 0x10 - -int -gss_oid_equal(const gss_OID a, const gss_OID b); - -void -gssapi_krb5_set_error_string (void); - -char * -gssapi_krb5_get_error_string (void); - -OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *, gss_ctx_id_t); - -OM_uint32 -_gss_spnego_require_mechlist_mic(OM_uint32 *, gss_ctx_id_t, krb5_boolean *); - -krb5_error_code -_gss_check_compat(OM_uint32 *, gss_name_t, const char *, - krb5_boolean *, krb5_boolean); - -OM_uint32 -gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *); - -/* sequence */ - -OM_uint32 -_gssapi_msg_order_create(OM_uint32 *, struct gss_msg_order **, - OM_uint32, OM_uint32, OM_uint32, int); -OM_uint32 -_gssapi_msg_order_destroy(struct gss_msg_order **); - -OM_uint32 -_gssapi_msg_order_check(struct gss_msg_order *, OM_uint32); - -OM_uint32 -_gssapi_msg_order_f(OM_uint32); - -/* 8003 */ - -krb5_error_code -gssapi_encode_om_uint32(OM_uint32, u_char *); - -krb5_error_code -gssapi_encode_be_om_uint32(OM_uint32, u_char *); - -krb5_error_code -gssapi_decode_om_uint32(u_char *, OM_uint32 *); - -krb5_error_code -gssapi_decode_be_om_uint32(u_char *, OM_uint32 *); - -#endif diff --git a/lib/gssapi/krb5/import_name.c b/lib/gssapi/krb5/import_name.c deleted file mode 100644 index f3af21743..000000000 --- a/lib/gssapi/krb5/import_name.c +++ /dev/null @@ -1,229 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -parse_krb5_name (OM_uint32 *minor_status, - const char *name, - gss_name_t *output_name) -{ - krb5_error_code kerr; - - kerr = krb5_parse_name (gssapi_krb5_context, name, output_name); - - if (kerr == 0) - return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } -} - -static OM_uint32 -import_krb5_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - OM_uint32 ret; - char *tmp; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - ret = parse_krb5_name(minor_status, tmp, output_name); - free(tmp); - - return ret; -} - -static OM_uint32 -import_hostbased_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - krb5_error_code kerr; - char *tmp; - char *p; - char *host; - char local_hostname[MAXHOSTNAMELEN]; - - *output_name = NULL; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - p = strchr (tmp, '@'); - if (p != NULL) { - *p = '\0'; - host = p + 1; - } else { - if (gethostname(local_hostname, sizeof(local_hostname)) < 0) { - *minor_status = errno; - free (tmp); - return GSS_S_FAILURE; - } - host = local_hostname; - } - - kerr = krb5_sname_to_principal (gssapi_krb5_context, - host, - tmp, - KRB5_NT_SRV_HST, - output_name); - free (tmp); - *minor_status = kerr; - if (kerr == 0) - return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } -} - -static OM_uint32 -import_export_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - unsigned char *p; - uint32_t length; - OM_uint32 ret; - char *name; - - if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ - - p = input_name_buffer->value; - - if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 || - p[3] != GSS_KRB5_MECHANISM->length + 2 || - p[4] != 0x06 || - p[5] != GSS_KRB5_MECHANISM->length || - memcmp(&p[6], GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_NAME; - - p += 6 + GSS_KRB5_MECHANISM->length; - - length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; - p += 4; - - if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - name = malloc(length + 1); - if (name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(name, p, length); - name[length] = '\0'; - - ret = parse_krb5_name(minor_status, name, output_name); - free(name); - - return ret; -} - -int -gss_oid_equal(const gss_OID a, const gss_OID b) -{ - if (a == b) - return 1; - else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length) - return 0; - else - return memcmp(a->elements, b->elements, a->length) == 0; -} - -OM_uint32 gss_import_name - (OM_uint32 * minor_status, - const gss_buffer_t input_name_buffer, - const gss_OID input_name_type, - gss_name_t * output_name - ) -{ - GSSAPI_KRB5_INIT (); - - *minor_status = 0; - *output_name = GSS_C_NO_NAME; - - if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE)) - return import_hostbased_name (minor_status, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NO_OID) - || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME) - || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) - /* default printable syntax */ - return import_krb5_name (minor_status, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) { - return import_export_name(minor_status, - input_name_buffer, - output_name); - } else { - *minor_status = 0; - return GSS_S_BAD_NAMETYPE; - } -} diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c deleted file mode 100644 index e86f60d53..000000000 --- a/lib/gssapi/krb5/import_sec_context.c +++ /dev/null @@ -1,228 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_import_sec_context ( - OM_uint32 * minor_status, - const gss_buffer_t interprocess_token, - gss_ctx_id_t * context_handle - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_storage *sp; - krb5_auth_context ac; - krb5_address local, remote; - krb5_address *localp, *remotep; - krb5_data data; - gss_buffer_desc buffer; - krb5_keyblock keyblock; - int32_t tmp; - int32_t flags; - OM_uint32 minor; - int is_cfx = 0; - - GSSAPI_KRB5_INIT (); - - localp = remotep = NULL; - - sp = krb5_storage_from_mem (interprocess_token->value, - interprocess_token->length); - if (sp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - krb5_storage_free (sp); - return GSS_S_FAILURE; - } - memset (*context_handle, 0, sizeof(**context_handle)); - HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - /* flags */ - - *minor_status = 0; - - if (krb5_ret_int32 (sp, &flags) != 0) - goto failure; - - /* retrieve the auth context */ - - ac = (*context_handle)->auth_context; - krb5_ret_int32 (sp, &ac->flags); - if (flags & SC_LOCAL_ADDRESS) { - if (krb5_ret_address (sp, localp = &local) != 0) - goto failure; - } - - if (flags & SC_REMOTE_ADDRESS) { - if (krb5_ret_address (sp, remotep = &remote) != 0) - goto failure; - } - - krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep); - if (localp) - krb5_free_address (gssapi_krb5_context, localp); - if (remotep) - krb5_free_address (gssapi_krb5_context, remotep); - localp = remotep = NULL; - - if (krb5_ret_int16 (sp, &ac->local_port) != 0) - goto failure; - - if (krb5_ret_int16 (sp, &ac->remote_port) != 0) - goto failure; - if (flags & SC_KEYBLOCK) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (flags & SC_LOCAL_SUBKEY) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (flags & SC_REMOTE_SUBKEY) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (krb5_ret_int32 (sp, &ac->local_seqnumber)) - goto failure; - if (krb5_ret_int32 (sp, &ac->remote_seqnumber)) - goto failure; - - if (krb5_ret_int32 (sp, &tmp) != 0) - goto failure; - ac->keytype = tmp; - if (krb5_ret_int32 (sp, &tmp) != 0) - goto failure; - ac->cksumtype = tmp; - - /* names */ - - if (krb5_ret_data (sp, &data)) - goto failure; - buffer.value = data.data; - buffer.length = data.length; - - ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, - &(*context_handle)->source); - if (ret) { - ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, - &(*context_handle)->source); - if (ret) { - krb5_data_free (&data); - goto failure; - } - } - krb5_data_free (&data); - - if (krb5_ret_data (sp, &data) != 0) - goto failure; - buffer.value = data.data; - buffer.length = data.length; - - ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, - &(*context_handle)->target); - if (ret) { - ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, - &(*context_handle)->target); - if (ret) { - krb5_data_free (&data); - goto failure; - } - } - krb5_data_free (&data); - - if (krb5_ret_int32 (sp, &tmp)) - goto failure; - (*context_handle)->flags = tmp; - if (krb5_ret_int32 (sp, &tmp)) - goto failure; - (*context_handle)->more_flags = tmp; - if (krb5_ret_int32 (sp, &tmp) == 0) - (*context_handle)->lifetime = tmp; - else - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f((*context_handle)->flags), - 0, 0, is_cfx); - if (ret) - goto failure; - - krb5_storage_free (sp); - return GSS_S_COMPLETE; - -failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if ((*context_handle)->source != NULL) - gss_release_name(&minor, &(*context_handle)->source); - if ((*context_handle)->target != NULL) - gss_release_name(&minor, &(*context_handle)->target); - if (localp) - krb5_free_address (gssapi_krb5_context, localp); - if (remotep) - krb5_free_address (gssapi_krb5_context, remotep); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - krb5_storage_free (sp); - free (*context_handle); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} diff --git a/lib/gssapi/krb5/indicate_mechs.c b/lib/gssapi/krb5/indicate_mechs.c deleted file mode 100644 index 338f0e33f..000000000 --- a/lib/gssapi/krb5/indicate_mechs.c +++ /dev/null @@ -1,63 +0,0 @@ -/* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_indicate_mechs - (OM_uint32 * minor_status, - gss_OID_set * mech_set - ) -{ - OM_uint32 ret; - - ret = gss_create_empty_oid_set(minor_status, mech_set); - if (ret) - return ret; - - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set); - if (ret) { - gss_release_oid_set(NULL, mech_set); - return ret; - } - - ret = gss_add_oid_set_member(minor_status, GSS_SPNEGO_MECHANISM, mech_set); - if (ret) { - gss_release_oid_set(NULL, mech_set); - return ret; - } - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/init.c b/lib/gssapi/krb5/init.c deleted file mode 100644 index c036b3e5a..000000000 --- a/lib/gssapi/krb5/init.c +++ /dev/null @@ -1,111 +0,0 @@ -/* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static HEIMDAL_MUTEX gssapi_krb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER; -static int created_key; -static HEIMDAL_thread_key gssapi_context_key; - -static void -gssapi_destroy_thread_context(void *ptr) -{ - struct gssapi_thr_context *ctx = ptr; - - if (ctx == NULL) - return; - if (ctx->error_string) - free(ctx->error_string); - HEIMDAL_MUTEX_destroy(&ctx->mutex); - free(ctx); -} - - -struct gssapi_thr_context * -gssapi_get_thread_context(int createp) -{ - struct gssapi_thr_context *ctx; - int ret; - - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); - - if (!created_key) - abort(); - ctx = HEIMDAL_getspecific(gssapi_context_key); - if (ctx == NULL) { - if (!createp) - goto fail; - ctx = malloc(sizeof(*ctx)); - if (ctx == NULL) - goto fail; - ctx->error_string = NULL; - HEIMDAL_MUTEX_init(&ctx->mutex); - HEIMDAL_setspecific(gssapi_context_key, ctx, ret); - if (ret) - goto fail; - } - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); - return ctx; - fail: - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); - if (ctx) - free(ctx); - return NULL; -} - -krb5_error_code -gssapi_krb5_init (void) -{ - krb5_error_code ret = 0; - - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); - - if(gssapi_krb5_context == NULL) - ret = krb5_init_context (&gssapi_krb5_context); - if (ret == 0 && !created_key) { - HEIMDAL_key_create(&gssapi_context_key, - gssapi_destroy_thread_context, - ret); - if (ret) { - krb5_free_context(gssapi_krb5_context); - gssapi_krb5_context = NULL; - } else - created_key = 1; - } - - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); - - return ret; -} diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c deleted file mode 100644 index ee242f51f..000000000 --- a/lib/gssapi/krb5/init_sec_context.c +++ /dev/null @@ -1,1093 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * copy the addresses from `input_chan_bindings' (if any) to - * the auth context `ac' - */ - -static OM_uint32 -set_addresses (krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) -{ - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - krb5_error_code kret; - - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS - || input_chan_bindings->application_data.length != - 2 * sizeof(ac->local_port)) - return 0; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - ac->local_port = - *(int16_t *) input_chan_bindings->application_data.value; - - ac->remote_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); - if (kret) - return kret; - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - return kret; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - ac, - &initiator_addr, /* local address */ - &acceptor_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - return kret; -} - -/* - * handle delegated creds in init-sec-context - */ - -static void -do_delegation (krb5_auth_context ac, - krb5_ccache ccache, - krb5_creds *cred, - const gss_name_t target_name, - krb5_data *fwd_data, - int *flags) -{ - krb5_creds creds; - krb5_kdc_flags fwd_flags; - krb5_error_code kret; - - memset (&creds, 0, sizeof(creds)); - krb5_data_zero (fwd_data); - - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client); - if (kret) - goto out; - - kret = krb5_build_principal(gssapi_krb5_context, - &creds.server, - strlen(creds.client->realm), - creds.client->realm, - KRB5_TGS_NAME, - creds.client->realm, - NULL); - if (kret) - goto out; - - creds.times.endtime = 0; - - fwd_flags.i = 0; - fwd_flags.b.forwarded = 1; - fwd_flags.b.forwardable = 1; - - if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ - target_name->name.name_string.len < 2) - goto out; - - kret = krb5_get_forwarded_creds(gssapi_krb5_context, - ac, - ccache, - fwd_flags.i, - target_name->name.name_string.val[1], - &creds, - fwd_data); - - out: - if (kret) - *flags &= ~GSS_C_DELEG_FLAG; - else - *flags |= GSS_C_DELEG_FLAG; - - if (creds.client) - krb5_free_principal(gssapi_krb5_context, creds.client); - if (creds.server) - krb5_free_principal(gssapi_krb5_context, creds.server); -} - -/* - * first stage of init-sec-context - */ - -static OM_uint32 -init_auth -(OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_flags ap_options; - krb5_creds this_cred, *cred = NULL; - krb5_data outbuf; - krb5_ccache ccache = NULL; - u_int32_t flags; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; - krb5_data fwd_data; - OM_uint32 lifetime_rec; - - krb5_data_zero(&outbuf); - krb5_data_zero(&fwd_data); - - *minor_status = 0; - - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - (*context_handle)->order = NULL; - HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = set_addresses ((*context_handle)->auth_context, - input_chan_bindings); - if (kret) { - *minor_status = kret; - ret = GSS_S_BAD_BINDINGS; - goto failure; - } - - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE | - KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, - NULL); - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - } else - ccache = initiator_cred_handle->ccache; - - kret = krb5_cc_get_principal (gssapi_krb5_context, - ccache, - &(*context_handle)->source); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - target_name, - &(*context_handle)->target); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = (*context_handle)->source; - this_cred.server = (*context_handle)->target; - if (time_req && time_req != GSS_C_INDEFINITE) { - krb5_timestamp ts; - - krb5_timeofday (gssapi_krb5_context, &ts); - this_cred.times.endtime = ts + time_req; - } else - this_cred.times.endtime = 0; - this_cred.session.keytype = KEYTYPE_NULL; - - kret = krb5_get_credentials (gssapi_krb5_context, - 0, - ccache, - &this_cred, - &cred); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - (*context_handle)->lifetime = cred->times.endtime; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) { - goto failure; - } - - if (lifetime_rec == 0) { - *minor_status = 0; - ret = GSS_S_CONTEXT_EXPIRED; - goto failure; - } - - krb5_auth_con_setkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - - kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - if(kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - /* - * If the realm policy approves a delegation, lets check local - * policy if the credentials should be delegated, defafult to - * false. - */ - if (cred->flags.b.ok_as_delegate) { - krb5_boolean delegate = FALSE; - - _gss_check_compat(NULL, target_name, "ok-as-delegate", - &delegate, TRUE); - krb5_appdefault_boolean(gssapi_krb5_context, - "gssapi", target_name->realm, - "ok-as-delegate", delegate, &delegate); - if (delegate) - req_flags |= GSS_C_DELEG_FLAG; - } - - flags = 0; - ap_options = 0; - if (req_flags & GSS_C_DELEG_FLAG) - do_delegation ((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); - - if (req_flags & GSS_C_MUTUAL_FLAG) { - flags |= GSS_C_MUTUAL_FLAG; - ap_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if (req_flags & GSS_C_REPLAY_FLAG) - flags |= GSS_C_REPLAY_FLAG; - if (req_flags & GSS_C_SEQUENCE_FLAG) - flags |= GSS_C_SEQUENCE_FLAG; - if (req_flags & GSS_C_ANON_FLAG) - ; /* XXX */ - flags |= GSS_C_CONF_FLAG; - flags |= GSS_C_INTEG_FLAG; - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) - *ret_flags = flags; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= LOCAL; - - ret = gssapi_krb5_create_8003_checksum (minor_status, - input_chan_bindings, - flags, - &fwd_data, - &cksum); - krb5_data_free (&fwd_data); - if (ret) - goto failure; - - enctype = (*context_handle)->auth_context->keyblock->keytype; - - kret = krb5_build_authenticator (gssapi_krb5_context, - (*context_handle)->auth_context, - enctype, - cred, - &cksum, - NULL, - &authenticator, - KRB5_KU_AP_REQ_AUTH); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_build_ap_req (gssapi_krb5_context, - enctype, - cred, - ap_options, - authenticator, - &outbuf); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, - "\x01\x00", GSS_KRB5_MECHANISM); - if (ret) - goto failure; - - krb5_data_free (&outbuf); - krb5_free_creds(gssapi_krb5_context, cred); - free_Checksum(&cksum); - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) - krb5_cc_close(gssapi_krb5_context, ccache); - - if (flags & GSS_C_MUTUAL_FLAG) { - return GSS_S_CONTINUE_NEEDED; - } else { - int32_t seq_number; - int is_cfx = 0; - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, - &seq_number); - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f(flags), - seq_number, 0, is_cfx); - if (ret) - goto failure; - - if (time_rec) - *time_rec = lifetime_rec; - - (*context_handle)->more_flags |= OPEN; - return GSS_S_COMPLETE; - } - - failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - krb5_data_free (&outbuf); - if(cred) - krb5_free_creds(gssapi_krb5_context, cred); - if (ccache && initiator_cred_handle == GSS_C_NO_CREDENTIAL) - krb5_cc_close(gssapi_krb5_context, ccache); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - free (*context_handle); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} - -static OM_uint32 -repl_mutual - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret, seq_number; - krb5_error_code kret; - krb5_data indata; - krb5_ap_rep_enc_part *repl; - int is_cfx = 0; - - output_token->length = 0; - output_token->value = NULL; - - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - ret = gssapi_krb5_decapsulate (minor_status, input_token, &indata, - "\x02\x00", GSS_KRB5_MECHANISM); - if (ret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - /* XXX - Handle AP_ERROR */ - return ret; - } - - kret = krb5_rd_rep (gssapi_krb5_context, - (*context_handle)->auth_context, - &indata, - &repl); - if (kret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - krb5_free_ap_rep_enc_part (gssapi_krb5_context, - repl); - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, - &seq_number); - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f((*context_handle)->flags), - seq_number, 0, is_cfx); - if (ret) { - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - return ret; - } - - (*context_handle)->more_flags |= OPEN; - - *minor_status = 0; - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - } else { - ret = GSS_S_COMPLETE; - } - if (ret_flags) - *ret_flags = (*context_handle)->flags; - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - - return ret; -} - -static OM_uint32 -gsskrb5_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return init_auth (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return repl_mutual(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} - -static OM_uint32 -spnego_reply - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_data indata; - NegTokenTarg targ; - u_char oidbuf[17]; - size_t oidlen; - gss_buffer_desc sub_token; - ssize_t mech_len; - const u_char *p; - size_t len, taglen; - krb5_boolean require_mic; - - output_token->length = 0; - output_token->value = NULL; - - /* - * SPNEGO doesn't include gss wrapping on SubsequentContextToken - * like the Kerberos 5 mech does. But lets check for it anyway. - */ - - mech_len = gssapi_krb5_get_mech (input_token->value, - input_token->length, - &p); - - if (mech_len < 0) { - indata.data = input_token->value; - indata.length = input_token->length; - } else if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(GSS_KRB5_MECHANISM->elements, p, mech_len) == 0) - return gsskrb5_init_sec_context (minor_status, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(GSS_SPNEGO_MECHANISM->elements, p, mech_len) == 0){ - ret = _gssapi_decapsulate (minor_status, - input_token, - &indata, - GSS_SPNEGO_MECHANISM); - if (ret) - return ret; - } else - return GSS_S_BAD_MECH; - - ret = der_match_tag_and_length((const char *)indata.data, - indata.length, - ASN1_C_CONTEXT, CONS, 1, &len, &taglen); - if (ret) - return ret; - - if(len > indata.length - taglen) - return ASN1_OVERRUN; - - ret = decode_NegTokenTarg((const char *)indata.data + taglen, - len, &targ, NULL); - if (ret) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - if (targ.negResult == NULL - || *(targ.negResult) == reject - || targ.supportedMech == NULL) { - free_NegTokenTarg(&targ); - return GSS_S_BAD_MECH; - } - - ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1, - sizeof(oidbuf), - targ.supportedMech, - &oidlen); - if (ret || oidlen != GSS_KRB5_MECHANISM->length - || memcmp(oidbuf + sizeof(oidbuf) - oidlen, - GSS_KRB5_MECHANISM->elements, - oidlen) != 0) { - free_NegTokenTarg(&targ); - return GSS_S_BAD_MECH; - } - - if (targ.responseToken != NULL) { - sub_token.length = targ.responseToken->length; - sub_token.value = targ.responseToken->data; - } else { - sub_token.length = 0; - sub_token.value = NULL; - } - - ret = gsskrb5_init_sec_context(minor_status, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - &sub_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - /* - * Verify the mechListMIC if CFX was used; or if local policy - * dictated so. - */ - ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle, - &require_mic); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - if (require_mic) { - MechTypeList mechlist; - MechType m0; - size_t buf_len; - gss_buffer_desc mic_buf, mech_buf; - - if (targ.mechListMIC == NULL) { - free_NegTokenTarg(&targ); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - mechlist.len = 1; - mechlist.val = &m0; - - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - &m0, - NULL); - if (ret) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, - &mechlist, &buf_len, ret); - if (ret) { - free_NegTokenTarg(&targ); - free_oid(&m0); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - if (mech_buf.length != buf_len) - abort(); - - mic_buf.length = targ.mechListMIC->length; - mic_buf.value = targ.mechListMIC->data; - - ret = gss_verify_mic(minor_status, *context_handle, - &mech_buf, &mic_buf, NULL); - free(mech_buf.value); - free_oid(&m0); - } - free_NegTokenTarg(&targ); - return ret; -} - -static OM_uint32 -spnego_initial - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - NegTokenInit ni; - int ret; - OM_uint32 sub, minor; - gss_buffer_desc mech_token; - u_char *buf; - size_t buf_size, buf_len; - krb5_data data; -#if 1 - size_t ni_len; -#endif - - memset (&ni, 0, sizeof(ni)); - - ALLOC(ni.mechTypes, 1); - if (ni.mechTypes == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ALLOC_SEQ(ni.mechTypes, 1); - if (ni.mechTypes->val == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - &ni.mechTypes->val[0], - NULL); - if (ret) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - -#if 0 - ALLOC(ni.reqFlags, 1); - if (ni.reqFlags == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ni.reqFlags->delegFlag = req_flags & GSS_C_DELEG_FLAG; - ni.reqFlags->mutualFlag = req_flags & GSS_C_MUTUAL_FLAG; - ni.reqFlags->replayFlag = req_flags & GSS_C_REPLAY_FLAG; - ni.reqFlags->sequenceFlag = req_flags & GSS_C_SEQUENCE_FLAG; - ni.reqFlags->anonFlag = req_flags & GSS_C_ANON_FLAG; - ni.reqFlags->confFlag = req_flags & GSS_C_CONF_FLAG; - ni.reqFlags->integFlag = req_flags & GSS_C_INTEG_FLAG; -#else - ni.reqFlags = NULL; -#endif - - sub = gsskrb5_init_sec_context(&minor, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - GSS_C_NO_BUFFER, - actual_mech_type, - &mech_token, - ret_flags, - time_rec); - if (GSS_ERROR(sub)) { - free_NegTokenInit(&ni); - return sub; - } - if (mech_token.length != 0) { - ALLOC(ni.mechToken, 1); - if (ni.mechToken == NULL) { - free_NegTokenInit(&ni); - gss_release_buffer(&minor, &mech_token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ni.mechToken->length = mech_token.length; - ni.mechToken->data = malloc(mech_token.length); - if (ni.mechToken->data == NULL && mech_token.length != 0) { - free_NegTokenInit(&ni); - gss_release_buffer(&minor, &mech_token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(ni.mechToken->data, mech_token.value, mech_token.length); - gss_release_buffer(&minor, &mech_token); - } else - ni.mechToken = NULL; - - /* XXX ignore mech list mic for now */ - ni.mechListMIC = NULL; - - -#if 0 - { - int ret; - NegotiationToken nt; - - nt.element = choice_NegotiationToken_negTokenInit; - nt.u.negTokenInit = ni; - - ASN1_MALLOC_ENCODE(NegotiationToken, buf, buf_size, - &nt, &buf_len, ret); - if (buf_size != buf_len) - abort(); - } -#else - ni_len = length_NegTokenInit(&ni); - buf_size = 1 + length_len(ni_len) + ni_len; - - buf = malloc(buf_size); - if (buf == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ret = encode_NegTokenInit(buf + buf_size - 1, - ni_len, - &ni, &buf_len); - if (ret == 0 && ni_len != buf_len) - abort(); - - if (ret == 0) { - size_t tmp; - - ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, - buf_size - buf_len, - buf_len, - ASN1_C_CONTEXT, - CONS, - 0, - &tmp); - if (ret == 0 && tmp + buf_len != buf_size) - abort(); - } - if (ret) { - *minor_status = ret; - free(buf); - free_NegTokenInit(&ni); - return GSS_S_FAILURE; - } - -#endif - data.data = buf; - data.length = buf_size; - - free_NegTokenInit(&ni); - if (ret) - return ret; - - sub = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); - free (buf); - - if (sub) - return sub; - - return GSS_S_CONTINUE_NEEDED; -} - -static OM_uint32 -spnego_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return spnego_initial (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return spnego_reply (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} - -/* - * gss_init_sec_context - */ - -OM_uint32 gss_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - GSSAPI_KRB5_INIT (); - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) - *ret_flags = 0; - if (time_rec) - *time_rec = 0; - - if (target_name == GSS_C_NO_NAME) { - if (actual_mech_type) - *actual_mech_type = GSS_C_NO_OID; - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - if (mech_type == GSS_C_NO_OID || - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) - return gsskrb5_init_sec_context(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM)) - return spnego_init_sec_context (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return GSS_S_BAD_MECH; -} diff --git a/lib/gssapi/krb5/inquire_context.c b/lib/gssapi/krb5/inquire_context.c deleted file mode 100644 index 4fddfd379..000000000 --- a/lib/gssapi/krb5/inquire_context.c +++ /dev/null @@ -1,97 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_inquire_context ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_name_t * src_name, - gss_name_t * targ_name, - OM_uint32 * lifetime_rec, - gss_OID * mech_type, - OM_uint32 * ctx_flags, - int * locally_initiated, - int * open_context - ) -{ - OM_uint32 ret; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - if (src_name) { - ret = gss_duplicate_name (minor_status, - context_handle->source, - src_name); - if (ret) - goto failed; - } - - if (targ_name) { - ret = gss_duplicate_name (minor_status, - context_handle->target, - targ_name); - if (ret) - goto failed; - } - - if (lifetime_rec) { - ret = gssapi_lifetime_left(minor_status, - context_handle->lifetime, - lifetime_rec); - if (ret) - goto failed; - } - - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (ctx_flags) - *ctx_flags = context_handle->flags; - - if (locally_initiated) - *locally_initiated = context_handle->more_flags & LOCAL; - - if (open_context) - *open_context = context_handle->more_flags & OPEN; - - *minor_status = 0; - ret = GSS_S_COMPLETE; - - failed: - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; -} diff --git a/lib/gssapi/krb5/inquire_cred.c b/lib/gssapi/krb5/inquire_cred.c deleted file mode 100644 index 1663d2cb1..000000000 --- a/lib/gssapi/krb5/inquire_cred.c +++ /dev/null @@ -1,123 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_inquire_cred - (OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - gss_cred_usage_t * cred_usage, - gss_OID_set * mechanisms - ) -{ - gss_cred_id_t cred; - OM_uint32 ret; - - *minor_status = 0; - - if (name) - *name = NULL; - if (mechanisms) - *mechanisms = GSS_C_NO_OID_SET; - - if (cred_handle == GSS_C_NO_CREDENTIAL) { - ret = gss_acquire_cred(minor_status, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_BOTH, - &cred, - NULL, - NULL); - if (ret) - return ret; - } else - cred = (gss_cred_id_t)cred_handle; - - HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - - if (name != NULL) { - if (cred->principal != NULL) { - ret = gss_duplicate_name(minor_status, cred->principal, - name); - if (ret) - goto out; - } else if (cred->usage == GSS_C_ACCEPT) { - *minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL, - NULL, KRB5_NT_SRV_HST, name); - if (*minor_status) { - ret = GSS_S_FAILURE; - goto out; - } - } else { - *minor_status = krb5_get_default_principal(gssapi_krb5_context, - name); - if (*minor_status) { - ret = GSS_S_FAILURE; - goto out; - } - } - } - if (lifetime != NULL) { - ret = gssapi_lifetime_left(minor_status, - cred->lifetime, - lifetime); - if (ret) - goto out; - } - if (cred_usage != NULL) - *cred_usage = cred->usage; - - if (mechanisms != NULL) { - ret = gss_create_empty_oid_set(minor_status, mechanisms); - if (ret) - goto out; - ret = gss_add_oid_set_member(minor_status, - &cred->mechanisms->elements[0], - mechanisms); - if (ret) - goto out; - } - ret = GSS_S_COMPLETE; - out: - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - - if (cred_handle == GSS_C_NO_CREDENTIAL) - ret = gss_release_cred(minor_status, &cred); - - return ret; -} diff --git a/lib/gssapi/krb5/inquire_cred_by_mech.c b/lib/gssapi/krb5/inquire_cred_by_mech.c deleted file mode 100644 index 9d0dfae61..000000000 --- a/lib/gssapi/krb5/inquire_cred_by_mech.c +++ /dev/null @@ -1,82 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - const gss_OID mech_type, - gss_name_t * name, - OM_uint32 * initiator_lifetime, - OM_uint32 * acceptor_lifetime, - gss_cred_usage_t * cred_usage - ) -{ - OM_uint32 ret; - OM_uint32 lifetime; - - if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { - *minor_status = EINVAL; - return GSS_S_BAD_MECH; - } - - ret = gss_inquire_cred (minor_status, - cred_handle, - name, - &lifetime, - cred_usage, - NULL); - - if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) { - gss_cred_usage_t usage; - - HEIMDAL_MUTEX_lock(&cred_handle->cred_id_mutex); - usage = cred_handle->usage; - HEIMDAL_MUTEX_unlock(&cred_handle->cred_id_mutex); - - if (initiator_lifetime) { - if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH) - *initiator_lifetime = lifetime; - } - if (acceptor_lifetime) { - if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) - *acceptor_lifetime = lifetime; - } - } - - return ret; -} diff --git a/lib/gssapi/krb5/inquire_mechs_for_name.c b/lib/gssapi/krb5/inquire_mechs_for_name.c deleted file mode 100644 index fb3709f93..000000000 --- a/lib/gssapi/krb5/inquire_mechs_for_name.c +++ /dev/null @@ -1,57 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - gss_OID_set * mech_types - ) -{ - OM_uint32 ret; - - ret = gss_create_empty_oid_set(minor_status, mech_types); - if (ret) - return ret; - - ret = gss_add_oid_set_member(minor_status, - GSS_KRB5_MECHANISM, - mech_types); - if (ret) - gss_release_oid_set(NULL, mech_types); - - return ret; -} diff --git a/lib/gssapi/krb5/inquire_names_for_mech.c b/lib/gssapi/krb5/inquire_names_for_mech.c deleted file mode 100644 index 7441d99b9..000000000 --- a/lib/gssapi/krb5/inquire_names_for_mech.c +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - - -static gss_OID *name_list[] = { - &GSS_C_NT_HOSTBASED_SERVICE, - &GSS_C_NT_USER_NAME, - &GSS_KRB5_NT_PRINCIPAL_NAME, - &GSS_C_NT_EXPORT_NAME, - NULL -}; - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * minor_status, - const gss_OID mechanism, - gss_OID_set * name_types - ) -{ - OM_uint32 ret; - int i; - - *minor_status = 0; - - if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 && - gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) { - *name_types = GSS_C_NO_OID_SET; - return GSS_S_BAD_MECH; - } - - ret = gss_create_empty_oid_set(minor_status, name_types); - if (ret != GSS_S_COMPLETE) - return ret; - - for (i = 0; name_list[i] != NULL; i++) { - ret = gss_add_oid_set_member(minor_status, - *(name_list[i]), - name_types); - if (ret != GSS_S_COMPLETE) - break; - } - - if (ret != GSS_S_COMPLETE) - gss_release_oid_set(NULL, name_types); - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/process_context_token.c b/lib/gssapi/krb5/process_context_token.c deleted file mode 100644 index 59778ba1a..000000000 --- a/lib/gssapi/krb5/process_context_token.c +++ /dev/null @@ -1,65 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_process_context_token ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t token_buffer - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - gss_buffer_desc empty_buffer; - gss_qop_t qop_state; - - empty_buffer.length = 0; - empty_buffer.value = NULL; - - qop_state = GSS_C_QOP_DEFAULT; - - ret = gss_verify_mic_internal(minor_status, context_handle, - token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); - - if (ret == GSS_S_COMPLETE) - ret = gss_delete_sec_context(minor_status, - (gss_ctx_id_t *)&context_handle, - GSS_C_NO_BUFFER); - if (ret == GSS_S_COMPLETE) - *minor_status = 0; - - return ret; -} diff --git a/lib/gssapi/krb5/release_buffer.c b/lib/gssapi/krb5/release_buffer.c deleted file mode 100644 index 60782bff7..000000000 --- a/lib/gssapi/krb5/release_buffer.c +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_release_buffer - (OM_uint32 * minor_status, - gss_buffer_t buffer - ) -{ - *minor_status = 0; - free (buffer->value); - buffer->value = NULL; - buffer->length = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/release_cred.c b/lib/gssapi/krb5/release_cred.c deleted file mode 100644 index d2c1f645c..000000000 --- a/lib/gssapi/krb5/release_cred.c +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_release_cred - (OM_uint32 * minor_status, - gss_cred_id_t * cred_handle - ) -{ - *minor_status = 0; - - if (*cred_handle == GSS_C_NO_CREDENTIAL) { - return GSS_S_COMPLETE; - } - - GSSAPI_KRB5_INIT (); - - HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex); - - if ((*cred_handle)->principal != NULL) - krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); - if ((*cred_handle)->keytab != NULL) - krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); - if ((*cred_handle)->ccache != NULL) { - const krb5_cc_ops *ops; - ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache); - if (ops == &krb5_mcc_ops) - krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache); - else - krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache); - } - gss_release_oid_set(NULL, &(*cred_handle)->mechanisms); - HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex); - HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex); - memset(*cred_handle, 0, sizeof(**cred_handle)); - free(*cred_handle); - *cred_handle = GSS_C_NO_CREDENTIAL; - return GSS_S_COMPLETE; -} - diff --git a/lib/gssapi/krb5/release_name.c b/lib/gssapi/krb5/release_name.c deleted file mode 100644 index 042153a48..000000000 --- a/lib/gssapi/krb5/release_name.c +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_release_name - (OM_uint32 * minor_status, - gss_name_t * input_name - ) -{ - GSSAPI_KRB5_INIT (); - if (minor_status) - *minor_status = 0; - krb5_free_principal(gssapi_krb5_context, - *input_name); - *input_name = GSS_C_NO_NAME; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/release_oid_set.c b/lib/gssapi/krb5/release_oid_set.c deleted file mode 100644 index 4bdcf4285..000000000 --- a/lib/gssapi/krb5/release_oid_set.c +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_release_oid_set - (OM_uint32 * minor_status, - gss_OID_set * set - ) -{ - if (minor_status) - *minor_status = 0; - free ((*set)->elements); - free (*set); - *set = GSS_C_NO_OID_SET; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/sequence.c b/lib/gssapi/krb5/sequence.c deleted file mode 100644 index 37f576008..000000000 --- a/lib/gssapi/krb5/sequence.c +++ /dev/null @@ -1,189 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -#define DEFAULT_JITTER_WINDOW 20 - -struct gss_msg_order { - OM_uint32 flags; - OM_uint32 start; - OM_uint32 length; - OM_uint32 jitter_window; - OM_uint32 first_seq; - OM_uint32 elem[1]; -}; - -/* - * - */ - -OM_uint32 -_gssapi_msg_order_create(OM_uint32 *minor_status, - struct gss_msg_order **o, - OM_uint32 flags, - OM_uint32 seq_num, - OM_uint32 jitter_window, - int use_64) -{ - size_t len; - - if (jitter_window == 0) - jitter_window = DEFAULT_JITTER_WINDOW; - - len = jitter_window * sizeof((*o)->elem[0]); - len += sizeof(**o); - len -= sizeof((*o)->elem[0]); - - *o = malloc(len); - if (*o == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memset(*o, 0, len); - (*o)->flags = flags; - (*o)->length = 0; - (*o)->first_seq = seq_num; - (*o)->jitter_window = jitter_window; - (*o)->elem[0] = seq_num - 1; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_msg_order_destroy(struct gss_msg_order **m) -{ - free(*m); - *m = NULL; - return GSS_S_COMPLETE; -} - -static void -elem_set(struct gss_msg_order *o, unsigned int slot, OM_uint32 val) -{ - o->elem[slot % o->jitter_window] = val; -} - -static void -elem_insert(struct gss_msg_order *o, - unsigned int after_slot, - OM_uint32 seq_num) -{ - assert(o->jitter_window > after_slot); - - if (o->length > after_slot) - memmove(&o->elem[after_slot + 1], &o->elem[after_slot], - (o->length - after_slot - 1) * sizeof(o->elem[0])); - - elem_set(o, after_slot, seq_num); - - if (o->length < o->jitter_window) - o->length++; -} - -/* rule 1: expected sequence number */ -/* rule 2: > expected sequence number */ -/* rule 3: seqnum < seqnum(first) */ -/* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */ - -OM_uint32 -_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) -{ - OM_uint32 r; - int i; - - if (o == NULL) - return GSS_S_COMPLETE; - - if ((o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG)) == 0) - return GSS_S_COMPLETE; - - /* check if the packet is the next in order */ - if (o->elem[0] == seq_num - 1) { - elem_insert(o, 0, seq_num); - return GSS_S_COMPLETE; - } - - r = (o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG))==GSS_C_REPLAY_FLAG; - - /* sequence number larger then largest sequence number - * or smaller then the first sequence number */ - if (seq_num > o->elem[0] - || seq_num < o->first_seq - || o->length == 0) - { - elem_insert(o, 0, seq_num); - if (r) { - return GSS_S_COMPLETE; - } else { - return GSS_S_GAP_TOKEN; - } - } - - assert(o->length > 0); - - /* sequence number smaller the first sequence number */ - if (seq_num < o->elem[o->length - 1]) { - if (r) - return(GSS_S_OLD_TOKEN); - else - return(GSS_S_UNSEQ_TOKEN); - } - - if (seq_num == o->elem[o->length - 1]) { - return GSS_S_DUPLICATE_TOKEN; - } - - for (i = 0; i < o->length - 1; i++) { - if (o->elem[i] == seq_num) - return GSS_S_DUPLICATE_TOKEN; - if (o->elem[i + 1] < seq_num && o->elem[i] < seq_num) { - elem_insert(o, i, seq_num); - if (r) - return GSS_S_COMPLETE; - else - return GSS_S_UNSEQ_TOKEN; - } - } - - return GSS_S_FAILURE; -} - -OM_uint32 -_gssapi_msg_order_f(OM_uint32 flags) -{ - return flags & (GSS_C_SEQUENCE_FLAG|GSS_C_REPLAY_FLAG); -} diff --git a/lib/gssapi/krb5/spkm.asn1 b/lib/gssapi/krb5/spkm.asn1 deleted file mode 100644 index 5c14196a4..000000000 --- a/lib/gssapi/krb5/spkm.asn1 +++ /dev/null @@ -1,240 +0,0 @@ --- from rfc2025 --- $Id$ - -SpkmGssTokens DEFINITIONS ::= -BEGIN - -IMPORTS AlgorithmIdentifier, Validity, - Attribute, Certificate, CertificateList, CertificatePair, Name - FROM rfc2459 - AuthorizationData FROM krb5; - -SPKM-REQ ::= SEQUENCE { - requestToken REQ-TOKEN, - certif-data [0] CertificationData OPTIONAL, - auth-data [1] AuthorizationData OPTIONAL -} - - -CertificationData ::= SEQUENCE { - certificationPath [0] CertificationPath OPTIONAL, - certificateRevocationList [1] CertificateList OPTIONAL -} -- at least one of the above shall be present - - -CertificationPath ::= SEQUENCE { - userKeyId [0] OCTET STRING OPTIONAL, - userCertif [1] Certificate OPTIONAL, - verifKeyId [2] OCTET STRING OPTIONAL, - userVerifCertif [3] Certificate OPTIONAL, - theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL -} -- Presence of [2] or [3] implies that [0] or [1] must also be - -- present. Presence of [4] implies that at least one of [0], [1], - -- [2], and [3] must also be present. - -REQ-TOKEN ::= SEQUENCE { - req-contents Req-contents, - algId AlgorithmIdentifier, - req-integrity Integrity -- "token" is Req-contents -} - -Integrity ::= BIT STRING - -- If corresponding algId specifies a signing algorithm, - -- "Integrity" holds the result of applying the signing procedure - -- specified in algId to the BER-encoded octet string which results - -- from applying the hashing procedure (also specified in algId) to - -- the DER-encoded octets of "token". - -- Alternatively, if corresponding algId specifies a MACing - -- algorithm, "Integrity" holds the result of applying the MACing - -- procedure specified in algId to the DER-encoded octets of - -- "token" - -Req-contents ::= SEQUENCE { - tok-id INTEGER --(256)--, -- shall contain 0100 (hex) - context-id Random-Integer, - pvno BIT STRING, - timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2 - randSrc Random-Integer, - targ-name Name, - src-name [0] Name OPTIONAL, - req-data Context-Data, - validity [1] Validity OPTIONAL, - key-estb-set Key-Estb-Algs, - key-estb-req BIT STRING OPTIONAL, - key-src-bind OCTET STRING OPTIONAL - -- This field must be present for the case of SPKM-2 - -- unilateral authen. if the K-ALG in use does not provide - -- such a binding (but is optional for all other cases). - -- The octet string holds the result of applying the - -- mandatory hashing procedure (in MANDATORY I-ALG; - -- see Section 2.1) as follows: MD5(src || context_key), - -- where "src" is the DER-encoded octets of src-name, - -- "context-key" is the symmetric key (i.e., the - -- unprotected version of what is transmitted in - -- key-estb-req), and "||" is the concatenation operation. -} - -Random-Integer ::= BIT STRING - -Context-Data ::= SEQUENCE { - channelId ChannelId OPTIONAL, - seq-number INTEGER OPTIONAL, - options Options, - conf-alg Conf-Algs, - intg-alg Intg-Algs, - owf-alg OWF-Algs -} - -ChannelId ::= OCTET STRING - -Options ::= BIT STRING { - delegation-state (0), - mutual-state (1), - replay-det-state (2), - sequence-state (3), - conf-avail (4), - integ-avail (5), - target-certif-data-required (6) -} - -Conf-Algs ::= CHOICE { - algs [0] SEQUENCE OF AlgorithmIdentifier, - null [1] NULL -} - -Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier - -OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier - -Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier - - -SPKM-REP-TI ::= SEQUENCE { - responseToken REP-TI-TOKEN, - certif-data CertificationData OPTIONAL - -- present if target-certif-data-required option was -} -- set to TRUE in SPKM-REQ - -REP-TI-TOKEN ::= SEQUENCE { - rep-ti-contents Rep-ti-contents, - algId AlgorithmIdentifier, - rep-ti-integ Integrity -- "token" is Rep-ti-contents -} - -Rep-ti-contents ::= SEQUENCE { - tok-id INTEGER --(512)--, -- shall contain 0200 (hex) - context-id Random-Integer, - pvno [0] BIT STRING OPTIONAL, - timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2 - randTarg Random-Integer, - src-name [1] Name OPTIONAL, - targ-name Name, - randSrc Random-Integer, - rep-data Context-Data, - validity [2] Validity OPTIONAL, - key-estb-id AlgorithmIdentifier OPTIONAL, - key-estb-str BIT STRING OPTIONAL -} - -SPKM-REP-IT ::= SEQUENCE { - responseToken REP-IT-TOKEN, - algId AlgorithmIdentifier, - rep-it-integ Integrity -- "token" is REP-IT-TOKEN -} - -REP-IT-TOKEN ::= SEQUENCE { - tok-id INTEGER --(768)--, -- shall contain 0300 (hex) - context-id Random-Integer, - randSrc Random-Integer, - randTarg Random-Integer, - targ-name Name, - src-name Name OPTIONAL, - key-estb-rep BIT STRING OPTIONAL -} - -SPKM-ERROR ::= SEQUENCE { - errorToken ERROR-TOKEN, - algId AlgorithmIdentifier, - integrity Integrity -- "token" is ERROR-TOKEN -} - -ERROR-TOKEN ::= SEQUENCE { - tok-id INTEGER --(1024)--, -- shall contain 0400 (hex) - context-id Random-Integer -} - -SPKM-MIC ::= SEQUENCE { - mic-header Mic-Header, - int-cksum BIT STRING -} - -Mic-Header ::= SEQUENCE { - tok-id INTEGER --(257)--, -- shall contain 0101 (hex) - context-id Random-Integer, - int-alg [0] AlgorithmIdentifier OPTIONAL, - snd-seq [1] SeqNum OPTIONAL -} - -SeqNum ::= SEQUENCE { - num INTEGER, - dir-ind BOOLEAN -} - -SPKM-WRAP ::= SEQUENCE { - wrap-header Wrap-Header, - wrap-body Wrap-Body -} - -Wrap-Header ::= SEQUENCE { - tok-id INTEGER --(513)--, -- shall contain 0201 (hex) - context-id Random-Integer, - int-alg [0] AlgorithmIdentifier OPTIONAL, - conf-alg [1] Conf-Alg OPTIONAL, - snd-seq [2] SeqNum OPTIONAL -} - -Wrap-Body ::= SEQUENCE { - int-cksum BIT STRING, - data BIT STRING -} - -Conf-Alg ::= CHOICE { - algId [0] AlgorithmIdentifier, - null [1] NULL -} - - -SPKM-DEL ::= SEQUENCE { - del-header Del-Header, - int-cksum BIT STRING -} - -Del-Header ::= SEQUENCE { - tok-id