2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
5 * Copyright 1993 by OpenVision Technologies, Inc.
7 * Permission to use, copy, modify, distribute, and sell this software
8 * and its documentation for any purpose is hereby granted without fee,
9 * provided that the above copyright notice appears in all copies and
10 * that both that copyright notice and this permission notice appear in
11 * supporting documentation, and that the name of OpenVision not be used
12 * in advertising or publicity pertaining to distribution of the software
13 * without specific, written prior permission. OpenVision makes no
14 * representations about the suitability of this software for any
15 * purpose. It is provided "as is" without express or implied warranty.
17 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
18 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
19 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
20 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
21 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
22 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
23 * PERFORMANCE OF THIS SOFTWARE.
27 * $Id: krb5_gss_glue.c 18262 2006-06-29 04:38:48Z tlyu $
#include "gssapiP_krb5.h"

#include <string.h>
34 /** mechglue wrappers **/
36 static OM_uint32 k5glue_acquire_cred
37 (void *, OM_uint32
*, /* minor_status */
38 gss_name_t
, /* desired_name */
39 OM_uint32
, /* time_req */
40 gss_OID_set
, /* desired_mechs */
41 gss_cred_usage_t
, /* cred_usage */
42 gss_cred_id_t
*, /* output_cred_handle */
43 gss_OID_set
*, /* actual_mechs */
44 OM_uint32
* /* time_rec */
47 static OM_uint32 k5glue_release_cred
48 (void *, OM_uint32
*, /* minor_status */
49 gss_cred_id_t
* /* cred_handle */
52 static OM_uint32 k5glue_init_sec_context
53 (void *, OM_uint32
*, /* minor_status */
54 gss_cred_id_t
, /* claimant_cred_handle */
55 gss_ctx_id_t
*, /* context_handle */
56 gss_name_t
, /* target_name */
57 gss_OID
, /* mech_type */
58 OM_uint32
, /* req_flags */
59 OM_uint32
, /* time_req */
60 gss_channel_bindings_t
,
61 /* input_chan_bindings */
62 gss_buffer_t
, /* input_token */
63 gss_OID
*, /* actual_mech_type */
64 gss_buffer_t
, /* output_token */
65 OM_uint32
*, /* ret_flags */
66 OM_uint32
* /* time_rec */
69 static OM_uint32 k5glue_accept_sec_context
70 (void *, OM_uint32
*, /* minor_status */
71 gss_ctx_id_t
*, /* context_handle */
72 gss_cred_id_t
, /* verifier_cred_handle */
73 gss_buffer_t
, /* input_token_buffer */
74 gss_channel_bindings_t
,
75 /* input_chan_bindings */
76 gss_name_t
*, /* src_name */
77 gss_OID
*, /* mech_type */
78 gss_buffer_t
, /* output_token */
79 OM_uint32
*, /* ret_flags */
80 OM_uint32
*, /* time_rec */
81 gss_cred_id_t
* /* delegated_cred_handle */
84 static OM_uint32 k5glue_process_context_token
85 (void *, OM_uint32
*, /* minor_status */
86 gss_ctx_id_t
, /* context_handle */
87 gss_buffer_t
/* token_buffer */
90 static OM_uint32 k5glue_delete_sec_context
91 (void *, OM_uint32
*, /* minor_status */
92 gss_ctx_id_t
*, /* context_handle */
93 gss_buffer_t
/* output_token */
96 static OM_uint32 k5glue_context_time
97 (void *, OM_uint32
*, /* minor_status */
98 gss_ctx_id_t
, /* context_handle */
99 OM_uint32
* /* time_rec */
102 static OM_uint32 k5glue_sign
103 (void *, OM_uint32
*, /* minor_status */
104 gss_ctx_id_t
, /* context_handle */
106 gss_buffer_t
, /* message_buffer */
107 gss_buffer_t
/* message_token */
110 static OM_uint32 k5glue_verify
111 (void *, OM_uint32
*, /* minor_status */
112 gss_ctx_id_t
, /* context_handle */
113 gss_buffer_t
, /* message_buffer */
114 gss_buffer_t
, /* token_buffer */
118 static OM_uint32 k5glue_seal
119 (void *, OM_uint32
*, /* minor_status */
120 gss_ctx_id_t
, /* context_handle */
121 int, /* conf_req_flag */
123 gss_buffer_t
, /* input_message_buffer */
124 int*, /* conf_state */
125 gss_buffer_t
/* output_message_buffer */
128 static OM_uint32 k5glue_unseal
129 (void *, OM_uint32
*, /* minor_status */
130 gss_ctx_id_t
, /* context_handle */
131 gss_buffer_t
, /* input_message_buffer */
132 gss_buffer_t
, /* output_message_buffer */
133 int*, /* conf_state */
137 static OM_uint32 k5glue_display_status
138 (void *, OM_uint32
*, /* minor_status */
139 OM_uint32
, /* status_value */
140 int, /* status_type */
141 gss_OID
, /* mech_type */
142 OM_uint32
*, /* message_context */
143 gss_buffer_t
/* status_string */
146 static OM_uint32 k5glue_indicate_mechs
147 (void *, OM_uint32
*, /* minor_status */
148 gss_OID_set
* /* mech_set */
151 static OM_uint32 k5glue_compare_name
152 (void *, OM_uint32
*, /* minor_status */
153 gss_name_t
, /* name1 */
154 gss_name_t
, /* name2 */
155 int* /* name_equal */
158 static OM_uint32 k5glue_display_name
159 (void *, OM_uint32
*, /* minor_status */
160 gss_name_t
, /* input_name */
161 gss_buffer_t
, /* output_name_buffer */
162 gss_OID
* /* output_name_type */
165 static OM_uint32 k5glue_import_name
166 (void *, OM_uint32
*, /* minor_status */
167 gss_buffer_t
, /* input_name_buffer */
168 gss_OID
, /* input_name_type */
169 gss_name_t
* /* output_name */
172 static OM_uint32 k5glue_release_name
173 (void *, OM_uint32
*, /* minor_status */
174 gss_name_t
* /* input_name */
177 static OM_uint32 k5glue_inquire_cred
178 (void *, OM_uint32
*, /* minor_status */
179 gss_cred_id_t
, /* cred_handle */
180 gss_name_t
*, /* name */
181 OM_uint32
*, /* lifetime */
182 gss_cred_usage_t
*,/* cred_usage */
183 gss_OID_set
* /* mechanisms */
186 static OM_uint32 k5glue_inquire_context
187 (void *, OM_uint32
*, /* minor_status */
188 gss_ctx_id_t
, /* context_handle */
189 gss_name_t
*, /* initiator_name */
190 gss_name_t
*, /* acceptor_name */
191 OM_uint32
*, /* lifetime_rec */
192 gss_OID
*, /* mech_type */
193 OM_uint32
*, /* ret_flags */
194 int*, /* locally_initiated */
199 /* New V2 entry points */
200 static OM_uint32 k5glue_get_mic
201 (void *, OM_uint32
*, /* minor_status */
202 gss_ctx_id_t
, /* context_handle */
203 gss_qop_t
, /* qop_req */
204 gss_buffer_t
, /* message_buffer */
205 gss_buffer_t
/* message_token */
208 static OM_uint32 k5glue_verify_mic
209 (void *, OM_uint32
*, /* minor_status */
210 gss_ctx_id_t
, /* context_handle */
211 gss_buffer_t
, /* message_buffer */
212 gss_buffer_t
, /* message_token */
213 gss_qop_t
* /* qop_state */
216 static OM_uint32 k5glue_wrap
217 (void *, OM_uint32
*, /* minor_status */
218 gss_ctx_id_t
, /* context_handle */
219 int, /* conf_req_flag */
220 gss_qop_t
, /* qop_req */
221 gss_buffer_t
, /* input_message_buffer */
222 int *, /* conf_state */
223 gss_buffer_t
/* output_message_buffer */
226 static OM_uint32 k5glue_unwrap
227 (void *, OM_uint32
*, /* minor_status */
228 gss_ctx_id_t
, /* context_handle */
229 gss_buffer_t
, /* input_message_buffer */
230 gss_buffer_t
, /* output_message_buffer */
231 int *, /* conf_state */
232 gss_qop_t
* /* qop_state */
236 static OM_uint32 k5glue_wrap_size_limit
237 (void *, OM_uint32
*, /* minor_status */
238 gss_ctx_id_t
, /* context_handle */
239 int, /* conf_req_flag */
240 gss_qop_t
, /* qop_req */
241 OM_uint32
, /* req_output_size */
242 OM_uint32
* /* max_input_size */
246 static OM_uint32 k5glue_import_name_object
247 (void *, OM_uint32
*, /* minor_status */
248 void *, /* input_name */
249 gss_OID
, /* input_name_type */
250 gss_name_t
* /* output_name */
253 static OM_uint32 k5glue_export_name_object
254 (void *, OM_uint32
*, /* minor_status */
255 gss_name_t
, /* input_name */
256 gss_OID
, /* desired_name_type */
257 void * * /* output_name */
261 static OM_uint32 k5glue_add_cred
262 (void *, OM_uint32
*, /* minor_status */
263 gss_cred_id_t
, /* input_cred_handle */
264 gss_name_t
, /* desired_name */
265 gss_OID
, /* desired_mech */
266 gss_cred_usage_t
, /* cred_usage */
267 OM_uint32
, /* initiator_time_req */
268 OM_uint32
, /* acceptor_time_req */
269 gss_cred_id_t
*, /* output_cred_handle */
270 gss_OID_set
*, /* actual_mechs */
271 OM_uint32
*, /* initiator_time_rec */
272 OM_uint32
* /* acceptor_time_rec */
275 static OM_uint32 k5glue_inquire_cred_by_mech
276 (void *, OM_uint32
*, /* minor_status */
277 gss_cred_id_t
, /* cred_handle */
278 gss_OID
, /* mech_type */
279 gss_name_t
*, /* name */
280 OM_uint32
*, /* initiator_lifetime */
281 OM_uint32
*, /* acceptor_lifetime */
282 gss_cred_usage_t
* /* cred_usage */
285 static OM_uint32 k5glue_export_sec_context
286 (void *, OM_uint32
*, /* minor_status */
287 gss_ctx_id_t
*, /* context_handle */
288 gss_buffer_t
/* interprocess_token */
291 static OM_uint32 k5glue_import_sec_context
292 (void *, OM_uint32
*, /* minor_status */
293 gss_buffer_t
, /* interprocess_token */
294 gss_ctx_id_t
* /* context_handle */
297 krb5_error_code
k5glue_ser_init(krb5_context
);
299 static OM_uint32 k5glue_internal_release_oid
300 (void *, OM_uint32
*, /* minor_status */
304 static OM_uint32 k5glue_inquire_names_for_mech
305 (void *, OM_uint32
*, /* minor_status */
306 gss_OID
, /* mechanism */
307 gss_OID_set
* /* name_types */
311 static OM_uint32 k5glue_canonicalize_name
312 (void *, OM_uint32
*, /* minor_status */
313 const gss_name_t
, /* input_name */
314 const gss_OID
, /* mech_type */
315 gss_name_t
* /* output_name */
319 static OM_uint32 k5glue_export_name
320 (void *, OM_uint32
*, /* minor_status */
321 const gss_name_t
, /* input_name */
322 gss_buffer_t
/* exported_name */
325 /* SUNW15resync - Solaris specific */
326 static OM_uint32
k5glue_store_cred (
328 OM_uint32
*, /* minor_status */
329 const gss_cred_id_t
, /* input_cred */
330 gss_cred_usage_t
, /* cred_usage */
331 const gss_OID
, /* desired_mech */
332 OM_uint32
, /* overwrite_cred */
333 OM_uint32
, /* default_cred */
334 gss_OID_set
*, /* elements_stored */
335 gss_cred_usage_t
* /* cred_usage_stored */
338 /* SUNW17PACresync - this decl not needed in MIT but is for Sol */
339 /* Note code is in gsspi_krb5.c */
340 OM_uint32
krb5_gss_inquire_sec_context_by_oid(
348 void *, /* context */
349 OM_uint32
*, /* minor_status */
350 const gss_name_t
, /* pname */
351 const char *, /* local user */
357 void *, /* context */
358 OM_uint32
*, /* minor_status */
359 const gss_name_t
, /* pname */
367 static OM_uint32 k5glue_duplicate_name
368 (void *, OM_uint32
*, /* minor_status */
369 const gss_name_t
, /* input_name */
370 gss_name_t
* /* dest_name */
375 static OM_uint32 k5glue_validate_cred
376 (void *, OM_uint32
*, /* minor_status */
377 gss_cred_id_t
/* cred */
384 * Solaris can't use the KRB5_GSS_CONFIG_INIT macro because of the src
385 * slicing&dicing needs of the "nightly -SD" build. When it goes away,
386 * we should use it assuming MIT still uses it then.
390 * The krb5 mechanism provides two mech OIDs; use this initializer to
391 * ensure that both dispatch tables contain identical function
394 #define KRB5_GSS_CONFIG_INIT \
400 static struct gss_config krb5_mechanism
= {
401 #if 0 /* Solaris Kerberos */
404 { GSS_MECH_KRB5_OID_LENGTH
, GSS_MECH_KRB5_OID
},
408 k5glue_init_sec_context
,
409 k5glue_accept_sec_context
,
411 k5glue_process_context_token
,
412 k5glue_delete_sec_context
,
414 k5glue_display_status
,
415 k5glue_indicate_mechs
,
423 k5glue_export_sec_context
,
424 k5glue_import_sec_context
,
425 k5glue_inquire_cred_by_mech
,
426 k5glue_inquire_names_for_mech
,
427 k5glue_inquire_context
,
428 k5glue_internal_release_oid
,
429 k5glue_wrap_size_limit
,
436 krb5_gss_inquire_sec_context_by_oid
439 static struct gss_config krb5_mechanism_old
= {
440 #if 0 /* Solaris Kerberos */
441 200, "kerberos_v5 (pre-RFC OID)",
443 { GSS_MECH_KRB5_OLD_OID_LENGTH
, GSS_MECH_KRB5_OLD_OID
},
447 k5glue_init_sec_context
,
448 k5glue_accept_sec_context
,
450 k5glue_process_context_token
,
451 k5glue_delete_sec_context
,
453 k5glue_display_status
,
454 k5glue_indicate_mechs
,
462 k5glue_export_sec_context
,
463 k5glue_import_sec_context
,
464 k5glue_inquire_cred_by_mech
,
465 k5glue_inquire_names_for_mech
,
466 k5glue_inquire_context
,
467 k5glue_internal_release_oid
,
468 k5glue_wrap_size_limit
,
475 krb5_gss_inquire_sec_context_by_oid
478 static struct gss_config krb5_mechanism_wrong
= {
479 #if 0 /* Solaris Kerberos */
480 300, "kerberos_v5 (wrong OID)",
482 { GSS_MECH_KRB5_WRONG_OID_LENGTH
, GSS_MECH_KRB5_WRONG_OID
},
486 k5glue_init_sec_context
,
487 k5glue_accept_sec_context
,
489 k5glue_process_context_token
,
490 k5glue_delete_sec_context
,
492 k5glue_display_status
,
493 k5glue_indicate_mechs
,
501 k5glue_export_sec_context
,
502 k5glue_import_sec_context
,
503 k5glue_inquire_cred_by_mech
,
504 k5glue_inquire_names_for_mech
,
505 k5glue_inquire_context
,
506 k5glue_internal_release_oid
,
507 k5glue_wrap_size_limit
,
514 krb5_gss_inquire_sec_context_by_oid
517 static gss_mechanism krb5_mech_configs
[] = {
518 &krb5_mechanism
, &krb5_mechanism_old
, &krb5_mechanism_wrong
, NULL
522 static gss_mechanism krb5_mech_configs_hack
[] = {
523 &krb5_mechanism
, &krb5_mechanism_old
, NULL
528 #define gssint_get_mech_configs krb5_gss_get_mech_configs
/*
 * Return the table of krb5 mechanism configurations exported to the
 * mechglue.
 *
 * The full table (krb5_mech_configs) also registers the MS "wrong" krb5
 * OID (krb5_mechanism_wrong). Setting MS_FORCE_NO_MSOID=1 in the process
 * environment selects krb5_mech_configs_hack, which omits that entry.
 * The switch is read with getenv(), so it is controlled by whoever set
 * up the environment of the calling process.
 */
gss_mechanism *
gssint_get_mech_configs(void)
{
    const char *force_no_msoid = getenv("MS_FORCE_NO_MSOID");
    int omit_ms_oid = (force_no_msoid != NULL) &&
                      (strcmp(force_no_msoid, "1") == 0);

    return omit_ms_oid ? krb5_mech_configs_hack : krb5_mech_configs;
}
545 k5glue_accept_sec_context(ctx
, minor_status
, context_handle
, verifier_cred_handle
,
546 input_token
, input_chan_bindings
, src_name
, mech_type
,
547 output_token
, ret_flags
, time_rec
, delegated_cred_handle
)
549 OM_uint32
*minor_status
;
550 gss_ctx_id_t
*context_handle
;
551 gss_cred_id_t verifier_cred_handle
;
552 gss_buffer_t input_token
;
553 gss_channel_bindings_t input_chan_bindings
;
554 gss_name_t
*src_name
;
556 gss_buffer_t output_token
;
557 OM_uint32
*ret_flags
;
559 gss_cred_id_t
*delegated_cred_handle
;
561 return(krb5_gss_accept_sec_context(minor_status
,
563 verifier_cred_handle
,
571 delegated_cred_handle
));
575 k5glue_acquire_cred(ctx
, minor_status
, desired_name
, time_req
, desired_mechs
,
576 cred_usage
, output_cred_handle
, actual_mechs
, time_rec
)
578 OM_uint32
*minor_status
;
579 gss_name_t desired_name
;
581 gss_OID_set desired_mechs
;
582 gss_cred_usage_t cred_usage
;
583 gss_cred_id_t
*output_cred_handle
;
584 gss_OID_set
*actual_mechs
;
587 return(krb5_gss_acquire_cred(minor_status
,
599 k5glue_add_cred(ctx
, minor_status
, input_cred_handle
, desired_name
, desired_mech
,
600 cred_usage
, initiator_time_req
, acceptor_time_req
,
601 output_cred_handle
, actual_mechs
, initiator_time_rec
,
604 OM_uint32
*minor_status
;
605 gss_cred_id_t input_cred_handle
;
606 gss_name_t desired_name
;
607 gss_OID desired_mech
;
608 gss_cred_usage_t cred_usage
;
609 OM_uint32 initiator_time_req
;
610 OM_uint32 acceptor_time_req
;
611 gss_cred_id_t
*output_cred_handle
;
612 gss_OID_set
*actual_mechs
;
613 OM_uint32
*initiator_time_rec
;
614 OM_uint32
*acceptor_time_rec
;
616 return(krb5_gss_add_cred(minor_status
, input_cred_handle
, desired_name
,
617 desired_mech
, cred_usage
, initiator_time_req
,
618 acceptor_time_req
, output_cred_handle
,
619 actual_mechs
, initiator_time_rec
,
626 k5glue_add_oid_set_member(ctx
, minor_status
, member_oid
, oid_set
)
628 OM_uint32
*minor_status
;
630 gss_OID_set
*oid_set
;
632 return(generic_gss_add_oid_set_member(minor_status
, member_oid
, oid_set
));
637 k5glue_compare_name(ctx
, minor_status
, name1
, name2
, name_equal
)
639 OM_uint32
*minor_status
;
644 return(krb5_gss_compare_name(minor_status
, name1
,
649 k5glue_context_time(ctx
, minor_status
, context_handle
, time_rec
)
651 OM_uint32
*minor_status
;
652 gss_ctx_id_t context_handle
;
655 return(krb5_gss_context_time(minor_status
, context_handle
,
662 k5glue_create_empty_oid_set(ctx
, minor_status
, oid_set
)
664 OM_uint32
*minor_status
;
665 gss_OID_set
*oid_set
;
667 return(generic_gss_create_empty_oid_set(minor_status
, oid_set
));
672 k5glue_delete_sec_context(ctx
, minor_status
, context_handle
, output_token
)
674 OM_uint32
*minor_status
;
675 gss_ctx_id_t
*context_handle
;
676 gss_buffer_t output_token
;
678 return(krb5_gss_delete_sec_context(minor_status
,
679 context_handle
, output_token
));
683 k5glue_display_name(ctx
, minor_status
, input_name
, output_name_buffer
, output_name_type
)
685 OM_uint32
*minor_status
;
686 gss_name_t input_name
;
687 gss_buffer_t output_name_buffer
;
688 gss_OID
*output_name_type
;
690 return(krb5_gss_display_name(minor_status
, input_name
,
691 output_name_buffer
, output_name_type
));
695 k5glue_display_status(ctx
, minor_status
, status_value
, status_type
,
696 mech_type
, message_context
, status_string
)
698 OM_uint32
*minor_status
;
699 OM_uint32 status_value
;
702 OM_uint32
*message_context
;
703 gss_buffer_t status_string
;
705 return(krb5_gss_display_status(minor_status
, status_value
,
706 status_type
, mech_type
, message_context
,
712 k5glue_export_sec_context(ctx
, minor_status
, context_handle
, interprocess_token
)
714 OM_uint32
*minor_status
;
715 gss_ctx_id_t
*context_handle
;
716 gss_buffer_t interprocess_token
;
718 return(krb5_gss_export_sec_context(minor_status
,
720 interprocess_token
));
726 k5glue_get_mic(ctx
, minor_status
, context_handle
, qop_req
,
727 message_buffer
, message_token
)
729 OM_uint32
*minor_status
;
730 gss_ctx_id_t context_handle
;
732 gss_buffer_t message_buffer
;
733 gss_buffer_t message_token
;
735 return(krb5_gss_get_mic(minor_status
, context_handle
,
736 qop_req
, message_buffer
, message_token
));
741 k5glue_import_name(ctx
, minor_status
, input_name_buffer
, input_name_type
, output_name
)
743 OM_uint32
*minor_status
;
744 gss_buffer_t input_name_buffer
;
745 gss_OID input_name_type
;
746 gss_name_t
*output_name
;
750 err
= gssint_initialize_library();
753 return GSS_S_FAILURE
;
756 return(krb5_gss_import_name(minor_status
, input_name_buffer
,
757 input_name_type
, output_name
));
762 k5glue_import_sec_context(ctx
, minor_status
, interprocess_token
, context_handle
)
764 OM_uint32
*minor_status
;
765 gss_buffer_t interprocess_token
;
766 gss_ctx_id_t
*context_handle
;
768 return(krb5_gss_import_sec_context(minor_status
,
774 k5glue_indicate_mechs(ctx
, minor_status
, mech_set
)
776 OM_uint32
*minor_status
;
777 gss_OID_set
*mech_set
;
779 return(krb5_gss_indicate_mechs(minor_status
, mech_set
));
783 k5glue_init_sec_context(ctx
, minor_status
, claimant_cred_handle
, context_handle
,
784 target_name
, mech_type
, req_flags
, time_req
,
785 input_chan_bindings
, input_token
, actual_mech_type
,
786 output_token
, ret_flags
, time_rec
)
788 OM_uint32
*minor_status
;
789 gss_cred_id_t claimant_cred_handle
;
790 gss_ctx_id_t
*context_handle
;
791 gss_name_t target_name
;
795 gss_channel_bindings_t input_chan_bindings
;
796 gss_buffer_t input_token
;
797 gss_OID
*actual_mech_type
;
798 gss_buffer_t output_token
;
799 OM_uint32
*ret_flags
;
802 return(krb5_gss_init_sec_context(minor_status
,
803 claimant_cred_handle
, context_handle
,
804 target_name
, mech_type
, req_flags
,
805 time_req
, input_chan_bindings
, input_token
,
806 actual_mech_type
, output_token
, ret_flags
,
811 k5glue_inquire_context(ctx
, minor_status
, context_handle
, initiator_name
, acceptor_name
,
812 lifetime_rec
, mech_type
, ret_flags
,
813 locally_initiated
, open
)
815 OM_uint32
*minor_status
;
816 gss_ctx_id_t context_handle
;
817 gss_name_t
*initiator_name
;
818 gss_name_t
*acceptor_name
;
819 OM_uint32
*lifetime_rec
;
821 OM_uint32
*ret_flags
;
822 int *locally_initiated
;
825 return(krb5_gss_inquire_context(minor_status
, context_handle
,
826 initiator_name
, acceptor_name
, lifetime_rec
,
827 mech_type
, ret_flags
, locally_initiated
,
832 k5glue_inquire_cred(ctx
, minor_status
, cred_handle
, name
, lifetime_ret
,
833 cred_usage
, mechanisms
)
835 OM_uint32
*minor_status
;
836 gss_cred_id_t cred_handle
;
838 OM_uint32
*lifetime_ret
;
839 gss_cred_usage_t
*cred_usage
;
840 gss_OID_set
*mechanisms
;
842 return(krb5_gss_inquire_cred(minor_status
, cred_handle
,
843 name
, lifetime_ret
, cred_usage
, mechanisms
));
848 k5glue_inquire_cred_by_mech(ctx
, minor_status
, cred_handle
, mech_type
, name
,
849 initiator_lifetime
, acceptor_lifetime
, cred_usage
)
851 OM_uint32
*minor_status
;
852 gss_cred_id_t cred_handle
;
855 OM_uint32
*initiator_lifetime
;
856 OM_uint32
*acceptor_lifetime
;
857 gss_cred_usage_t
*cred_usage
;
859 return(krb5_gss_inquire_cred_by_mech(minor_status
, cred_handle
,
860 mech_type
, name
, initiator_lifetime
,
861 acceptor_lifetime
, cred_usage
));
866 k5glue_inquire_names_for_mech(ctx
, minor_status
, mechanism
, name_types
)
868 OM_uint32
*minor_status
;
870 gss_OID_set
*name_types
;
872 return(krb5_gss_inquire_names_for_mech(minor_status
,
880 k5glue_oid_to_str(ctx
, minor_status
, oid
, oid_str
)
882 OM_uint32
*minor_status
;
884 gss_buffer_t oid_str
;
886 return(generic_gss_oid_to_str(minor_status
, oid
, oid_str
));
891 k5glue_process_context_token(ctx
, minor_status
, context_handle
, token_buffer
)
893 OM_uint32
*minor_status
;
894 gss_ctx_id_t context_handle
;
895 gss_buffer_t token_buffer
;
897 return(krb5_gss_process_context_token(minor_status
,
898 context_handle
, token_buffer
));
902 k5glue_release_cred(ctx
, minor_status
, cred_handle
)
904 OM_uint32
*minor_status
;
905 gss_cred_id_t
*cred_handle
;
907 return(krb5_gss_release_cred(minor_status
, cred_handle
));
911 k5glue_release_name(ctx
, minor_status
, input_name
)
913 OM_uint32
*minor_status
;
914 gss_name_t
*input_name
;
916 return(krb5_gss_release_name(minor_status
, input_name
));
921 k5glue_release_buffer(ctx
, minor_status
, buffer
)
923 OM_uint32
*minor_status
;
926 return(generic_gss_release_buffer(minor_status
,
933 k5glue_internal_release_oid(ctx
, minor_status
, oid
)
935 OM_uint32
*minor_status
;
938 return(krb5_gss_internal_release_oid(minor_status
, oid
));
943 k5glue_release_oid_set(ctx
, minor_status
, set
)
945 OM_uint32
* minor_status
;
948 return(generic_gss_release_oid_set(minor_status
, set
));
954 k5glue_seal(ctx
, minor_status
, context_handle
, conf_req_flag
, qop_req
,
955 input_message_buffer
, conf_state
, output_message_buffer
)
957 OM_uint32
*minor_status
;
958 gss_ctx_id_t context_handle
;
961 gss_buffer_t input_message_buffer
;
963 gss_buffer_t output_message_buffer
;
965 return(krb5_gss_seal(minor_status
, context_handle
,
966 conf_req_flag
, qop_req
, input_message_buffer
,
967 conf_state
, output_message_buffer
));
971 k5glue_sign(ctx
, minor_status
, context_handle
,
972 qop_req
, message_buffer
,
975 OM_uint32
*minor_status
;
976 gss_ctx_id_t context_handle
;
978 gss_buffer_t message_buffer
;
979 gss_buffer_t message_token
;
981 return(krb5_gss_sign(minor_status
, context_handle
,
982 qop_req
, message_buffer
, message_token
));
988 k5glue_verify_mic(ctx
, minor_status
, context_handle
,
989 message_buffer
, token_buffer
, qop_state
)
991 OM_uint32
*minor_status
;
992 gss_ctx_id_t context_handle
;
993 gss_buffer_t message_buffer
;
994 gss_buffer_t token_buffer
;
995 gss_qop_t
*qop_state
;
997 return(krb5_gss_verify_mic(minor_status
, context_handle
,
998 message_buffer
, token_buffer
, qop_state
));
1003 k5glue_wrap(ctx
, minor_status
, context_handle
, conf_req_flag
, qop_req
,
1004 input_message_buffer
, conf_state
, output_message_buffer
)
1006 OM_uint32
*minor_status
;
1007 gss_ctx_id_t context_handle
;
1010 gss_buffer_t input_message_buffer
;
1012 gss_buffer_t output_message_buffer
;
1014 return(krb5_gss_wrap(minor_status
, context_handle
, conf_req_flag
, qop_req
,
1015 input_message_buffer
, conf_state
,
1016 output_message_buffer
));
1021 k5glue_str_to_oid(ctx
, minor_status
, oid_str
, oid
)
1023 OM_uint32
*minor_status
;
1024 gss_buffer_t oid_str
;
1027 return(generic_gss_str_to_oid(minor_status
, oid_str
, oid
));
1032 k5glue_test_oid_set_member(ctx
, minor_status
, member
, set
, present
)
1034 OM_uint32
*minor_status
;
1039 return(generic_gss_test_oid_set_member(minor_status
, member
, set
,
1046 k5glue_unseal(ctx
, minor_status
, context_handle
, input_message_buffer
,
1047 output_message_buffer
, conf_state
, qop_state
)
1049 OM_uint32
*minor_status
;
1050 gss_ctx_id_t context_handle
;
1051 gss_buffer_t input_message_buffer
;
1052 gss_buffer_t output_message_buffer
;
1056 return(krb5_gss_unseal(minor_status
, context_handle
,
1057 input_message_buffer
, output_message_buffer
,
1058 conf_state
, qop_state
));
1064 k5glue_unwrap(ctx
, minor_status
, context_handle
, input_message_buffer
,
1065 output_message_buffer
, conf_state
, qop_state
)
1067 OM_uint32
*minor_status
;
1068 gss_ctx_id_t context_handle
;
1069 gss_buffer_t input_message_buffer
;
1070 gss_buffer_t output_message_buffer
;
1072 gss_qop_t
*qop_state
;
1074 return(krb5_gss_unwrap(minor_status
, context_handle
, input_message_buffer
,
1075 output_message_buffer
, conf_state
, qop_state
));
1081 k5glue_verify(ctx
, minor_status
, context_handle
, message_buffer
,
1082 token_buffer
, qop_state
)
1084 OM_uint32
*minor_status
;
1085 gss_ctx_id_t context_handle
;
1086 gss_buffer_t message_buffer
;
1087 gss_buffer_t token_buffer
;
1090 return(krb5_gss_verify(minor_status
,
1099 k5glue_wrap_size_limit(ctx
, minor_status
, context_handle
, conf_req_flag
,
1100 qop_req
, req_output_size
, max_input_size
)
1102 OM_uint32
*minor_status
;
1103 gss_ctx_id_t context_handle
;
1106 OM_uint32 req_output_size
;
1107 OM_uint32
*max_input_size
;
1109 return(krb5_gss_wrap_size_limit(minor_status
, context_handle
,
1110 conf_req_flag
, qop_req
,
1111 req_output_size
, max_input_size
));
1117 k5glue_canonicalize_name(ctx
, minor_status
, input_name
, mech_type
, output_name
)
1119 OM_uint32
*minor_status
;
1120 const gss_name_t input_name
;
1121 const gss_OID mech_type
;
1122 gss_name_t
*output_name
;
1124 return krb5_gss_canonicalize_name(minor_status
, input_name
,
1125 mech_type
, output_name
);
1131 k5glue_export_name(ctx
, minor_status
, input_name
, exported_name
)
1133 OM_uint32
*minor_status
;
1134 const gss_name_t input_name
;
1135 gss_buffer_t exported_name
;
1137 return krb5_gss_export_name(minor_status
, input_name
, exported_name
);
1140 /* SUNW15resync - this is not in the MIT mech (lib) yet */
1142 k5glue_store_cred(ctx
, minor_status
, input_cred
, cred_usage
, desired_mech
,
1143 overwrite_cred
, default_cred
, elements_stored
,
1146 OM_uint32
*minor_status
;
1147 const gss_cred_id_t input_cred
;
1148 gss_cred_usage_t cred_usage
;
1149 gss_OID desired_mech
;
1150 OM_uint32 overwrite_cred
;
1151 OM_uint32 default_cred
;
1152 gss_OID_set
*elements_stored
;
1153 gss_cred_usage_t
*cred_usage_stored
;
1155 return(krb5_gss_store_cred(minor_status
, input_cred
,
1156 cred_usage
, desired_mech
,
1157 overwrite_cred
, default_cred
, elements_stored
,
1158 cred_usage_stored
));
1163 void *ctxt
, /* context */
1164 OM_uint32
*minor
, /* minor_status */
1165 const gss_name_t pname
, /* pname */
1166 const char *user
, /* local user */
1167 int *user_ok
/* user ok? */
1170 return(krb5_gss_userok(minor
, pname
, user
, user_ok
));
1174 k5glue_pname_to_uid(
1175 void *ctxt
, /* context */
1176 OM_uint32
*minor
, /* minor_status */
1177 const gss_name_t pname
, /* pname */
1178 uid_t
*uidOut
/* uid */
1181 return (krb5_pname_to_uid(minor
, pname
, uidOut
));
1189 k5glue_duplicate_name(ctx
, minor_status
, input_name
, dest_name
)
1191 OM_uint32
*minor_status
;
1192 const gss_name_t input_name
;
1193 gss_name_t
*dest_name
;
1195 return krb5_gss_duplicate_name(minor_status
, input_name
, dest_name
);
/*
 * Copy the krb5 credential cache held by a mechglue (union) credential
 * into out_ccache.
 *
 * cred_handle is a union credential; its krb5 element is looked up first
 * under the krb5 OID (krb5_mechanism) and then under the pre-RFC OID
 * (krb5_mechanism_old). The first element found is handed to
 * gss_krb5int_copy_ccache.
 *
 * Returns the result of gss_krb5int_copy_ccache, or
 * GSS_S_DEFECTIVE_CREDENTIAL when neither OID has a credential element.
 *
 * NOTE(review): krb5_mechanism_wrong, which is also exported through
 * krb5_mech_configs, is not probed here; confirm that a union credential
 * never carries its krb5 element under that OID alone.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_copy_ccache(
    OM_uint32 *minor_status,
    gss_cred_id_t cred_handle,
    krb5_ccache out_ccache)
{
    gss_union_cred_t ucred = (gss_union_cred_t)cred_handle;
    /* Probe order matters: the current OID wins over the pre-RFC one. */
    gss_OID probe_oids[] = {
        &krb5_mechanism.mech_type,
        &krb5_mechanism_old.mech_type
    };
    size_t i;

    for (i = 0; i < sizeof(probe_oids) / sizeof(probe_oids[0]); i++) {
        gss_cred_id_t mcred = gssint_get_mechanism_cred(ucred, probe_oids[i]);

        if (mcred != GSS_C_NO_CREDENTIAL)
            return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
    }

    return GSS_S_DEFECTIVE_CREDENTIAL;
}
/*
 * Restrict the encryption types a mechglue (union) credential may use.
 *
 * cred is a union credential; its krb5 element is looked up first under
 * the krb5 OID (krb5_mechanism) and then under the pre-RFC OID
 * (krb5_mechanism_old). The first element found is passed to
 * gss_krb5int_set_allowable_enctypes together with the num_ktypes
 * entries of ktypes.
 *
 * Returns the result of gss_krb5int_set_allowable_enctypes, or
 * GSS_S_DEFECTIVE_CREDENTIAL when neither OID has a credential element.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(
    OM_uint32 *minor_status,
    gss_cred_id_t cred,
    OM_uint32 num_ktypes,
    krb5_enctype *ktypes)
{
    gss_union_cred_t ucred = (gss_union_cred_t)cred;
    /* Probe order matters: the current OID wins over the pre-RFC one. */
    gss_OID probe_oids[] = {
        &krb5_mechanism.mech_type,
        &krb5_mechanism_old.mech_type
    };
    size_t i;

    for (i = 0; i < sizeof(probe_oids) / sizeof(probe_oids[0]); i++) {
        gss_cred_id_t mcred = gssint_get_mechanism_cred(ucred, probe_oids[i]);

        if (mcred != GSS_C_NO_CREDENTIAL)
            return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
                                                      num_ktypes, ktypes);
    }

    return GSS_S_DEFECTIVE_CREDENTIAL;
}
1247 * Glue routine for returning the mechanism-specific credential from an
1248 * external union credential.
1250 /* SUNW15resync - in MIT 1.5, it's in g_glue.c (libgss) but we don't
1251 want to link against libgss so we put it here since we need it in the mech */
/*
 * Look up the mechanism-specific credential element that a mechglue
 * (union) credential carries for mech_type.
 *
 * union_cred  the union credential to search; may be GSS_C_NO_CREDENTIAL.
 * mech_type   the mechanism OID to match against union_cred->mechs_array.
 *
 * Returns the entry of union_cred->cred_array whose OID equals mech_type,
 * or GSS_C_NO_CREDENTIAL when union_cred is empty or nothing matches.
 */
gss_cred_id_t
gssint_get_mechanism_cred(gss_union_cred_t union_cred, gss_OID mech_type)
{
    int idx = 0;

    if (union_cred == (gss_union_cred_t)GSS_C_NO_CREDENTIAL)
        return GSS_C_NO_CREDENTIAL;

    /* mechs_array and cred_array are parallel: the same index pairs them. */
    while (idx < union_cred->count) {
        if (g_OID_equal(mech_type, &union_cred->mechs_array[idx]))
            return union_cred->cred_array[idx];
        idx++;
    }

    return GSS_C_NO_CREDENTIAL;
}
1272 * entry point for the gss layer,
1273 * called "krb5_gss_initialize()" in MIT 1.2.1
1275 /* SUNW15resync - this used to be in k5mech.c */
1277 gss_mech_initialize(oid
)
1281 * Solaris Kerberos: We also want to use the same functions for KRB5 as
1282 * we do for the MS KRB5 (krb5_mechanism_wrong). So both are valid.
1284 /* ensure that the requested oid matches our oid */
1285 if (oid
== NULL
|| (!g_OID_equal(oid
, &krb5_mechanism
.mech_type
) &&
1286 !g_OID_equal(oid
, &krb5_mechanism_wrong
.mech_type
))) {
1287 (void) syslog(LOG_INFO
, "krb5mech: gss_mech_initialize: bad oid");
1291 #if 0 /* SUNW15resync - no longer needed(?) */
1292 if (krb5_gss_get_context(&(krb5_mechanism
.context
)) !=
1297 return (&krb5_mechanism
);
1301 * This API should go away and be replaced with an accessor
1302 * into a gss_name_t.
1304 OM_uint32 KRB5_CALLCONV
1305 gsskrb5_extract_authz_data_from_sec_context(
1306 OM_uint32
*minor_status
,
1307 gss_ctx_id_t context_handle
,
1309 gss_buffer_t ad_data
)
1311 gss_OID_desc req_oid
;
1312 unsigned char oid_buf
[GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH
+ 6];
1313 OM_uint32 major_status
;
1314 gss_buffer_set_t data_set
= GSS_C_NO_BUFFER_SET
;
1316 if (ad_data
== NULL
)
1317 return GSS_S_CALL_INACCESSIBLE_WRITE
;
1319 req_oid
.elements
= oid_buf
;
1320 req_oid
.length
= sizeof(oid_buf
);
1322 major_status
= generic_gss_oid_compose(minor_status
,
1323 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID
,
1324 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH
,
1327 if (GSS_ERROR(major_status
))
1328 return major_status
;
1330 major_status
= gss_inquire_sec_context_by_oid(minor_status
,
1334 if (major_status
!= GSS_S_COMPLETE
) {
1335 return major_status
;
1339 * SUNW17PACresync / Solaris Kerberos
1340 * MIT17 allows only count==1 which is correct for pre-Win2008 but
1341 * our testing with Win2008 shows count==2 and Win7 count==3.
1343 if ((data_set
== GSS_C_NO_BUFFER_SET
) || (data_set
->count
== 0)) {
1344 gss_release_buffer_set(minor_status
, &data_set
);
1345 *minor_status
= EINVAL
;
1346 return GSS_S_FAILURE
;
1349 ad_data
->length
= data_set
->elements
[0].length
;
1350 ad_data
->value
= malloc(ad_data
->length
);
1351 if (!ad_data
->value
) {
1352 gss_release_buffer_set(minor_status
, &data_set
);
1355 bcopy(data_set
->elements
[0].value
, ad_data
->value
, ad_data
->length
);
1357 gss_release_buffer_set(minor_status
, &data_set
);
1359 return GSS_S_COMPLETE
;
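/*
 * Retrieve the authentication time of an established krb5 security
 * context by querying it with the
 * GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT OID.
 *
 * minor_status    receives the minor status code.
 * context_handle  the established context to query.
 * authtime        receives the authentication time on success.
 *
 * Returns GSS_S_COMPLETE on success; GSS_S_CALL_INACCESSIBLE_WRITE when
 * authtime is NULL; the status of gss_inquire_sec_context_by_oid when the
 * query fails; or GSS_S_FAILURE with minor EINVAL when the reply is not
 * exactly one element of sizeof(krb5_timestamp) bytes.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
                                          gss_ctx_id_t context_handle,
                                          krb5_timestamp *authtime)
{
    static const gss_OID_desc req_oid = {
        GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
        GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
    };
    OM_uint32 major_status;
    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;

    if (authtime == NULL)
        return GSS_S_CALL_INACCESSIBLE_WRITE;

    major_status = gss_inquire_sec_context_by_oid(minor_status,
                                                  context_handle,
                                                  (gss_OID)&req_oid,
                                                  &data_set);
    if (major_status != GSS_S_COMPLETE)
        return major_status;

    /*
     * Validate the reply before touching it: exactly one element of exactly
     * the expected size. The set is released on this path as well; the
     * previous code returned without freeing it whenever the set was
     * present but malformed. Release first, then set minor_status, since
     * gss_release_buffer_set writes minor_status itself.
     */
    if (data_set == GSS_C_NO_BUFFER_SET ||
        data_set->count != 1 ||
        data_set->elements[0].length != sizeof(*authtime)) {
        gss_release_buffer_set(minor_status, &data_set);
        *minor_status = EINVAL;
        return GSS_S_FAILURE;
    }

    /*
     * Copy rather than cast-and-dereference: the element's value pointer
     * carries no alignment guarantee for krb5_timestamp.
     */
    memcpy(authtime, data_set->elements[0].value, sizeof(*authtime));

    gss_release_buffer_set(minor_status, &data_set);
    *minor_status = 0;

    return GSS_S_COMPLETE;
}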