INTEGER --(769)--, -- shall contain 0301 (hex) - context-id Random-Integer, - int-alg [0] AlgorithmIdentifier OPTIONAL, - snd-seq [1] SeqNum OPTIONAL -} - - --- other types -- - -MechType ::= OBJECT IDENTIFIER - -SPKMInnerContextToken ::= CHOICE { - req [0] SPKM-REQ, - rep-ti [1] SPKM-REP-TI, - rep-it [2] SPKM-REP-IT, - error [3] SPKM-ERROR, - mic [4] SPKM-MIC, - wrap [5] SPKM-WRAP, - del [6] SPKM-DEL -} - -InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken SPKMInnerContextToken -} -- when thisMech is SPKM-1 or SPKM-2 - - -END diff --git a/lib/gssapi/krb5/spnego.asn1 b/lib/gssapi/krb5/spnego.asn1 deleted file mode 100644 index 27d9b951e..000000000 --- a/lib/gssapi/krb5/spnego.asn1 +++ /dev/null @@ -1,42 +0,0 @@ --- $Id$ - -SPNEGO DEFINITIONS ::= -BEGIN - -MechType::= OBJECT IDENTIFIER - -MechTypeList ::= SEQUENCE OF MechType - -ContextFlags ::= BIT STRING { - delegFlag (0), - mutualFlag (1), - replayFlag (2), - sequenceFlag (3), - anonFlag (4), - confFlag (5), - integFlag (6) -} - -NegTokenInit ::= SEQUENCE { - mechTypes [0] MechTypeList OPTIONAL, - reqFlags [1] ContextFlags OPTIONAL, - mechToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL - } - -NegTokenTarg ::= SEQUENCE { - negResult [0] ENUMERATED { - accept_completed (0), - accept_incomplete (1), - reject (2) } OPTIONAL, - supportedMech [1] MechType OPTIONAL, - responseToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL -} - -NegotiationToken ::= CHOICE { - negTokenInit[0] NegTokenInit, - negTokenTarg[1] NegTokenTarg -} - -END diff --git a/lib/gssapi/krb5/test_acquire_cred.c b/lib/gssapi/krb5/test_acquire_cred.c deleted file mode 100644 index 91b8c74b1..000000000 --- a/lib/gssapi/krb5/test_acquire_cred.c +++ /dev/null @@ -1,110 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "gssapi_locl.h" -#include - -RCSID("$Id$"); - -static void -print_time(OM_uint32 time_rec) -{ - if (time_rec == GSS_C_INDEFINITE) { - printf("cred never expire\n"); - } else { - time_t t = time_rec + time(NULL); - printf("expiration time: %s", ctime(&t)); - } -} - -static void -test_add(gss_cred_id_t cred_handle) -{ - OM_uint32 major_status, minor_status; - gss_cred_id_t copy_cred; - OM_uint32 time_rec; - - major_status = gss_add_cred (&minor_status, - cred_handle, - GSS_C_NO_NAME, - GSS_KRB5_MECHANISM, - GSS_C_INITIATE, - 0, - 0, - ©_cred, - NULL, - &time_rec, - NULL); - - if (GSS_ERROR(major_status)) - errx(1, "add_cred failed"); - - print_time(time_rec); - - major_status = gss_release_cred(&minor_status, - ©_cred); - if (GSS_ERROR(major_status)) - errx(1, "release_cred failed"); -} - -int -main(int argc, char **argv) -{ - OM_uint32 major_status, minor_status; - gss_cred_id_t cred_handle; - OM_uint32 time_rec; - - major_status = gss_acquire_cred(&minor_status, - GSS_C_NO_NAME, - 0, - NULL, - GSS_C_INITIATE, - &cred_handle, - NULL, - &time_rec); - if (GSS_ERROR(major_status)) - errx(1, "acquire_cred failed"); - - print_time(time_rec); - - test_add(cred_handle); - test_add(cred_handle); - test_add(cred_handle); - - major_status = gss_release_cred(&minor_status, - &cred_handle); - if (GSS_ERROR(major_status)) - errx(1, "release_cred failed"); - - return 0; -} diff --git a/lib/gssapi/krb5/test_cred.c b/lib/gssapi/krb5/test_cred.c deleted file mode 100644 index a7feb49fa..000000000 --- a/lib/gssapi/krb5/test_cred.c +++ /dev/null @@ -1,184 +0,0 @@ -/* - * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "gssapi_locl.h" -#include -#include - -RCSID("$Id$"); - -static void -acquire_release_loop(gss_name_t name, int counter, gss_cred_usage_t usage) -{ - OM_uint32 maj_stat, min_stat; - gss_cred_id_t cred; - int i; - - for (i = 0; i < counter; i++) { - maj_stat = gss_acquire_cred(&min_stat, name, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - usage, - &cred, - NULL, - NULL); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "aquire %d %d != GSS_S_COMPLETE", i, (int)maj_stat); - - maj_stat = gss_release_cred(&min_stat, &cred); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "release %d %d != GSS_S_COMPLETE", i, (int)maj_stat); - } -} - - -static void -acquire_add_release_add(gss_name_t name, gss_cred_usage_t usage) -{ - OM_uint32 maj_stat, min_stat; - gss_cred_id_t cred, cred2, cred3; - - maj_stat = gss_acquire_cred(&min_stat, name, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - usage, - &cred, - NULL, - NULL); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "aquire %d != GSS_S_COMPLETE", (int)maj_stat); - - maj_stat = gss_add_cred(&min_stat, - cred, - GSS_C_NO_NAME, - GSS_KRB5_MECHANISM, - usage, - GSS_C_INDEFINITE, - GSS_C_INDEFINITE, - &cred2, - NULL, - NULL, - NULL); - - if (maj_stat != GSS_S_COMPLETE) - errx(1, "add_cred %d != GSS_S_COMPLETE", (int)maj_stat); - - maj_stat = gss_release_cred(&min_stat, &cred); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "release %d != GSS_S_COMPLETE", (int)maj_stat); - - maj_stat = gss_add_cred(&min_stat, - cred2, - GSS_C_NO_NAME, - GSS_KRB5_MECHANISM, - GSS_C_BOTH, - GSS_C_INDEFINITE, - GSS_C_INDEFINITE, - &cred3, - NULL, - NULL, - NULL); - - maj_stat = gss_release_cred(&min_stat, &cred2); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "release 2 %d != GSS_S_COMPLETE", (int)maj_stat); - - maj_stat = gss_release_cred(&min_stat, &cred3); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "release 2 %d != GSS_S_COMPLETE", (int)maj_stat); -} - -static int version_flag = 0; -static int help_flag = 0; - -static struct getargs args[] = { - {"version", 0, arg_flag, &version_flag, "print version", NULL }, - {"help", 0, arg_flag, &help_flag, NULL, NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, sizeof(args)/sizeof(*args), - NULL, "service@host"); - exit (ret); -} - - -int -main(int argc, char **argv) -{ - struct gss_buffer_desc_struct name_buffer; - OM_uint32 maj_stat, min_stat; - gss_name_t name; - int optind = 0; - - setprogname(argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc < 1) - errx(1, "argc < 1"); - - name_buffer.value = argv[0]; - name_buffer.length = strlen(argv[0]); - - maj_stat = gss_import_name(&min_stat, &name_buffer, - GSS_C_NT_HOSTBASED_SERVICE, - &name); - if (maj_stat != GSS_S_COMPLETE) - errx(1, "import name error"); - - acquire_release_loop(name, 100, GSS_C_ACCEPT); - acquire_release_loop(name, 100, GSS_C_INITIATE); - acquire_release_loop(name, 100, GSS_C_BOTH); - - acquire_add_release_add(name, GSS_C_ACCEPT); - acquire_add_release_add(name, GSS_C_INITIATE); - acquire_add_release_add(name, GSS_C_BOTH); - - gss_release_name(&min_stat, &name); - - return 0; -} diff --git a/lib/gssapi/krb5/test_oid_set_member.c b/lib/gssapi/krb5/test_oid_set_member.c deleted file mode 100644 index cc15d78b8..000000000 --- a/lib/gssapi/krb5/test_oid_set_member.c +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * minor_status, - const gss_OID member, - const gss_OID_set set, - int * present - ) -{ - size_t i; - - *minor_status = 0; - *present = 0; - for (i = 0; i < set->count; ++i) - if (gss_oid_equal(member, &set->elements[i]) != 0) { - *present = 1; - break; - } - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/test_sequence.c b/lib/gssapi/krb5/test_sequence.c deleted file mode 100644 index 26d1d9ff3..000000000 --- a/lib/gssapi/krb5/test_sequence.c +++ /dev/null @@ -1,333 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* correct ordering */ -OM_uint32 pattern1[] = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 -}; - -/* gap 10 */ -OM_uint32 pattern2[] = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13 -}; - -/* dup 9 */ -OM_uint32 pattern3[] = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9, 10, 11, 12, 13 -}; - -/* gaps */ -OM_uint32 pattern4[] = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16, 18, 100 -}; - -/* 11 before 10 */ -OM_uint32 pattern5[] = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21 -}; - -/* long */ -OM_uint32 pattern6[] = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, - 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, - 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, - 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, - 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, - 50, 51, 52, 53, 54, 55, 56, 57, 58, 59 -}; - -/* dont start at 0 */ -OM_uint32 pattern7[] = { - 11, 12, 13 -}; - -/* wrap around */ -OM_uint32 pattern8[] = { - 4294967293U, 4294967294U, 4294967295U, 0, 1, 2 -}; - -static int -test_seq(int t, OM_uint32 flags, OM_uint32 start_seq, - OM_uint32 *pattern, int pattern_len) -{ - struct gss_msg_order *o; - OM_uint32 maj_stat, min_stat; - int i; - - maj_stat = _gssapi_msg_order_create(&min_stat, &o, flags, - start_seq, 20, 0); - if (maj_stat) - err(1, "create: %d %d", maj_stat, min_stat); - - for (i = 0; i < pattern_len; i++) { - maj_stat = _gssapi_msg_order_check(o, pattern[i]); - if (maj_stat) - return maj_stat; - } - _gssapi_msg_order_destroy(&o); - - return 0; -} - -struct { - OM_uint32 flags; - OM_uint32 *pattern; - int pattern_len; - OM_uint32 error_code; - OM_uint32 start_seq; -} pl[] = { - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern1, - sizeof(pattern1)/sizeof(pattern1[0]), - 0 - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern2, - sizeof(pattern2)/sizeof(pattern2[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern3, - sizeof(pattern3)/sizeof(pattern3[0]), - GSS_S_DUPLICATE_TOKEN - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern4, - sizeof(pattern4)/sizeof(pattern4[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern5, - sizeof(pattern5)/sizeof(pattern5[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern6, - sizeof(pattern6)/sizeof(pattern6[0]), - GSS_S_COMPLETE - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern7, - sizeof(pattern7)/sizeof(pattern7[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG, - pattern8, - sizeof(pattern8)/sizeof(pattern8[0]), - GSS_S_COMPLETE, - 4294967293U - }, - { - 0, - pattern1, - sizeof(pattern1)/sizeof(pattern1[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern2, - sizeof(pattern2)/sizeof(pattern2[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern3, - sizeof(pattern3)/sizeof(pattern3[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern4, - sizeof(pattern4)/sizeof(pattern4[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern5, - sizeof(pattern5)/sizeof(pattern5[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern6, - sizeof(pattern6)/sizeof(pattern6[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern7, - sizeof(pattern7)/sizeof(pattern7[0]), - GSS_S_COMPLETE - }, - { - 0, - pattern8, - sizeof(pattern8)/sizeof(pattern8[0]), - GSS_S_COMPLETE, - 4294967293U - - }, - { - GSS_C_REPLAY_FLAG, - pattern1, - sizeof(pattern1)/sizeof(pattern1[0]), - GSS_S_COMPLETE - }, - { - GSS_C_REPLAY_FLAG, - pattern2, - sizeof(pattern2)/sizeof(pattern2[0]), - GSS_S_COMPLETE - }, - { - GSS_C_REPLAY_FLAG, - pattern3, - sizeof(pattern3)/sizeof(pattern3[0]), - GSS_S_DUPLICATE_TOKEN - }, - { - GSS_C_REPLAY_FLAG, - pattern4, - sizeof(pattern4)/sizeof(pattern4[0]), - GSS_S_COMPLETE - }, - { - GSS_C_REPLAY_FLAG, - pattern5, - sizeof(pattern5)/sizeof(pattern5[0]), - 0 - }, - { - GSS_C_REPLAY_FLAG, - pattern6, - sizeof(pattern6)/sizeof(pattern6[0]), - GSS_S_COMPLETE - }, - { - GSS_C_REPLAY_FLAG, - pattern7, - sizeof(pattern7)/sizeof(pattern7[0]), - GSS_S_COMPLETE - }, - { - GSS_C_SEQUENCE_FLAG, - pattern8, - sizeof(pattern8)/sizeof(pattern8[0]), - GSS_S_COMPLETE, - 4294967293U - }, - { - GSS_C_SEQUENCE_FLAG, - pattern1, - sizeof(pattern1)/sizeof(pattern1[0]), - 0 - }, - { - GSS_C_SEQUENCE_FLAG, - pattern2, - sizeof(pattern2)/sizeof(pattern2[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_SEQUENCE_FLAG, - pattern3, - sizeof(pattern3)/sizeof(pattern3[0]), - GSS_S_DUPLICATE_TOKEN - }, - { - GSS_C_SEQUENCE_FLAG, - pattern4, - sizeof(pattern4)/sizeof(pattern4[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_SEQUENCE_FLAG, - pattern5, - sizeof(pattern5)/sizeof(pattern5[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_SEQUENCE_FLAG, - pattern6, - sizeof(pattern6)/sizeof(pattern6[0]), - GSS_S_COMPLETE - }, - { - GSS_C_SEQUENCE_FLAG, - pattern7, - sizeof(pattern7)/sizeof(pattern7[0]), - GSS_S_GAP_TOKEN - }, - { - GSS_C_REPLAY_FLAG, - pattern8, - sizeof(pattern8)/sizeof(pattern8[0]), - GSS_S_COMPLETE, - 4294967293U - } -}; - -int -main(int argc, char **argv) -{ - OM_uint32 maj_stat; - int i, failed = 0; - - for (i = 0; i < sizeof(pl)/sizeof(pl[0]); i++) { - maj_stat = test_seq(i, - pl[i].flags, - pl[i].start_seq, - pl[i].pattern, - pl[i].pattern_len); - if (maj_stat != pl[i].error_code) { - printf("test pattern %d failed with %d (should have been %d)\n", - i, maj_stat, pl[i].error_code); - failed++; - } - } - if (failed) - printf("FAILED %d tests\n", failed); - return failed != 0; -} diff --git a/lib/gssapi/krb5/ticket_flags.c b/lib/gssapi/krb5/ticket_flags.c deleted file mode 100644 index 06105e13c..000000000 --- a/lib/gssapi/krb5/ticket_flags.c +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright (c) 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_krb5_get_tkt_flags(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - OM_uint32 *tkt_flags) -{ - if (context_handle == GSS_C_NO_CONTEXT) { - *minor_status = EINVAL; - return GSS_S_NO_CONTEXT; - } - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - if (context_handle->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *minor_status = EINVAL; - return GSS_S_BAD_MECH; - } - - *tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c deleted file mode 100644 index a87ff7b38..000000000 --- a/lib/gssapi/krb5/unwrap.c +++ /dev/null @@ -1,413 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -unwrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *seq; - size_t len; - MD5_CTX md5; - u_char hash[16]; - DES_key_schedule schedule; - DES_cblock deskey; - DES_cblock zero; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - int cmp; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01", - GSS_KRB5_MECHANISM); - if (ret) - return ret; - - if (memcmp (p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x00\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xFF\xFF", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 16; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); - memset (&zero, 0, sizeof(zero)); - DES_cbc_encrypt ((void *)p, - (void *)p, - input_message_buffer->length - len, - &schedule, - &zero, - DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - } - /* check pad */ - ret = _gssapi_verify_pad(input_message_buffer, - input_message_buffer->length - len, - &padlength); - if (ret) - return ret; - - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, input_message_buffer->length - len); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); - DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - &schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - p -= 16; - DES_set_key (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - - seq = p; - gssapi_decode_om_uint32(seq, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 24, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -static OM_uint32 -unwrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p; - size_t len; - u_char *seq; - krb5_data seq_data; - u_char cksum[20]; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - krb5_crypto crypto; - Checksum csum; - int cmp; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01", - GSS_KRB5_MECHANISM); - if (ret) - return ret; - - if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x02\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xff\xff", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 28; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == input_message_buffer->length - len); - - memcpy (p, tmp.data, tmp.length); - krb5_data_free(&tmp); - } - /* check pad */ - ret = _gssapi_verify_pad(input_message_buffer, - input_message_buffer->length - len, - &padlength); - if (ret) - return ret; - - /* verify sequence number */ - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - p -= 28; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_FAILURE; - } - { - DES_cblock ivec; - - memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_FAILURE; - } - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - seq = seq_data.data; - gssapi_decode_om_uint32(seq, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); - - krb5_data_free (&seq_data); - if (cmp != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* verify checksum */ - - memcpy (cksum, p + 8, 20); - - memcpy (p + 20, p - 8, 8); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = cksum; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - p + 20, - input_message_buffer->length - len + 8, - &csum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 36, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -OM_uint32 gss_unwrap - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - output_message_buffer->value = NULL; - output_message_buffer->length = 0; - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_subkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - *minor_status = 0; - - switch (keytype) { - case KEYTYPE_DES : - ret = unwrap_des (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_DES3 : - ret = unwrap_des3 (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = _gssapi_unwrap_arcfour (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - default : - ret = _gssapi_unwrap_cfx (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/lib/gssapi/krb5/v1.c b/lib/gssapi/krb5/v1.c deleted file mode 100644 index 781a87881..000000000 --- a/lib/gssapi/krb5/v1.c +++ /dev/null @@ -1,104 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* These functions are for V1 compatibility */ - -OM_uint32 gss_sign - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int qop_req, - gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - return gss_get_mic(minor_status, - context_handle, - (gss_qop_t)qop_req, - message_buffer, - message_token); -} - -OM_uint32 gss_verify - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int * qop_state - ) -{ - return gss_verify_mic(minor_status, - context_handle, - message_buffer, - token_buffer, - (gss_qop_t *)qop_state); -} - -OM_uint32 gss_seal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - return gss_wrap(minor_status, - context_handle, - conf_req_flag, - (gss_qop_t)qop_req, - input_message_buffer, - conf_state, - output_message_buffer); -} - -OM_uint32 gss_unseal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - int * qop_state - ) -{ - return gss_unwrap(minor_status, - context_handle, - input_message_buffer, - output_message_buffer, - conf_state, - (gss_qop_t *)qop_state); -} diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c deleted file mode 100644 index e5ccb8317..000000000 --- a/lib/gssapi/krb5/verify_mic.c +++ /dev/null @@ -1,336 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -verify_mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16], *seq; - DES_key_schedule schedule; - DES_cblock zero; - DES_cblock deskey; - int32_t seq_number; - OM_uint32 ret; - int cmp; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type, - GSS_KRB5_MECHANISM); - if (ret) - return ret; - - if (memcmp(p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - p += 16; - - /* verify checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, - message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - DES_set_key (&deskey, &schedule); - DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - &schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) { - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - return GSS_S_BAD_MIC; - } - - /* verify sequence number */ - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - p -= 16; - DES_set_key (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - - seq = p; - gssapi_decode_om_uint32(seq, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -verify_mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - u_char *seq; - int32_t seq_number; - OM_uint32 ret; - krb5_crypto crypto; - krb5_data seq_data; - int cmp, docompat; - Checksum csum; - char *tmp; - char ivec[8]; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type, - GSS_KRB5_MECHANISM); - if (ret) - return ret; - - if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret){ - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* verify sequence number */ - docompat = 0; -retry: - if (docompat) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, ivec); - if (ret) { - if (docompat++) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_FAILURE; - } else - goto retry; - } - - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } else - goto retry; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - seq = seq_data.data; - gssapi_decode_om_uint32(seq, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); - - krb5_data_free (&seq_data); - if (cmp != 0) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - - /* verify checksum */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = p + 8; - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - tmp, message_buffer->length + 8, - &csum); - free (tmp); - if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_verify_mic_internal - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_subkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - *minor_status = 0; - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - switch (keytype) { - case KEYTYPE_DES : - ret = verify_mic_des (minor_status, context_handle, - message_buffer, token_buffer, qop_state, key, - type); - break; - case KEYTYPE_DES3 : - ret = verify_mic_des3 (minor_status, context_handle, - message_buffer, token_buffer, qop_state, key, - type); - break; - case KEYTYPE_ARCFOUR : - case KEYTYPE_ARCFOUR_56 : - ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, - message_buffer, token_buffer, - qop_state, key, type); - break; - default : - ret = _gssapi_verify_mic_cfx (minor_status, context_handle, - message_buffer, token_buffer, qop_state, - key); - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - - return ret; -} - -OM_uint32 -gss_verify_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state - ) -{ - OM_uint32 ret; - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - - ret = gss_verify_mic_internal(minor_status, context_handle, - message_buffer, token_buffer, - qop_state, "\x01\x01"); - - return ret; -} diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c deleted file mode 100644 index 80801926e..000000000 --- a/lib/gssapi/krb5/wrap.c +++ /dev/null @@ -1,492 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey = NULL; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } else { - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } - /* - * Only use the initiator subkey or ticket session key if - * an acceptor subkey was not required. - */ - if (skey == NULL && - (context_handle->more_flags & ACCEPTOR_SUBKEY) == 0) { - if (context_handle->more_flags & LOCAL) { - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } else { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - *key = skey; - return 0; -} - -static OM_uint32 -sub_wrap_size ( - OM_uint32 req_output_size, - OM_uint32 * max_input_size, - int blocksize, - int extrasize - ) -{ - size_t len, total_len; - - len = 8 + req_output_size + blocksize + extrasize; - - gssapi_krb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - - total_len -= req_output_size; /* token length */ - if (total_len < req_output_size) { - *max_input_size = (req_output_size - total_len); - (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); - } else { - *max_input_size = 0; - } - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_wrap_size_limit ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 * max_input_size - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_subkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); - break; - case KEYTYPE_DES3 : - ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); - break; - default : - ret = _gssapi_wrap_size_cfx(minor_status, context_handle, - conf_req_flag, qop_req, - req_output_size, max_input_size, key); - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - *minor_status = 0; - return ret; -} - -static OM_uint32 -wrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - DES_key_schedule schedule; - DES_cblock deskey; - DES_cblock zero; - int i; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 22; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01", /* TOK_ID */ - GSS_KRB5_MECHANISM); - - /* SGN_ALG */ - memcpy (p, "\x00\x00", 2); - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x00\x00", 2); - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* fill in later */ - memset (p, 0, 16); - p += 16; - - /* confounder + data + pad */ - krb5_generate_random_block(p, 8); - memcpy (p + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 8 + input_message_buffer->length, padlength, padlength); - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, datalen); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); - DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - &schedule, &zero); - memcpy (p - 8, hash, 8); - - /* sequence number */ - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - DES_set_key (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* encrypt the data */ - p += 16; - - if(conf_req_flag) { - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); - memset (&zero, 0, sizeof(zero)); - DES_cbc_encrypt ((void *)p, - (void *)p, - datalen, - &schedule, - &zero, - DES_ENCRYPT); - } - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -wrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - u_int32_t ret; - krb5_crypto crypto; - Checksum cksum; - krb5_data encdata; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 34; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01", /* TOK_ID */ - GSS_KRB5_MECHANISM); - - /* SGN_ALG */ - memcpy (p, "\x04\x00", 2); /* HMAC SHA1 DES3-KD */ - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x02\x00", 2); /* DES3-KD */ - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* calculate checksum (the above + confounder + data + pad) */ - - memcpy (p + 20, p - 8, 8); - krb5_generate_random_block(p + 28, 8); - memcpy (p + 28 + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - p + 20, - datalen + 8, - &cksum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* zero out SND_SEQ + SGN_CKSUM in case */ - memset (p, 0, 28); - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - free_Checksum (&cksum); - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - - ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE, - &crypto); - if (ret) { - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - DES_cblock ivec; - - memcpy (&ivec, p + 8, 8); - ret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* encrypt the data */ - p += 28; - - if(conf_req_flag) { - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, datalen, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == datalen); - - memcpy (p, tmp.data, datalen); - krb5_data_free(&tmp); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_wrap - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_subkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = wrap_des (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - case KEYTYPE_DES3 : - ret = wrap_des3 (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - default : - ret = _gssapi_wrap_cfx (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c index 0120144a8..da5cf7b12 100644 --- a/lib/krb5/cache.c +++ b/lib/krb5/cache.c @@ -233,7 +233,11 @@ _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res) while (str && *str) { tmp = strstr(str, "%{"); if (tmp && tmp != str) { - append = strndup(str, tmp - str); + append = malloc((tmp - str) + 1); + if (append) { + memcpy(append, str, tmp - str); + append[tmp - str] = '\0'; + } str = tmp; } else if (tmp) { tmp2 = strchr(tmp, '}'); -- 2.11.4.GIT