authornectar <nectar@FreeBSD.org>2003-10-09 19:36:20 +0000
committernectar <nectar@FreeBSD.org>2003-10-09 19:36:20 +0000
commit5c90662d441c12cd30c694eb1172d6fea2f8f282 (patch)
treecb08d962a1d1ff9fd191e67849a7057861f42a50 /crypto/heimdal/lib/gssapi
parent12eb3dee85137da9effa7d2df35e855dd0a3814a (diff)
Vendor import of Heimdal 0.6.
Diffstat (limited to 'crypto/heimdal/lib/gssapi')
-rw-r--r--crypto/heimdal/lib/gssapi/8003.c134
-rw-r--r--crypto/heimdal/lib/gssapi/ChangeLog257
-rw-r--r--crypto/heimdal/lib/gssapi/Makefile.am18
-rw-r--r--crypto/heimdal/lib/gssapi/Makefile.in113
-rw-r--r--crypto/heimdal/lib/gssapi/accept_sec_context.c595
-rw-r--r--crypto/heimdal/lib/gssapi/acquire_cred.c76
-rw-r--r--crypto/heimdal/lib/gssapi/add_cred.c216
-rw-r--r--crypto/heimdal/lib/gssapi/add_oid_set_member.c9
-rw-r--r--crypto/heimdal/lib/gssapi/compare_name.c8
-rw-r--r--crypto/heimdal/lib/gssapi/compat.c113
-rw-r--r--crypto/heimdal/lib/gssapi/context_time.c7
-rw-r--r--crypto/heimdal/lib/gssapi/copy_ccache.c11
-rw-r--r--crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c5
-rw-r--r--crypto/heimdal/lib/gssapi/delete_sec_context.c47
-rw-r--r--crypto/heimdal/lib/gssapi/display_name.c55
-rw-r--r--crypto/heimdal/lib/gssapi/display_status.c52
-rw-r--r--crypto/heimdal/lib/gssapi/duplicate_name.c29
-rw-r--r--crypto/heimdal/lib/gssapi/export_name.c58
-rw-r--r--crypto/heimdal/lib/gssapi/export_sec_context.c40
-rw-r--r--crypto/heimdal/lib/gssapi/get_mic.c20
-rw-r--r--crypto/heimdal/lib/gssapi/gss_acquire_cred.3465
-rw-r--r--crypto/heimdal/lib/gssapi/gssapi.3158
-rw-r--r--crypto/heimdal/lib/gssapi/gssapi.h399
-rw-r--r--crypto/heimdal/lib/gssapi/gssapi_locl.h26
-rw-r--r--crypto/heimdal/lib/gssapi/import_name.c119
-rw-r--r--crypto/heimdal/lib/gssapi/import_sec_context.c128
-rw-r--r--crypto/heimdal/lib/gssapi/indicate_mechs.c28
-rw-r--r--crypto/heimdal/lib/gssapi/init_sec_context.c83
-rw-r--r--crypto/heimdal/lib/gssapi/inquire_context.c13
-rw-r--r--crypto/heimdal/lib/gssapi/inquire_cred.c11
-rw-r--r--crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c80
-rw-r--r--crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c57
-rw-r--r--crypto/heimdal/lib/gssapi/inquire_names_for_mech.c80
-rw-r--r--crypto/heimdal/lib/gssapi/process_context_token.c65
-rw-r--r--crypto/heimdal/lib/gssapi/release_buffer.c5
-rw-r--r--crypto/heimdal/lib/gssapi/release_cred.c8
-rw-r--r--crypto/heimdal/lib/gssapi/release_name.c16
-rw-r--r--crypto/heimdal/lib/gssapi/release_oid_set.c6
-rw-r--r--crypto/heimdal/lib/gssapi/test_acquire_cred.c98
-rw-r--r--crypto/heimdal/lib/gssapi/test_oid_set_member.c16
-rw-r--r--crypto/heimdal/lib/gssapi/unwrap.c16
-rw-r--r--crypto/heimdal/lib/gssapi/verify_mic.c95
-rw-r--r--crypto/heimdal/lib/gssapi/wrap.c15
43 files changed, 2939 insertions, 911 deletions
diff --git a/crypto/heimdal/lib/gssapi/8003.c b/crypto/heimdal/lib/gssapi/8003.c
index 03992a4..677a25a 100644
--- a/crypto/heimdal/lib/gssapi/8003.c
+++ b/crypto/heimdal/lib/gssapi/8003.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: 8003.c,v 1.11 2002/03/10 23:47:39 assar Exp $");
+RCSID("$Id: 8003.c,v 1.12 2002/10/31 14:38:49 joda Exp $");
static krb5_error_code
encode_om_uint32(OM_uint32 n, u_char *p)
@@ -100,56 +100,56 @@ gssapi_krb5_create_8003_checksum (
const krb5_data *fwd_data,
Checksum *result)
{
- u_char *p;
-
- /*
- * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
- * field's format) */
- result->cksumtype = 0x8003;
- if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
- result->checksum.length = 24 + 4 + fwd_data->length;
- else
- result->checksum.length = 24;
- result->checksum.data = malloc (result->checksum.length);
- if (result->checksum.data == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
+ u_char *p;
+
+ /*
+ * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
+ * field's format) */
+ result->cksumtype = 0x8003;
+ if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
+ result->checksum.length = 24 + 4 + fwd_data->length;
+ else
+ result->checksum.length = 24;
+ result->checksum.data = malloc (result->checksum.length);
+ if (result->checksum.data == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
- p = result->checksum.data;
- encode_om_uint32 (16, p);
- p += 4;
- if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
- memset (p, 0, 16);
- } else {
- hash_input_chan_bindings (input_chan_bindings, p);
- }
- p += 16;
- encode_om_uint32 (flags, p);
- p += 4;
-
- if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+ p = result->checksum.data;
+ encode_om_uint32 (16, p);
+ p += 4;
+ if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
+ memset (p, 0, 16);
+ } else {
+ hash_input_chan_bindings (input_chan_bindings, p);
+ }
+ p += 16;
+ encode_om_uint32 (flags, p);
+ p += 4;
+
+ if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
#if 0
- u_char *tmp;
+ u_char *tmp;
- result->checksum.length = 28 + fwd_data->length;
- tmp = realloc(result->checksum.data, result->checksum.length);
- if (tmp == NULL)
- return ENOMEM;
- result->checksum.data = tmp;
+ result->checksum.length = 28 + fwd_data->length;
+ tmp = realloc(result->checksum.data, result->checksum.length);
+ if (tmp == NULL)
+ return ENOMEM;
+ result->checksum.data = tmp;
- p = (u_char*)result->checksum.data + 24;
+ p = (u_char*)result->checksum.data + 24;
#endif
- *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */
- *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */
- *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */
- *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */
- memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
-
- p += fwd_data->length;
- }
+ *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */
+ *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */
+ *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */
+ *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */
+ memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
+
+ p += fwd_data->length;
+ }
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE;
}
/*
@@ -172,7 +172,7 @@ gssapi_krb5_verify_8003_checksum(
static unsigned char zeros[16];
/* XXX should handle checksums > 24 bytes */
- if(cksum->cksumtype != 0x8003) {
+ if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
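Review bot: The new minimum-length guard hardcodes 24, and the following hunk repeats 24 and 28 for the same wire layout, so three separate bounds now have to stay in step by hand; a named constant for the fixed RFC 1964 checksum prefix and the delegation header, e.g. `enum { CKSUM_8003_FIXED_LEN = 24, CKSUM_8003_DELEG_HDR_LEN = 4 };` (constructed names), would make `28 + fwd_data->length` self-explanatory. The retained context comment `/* XXX should handle checksums > 24 bytes */` also reads stale now that the branch below explicitly parses longer checksums; consider narrowing it to whatever is actually still unhandled or dropping it. gssapi_krb5_verify_8003_checksum begins outside the hunk.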
@@ -201,27 +201,33 @@ gssapi_krb5_verify_8003_checksum(
p += sizeof(hash);
decode_om_uint32(p, flags);
+ p += 4;
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
+ if(cksum->checksum.length < 28) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
- p += 4;
-
- DlgOpt = (p[0] << 0) | (p[1] << 8 );
- if (DlgOpt != 1) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p += 2;
- fwd_data->length = (p[0] << 0) | (p[1] << 8);
- fwd_data->data = malloc(fwd_data->length);
- if (fwd_data->data == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p += 2;
- memcpy(fwd_data->data, p, fwd_data->length);
+ DlgOpt = (p[0] << 0) | (p[1] << 8);
+ p += 2;
+ if (DlgOpt != 1) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
+
+ fwd_data->length = (p[0] << 0) | (p[1] << 8);
+ p += 2;
+ if(cksum->checksum.length < 28 + fwd_data->length) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
+ fwd_data->data = malloc(fwd_data->length);
+ if (fwd_data->data == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy(fwd_data->data, p, fwd_data->length);
}
return GSS_S_COMPLETE;
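Review bot: On the allocation-failure path of the delegation branch, `fwd_data->length` has already been taken from the wire while `fwd_data->data` is left NULL, so the caller receives GSS_S_FAILURE together with a krb5_data whose length and pointer disagree; adding `fwd_data->length = 0;` next to `*minor_status = ENOMEM;` keeps the out-parameter consistent on every return. Related: a Dlgth field of 0 reaches `malloc(0)`, which may legitimately return NULL on some platforms and would then be reported as ENOMEM rather than handled as an empty delegation — worth either special-casing a zero length or rejecting it explicitly with GSS_S_BAD_BINDINGS. Bytes beyond `28 + fwd_data->length` are still accepted silently; if that is intended for forward compatibility, a one-line comment saying so would stop the next reader from treating it as an oversight. gssapi_krb5_verify_8003_checksum begins outside the hunk.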
diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog
index cd9d9c1..d08f72b 100644
--- a/crypto/heimdal/lib/gssapi/ChangeLog
+++ b/crypto/heimdal/lib/gssapi/ChangeLog
@@ -1,3 +1,260 @@
+2003-05-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gssapi.h: 1.27->1.28:
+ if __cplusplus, wrap the extern variable (just to be safe) and
+ functions in extern "C" { }
+
+2003-04-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gssapi.3: more about the des3 mic mess
+
+ * verify_mic.c 1.19->1.20 : (verify_mic_des3): always check if the
+ mic is the correct mic or the mic that old heimdal would have
+ generated
+
+2003-04-29 Jacques Vidrine <nectar@kth.se>
+
+ * verify_mic.c: 1.18->1.19: verify_mic_des3: If MIC verification
+ fails, retry using the `old' MIC computation (with zero IV).
+
+2003-04-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * compat.c (_gss_DES3_get_mic_compat): default to use compat
+
+ * gssapi.3: 1.5->1.6: document [gssapi]correct_des3_mic and
+ [gssapi]broken_des3_mic
+
+ * compat.c: 1.2->1.4:
+ (gss_krb5_compat_des3_mci): return a value
+ (gss_krb5_compat_des3_mic): enable turning on/off des3 mic compat
+ (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too
+
+ * gssapi.h: 1.26->1.27:
+ (gss_krb5_compat_des3_mic): new function, turn on/off des3 mic compat
+ (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
+ gss_krb5_compat_des3_mic exists
+
+2003-04-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: 1.44->1.45: test_acquire_cred_LDADD: use
+ libgssapi.la not ./libgssapi.la (makes make -jN work)
+
+2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gssapi.3: spelling
+
+ * gss_acquire_cred.3: Change .Fd #include <header.h> to .In
+ header.h, from Thomas Klausner <wiz@netbsd.org>
+
+
+2003-04-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gss_acquire_cred.3: spelling
+
+ * Makefile.am: remove stuff that sneaked in with last commit
+
+ * acquire_cred.c (acquire_initiator_cred): if the requested name
+ isn't in the ccache, also check keytab. Extact the krbtgt for the
+ default realm to check how long the credentials will last.
+
+ * add_cred.c (gss_add_cred): don't create a new ccache, just open
+ the old one; better check if output handle is compatible with new
+ (copied) handle
+
+ * test_acquire_cred.c: test gss_add_cred too
+
+2003-04-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: build test_acquire_cred
+
+ * test_acquire_cred.c: simple gss_acquire_cred test
+
+2003-04-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gss_acquire_cred.3: s/gssapi/GSS-API/
+
+2003-03-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gss_acquire_cred.3: document v1 interface (and that they are
+ obsolete)
+
+2003-03-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gss_acquire_cred.3: list supported mechanism and nametypes
+
+2003-03-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gss_acquire_cred.3: text about gss_display_name
+
+ * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2
+ (libgssapi_la_SOURCES): add all new functions
+
+ * gssapi.3: now that we have a functions, uncomment the missing
+ ones
+
+ * gss_acquire_cred.3: now that we have a functions, uncomment the
+ missing ones
+
+ * process_context_token.c: implement gss_process_context_token
+
+ * inquire_names_for_mech.c: implement gss_inquire_names_for_mech
+
+ * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name
+
+ * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech
+
+ * add_cred.c: implement gss_add_cred
+
+ * acquire_cred.c (gss_acquire_cred): more testing of input
+ argument, make sure output arguments are ok, since we don't know
+ the time_rec (for now), set it to time_req
+
+ * export_sec_context.c: send lifetime, also set minor_status
+
+ * get_mic.c: set minor_status
+
+ * import_sec_context.c (gss_import_sec_context): add error
+ checking, pick up lifetime (if there is no lifetime, use
+ GSS_C_INDEFINITE)
+
+ * init_sec_context.c: take care to set export value to something
+ sane before we start so caller will have harmless values in them
+ if then function fails
+
+ * release_buffer.c (gss_release_buffer): set minor_status
+
+ * wrap.c: make sure minor_status get set
+
+ * verify_mic.c (gss_verify_mic_internal): rename verify_mic to
+ gss_verify_mic_internal and let it take the type as an argument,
+ (gss_verify_mic): call gss_verify_mic_internal
+ set minor_status
+
+ * unwrap.c: set minor_status
+
+ * test_oid_set_member.c (gss_test_oid_set_member): use
+ gss_oid_equal
+
+ * release_oid_set.c (gss_release_oid_set): set minor_status
+
+ * release_name.c (gss_release_name): set minor_status
+
+ * release_cred.c (gss_release_cred): set minor_status
+
+ * add_oid_set_member.c (gss_add_oid_set_member): set minor_status
+
+ * compare_name.c (gss_compare_name): set minor_status
+
+ * compat.c (check_compat): make sure ret have a defined value
+
+ * context_time.c (gss_context_time): set minor_status
+
+ * copy_ccache.c (gss_krb5_copy_ccache): set minor_status
+
+ * create_emtpy_oid_set.c (gss_create_empty_oid_set): set
+ minor_status
+
+ * delete_sec_context.c (gss_delete_sec_context): set minor_status
+
+ * display_name.c (gss_display_name): set minor_status
+
+ * display_status.c (gss_display_status): use gss_oid_equal, handle
+ supplementary errors
+
+ * duplicate_name.c (gss_duplicate_name): set minor_status
+
+ * inquire_context.c (gss_inquire_context): set lifetime_rec now
+ when we know it, set minor_status
+
+ * inquire_cred.c (gss_inquire_cred): take care to set export value
+ to something sane before we start so caller will have harmless
+ values in them if the function fails
+
+ * accept_sec_context.c (gss_accept_sec_context): take care to set
+ export value to something sane before we start so caller will have
+ harmless values in them if then function fails, set lifetime from
+ ticket expiration date
+
+ * indicate_mechs.c (gss_indicate_mechs): use
+ gss_create_empty_oid_set and gss_add_oid_set_member
+
+ * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred,
+ since there is no ticket transfered in the exported context
+
+ * export_name.c (gss_export_name): export name with
+ GSS_C_NT_EXPORT_NAME wrapping, not just the principal
+
+ * import_name.c (import_export_name): new function, parses a
+ GSS_C_NT_EXPORT_NAME
+ (import_krb5_name): factor out common code of parsing krb5 name
+ (gss_oid_equal): rename from oid_equal
+
+ * gssapi_locl.h: add prototypes for gss_oid_equal and
+ gss_verify_mic_internal
+
+ * gssapi.h: comment out the argument names
+
+2003-03-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gssapi.3: add LIST OF FUNCTIONS and copyright/license
+
+ * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/
+
+ * Makefile.am: man_MANS += gss_aquire_cred.3
+
+2003-03-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * gss_aquire_cred.3: the gssapi api manpage
+
+2003-03-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * inquire_context.c: (gss_inquire_context): rename argument open
+ to open_context
+
+ * gssapi.h (gss_inquire_context): rename argument open to open_context
+
+2003-02-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * init_sec_context.c (do_delegation): remove unused variable
+ subkey
+
+ * gssapi.3: all 0.5.x version had broken token delegation
+
+2003-02-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * (init_auth): only generate one subkey
+
+2003-01-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform
+ to rfc (and mit kerberos), provide backward compat hook
+
+ * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and
+ mit kerberos), provide backward compat hook
+
+ * init_sec_context.c (init_auth): check if we need compat for
+ older get_mic/verify_mic
+
+ * gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat
+
+ * gssapi.h (more_flags): add COMPAT_OLD_DES3
+
+ * Makefile.am: add gssapi.3 and compat.c
+
+ * gssapi.3: add gssapi COMPATIBILITY documentation
+
+ * accept_sec_context.c (gss_accept_sec_context): check if we need
+ compat for older get_mic/verify_mic
+
+ * compat.c: check for compatiblity with other heimdal's 3des
+ get_mic/verify_mic
+
+2002-10-31 Johan Danielsson <joda@pdc.kth.se>
+
+ * check return value from gssapi_krb5_init
+
+ * 8003.c (gssapi_krb5_verify_8003_checksum): check size of input
+
2002-09-03 Johan Danielsson <joda@pdc.kth.se>
* wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE
diff --git a/crypto/heimdal/lib/gssapi/Makefile.am b/crypto/heimdal/lib/gssapi/Makefile.am
index 95ad40c..6d232e5 100644
--- a/crypto/heimdal/lib/gssapi/Makefile.am
+++ b/crypto/heimdal/lib/gssapi/Makefile.am
@@ -1,22 +1,26 @@
-# $Id: Makefile.am,v 1.38 2002/03/22 12:16:17 joda Exp $
+# $Id: Makefile.am,v 1.44.2.5 2003/05/12 15:20:46 joda Exp $
include $(top_srcdir)/Makefile.am.common
INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4)
lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 3:5:2
+libgssapi_la_LDFLAGS = -version-info 4:0:3
libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la
+man_MANS = gssapi.3 gss_acquire_cred.3
+
include_HEADERS = gssapi.h
libgssapi_la_SOURCES = \
8003.c \
accept_sec_context.c \
acquire_cred.c \
+ add_cred.c \
add_oid_set_member.c \
canonicalize_name.c \
compare_name.c \
+ compat.c \
context_time.c \
copy_ccache.c \
create_emtpy_oid_set.c \
@@ -39,13 +43,23 @@ libgssapi_la_SOURCES = \
init_sec_context.c \
inquire_context.c \
inquire_cred.c \
+ inquire_cred_by_mech.c \
+ inquire_mechs_for_name.c \
+ inquire_names_for_mech.c \
release_buffer.c \
release_cred.c \
release_name.c \
release_oid_set.c \
+ process_context_token.c \
test_oid_set_member.c \
unwrap.c \
v1.c \
verify_mic.c \
wrap.c \
address_to_krb5addr.c
+
+#noinst_PROGRAMS = test_acquire_cred
+
+#test_acquire_cred_SOURCES = test_acquire_cred.c
+
+#test_acquire_cred_LDADD = libgssapi.la
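Review bot: `process_context_token.c` is inserted between `release_oid_set.c` and `test_oid_set_member.c`, which breaks the alphabetical order the rest of libgssapi_la_SOURCES follows; moving it to follow `inquire_names_for_mech.c` keeps the list sorted (the generated Makefile.in hunk mirrors the same placement). The three `test_acquire_cred` lines are added commented out, while the ChangeLog hunk above records the test program being built; if the import intentionally leaves the test out of this tree, a one-line comment such as `# test_acquire_cred is intentionally not built here` would explain the divergence to the next maintainer.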
diff --git a/crypto/heimdal/lib/gssapi/Makefile.in b/crypto/heimdal/lib/gssapi/Makefile.in
index c053595..7ce1a6e 100644
--- a/crypto/heimdal/lib/gssapi/Makefile.in
+++ b/crypto/heimdal/lib/gssapi/Makefile.in
@@ -14,11 +14,11 @@
@SET_MAKE@
-# $Id: Makefile.am,v 1.38 2002/03/22 12:16:17 joda Exp $
+# $Id: Makefile.am,v 1.44.2.5 2003/05/12 15:20:46 joda Exp $
# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
-# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $
+# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $
SHELL = @SHELL@
srcdir = @srcdir@
@@ -114,6 +114,7 @@ LIB_roken = @LIB_roken@
LIB_security = @LIB_security@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
NROFF = @NROFF@
@@ -192,7 +193,7 @@ LIB_readline = @LIB_readline@
NROFF_MAN = groff -mandoc -Tascii
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@@ -202,18 +203,22 @@ NROFF_MAN = groff -mandoc -Tascii
@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 3:5:2
+libgssapi_la_LDFLAGS = -version-info 4:0:3
libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la
+man_MANS = gssapi.3 gss_acquire_cred.3
+
include_HEADERS = gssapi.h
libgssapi_la_SOURCES = \
8003.c \
accept_sec_context.c \
acquire_cred.c \
+ add_cred.c \
add_oid_set_member.c \
canonicalize_name.c \
compare_name.c \
+ compat.c \
context_time.c \
copy_ccache.c \
create_emtpy_oid_set.c \
@@ -236,10 +241,14 @@ libgssapi_la_SOURCES = \
init_sec_context.c \
inquire_context.c \
inquire_cred.c \
+ inquire_cred_by_mech.c \
+ inquire_mechs_for_name.c \
+ inquire_names_for_mech.c \
release_buffer.c \
release_cred.c \
release_name.c \
release_oid_set.c \
+ process_context_token.c \
test_oid_set_member.c \
unwrap.c \
v1.c \
@@ -256,16 +265,19 @@ LTLIBRARIES = $(lib_LTLIBRARIES)
libgssapi_la_DEPENDENCIES = ../krb5/libkrb5.la ../asn1/libasn1.la \
../roken/libroken.la
am_libgssapi_la_OBJECTS = 8003.lo accept_sec_context.lo acquire_cred.lo \
- add_oid_set_member.lo canonicalize_name.lo compare_name.lo \
- context_time.lo copy_ccache.lo create_emtpy_oid_set.lo \
- decapsulate.lo delete_sec_context.lo display_name.lo \
- display_status.lo duplicate_name.lo encapsulate.lo \
- export_sec_context.lo export_name.lo external.lo get_mic.lo \
- import_name.lo import_sec_context.lo indicate_mechs.lo init.lo \
- init_sec_context.lo inquire_context.lo inquire_cred.lo \
+ add_cred.lo add_oid_set_member.lo canonicalize_name.lo \
+ compare_name.lo compat.lo context_time.lo copy_ccache.lo \
+ create_emtpy_oid_set.lo decapsulate.lo delete_sec_context.lo \
+ display_name.lo display_status.lo duplicate_name.lo \
+ encapsulate.lo export_sec_context.lo export_name.lo external.lo \
+ get_mic.lo import_name.lo import_sec_context.lo \
+ indicate_mechs.lo init.lo init_sec_context.lo \
+ inquire_context.lo inquire_cred.lo inquire_cred_by_mech.lo \
+ inquire_mechs_for_name.lo inquire_names_for_mech.lo \
release_buffer.lo release_cred.lo release_name.lo \
- release_oid_set.lo test_oid_set_member.lo unwrap.lo v1.lo \
- verify_mic.lo wrap.lo address_to_krb5addr.lo
+ release_oid_set.lo process_context_token.lo \
+ test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo wrap.lo \
+ address_to_krb5addr.lo
libgssapi_la_OBJECTS = $(am_libgssapi_la_OBJECTS)
DEFS = @DEFS@
@@ -284,6 +296,7 @@ LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
CFLAGS = @CFLAGS@
DIST_SOURCES = $(libgssapi_la_SOURCES)
+MANS = $(man_MANS)
HEADERS = $(include_HEADERS)
DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in
@@ -293,10 +306,10 @@ all: all-am
.SUFFIXES:
.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
cd $(top_srcdir) && \
$(AUTOMAKE) --foreign lib/gssapi/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+Makefile: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.in $(top_builddir)/config.status
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)
libLTLIBRARIES_INSTALL = $(INSTALL)
install-libLTLIBRARIES: $(lib_LTLIBRARIES)
@@ -347,6 +360,45 @@ clean-libtool:
distclean-libtool:
-rm -f libtool
uninstall-info-am:
+
+man3dir = $(mandir)/man3
+install-man3: $(man3_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ $(mkinstalldirs) $(DESTDIR)$(man3dir)
+ @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.3*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
+ $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
+ done
+uninstall-man3:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.3*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
+ rm -f $(DESTDIR)$(man3dir)/$$inst; \
+ done
includeHEADERS_INSTALL = $(INSTALL_HEADER)
install-includeHEADERS: $(include_HEADERS)
@$(NORMAL_INSTALL)
@@ -433,10 +485,10 @@ distdir: $(DISTFILES)
check-am: all-am
$(MAKE) $(AM_MAKEFLAGS) check-local
check: check-am
-all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local
+all-am: Makefile $(LTLIBRARIES) $(MANS) $(HEADERS) all-local
installdirs:
- $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+ $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(man3dir) $(DESTDIR)$(includedir)
install: install-am
install-exec: install-exec-am
@@ -480,7 +532,9 @@ info: info-am
info-am:
-install-data-am: install-data-local install-includeHEADERS
+install-data-am: install-includeHEADERS install-man
+ @$(NORMAL_INSTALL)
+ $(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-exec-am: install-libLTLIBRARIES
@$(NORMAL_INSTALL)
@@ -488,7 +542,7 @@ install-exec-am: install-libLTLIBRARIES
install-info: install-info-am
-install-man:
+install-man: install-man3
installcheck-am:
@@ -502,20 +556,23 @@ mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool
uninstall-am: uninstall-includeHEADERS uninstall-info-am \
- uninstall-libLTLIBRARIES
+ uninstall-libLTLIBRARIES uninstall-man
+
+uninstall-man: uninstall-man3
.PHONY: GTAGS all all-am all-local check check-am check-local clean \
clean-generic clean-libLTLIBRARIES clean-libtool distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am info info-am install \
- install-am install-data install-data-am install-data-local \
- install-exec install-exec-am install-includeHEADERS \
- install-info install-info-am install-libLTLIBRARIES install-man \
+ install-am install-data install-data-am install-exec \
+ install-exec-am install-includeHEADERS install-info \
+ install-info-am install-libLTLIBRARIES install-man install-man3 \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
tags uninstall uninstall-am uninstall-includeHEADERS \
- uninstall-info-am uninstall-libLTLIBRARIES
+ uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \
+ uninstall-man3
install-suid-programs:
@@ -641,12 +698,18 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
install-cat-mans:
$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
-install-data-local: install-cat-mans
+install-data-hook: install-cat-mans
.et.h:
$(COMPILE_ET) $<
.et.c:
$(COMPILE_ET) $<
+
+#noinst_PROGRAMS = test_acquire_cred
+
+#test_acquire_cred_SOURCES = test_acquire_cred.c
+
+#test_acquire_cred_LDADD = libgssapi.la
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/crypto/heimdal/lib/gssapi/accept_sec_context.c b/crypto/heimdal/lib/gssapi/accept_sec_context.c
index 23eb769..62a0573 100644
--- a/crypto/heimdal/lib/gssapi/accept_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/accept_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,12 +33,12 @@
#include "gssapi_locl.h"
-RCSID("$Id: accept_sec_context.c,v 1.30 2001/08/29 02:21:09 assar Exp $");
+RCSID("$Id: accept_sec_context.c,v 1.33 2003/03/16 17:41:12 lha Exp $");
krb5_keytab gssapi_krb5_keytab;
OM_uint32
-gsskrb5_register_acceptor_identity (char *identity)
+gsskrb5_register_acceptor_identity (const char *identity)
{
krb5_error_code ret;
char *p;
@@ -76,347 +76,356 @@ gss_accept_sec_context
gss_cred_id_t * delegated_cred_handle
)
{
- krb5_error_code kret;
- OM_uint32 ret;
- krb5_data indata;
- krb5_flags ap_options;
- OM_uint32 flags;
- krb5_ticket *ticket = NULL;
- krb5_keytab keytab = NULL;
- krb5_data fwd_data;
- OM_uint32 minor;
-
- ret = 0;
- gssapi_krb5_init ();
-
- krb5_data_zero (&fwd_data);
- output_token->length = 0;
- output_token->value = NULL;
-
- if (*context_handle == GSS_C_NO_CONTEXT) {
- *context_handle = malloc(sizeof(**context_handle));
+ krb5_error_code kret;
+ OM_uint32 ret = GSS_S_COMPLETE;
+ krb5_data indata;
+ krb5_flags ap_options;
+ OM_uint32 flags;
+ krb5_ticket *ticket = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_data fwd_data;
+ OM_uint32 minor;
+
+ GSSAPI_KRB5_INIT();
+
+ krb5_data_zero (&fwd_data);
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ if (src_name != NULL)
+ *src_name = NULL;
+ if (mech_type)
+ *mech_type = GSS_KRB5_MECHANISM;
+
if (*context_handle == GSS_C_NO_CONTEXT) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
+ *context_handle = malloc(sizeof(**context_handle));
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ }
+
+ (*context_handle)->auth_context = NULL;
+ (*context_handle)->source = NULL;
+ (*context_handle)->target = NULL;
+ (*context_handle)->flags = 0;
+ (*context_handle)->more_flags = 0;
+ (*context_handle)->ticket = NULL;
+ (*context_handle)->lifetime = GSS_C_INDEFINITE;
+
+ kret = krb5_auth_con_init (gssapi_krb5_context,
+ &(*context_handle)->auth_context);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ goto failure;
}
- }
-
- (*context_handle)->auth_context = NULL;
- (*context_handle)->source = NULL;
- (*context_handle)->target = NULL;
- (*context_handle)->flags = 0;
- (*context_handle)->more_flags = 0;
- (*context_handle)->ticket = NULL;
-
- if (src_name != NULL)
- *src_name = NULL;
-
- kret = krb5_auth_con_init (gssapi_krb5_context,
- &(*context_handle)->auth_context);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
- && input_chan_bindings->application_data.length ==
- 2 * sizeof((*context_handle)->auth_context->local_port)
- ) {
+
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
+ && input_chan_bindings->application_data.length ==
+ 2 * sizeof((*context_handle)->auth_context->local_port)
+ ) {
- /* Port numbers are expected to be in application_data.value,
- * initator's port first */
+ /* Port numbers are expected to be in application_data.value,
+ * initator's port first */
- krb5_address initiator_addr, acceptor_addr;
+ krb5_address initiator_addr, acceptor_addr;
- memset(&initiator_addr, 0, sizeof(initiator_addr));
- memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+ memset(&initiator_addr, 0, sizeof(initiator_addr));
+ memset(&acceptor_addr, 0, sizeof(acceptor_addr));
- (*context_handle)->auth_context->remote_port =
- *(int16_t *) input_chan_bindings->application_data.value;
+ (*context_handle)->auth_context->remote_port =
+ *(int16_t *) input_chan_bindings->application_data.value;
- (*context_handle)->auth_context->local_port =
- *((int16_t *) input_chan_bindings->application_data.value + 1);
+ (*context_handle)->auth_context->local_port =
+ *((int16_t *) input_chan_bindings->application_data.value + 1);
- kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
- &input_chan_bindings->acceptor_address,
- (*context_handle)->auth_context->local_port,
- &acceptor_addr);
- if (kret) {
- gssapi_krb5_set_error_string ();
- ret = GSS_S_BAD_BINDINGS;
- *minor_status = kret;
- goto failure;
- }
+ kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
+ &input_chan_bindings->acceptor_address,
+ (*context_handle)->auth_context->local_port,
+ &acceptor_addr);
+ if (kret) {
+ gssapi_krb5_set_error_string ();
+ ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
+ goto failure;
+ }
- kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
- &input_chan_bindings->initiator_address,
- (*context_handle)->auth_context->remote_port,
- &initiator_addr);
- if (kret) {
- krb5_free_address (gssapi_krb5_context, &acceptor_addr);
- gssapi_krb5_set_error_string ();
- ret = GSS_S_BAD_BINDINGS;
- *minor_status = kret;
- goto failure;
- }
+ kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
+ &input_chan_bindings->initiator_address,
+ (*context_handle)->auth_context->remote_port,
+ &initiator_addr);
+ if (kret) {
+ krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+ gssapi_krb5_set_error_string ();
+ ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
+ goto failure;
+ }
- kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &acceptor_addr, /* local address */
- &initiator_addr); /* remote address */
+ kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &acceptor_addr, /* local address */
+ &initiator_addr); /* remote address */
- krb5_free_address (gssapi_krb5_context, &initiator_addr);
- krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+ krb5_free_address (gssapi_krb5_context, &initiator_addr);
+ krb5_free_address (gssapi_krb5_context, &acceptor_addr);
#if 0
- free(input_chan_bindings->application_data.value);
- input_chan_bindings->application_data.value = NULL;
- input_chan_bindings->application_data.length = 0;
+ free(input_chan_bindings->application_data.value);
+ input_chan_bindings->application_data.value = NULL;
+ input_chan_bindings->application_data.length = 0;
#endif
- if (kret) {
- gssapi_krb5_set_error_string ();
- ret = GSS_S_BAD_BINDINGS;
- *minor_status = kret;
- goto failure;
- }
- }
+ if (kret) {
+ gssapi_krb5_set_error_string ();
+ ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
+ goto failure;
+ }
+ }
- {
- int32_t tmp;
-
- krb5_auth_con_getflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &tmp);
- tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
- krb5_auth_con_setflags(gssapi_krb5_context,
- (*context_handle)->auth_context,
- tmp);
- }
-
- ret = gssapi_krb5_decapsulate (minor_status,
- input_token_buffer,
- &indata,
- "\x01\x00");
- if (ret)
- goto failure;
-
- if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
- if (gssapi_krb5_keytab != NULL) {
- keytab = gssapi_krb5_keytab;
- }
- } else if (acceptor_cred_handle->keytab != NULL) {
- keytab = acceptor_cred_handle->keytab;
- }
-
- kret = krb5_rd_req (gssapi_krb5_context,
- &(*context_handle)->auth_context,
- &indata,
- (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
+ {
+ int32_t tmp;
+
+ krb5_auth_con_getflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &tmp);
+ tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
+ krb5_auth_con_setflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ tmp);
+ }
+
+ ret = gssapi_krb5_decapsulate (minor_status,
+ input_token_buffer,
+ &indata,
+ "\x01\x00");
+ if (ret)
+ goto failure;
+
+ if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
+ if (gssapi_krb5_keytab != NULL) {
+ keytab = gssapi_krb5_keytab;
+ }
+ } else if (acceptor_cred_handle->keytab != NULL) {
+ keytab = acceptor_cred_handle->keytab;
+ }
+
+ kret = krb5_rd_req (gssapi_krb5_context,
+ &(*context_handle)->auth_context,
+ &indata,
+ (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL
: acceptor_cred_handle->principal,
- keytab,
- &ap_options,
- &ticket);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- ticket->client,
- &(*context_handle)->source);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- ticket->server,
- &(*context_handle)->target);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- if (src_name != NULL) {
+ keytab,
+ &ap_options,
+ &ticket);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ goto failure;
+ }
+
kret = krb5_copy_principal (gssapi_krb5_context,
ticket->client,
- src_name);
+ &(*context_handle)->source);
if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ goto failure;
}
- }
- {
- krb5_authenticator authenticator;
-
- kret = krb5_auth_con_getauthenticator(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &authenticator);
- if(kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- ret = gssapi_krb5_verify_8003_checksum(minor_status,
- input_chan_bindings,
- authenticator->cksum,
- &flags,
- &fwd_data);
- krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret)
+ kret = krb5_copy_principal (gssapi_krb5_context,
+ ticket->server,
+ &(*context_handle)->target);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
goto failure;
- }
+ }
- if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
-
- krb5_ccache ccache;
+ ret = _gss_DES3_get_mic_compat(minor_status, *context_handle);
+ if (ret)
+ goto failure;
+
+ if (src_name != NULL) {
+ kret = krb5_copy_principal (gssapi_krb5_context,
+ ticket->client,
+ src_name);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ goto failure;
+ }
+ }
+
+ {
+ krb5_authenticator authenticator;
- if (delegated_cred_handle == NULL)
- /* XXX Create a new delegated_cred_handle? */
- kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- else if (*delegated_cred_handle == NULL) {
- if ((*delegated_cred_handle =
- calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
+ kret = krb5_auth_con_getauthenticator(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &authenticator);
+ if(kret) {
ret = GSS_S_FAILURE;
- *minor_status = ENOMEM;
- krb5_set_error_string(gssapi_krb5_context, "out of memory");
- gssapi_krb5_set_error_string();
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
goto failure;
- }
- if ((ret = gss_duplicate_name(minor_status, ticket->client,
- &(*delegated_cred_handle)->principal)) != 0) {
- flags &= ~GSS_C_DELEG_FLAG;
- free(*delegated_cred_handle);
- *delegated_cred_handle = NULL;
- goto end_fwd;
- }
- }
- if (delegated_cred_handle != NULL &&
- (*delegated_cred_handle)->ccache == NULL) {
+ }
+
+ ret = gssapi_krb5_verify_8003_checksum(minor_status,
+ input_chan_bindings,
+ authenticator->cksum,
+ &flags,
+ &fwd_data);
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+ if (ret)
+ goto failure;
+ }
+
+ if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+
+ krb5_ccache ccache;
+
+ if (delegated_cred_handle == NULL)
+ /* XXX Create a new delegated_cred_handle? */
+ kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+ else if (*delegated_cred_handle == NULL) {
+ if ((*delegated_cred_handle =
+ calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
+ ret = GSS_S_FAILURE;
+ *minor_status = ENOMEM;
+ krb5_set_error_string(gssapi_krb5_context, "out of memory");
+ gssapi_krb5_set_error_string();
+ goto failure;
+ }
+ if ((ret = gss_duplicate_name(minor_status, ticket->client,
+ &(*delegated_cred_handle)->principal)) != 0) {
+ flags &= ~GSS_C_DELEG_FLAG;
+ free(*delegated_cred_handle);
+ *delegated_cred_handle = NULL;
+ goto end_fwd;
+ }
+ }
+ if (delegated_cred_handle != NULL &&
+ (*delegated_cred_handle)->ccache == NULL) {
kret = krb5_cc_gen_new (gssapi_krb5_context,
&krb5_mcc_ops,
&(*delegated_cred_handle)->ccache);
- ccache = (*delegated_cred_handle)->ccache;
- }
- if (delegated_cred_handle != NULL &&
- (*delegated_cred_handle)->mechanisms == NULL) {
+ ccache = (*delegated_cred_handle)->ccache;
+ }
+ if (delegated_cred_handle != NULL &&
+ (*delegated_cred_handle)->mechanisms == NULL) {
ret = gss_create_empty_oid_set(minor_status,
- &(*delegated_cred_handle)->mechanisms);
+ &(*delegated_cred_handle)->mechanisms);
if (ret)
- goto failure;
+ goto failure;
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &(*delegated_cred_handle)->mechanisms);
+ &(*delegated_cred_handle)->mechanisms);
if (ret)
- goto failure;
- }
+ goto failure;
+ }
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
+ if (kret) {
+ flags &= ~GSS_C_DELEG_FLAG;
+ goto end_fwd;
+ }
- kret = krb5_cc_initialize(gssapi_krb5_context,
- ccache,
- *src_name);
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
+ kret = krb5_cc_initialize(gssapi_krb5_context,
+ ccache,
+ *src_name);
+ if (kret) {
+ flags &= ~GSS_C_DELEG_FLAG;
+ goto end_fwd;
+ }
- kret = krb5_rd_cred2(gssapi_krb5_context,
- (*context_handle)->auth_context,
- ccache,
- &fwd_data);
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
-end_fwd:
- free(fwd_data.data);
- }
+ kret = krb5_rd_cred2(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ ccache,
+ &fwd_data);
+ if (kret) {
+ flags &= ~GSS_C_DELEG_FLAG;
+ goto end_fwd;
+ }
+
+ end_fwd:
+ free(fwd_data.data);
+ }
- flags |= GSS_C_TRANS_FLAG;
+ flags |= GSS_C_TRANS_FLAG;
- if (ret_flags)
- *ret_flags = flags;
- (*context_handle)->flags = flags;
- (*context_handle)->more_flags |= OPEN;
+ if (ret_flags)
+ *ret_flags = flags;
+ (*context_handle)->lifetime = ticket->ticket.endtime;
+ (*context_handle)->flags = flags;
+ (*context_handle)->more_flags |= OPEN;
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
+ if (mech_type)
+ *mech_type = GSS_KRB5_MECHANISM;
- if (time_rec)
- *time_rec = GSS_C_INDEFINITE;
+ if (time_rec)
+ *time_rec = (*context_handle)->lifetime;
- if(flags & GSS_C_MUTUAL_FLAG) {
- krb5_data outbuf;
+ if(flags & GSS_C_MUTUAL_FLAG) {
+ krb5_data outbuf;
- kret = krb5_mk_rep (gssapi_krb5_context,
- (*context_handle)->auth_context,
- &outbuf);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
+ kret = krb5_mk_rep (gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &outbuf);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ goto failure;
+ }
+ ret = gssapi_krb5_encapsulate (minor_status,
+ &outbuf,
+ output_token,
+ "\x02\x00");
+ krb5_data_free (&outbuf);
+ if (ret)
+ goto failure;
+ } else {
+ output_token->length = 0;
+ output_token->value = NULL;
}
- ret = gssapi_krb5_encapsulate (minor_status,
- &outbuf,
- output_token,
- "\x02\x00");
- krb5_data_free (&outbuf);
- if (ret)
- goto failure;
- } else {
- output_token->length = 0;
- }
- (*context_handle)->ticket = ticket;
- ticket = NULL;
+ (*context_handle)->ticket = ticket;
+ ticket = NULL;
#if 0
- krb5_free_ticket (context, ticket);
+ krb5_free_ticket (context, ticket);
#endif
- return GSS_S_COMPLETE;
-
-failure:
- if (fwd_data.length > 0)
- free(fwd_data.data);
- if (ticket != NULL)
- krb5_free_ticket (gssapi_krb5_context, ticket);
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- free (*context_handle);
- if (src_name != NULL) {
- gss_release_name (&minor, src_name);
- *src_name = NULL;
- }
- *context_handle = GSS_C_NO_CONTEXT;
- return ret;
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+
+ failure:
+ if (fwd_data.length > 0)
+ free(fwd_data.data);
+ if (ticket != NULL)
+ krb5_free_ticket (gssapi_krb5_context, ticket);
+ krb5_auth_con_free (gssapi_krb5_context,
+ (*context_handle)->auth_context);
+ if((*context_handle)->source)
+ krb5_free_principal (gssapi_krb5_context,
+ (*context_handle)->source);
+ if((*context_handle)->target)
+ krb5_free_principal (gssapi_krb5_context,
+ (*context_handle)->target);
+ free (*context_handle);
+ if (src_name != NULL) {
+ gss_release_name (&minor, src_name);
+ *src_name = NULL;
+ }
+ *context_handle = GSS_C_NO_CONTEXT;
+ return ret;
}
diff --git a/crypto/heimdal/lib/gssapi/acquire_cred.c b/crypto/heimdal/lib/gssapi/acquire_cred.c
index 6940b26..503ac91 100644
--- a/crypto/heimdal/lib/gssapi/acquire_cred.c
+++ b/crypto/heimdal/lib/gssapi/acquire_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: acquire_cred.c,v 1.10 2002/08/20 12:02:45 nectar Exp $");
+RCSID("$Id: acquire_cred.c,v 1.13 2003/04/06 00:31:55 lha Exp $");
static krb5_error_code
get_keytab(krb5_keytab *keytab)
@@ -95,8 +95,9 @@ static OM_uint32 acquire_initiator_cred
} else if (handle->principal != NULL &&
krb5_principal_compare(gssapi_krb5_context, handle->principal,
def_princ) == FALSE) {
- kret = KRB5_PRINC_NOMATCH;
- goto end;
+ /* Before failing, lets check the keytab */
+ krb5_free_principal(gssapi_krb5_context, def_princ);
+ def_princ = NULL;
}
if (def_princ == NULL) {
/* We have no existing credentials cache,
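Review bot: The context comment `/* We have no existing credentials cache,` now describes only one of two ways into the `def_princ == NULL` branch, because the added lines also send a principal that does not match the cache's default principal there. Extending it along the lines of `/* ...or the cache belongs to another principal; fall back to the keytab */` keeps the comment honest about the new flow. acquire_initiator_cred continues outside the hunk, so whether the keytab fallback still reports the original KRB5_PRINC_NOMATCH when no matching key exists is not visible here.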
@@ -126,7 +127,36 @@ static OM_uint32 acquire_initiator_cred
kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
if (kret)
goto end;
+ handle->lifetime = cred.times.endtime;
+ } else {
+ krb5_creds in_cred, *out_cred;
+ krb5_const_realm realm;
+
+ memset(&in_cred, 0, sizeof(in_cred));
+ in_cred.client = handle->principal;
+
+ realm = krb5_principal_get_realm(gssapi_krb5_context,
+ handle->principal);
+ if (realm == NULL) {
+ kret = KRB5_PRINC_NOMATCH; /* XXX */
+ goto end;
+ }
+
+ kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
+ realm, KRB5_TGS_NAME, realm, NULL);
+ if (kret)
+ goto end;
+
+ kret = krb5_get_credentials(gssapi_krb5_context, 0,
+ ccache, &in_cred, &out_cred);
+ krb5_free_principal(gssapi_krb5_context, in_cred.server);
+ if (kret)
+ goto end;
+
+ handle->lifetime = out_cred->times.endtime;
+ krb5_free_creds(gssapi_krb5_context, out_cred);
}
+
handle->ccache = ccache;
ret = GSS_S_COMPLETE;
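Review bot: The new else branch only needs the expiry of a TGT that is already in the cache, yet it calls `krb5_get_credentials(gssapi_krb5_context, 0, ccache, &in_cred, &out_cred)` with no options; presumably that may contact the KDC when no matching TGT is cached, turning a local credential lookup inside gss_acquire_cred into a network round trip. If this tree offers a cache-only option for krb5_get_credentials (KRB5_GC_CACHED in later Heimdal), passing it here keeps the call local; otherwise a comment noting the possible KDC traffic is warranted. The `if (realm == NULL)` fallback to KRB5_PRINC_NOMATCH is already marked `/* XXX */`, and the enclosing function continues outside the hunk.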
@@ -195,12 +225,32 @@ OM_uint32 gss_acquire_cred
gss_cred_id_t handle;
OM_uint32 ret;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
+
+ *output_cred_handle = NULL;
+ if (time_rec)
+ *time_rec = 0;
+ if (actual_mechs)
+ *actual_mechs = GSS_C_NO_OID_SET;
+
+ if (desired_mechs) {
+ OM_uint32 present = 0;
+
+ ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+ desired_mechs, &present);
+ if (ret)
+ return ret;
+ if (!present) {
+ *minor_status = 0;
+ return GSS_S_BAD_MECH;
+ }
+ }
- *minor_status = 0;
handle = (gss_cred_id_t)malloc(sizeof(*handle));
- if (handle == GSS_C_NO_CREDENTIAL)
+ if (handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = ENOMEM;
return (GSS_S_FAILURE);
+ }
memset(handle, 0, sizeof (*handle));
@@ -219,14 +269,17 @@ OM_uint32 gss_acquire_cred
free(handle);
return (ret);
}
- }
- if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
+ } else if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
free(handle);
return (ret);
}
+ } else {
+ free(handle);
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return GSS_S_FAILURE;
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
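Review bot: Turning the acceptor test into `} else if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {` means a GSS_C_BOTH request that satisfied the preceding branch never reaches acquire_acceptor_cred; if the first branch's condition (outside the hunk) also accepts GSS_C_BOTH, such credentials silently lose their acceptor side and keytab. Keeping the second test as a separate `if`, or restructuring so that GSS_C_BOTH runs both acquisitions, preserves the old behaviour while the new trailing `else` still rejects unknown usages.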
@@ -241,8 +294,9 @@ OM_uint32 gss_acquire_cred
free(handle);
return (ret);
}
- /* XXX */
- handle->lifetime = time_req;
+ *minor_status = 0;
+ if (time_rec)
+ *time_rec = handle->lifetime;
handle->usage = cred_usage;
*output_cred_handle = handle;
return (GSS_S_COMPLETE);
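Review bot: `*time_rec = handle->lifetime;` hands back an absolute expiry, since handle->lifetime is assigned from `cred.times.endtime` and `out_cred->times.endtime` earlier in this file, whereas gss_context_time in this same import reports `lifetime - timeret`, a remaining duration; gss_acquire_cred's time_rec is specified as seconds of remaining validity, so callers receive a timestamp where they expect a countdown. Computing the difference against the current time here, clamped at 0 when the credential has already expired, would make the two consistent. The same pattern appears in gss_accept_sec_context's `*time_rec = (*context_handle)->lifetime;` earlier on this page.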
diff --git a/crypto/heimdal/lib/gssapi/add_cred.c b/crypto/heimdal/lib/gssapi/add_cred.c
new file mode 100644
index 0000000..1e23a5b
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/add_cred.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: add_cred.c,v 1.2 2003/04/06 00:29:17 lha Exp $");
+
+OM_uint32 gss_add_cred (
+ OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ const gss_name_t desired_name,
+ const gss_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_time_req,
+ OM_uint32 acceptor_time_req,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *initiator_time_rec,
+ OM_uint32 *acceptor_time_rec)
+{
+ OM_uint32 ret, lifetime;
+ gss_cred_id_t cred, handle;
+
+ handle = NULL;
+ cred = input_cred_handle;
+
+ if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MECH;
+ }
+
+ if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) {
+ *minor_status = 0;
+ return GSS_S_NO_CRED;
+ }
+
+ /* check if requested output usage is compatible with output usage */
+ if (output_cred_handle != NULL &&
+ (cred->usage != cred_usage && cred->usage != GSS_C_BOTH)) {
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return(GSS_S_FAILURE);
+ }
+
+ /* check that we have the same name */
+ if (desired_name != GSS_C_NO_NAME &&
+ krb5_principal_compare(gssapi_krb5_context, desired_name,
+ cred->principal) != FALSE) {
+ *minor_status = 0;
+ return GSS_S_BAD_NAME;
+ }
+
+ /* make a copy */
+ if (output_cred_handle) {
+
+ handle = (gss_cred_id_t)malloc(sizeof(*handle));
+ if (handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ memset(handle, 0, sizeof (*handle));
+
+ handle->usage = cred_usage;
+ handle->lifetime = cred->lifetime;
+ handle->principal = NULL;
+ handle->keytab = NULL;
+ handle->ccache = NULL;
+ handle->mechanisms = NULL;
+
+ ret = GSS_S_FAILURE;
+
+ ret = gss_duplicate_name(minor_status, cred->principal,
+ &handle->principal);
+ if (ret) {
+ free(handle);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ if (cred->keytab) {
+ krb5_error_code kret;
+ char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
+ int len;
+
+ ret = GSS_S_FAILURE;
+
+ kret = krb5_kt_get_type(gssapi_krb5_context, cred->keytab,
+ name, KRB5_KT_PREFIX_MAX_LEN);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
+ len = strlen(name);
+ name[len++] = ':';
+
+ kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab,
+ name + len,
+ sizeof(name) - len);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
+
+ kret = krb5_kt_resolve(gssapi_krb5_context, name,
+ &handle->keytab);
+ if (kret){
+ *minor_status = kret;
+ goto failure;
+ }
+ }
+
+ if (cred->ccache) {
+ krb5_error_code kret;
+ const char *type, *name;
+ char *type_name;
+
+ ret = GSS_S_FAILURE;
+
+ type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache);
+ if (type == NULL){
+ *minor_status = ENOMEM;
+ goto failure;
+ }
+
+ name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache);
+ if (name == NULL) {
+ *minor_status = ENOMEM;
+ goto failure;
+ }
+
+ asprintf(&type_name, "%s:%s", type, name);
+ if (type_name == NULL) {
+ *minor_status = ENOMEM;
+ goto failure;
+ }
+
+ kret = krb5_cc_resolve(gssapi_krb5_context, type_name,
+ &handle->ccache);
+ free(type_name);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
+ }
+
+ ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+ if (ret)
+ goto failure;
+
+ ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+ &handle->mechanisms);
+ if (ret)
+ goto failure;
+ }
+
+ ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime,
+ NULL, actual_mechs);
+ if (ret)
+ goto failure;
+
+ if (initiator_time_rec)
+ *initiator_time_rec = lifetime;
+ if (acceptor_time_rec)
+ *acceptor_time_rec = lifetime;
+
+ if (output_cred_handle)
+ *output_cred_handle = handle;
+
+ *minor_status = 0;
+ return ret;
+
+ failure:
+
+ if (handle) {
+ if (handle->principal)
+ gss_release_name(NULL, &handle->principal);
+ if (handle->keytab)
+ krb5_kt_close(gssapi_krb5_context, handle->keytab);
+ if (handle->ccache)
+ krb5_cc_destroy(gssapi_krb5_context, handle->ccache);
+ if (handle->mechanisms)
+ gss_release_oid_set(NULL, &handle->mechanisms);
+ free(handle);
+ }
+ return ret;
+}
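Review bot: `(cred->usage != cred_usage && cred->usage != GSS_C_BOTH)` dereferences a NULL handle when input_cred_handle is GSS_C_NO_CREDENTIAL and output_cred_handle is non-NULL, because the guard above it only rejects the combination where output_cred_handle is also NULL; `cred->principal` in the name check has the same problem. Either reject the missing credential outright (`if (cred == GSS_C_NO_CREDENTIAL) { *minor_status = 0; return GSS_S_NO_CRED; }`) or resolve a default credential before these checks. In the failure path, `krb5_cc_destroy(gssapi_krb5_context, handle->ccache)` acts on a cache resolved from the same `type:name` as the input credential's cache, so if destroy removes the backing store as it does elsewhere in the krb5 API, a failed copy would wipe the caller's credentials; `krb5_cc_close` is the safer cleanup for a handle that was only resolved. The return value of `asprintf(&type_name, "%s:%s", type, name)` is unchecked and type_name is not guaranteed to be NULL on failure, so the test should be `if (asprintf(&type_name, "%s:%s", type, name) < 0)`.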
diff --git a/crypto/heimdal/lib/gssapi/add_oid_set_member.c b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
index baf70c5..ed654fc 100644
--- a/crypto/heimdal/lib/gssapi/add_oid_set_member.c
+++ b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: add_oid_set_member.c,v 1.7 2001/02/18 03:39:08 assar Exp $");
+RCSID("$Id: add_oid_set_member.c,v 1.8 2003/03/16 17:50:49 lha Exp $");
OM_uint32 gss_add_oid_set_member (
OM_uint32 * minor_status,
@@ -50,8 +50,10 @@ OM_uint32 gss_add_oid_set_member (
if (res != GSS_S_COMPLETE)
return res;
- if (present)
+ if (present) {
+ *minor_status = 0;
return GSS_S_COMPLETE;
+ }
n = (*oid_set)->count + 1;
tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
@@ -62,5 +64,6 @@ OM_uint32 gss_add_oid_set_member (
(*oid_set)->elements = tmp;
(*oid_set)->count = n;
(*oid_set)->elements[n-1] = *member_oid;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/compare_name.c b/crypto/heimdal/lib/gssapi/compare_name.c
index 5926b15..da494b0 100644
--- a/crypto/heimdal/lib/gssapi/compare_name.c
+++ b/crypto/heimdal/lib/gssapi/compare_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: compare_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: compare_name.c,v 1.4 2003/03/16 17:50:07 lha Exp $");
OM_uint32 gss_compare_name
(OM_uint32 * minor_status,
@@ -42,8 +42,10 @@ OM_uint32 gss_compare_name
int * name_equal
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT();
+
*name_equal = krb5_principal_compare (gssapi_krb5_context,
name1, name2);
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/compat.c b/crypto/heimdal/lib/gssapi/compat.c
new file mode 100644
index 0000000..311b1cb
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/compat.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: compat.c,v 1.2.2.2 2003/04/28 13:58:09 lha Exp $");
+
+
+static krb5_error_code
+check_compat(OM_uint32 *minor_status, gss_name_t name,
+ const char *option, krb5_boolean *compat,
+ krb5_boolean match_val)
+{
+ krb5_error_code ret = 0;
+ char **p, **q;
+ krb5_principal match;
+
+
+ p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi",
+ option, NULL);
+ if(p == NULL)
+ return 0;
+
+ for(q = p; *q; q++) {
+
+ ret = krb5_parse_name(gssapi_krb5_context, *q, &match);
+ if (ret)
+ break;
+
+ if (krb5_principal_match(gssapi_krb5_context, name, match)) {
+ *compat = match_val;
+ break;
+ }
+
+ krb5_free_principal(gssapi_krb5_context, match);
+ }
+ krb5_config_free_strings(p);
+
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ return 0;
+}
+
+OM_uint32
+_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
+{
+ krb5_boolean use_compat = TRUE;
+ OM_uint32 ret;
+
+ if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
+ ret = check_compat(minor_status, ctx->target,
+ "broken_des3_mic", &use_compat, TRUE);
+ if (ret)
+ return ret;
+ ret = check_compat(minor_status, ctx->target,
+ "correct_des3_mic", &use_compat, FALSE);
+ if (ret)
+ return ret;
+
+ if (use_compat)
+ ctx->more_flags |= COMPAT_OLD_DES3;
+ ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
+ }
+ return 0;
+}
+
+OM_uint32
+gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
+{
+ *minor_status = 0;
+
+ if (on) {
+ ctx->more_flags |= COMPAT_OLD_DES3;
+ } else {
+ ctx->more_flags &= ~COMPAT_OLD_DES3;
+ }
+ ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
+
+ return 0;
+}
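Review bot: In check_compat the `match` principal returned by krb5_parse_name is not freed on the `break` taken when krb5_principal_match succeeds, because `krb5_free_principal(gssapi_krb5_context, match)` sits after that break; one principal leaks per matching call. Replacing the matching branch with `{ *compat = match_val; krb5_free_principal(gssapi_krb5_context, match); break; }` closes it. check_compat is declared to return krb5_error_code yet returns the GSS major status GSS_S_FAILURE, which both callers then pass back as an OM_uint32; declaring it `static OM_uint32` matches how the value is used. The `use_compat = TRUE` default in _gss_DES3_get_mic_compat deserves a comment such as `/* the old DES3 MIC is assumed unless the peer is listed under correct_des3_mic */`, since the behaviour chosen when neither option matches is not obvious from the code.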
diff --git a/crypto/heimdal/lib/gssapi/context_time.c b/crypto/heimdal/lib/gssapi/context_time.c
index f933f9e..e947df6 100644
--- a/crypto/heimdal/lib/gssapi/context_time.c
+++ b/crypto/heimdal/lib/gssapi/context_time.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: context_time.c,v 1.5 2001/05/11 09:16:45 assar Exp $");
+RCSID("$Id: context_time.c,v 1.7 2003/03/16 17:48:33 lha Exp $");
OM_uint32 gss_context_time
(OM_uint32 * minor_status,
@@ -46,7 +46,7 @@ OM_uint32 gss_context_time
krb5_error_code kret;
krb5_timestamp timeret;
- gssapi_krb5_init();
+ GSSAPI_KRB5_INIT ();
ret = gss_inquire_context(minor_status, context_handle,
NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
@@ -62,5 +62,6 @@ OM_uint32 gss_context_time
}
*time_rec = lifetime - timeret;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/copy_ccache.c b/crypto/heimdal/lib/gssapi/copy_ccache.c
index a6f53df..2ffe065 100644
--- a/crypto/heimdal/lib/gssapi/copy_ccache.c
+++ b/crypto/heimdal/lib/gssapi/copy_ccache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,25 +33,26 @@
#include "gssapi_locl.h"
-RCSID("$Id: copy_ccache.c,v 1.2 2001/05/11 09:16:45 assar Exp $");
+RCSID("$Id: copy_ccache.c,v 1.3 2003/03/16 17:47:44 lha Exp $");
OM_uint32
-gss_krb5_copy_ccache(OM_uint32 *minor,
+gss_krb5_copy_ccache(OM_uint32 *minor_status,
gss_cred_id_t cred,
krb5_ccache out)
{
krb5_error_code kret;
if (cred->ccache == NULL) {
- *minor = EINVAL;
+ *minor_status = EINVAL;
return GSS_S_FAILURE;
}
kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
if (kret) {
- *minor = kret;
+ *minor_status = kret;
gssapi_krb5_set_error_string ();
return GSS_S_FAILURE;
}
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
index de71749..1a25e0d 100644
--- a/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
+++ b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: create_emtpy_oid_set.c,v 1.4 2001/02/18 03:39:08 assar Exp $");
+RCSID("$Id: create_emtpy_oid_set.c,v 1.5 2003/03/16 17:47:07 lha Exp $");
OM_uint32 gss_create_empty_oid_set (
OM_uint32 * minor_status,
@@ -47,5 +47,6 @@ OM_uint32 gss_create_empty_oid_set (
}
(*oid_set)->count = 0;
(*oid_set)->elements = NULL;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/delete_sec_context.c b/crypto/heimdal/lib/gssapi/delete_sec_context.c
index 06f44e3..2df1f39 100644
--- a/crypto/heimdal/lib/gssapi/delete_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/delete_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: delete_sec_context.c,v 1.9 2001/05/10 15:23:04 assar Exp $");
+RCSID("$Id: delete_sec_context.c,v 1.11 2003/03/16 17:46:40 lha Exp $");
OM_uint32 gss_delete_sec_context
(OM_uint32 * minor_status,
@@ -41,28 +41,29 @@ OM_uint32 gss_delete_sec_context
gss_buffer_t output_token
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
- if (output_token) {
- output_token->length = 0;
- output_token->value = NULL;
- }
+ if (output_token) {
+ output_token->length = 0;
+ output_token->value = NULL;
+ }
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- if ((*context_handle)->ticket) {
- krb5_free_ticket (gssapi_krb5_context,
- (*context_handle)->ticket);
- free((*context_handle)->ticket);
- }
+ krb5_auth_con_free (gssapi_krb5_context,
+ (*context_handle)->auth_context);
+ if((*context_handle)->source)
+ krb5_free_principal (gssapi_krb5_context,
+ (*context_handle)->source);
+ if((*context_handle)->target)
+ krb5_free_principal (gssapi_krb5_context,
+ (*context_handle)->target);
+ if ((*context_handle)->ticket) {
+ krb5_free_ticket (gssapi_krb5_context,
+ (*context_handle)->ticket);
+ free((*context_handle)->ticket);
+ }
- free (*context_handle);
- *context_handle = GSS_C_NO_CONTEXT;
- return GSS_S_COMPLETE;
+ free (*context_handle);
+ *context_handle = GSS_C_NO_CONTEXT;
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
}
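Review bot: The ticket cleanup `krb5_free_ticket (gssapi_krb5_context, (*context_handle)->ticket); free((*context_handle)->ticket);` on the new side disagrees with the failure path of gss_accept_sec_context in this same import, which releases a ticket with krb5_free_ticket alone; one of the two is wrong — either this site frees the struct twice or the other leaks it. Check krb5_free_ticket's ownership contract in the krb5 library and make both sites match. A one-line comment stating which it is (`/* krb5_free_ticket releases only the contents; the struct is ours */` or its converse) would prevent the next divergence.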
diff --git a/crypto/heimdal/lib/gssapi/display_name.c b/crypto/heimdal/lib/gssapi/display_name.c
index 1c25e67..27a232f 100644
--- a/crypto/heimdal/lib/gssapi/display_name.c
+++ b/crypto/heimdal/lib/gssapi/display_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: display_name.c,v 1.7 2001/05/11 09:16:46 assar Exp $");
+RCSID("$Id: display_name.c,v 1.9 2003/03/16 17:46:11 lha Exp $");
OM_uint32 gss_display_name
(OM_uint32 * minor_status,
@@ -42,31 +42,32 @@ OM_uint32 gss_display_name
gss_OID * output_name_type
)
{
- krb5_error_code kret;
- char *buf;
- size_t len;
+ krb5_error_code kret;
+ char *buf;
+ size_t len;
- gssapi_krb5_init ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &buf);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (buf);
- output_name_buffer->length = len;
- output_name_buffer->value = malloc(len + 1);
- if (output_name_buffer->value == NULL) {
+ GSSAPI_KRB5_INIT ();
+ kret = krb5_unparse_name (gssapi_krb5_context,
+ input_name,
+ &buf);
+ if (kret) {
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return GSS_S_FAILURE;
+ }
+ len = strlen (buf);
+ output_name_buffer->length = len;
+ output_name_buffer->value = malloc(len + 1);
+ if (output_name_buffer->value == NULL) {
+ free (buf);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy (output_name_buffer->value, buf, len);
+ ((char *)output_name_buffer->value)[len] = '\0';
free (buf);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (output_name_buffer->value, buf, len);
- ((char *)output_name_buffer->value)[len] = '\0';
- free (buf);
- if (output_name_type)
- *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
- return GSS_S_COMPLETE;
+ if (output_name_type)
+ *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
}
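Review bot: On the new malloc-failure branch `output_name_buffer->length` has already been set to `len` while `value` stays NULL, so the caller receives an inconsistent buffer together with GSS_S_FAILURE. Either assign the length only after the allocation succeeds, or add `output_name_buffer->length = 0;` next to the new `free (buf)`. The same pattern appears in the new gss_export_name body in export_name.c, where `exported_name->length` is set before the allocation is checked. The function's signature begins before this hunk.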
diff --git a/crypto/heimdal/lib/gssapi/display_status.c b/crypto/heimdal/lib/gssapi/display_status.c
index fc1451d..d266fa4 100644
--- a/crypto/heimdal/lib/gssapi/display_status.c
+++ b/crypto/heimdal/lib/gssapi/display_status.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: display_status.c,v 1.7 2001/08/23 04:34:41 assar Exp $");
+RCSID("$Id: display_status.c,v 1.9 2003/03/16 17:45:36 lha Exp $");
static char *krb5_error_string;
@@ -93,6 +93,26 @@ routine_error(OM_uint32 v)
return msgs[v];
}
+static char *
+supplementary_error(OM_uint32 v)
+{
+ static char *msgs[] = {
+ "normal completion",
+ "continuation call to routine required",
+ "duplicate per-message token detected",
+ "timed-out per-message token detected",
+ "reordered (early) per-message token detected",
+ "skipped predecessor token(s) detected"
+ };
+
+ v >>= GSS_C_SUPPLEMENTARY_OFFSET;
+
+ if (v >= sizeof(msgs)/sizeof(*msgs))
+ return "unknown routine error";
+ else
+ return msgs[v];
+}
+
void
gssapi_krb5_set_error_string (void)
{
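Review bot: `supplementary_error` indexes `msgs` with the shifted supplementary field as if it were an ordinal, but the GSS-API supplementary codes are single-bit flags occupying successive bits (continue-needed, duplicate, old, unsequenced, gap), so after the shift they are 1, 2, 4, 8 and 16: an old-token status prints the "reordered" message and unsequenced or gap tokens fall into the fallback. Mapping the lowest set bit to a table index fixes the lookup; the fallback text should also be `"unknown supplementary error"` rather than the routine-error text copied from the function above, and the table can be `static const char *const`. Several supplementary bits may be set at once, and the version below reports only the lowest.
```c
static const char *
supplementary_error(OM_uint32 v)
{
    /* … unchanged: msgs[] table … */
    size_t i;

    v >>= GSS_C_SUPPLEMENTARY_OFFSET;
    if (v == 0)
        return msgs[0];
    /* supplementary codes are single-bit flags: the lowest set bit selects the entry */
    for (i = 1; (v & 1) == 0; v >>= 1) {
        if (++i >= sizeof(msgs)/sizeof(*msgs))
            return "unknown supplementary error";
    }
    return msgs[i];
}
```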
@@ -117,18 +137,25 @@ OM_uint32 gss_display_status
{
char *buf;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
- *minor_status = 0;
+ status_string->length = 0;
+ status_string->value = NULL;
- if (mech_type != GSS_C_NO_OID &&
- mech_type != GSS_KRB5_MECHANISM)
- return GSS_S_BAD_MECH;
+ if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
+ gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
+ *minor_status = 0;
+ return GSS_C_GSS_CODE;
+ }
if (status_type == GSS_C_GSS_CODE) {
- asprintf (&buf, "%s %s",
- calling_error(GSS_CALLING_ERROR(status_value)),
- routine_error(GSS_ROUTINE_ERROR(status_value)));
+ if (GSS_SUPPLEMENTARY_INFO(status_value))
+ asprintf(&buf, "%s",
+ supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
+ else
+ asprintf (&buf, "%s %s",
+ calling_error(GSS_CALLING_ERROR(status_value)),
+ routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = gssapi_krb5_get_error_string ();
if (buf == NULL) {
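Review bot: The new bad-mechanism branch returns `GSS_C_GSS_CODE`, which is the status_type selector (value 1), not a major status; under the RFC 2744 encoding that value is numerically GSS_S_CONTINUE_NEEDED, so a caller passing an unsupported mech_type is told to continue instead of getting the GSS_S_BAD_MECH the removed lines returned. Restore `return GSS_S_BAD_MECH;` there. Separately, both new `asprintf` calls leave their return value unchecked, and the later `if (buf == NULL)` only catches failure on implementations that NULL the pointer on error (BSD does; glibc leaves it indeterminate), so test the result instead, e.g. `if (asprintf(&buf, ...) < 0) buf = NULL;`. Whether `gss_oid_equal` accepts GSS_C_NO_OID (a null pointer) cannot be confirmed from this hunk; gss_display_status begins and ends outside it.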
@@ -140,8 +167,10 @@ OM_uint32 gss_display_status
else
buf = strdup(tmp);
}
- } else
+ } else {
+ *minor_status = EINVAL;
return GSS_S_BAD_STATUS;
+ }
if (buf == NULL) {
*minor_status = ENOMEM;
@@ -149,6 +178,7 @@ OM_uint32 gss_display_status
}
*message_context = 0;
+ *minor_status = 0;
status_string->length = strlen(buf);
status_string->value = buf;
diff --git a/crypto/heimdal/lib/gssapi/duplicate_name.c b/crypto/heimdal/lib/gssapi/duplicate_name.c
index b0ecdf2..2b54e90 100644
--- a/crypto/heimdal/lib/gssapi/duplicate_name.c
+++ b/crypto/heimdal/lib/gssapi/duplicate_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: duplicate_name.c,v 1.5 2001/05/11 09:16:46 assar Exp $");
+RCSID("$Id: duplicate_name.c,v 1.7 2003/03/16 17:44:26 lha Exp $");
OM_uint32 gss_duplicate_name (
OM_uint32 * minor_status,
@@ -41,18 +41,19 @@ OM_uint32 gss_duplicate_name (
gss_name_t * dest_name
)
{
- krb5_error_code kret;
+ krb5_error_code kret;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
- kret = krb5_copy_principal (gssapi_krb5_context,
- src_name,
- dest_name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- } else {
- return GSS_S_COMPLETE;
- }
+ kret = krb5_copy_principal (gssapi_krb5_context,
+ src_name,
+ dest_name);
+ if (kret) {
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return GSS_S_FAILURE;
+ } else {
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+ }
}
diff --git a/crypto/heimdal/lib/gssapi/export_name.c b/crypto/heimdal/lib/gssapi/export_name.c
index efbd9c4..c5fcbd4 100644
--- a/crypto/heimdal/lib/gssapi/export_name.c
+++ b/crypto/heimdal/lib/gssapi/export_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: export_name.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: export_name.c,v 1.5 2003/03/16 17:34:46 lha Exp $");
OM_uint32 gss_export_name
(OM_uint32 * minor_status,
@@ -41,8 +41,54 @@ OM_uint32 gss_export_name
gss_buffer_t exported_name
)
{
- return gss_display_name(minor_status,
- input_name,
- exported_name,
- NULL);
+ krb5_error_code kret;
+ char *buf, *name;
+ size_t len;
+
+ GSSAPI_KRB5_INIT ();
+ kret = krb5_unparse_name (gssapi_krb5_context,
+ input_name,
+ &name);
+ if (kret) {
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return GSS_S_FAILURE;
+ }
+ len = strlen (name);
+
+ exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length;
+ exported_name->value = malloc(exported_name->length);
+ if (exported_name->value == NULL) {
+ free (name);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
+
+ buf = exported_name->value;
+ memcpy(buf, "\x04\x01", 2);
+ buf += 2;
+ buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff;
+ buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff;
+ buf+= 2;
+ buf[0] = 0x06;
+ buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;
+ buf+= 2;
+
+ memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
+ buf += GSS_KRB5_MECHANISM->length;
+
+ buf[0] = (len >> 24) & 0xff;
+ buf[1] = (len >> 16) & 0xff;
+ buf[2] = (len >> 8) & 0xff;
+ buf[3] = (len) & 0xff;
+ buf += 4;
+
+ memcpy (buf, name, len);
+
+ free (name);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
}
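Review bot: The mechanism OID's DER length is emitted as a single byte (`buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;`) and the header size is hard-coded as `10`, which is only correct while the OID is shorter than 128 bytes (short-form DER length); that holds for the Kerberos OID but is an unstated assumption a future mechanism could break. Suggest a comment above the `exported_name->length` computation: `/* 10 = TOK_ID(2) + MECH_OID_LEN(2) + DER tag+len(2) + NAME_LEN(4); assumes a short-form DER length, i.e. an OID under 128 bytes */`. The `/* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */` line would then read as the layout it describes. gss_export_name's signature begins before this hunk.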
diff --git a/crypto/heimdal/lib/gssapi/export_sec_context.c b/crypto/heimdal/lib/gssapi/export_sec_context.c
index 30c5a11..c7e6265 100644
--- a/crypto/heimdal/lib/gssapi/export_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/export_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: export_sec_context.c,v 1.4 2001/02/18 03:39:09 assar Exp $");
+RCSID("$Id: export_sec_context.c,v 1.6 2003/03/16 18:02:52 lha Exp $");
OM_uint32
gss_export_sec_context (
@@ -51,9 +51,11 @@ gss_export_sec_context (
OM_uint32 minor;
krb5_error_code kret;
- gssapi_krb5_init ();
- if (!((*context_handle)->flags & GSS_C_TRANS_FLAG))
+ GSSAPI_KRB5_INIT ();
+ if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) {
+ *minor_status = 0;
return GSS_S_UNAVAILABLE;
+ }
sp = krb5_storage_emem ();
if (sp == NULL) {
@@ -145,27 +147,6 @@ gss_export_sec_context (
goto failure;
}
-#if 0
- {
- size_t sz;
- unsigned char auth_buf[1024];
-
- ret = encode_Authenticator (auth_buf, sizeof(auth_buf),
- ac->authenticator, &sz);
- if (ret) {
- krb5_storage_free (sp);
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- data.data = auth_buf;
- data.length = sz;
- kret = krb5_store_data (sp, data);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
-#endif
kret = krb5_store_int32 (sp, ac->keytype);
if (kret) {
*minor_status = kret;
@@ -196,6 +177,9 @@ gss_export_sec_context (
goto failure;
data.data = buffer.value;
data.length = buffer.length;
+
+ ret = GSS_S_FAILURE;
+
kret = krb5_store_data (sp, data);
gss_release_buffer (&minor, &buffer);
if (kret) {
@@ -213,6 +197,11 @@ gss_export_sec_context (
*minor_status = kret;
goto failure;
}
+ kret = krb5_store_int32 (sp, (*context_handle)->lifetime);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
kret = krb5_storage_to_data (sp, &data);
krb5_storage_free (sp);
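Review bot: `krb5_store_int32 (sp, (*context_handle)->lifetime)` narrows the new `time_t lifetime` field to 32 bits, so the exported token silently truncates any lifetime that does not fit an int32 (post-2038 values on 64-bit time_t platforms). A comment at the store, `/* lifetime is a time_t; the token format carries it as int32 */`, or a range check before storing, makes the limitation explicit, and the matching import routine must read it back with the same width. gss_export_sec_context continues outside this hunk.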
@@ -226,6 +215,7 @@ gss_export_sec_context (
GSS_C_NO_BUFFER);
if (ret != GSS_S_COMPLETE)
gss_release_buffer (NULL, interprocess_token);
+ *minor_status = 0;
return ret;
failure:
krb5_storage_free (sp);
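Review bot: `*minor_status = 0;` is now executed unconditionally before `return ret;`, including when the preceding call failed (`ret != GSS_S_COMPLETE`) and the interprocess token was just released, which discards whatever minor code that call may have stored. Move the assignment under the success case: `if (ret != GSS_S_COMPLETE) gss_release_buffer (NULL, interprocess_token); else *minor_status = 0;`. The failing call and the `failure:` cleanup lie partly outside this hunk.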
diff --git a/crypto/heimdal/lib/gssapi/get_mic.c b/crypto/heimdal/lib/gssapi/get_mic.c
index 720a2ff..e890b08 100644
--- a/crypto/heimdal/lib/gssapi/get_mic.c
+++ b/crypto/heimdal/lib/gssapi/get_mic.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: get_mic.c,v 1.19 2001/10/31 13:37:39 nectar Exp $");
+RCSID("$Id: get_mic.c,v 1.21 2003/03/16 18:02:04 lha Exp $");
static OM_uint32
mic_des
@@ -115,6 +115,7 @@ mic_des
memset (deskey, 0, sizeof(deskey));
memset (schedule, 0, sizeof(schedule));
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
@@ -139,6 +140,7 @@ mic_des3
krb5_error_code kret;
krb5_data encdata;
char *tmp;
+ char ivec[8];
gssapi_krb5_encap_length (36, &len, &total_len);
@@ -219,10 +221,15 @@ mic_des3
return GSS_S_FAILURE;
}
- kret = krb5_encrypt (gssapi_krb5_context,
- crypto,
- KRB5_KU_USAGE_SEQ,
- seq, 8, &encdata);
+ if (context_handle->more_flags & COMPAT_OLD_DES3)
+ memset(ivec, 0, 8);
+ else
+ memcpy(ivec, p + 8, 8);
+
+ kret = krb5_encrypt_ivec (gssapi_krb5_context,
+ crypto,
+ KRB5_KU_USAGE_SEQ,
+ seq, 8, &encdata, ivec);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
if (kret) {
free (message_token->value);
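Review bot: The IV selection hard-codes the length `8` in `memset(ivec, 0, 8)` and `memcpy(ivec, p + 8, 8)` although `ivec` is declared as `char ivec[8]` in the previous hunk; `sizeof(ivec)` ties both copies to the declaration. The zero-IV branch also deserves a why-comment, since it reproduces the pre-0.6 DES3 MIC that the gssapi.3 page in this same import documents as non-interoperable: `/* COMPAT_OLD_DES3: pre-0.6 peers encrypted the sequence number with a zero IV */`. Whether `p + 8` is the start of the checksum cannot be confirmed from this hunk; mic_des3 begins and ends outside it.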
@@ -241,6 +248,7 @@ mic_des3
++seq_number);
free_Checksum (&cksum);
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/gss_acquire_cred.3 b/crypto/heimdal/lib/gssapi/gss_acquire_cred.3
new file mode 100644
index 0000000..1d8c0a0
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gss_acquire_cred.3
@@ -0,0 +1,465 @@
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: gss_acquire_cred.3,v 1.8.2.1 2003/04/28 13:41:42 lha Exp $
+.\"
+.Dd April 2, 2003
+.Dt GSS_ACQUIRE_CRED 3
+.Os HEIMDAL
+.Sh NAME
+.Nm gss_accept_sec_context ,
+.Nm gss_acquire_cred ,
+.Nm gss_add_cred ,
+.Nm gss_add_oid_set_member ,
+.Nm gss_canonicalize_name ,
+.Nm gss_compare_name ,
+.Nm gss_context_time ,
+.Nm gss_create_empty_oid_set ,
+.Nm gss_delete_sec_context ,
+.Nm gss_display_name ,
+.Nm gss_display_status ,
+.Nm gss_duplicate_name ,
+.Nm gss_export_name ,
+.Nm gss_export_sec_context ,
+.Nm gss_get_mic ,
+.Nm gss_import_name ,
+.Nm gss_import_sec_context ,
+.Nm gss_indicate_mechs ,
+.Nm gss_init_sec_context ,
+.Nm gss_inquire_context ,
+.Nm gss_inquire_cred ,
+.Nm gss_inquire_cred_by_mech ,
+.Nm gss_inquire_mechs_for_name ,
+.Nm gss_inquire_names_for_mech ,
+.Nm gss_krb5_copy_ccache ,
+.Nm gss_krb5_compat_des3_mic ,
+.Nm gss_process_context_token ,
+.Nm gss_release_buffer ,
+.Nm gss_release_cred ,
+.Nm gss_release_name ,
+.Nm gss_release_oid_set ,
+.Nm gss_seal ,
+.Nm gss_sign ,
+.Nm gss_test_oid_set_member ,
+.Nm gss_unseal ,
+.Nm gss_unwrap ,
+.Nm gss_verify ,
+.Nm gss_verify_mic ,
+.Nm gss_wrap ,
+.Nm gss_wrap_size_limit
+.Nd Generic Security Service Application Program Interface library
+.Sh LIBRARY
+GSS-API library (libgssapi, -lgssapi)
+.Sh SYNOPSIS
+.In gssapi.h
+.Pp
+.Ft OM_uint32
+.Fo gss_accept_sec_context
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t * context_handle"
+.Fa "const gss_cred_id_t acceptor_cred_handle"
+.Fa "const gss_buffer_t input_token_buffer"
+.Fa "const gss_channel_bindings_t input_chan_bindings"
+.Fa "gss_name_t * src_name"
+.Fa "gss_OID * mech_type"
+.Fa "gss_buffer_t output_token"
+.Fa "OM_uint32 * ret_flags"
+.Fa "OM_uint32 * time_rec"
+.Fa "gss_cred_id_t * delegated_cred_handle"
+.Fc
+.Pp
+.Ft OM_uint32
+.Fo gss_acquire_cred
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t desired_name"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_OID_set desired_mechs"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "gss_cred_id_t * output_cred_handle"
+.Fa "gss_OID_set * actual_mechs"
+.Fa "OM_uint32 * time_rec"
+.Fc
+.\" .Fn gss_add_cred
+.Ft OM_uint32
+.Fo gss_add_oid_set_member
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_OID member_oid"
+.Fa "gss_OID_set * oid_set"
+.Fc
+.Ft OM_uint32
+.Fo gss_canonicalize_name
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "const gss_OID mech_type"
+.Fa "gss_name_t * output_name"
+.Fc
+.Ft OM_uint32
+.Fo gss_compare_name
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t name1"
+.Fa "const gss_name_t name2"
+.Fa "int * name_equal"
+.Fc
+.Ft OM_uint32
+.Fo gss_context_time
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "OM_uint32 * time_rec"
+.Fc
+.Ft OM_uint32
+.Fo gss_create_empty_oid_set
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_OID_set * oid_set"
+.Fc
+.Ft OM_uint32
+.Fo gss_delete_sec_context
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t * context_handle"
+.Fa "gss_buffer_t output_token"
+.Fc
+.Ft OM_uint32
+.Fo gss_display_name
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "gss_buffer_t output_name_buffer"
+.Fa "gss_OID * output_name_type"
+.Fc
+.Ft OM_uint32
+.Fo gss_display_status
+.Fa "OM_uint32 *minor_status"
+.Fa "OM_uint32 status_value"
+.Fa "int status_type"
+.Fa "const gss_OID mech_type"
+.Fa "OM_uint32 *message_context"
+.Fa "gss_buffer_t status_string"
+.Fc
+.Ft OM_uint32
+.Fo gss_duplicate_name
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t src_name"
+.Fa "gss_name_t * dest_name"
+.Fc
+.Ft OM_uint32
+.Fo gss_export_name
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "gss_buffer_t exported_name"
+.Fc
+.Ft OM_uint32
+.Fo gss_export_sec_context
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t * context_handle"
+.Fa "gss_buffer_t interprocess_token"
+.Fc
+.Ft OM_uint32
+.Fo gss_get_mic
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "gss_qop_t qop_req"
+.Fa "const gss_buffer_t message_buffer"
+.Fa "gss_buffer_t message_token"
+.Fc
+.Ft OM_uint32
+.Fo gss_import_name
+.Fa "OM_uint32 * minor_status,
+.Fa "const gss_buffer_t input_name_buffer"
+.Fa "const gss_OID input_name_type"
+.Fa "gss_name_t * output_name"
+.Fc
+.Ft OM_uint32
+.Fo gss_import_sec_context
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_buffer_t interprocess_token"
+.Fa "gss_ctx_id_t * context_handle"
+.Fc
+.Ft OM_uint32
+.Fo gss_indicate_mechs
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_OID_set * mech_set"
+.Fc
+.Ft OM_uint32
+.Fo gss_init_sec_context
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_cred_id_t initiator_cred_handle"
+.Fa "gss_ctx_id_t * context_handle"
+.Fa "const gss_name_t target_name"
+.Fa "const gss_OID mech_type"
+.Fa "OM_uint32 req_flags"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_channel_bindings_t input_chan_bindings"
+.Fa "const gss_buffer_t input_token"
+.Fa "gss_OID * actual_mech_type"
+.Fa "gss_buffer_t output_token"
+.Fa "OM_uint32 * ret_flags"
+.Fa "OM_uint32 * time_rec"
+.Fc
+.Ft OM_uint32
+.Fo gss_inquire_context
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "gss_name_t * src_name"
+.Fa "gss_name_t * targ_name"
+.Fa "OM_uint32 * lifetime_rec"
+.Fa "gss_OID * mech_type"
+.Fa "OM_uint32 * ctx_flags"
+.Fa "int * locally_initiated"
+.Fa "int * open_context"
+.Fc
+.Ft OM_uint32
+.Fo gss_inquire_cred
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_cred_id_t cred_handle"
+.Fa "gss_name_t * name"
+.Fa "OM_uint32 * lifetime"
+.Fa "gss_cred_usage_t * cred_usage"
+.Fa "gss_OID_set * mechanisms"
+.Fc
+.Ft OM_uint32
+.Fo gss_inquire_cred_by_mech
+.Fc
+.Ft OM_uint32
+.Fo gss_inquire_mechs_for_name
+.Fc
+.Ft OM_uint32
+.Fo gss_inquire_names_for_mech
+.Fc
+.Ft OM_uint32
+.Fo gss_krb5_copy_ccache
+.Fa "OM_uint32 *minor"
+.Fa "gss_cred_id_t cred"
+.Fa "krb5_ccache out"
+.Fc
+.Ft OM_uint32
+.Fo gss_krb5_compat_des3_mic
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "int onoff"
+.Fc
+.Ft OM_uint32
+.Fo gss_process_context_token
+.Fc
+.Ft OM_uint32
+.Fo gss_release_buffer
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_buffer_t buffer"
+.Fc
+.Ft OM_uint32
+.Fo gss_release_cred
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_cred_id_t * cred_handle"
+.Fc
+.Ft OM_uint32
+.Fo gss_release_name
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_name_t * input_name"
+.Fc
+.Ft
+.Fo gss_release_oid_set
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_OID_set * set"
+.Fc
+.Ft OM_uint32
+.Fo gss_seal
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "int conf_req_flag"
+.Fa "int qop_req"
+.Fa "gss_buffer_t input_message_buffer"
+.Fa "int * conf_state"
+.Fa "gss_buffer_t output_message_buffer"
+.Fc
+.Ft OM_uint32
+.Fo gss_sign
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "int qop_req"
+.Fa "gss_buffer_t message_buffer"
+.Fa "gss_buffer_t message_token"
+.Fc
+.Ft OM_uint32
+.Fo gss_test_oid_set_member
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_OID member"
+.Fa "const gss_OID_set set"
+.Fa "int * present"
+.Fc
+.Ft OM_uint32
+.Fo gss_unseal
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "gss_buffer_t input_message_buffer"
+.Fa "gss_buffer_t output_message_buffer"
+.Fa "int * conf_state"
+.Fa "int * qop_state"
+.Fc
+.Ft OM_uint32
+.Fo gss_unwrap
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "const gss_buffer_t input_message_buffer"
+.Fa "gss_buffer_t output_message_buffer"
+.Fa "int * conf_state"
+.Fa "gss_qop_t * qop_state"
+.Fc
+.Ft OM_uint32
+.Fo gss_verify
+.Fa "OM_uint32 * minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "gss_buffer_t message_buffer"
+.Fa "gss_buffer_t token_buffer"
+.Fa "int * qop_state"
+.Fc
+.Ft OM_uint32
+.Fo gss_verify_mic
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "const gss_buffer_t message_buffer"
+.Fa "const gss_buffer_t token_buffer"
+.Fa "gss_qop_t * qop_state"
+.Fc
+.Ft
+.Fo gss_wrap
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "int conf_req_flag"
+.Fa "gss_qop_t qop_req"
+.Fa "const gss_buffer_t input_message_buffer"
+.Fa "int * conf_state"
+.Fa "gss_buffer_t output_message_buffer"
+.Fc
+.Ft OM_uint32
+.Fo gss_wrap_size_limit
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "int conf_req_flag"
+.Fa "gss_qop_t qop_req"
+.Fa "OM_uint32 req_output_size"
+.Fa "OM_uint32 * max_input_size"
+.Fc
+.Sh DESCRIPTION
+Generic Security Service API (GSS-API) version 2, and its C binding,
+is described in
+.Li RFC2743
+and
+.Li RFC2744 .
+Version 1 (deprecated) of the C binding is described in
+.Li RFC1509 .
+.Pp
+Heimdals GSS-API implementation supports the following mechanisms
+.Bl -bullet
+.It
+.Li GSS_KRB5_MECHANISM
+.El
+.Pp
+GSS-API have generic name types that all mechanism are supposed to
+implement (if possible)
+.Bl -bullet
+.It
+.Li GSS_C_NT_USER_NAME
+.It
+.Li GSS_C_NT_MACHINE_UID_NAME
+.It
+.Li GSS_C_NT_STRING_UID_NAME
+.It
+.Li GSS_C_NT_HOSTBASED_SERVICE
+.It
+.Li GSS_C_NT_ANONYMOUS
+.It
+.Li GSS_C_NT_EXPORT_NAME
+.El
+.Pp
+GSS-API implementations that supports Kerberos 5 have some additional
+name types
+.Bl -bullet
+.It
+.Li GSS_KRB5_NT_PRINCIPAL_NAME
+.It
+.Li GSS_KRB5_NT_USER_NAME
+.It
+.Li GSS_KRB5_NT_MACHINE_UID_NAME
+.It
+.Li GSS_KRB5_NT_STRING_UID_NAME
+.El
+.Pp
+.Fn gss_display_name
+takes the gss name in
+.Fa input_name
+and put a printable form in
+.Fa output_name_buffer .
+.Fa output_name_buffer
+should be freed when done using
+.Fn gss_release_buffer .
+.Fa output_name_type
+can either be
+.Dv NULL
+or a pointer to a
+.Li gss_OID
+and will in the later case contain the OID type of the name.
+The name should only be used for printing.
+Access control should be done with the result of
+.Fn gss_export_name .
+.Pp
+.Fn gss_sign ,
+.Fn gss_verify ,
+.Fn gss_seal ,
+and
+.Fn gss_unseal
+are part of the GSS-API V1 interface and are obsolete. The functions
+should not be used for new applications.
+They are provided so that version 1 applications can link against the
+library.
+.Pp
+.Fn gss_krb5_copy_ccache
+is an extension to the GSS-API API.
+The function will extract the krb5 credential that are transfered from
+the initiator to the acceptor when using token delegation in the
+Kerberos mechanism.
+The acceptor receives the delegated token in the last argument to
+.Fn gss_accept_sec_context .
+.Pp
+.Nm gss_krb5_compat_des3_mic
+turns on or off the compatibly with older version of Heimdal using
+des3 get and verify mic, this is way to programmatically set the
+[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see
+COMPATIBILITY section in
+.Xr gssapi 3 ) .
+If the CPP symbol
+.Dv GSS_C_KRB5_COMPAT_DES3_MIC
+is present,
+.Nm gss_krb5_compat_des3_mic
+exists.
+.Nm gss_krb5_compat_des3_mic
+will be removed in a later version of the GSS-API library.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_ccache 3 ,
+.Xr gssapi 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/gssapi/gssapi.3 b/crypto/heimdal/lib/gssapi/gssapi.3
new file mode 100644
index 0000000..ff30042
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi.3
@@ -0,0 +1,158 @@
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $
+.\"
+.Dd January 23, 2003
+.Dt GSSAPI 3
+.Os
+.Sh NAME
+.Nm gssapi
+.Nd Generic Security Service Application Program Interface library
+.Sh LIBRARY
+GSS-API Library (libgssapi, -lgssapi)
+.Sh DESCRIPTION
+The Generic Security Service Application Program Interface (GSS-API)
+provides security services to callers in a generic fashion,
+supportable with a range of underlying mechanisms and technologies and
+hence allowing source-level portability of applications to different
+environments.
+.Sh LIST OF FUNCTIONS
+These functions constitute the gssapi library,
+.Em libgssapi .
+Declarations for these functions may be obtained from the include file
+.Pa gssapi.h .
+.sp 2
+.nf
+.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
+\fIName/Page\fP \fIDescription\fP
+.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
+.sp 5p
+gss_accept_sec_context.3
+gss_acquire_cred.3
+gss_add_cred.3
+gss_add_oid_set_member.3
+gss_canonicalize_name.3
+gss_compare_name.3
+gss_context_time.3
+gss_create_empty_oid_set.3
+gss_delete_sec_context.3
+gss_display_name.3
+gss_display_status.3
+gss_duplicate_name.3
+gss_export_name.3
+gss_export_sec_context.3
+gss_get_mic.3
+gss_import_name.3
+gss_import_sec_context.3
+gss_indicate_mechs.3
+gss_init_sec_context.3
+gss_inquire_context.3
+gss_inquire_cred.3
+gss_inquire_cred_by_mech.3
+gss_inquire_mechs_for_name.3
+gss_inquire_names_for_mech.3
+gss_krb5_copy_ccache.3
+gss_process_context_token.3
+gss_release_buffer.3
+gss_release_cred.3
+gss_release_name.3
+gss_release_oid_set.3
+gss_seal.3
+gss_sign.3
+gss_test_oid_set_member.3
+gss_unseal.3
+gss_unwrap.3
+gss_verify.3
+gss_verify_mic.3
+gss_wrap.3
+gss_wrap_size_limit.3
+.ta
+.Fi
+.Sh COMPATIBILITY
+The
+.Nm Heimdal
+GSS-API implementation had a bug in releases before 0.6 that made it
+fail to inter-operate when using DES3 with other GSS-API
+implementations when using
+.Fn gss_get_mic
+/
+.Fn gss_verify_mic .
+Its possible to modify the behavior of the generator of the MIC with
+the
+.Pa krb5.conf
+configuration file so that old clients/servers will still
+work.
+.Pp
+New clients/servers will try both the old and new MIC in Heimdal 0.6.
+In 0.7 it will check only if configured and the compatibility code
+will be removed in 0.8.
+.Pp
+Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
+this will change in 0.7 to generate correct des3 mic.
+.Pp
+To turn on compatibility with older clients and servers, change the
+.Nm [gssapi]
+.Ar broken_des3_mic
+in
+.Pa krb5.conf
+that contains a list of globbing expressions that will be matched
+against the server name.
+To turn off generation of the old (incompatible) mic of the MIC use
+.Nm [gssapi]
+.Ar correct_des3_mic .
+.Pp
+If a match for a entry is in both
+.Nm [gssapi]
+.Ar correct_des3_mic
+and
+.Nm [gssapi]
+.Ar correct_des3_mic ,
+the later will override.
+.Pp
+This config option modifies behaviour for both clients and servers.
+.Pp
+Example:
+.Bd -literal -offset indent
+[gssapi]
+ broken_des3_mic = cvs/*@SU.SE
+ broken_des3_mic = host/*@E.KTH.SE
+ correct_des3_mic = host/*@SU.SE
+.Ed
+.Sh BUGS
+All of 0.5.x versions of
+.Nm heimdal
+had broken token delegations in the client side, the server side was
+correct.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5.conf 5 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/gssapi/gssapi.h b/crypto/heimdal/lib/gssapi/gssapi.h
index 82d4056..12ac426 100644
--- a/crypto/heimdal/lib/gssapi/gssapi.h
+++ b/crypto/heimdal/lib/gssapi/gssapi.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi.h,v 1.21 2001/05/04 13:52:02 assar Exp $ */
+/* $Id: gssapi.h,v 1.26.2.2 2003/05/07 11:12:21 lha Exp $ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
@@ -67,8 +67,10 @@ typedef struct gss_ctx_id_t_desc_struct {
struct krb5_auth_context_data *auth_context;
gss_name_t source, target;
OM_uint32 flags;
- enum { LOCAL = 1, OPEN = 2} more_flags;
+ enum { LOCAL = 1, OPEN = 2,
+ COMPAT_OLD_DES3 = 4, COMPAT_OLD_DES3_SELECTED = 8 } more_flags;
struct krb5_ticket *ticket;
+ time_t lifetime;
} gss_ctx_id_t_desc;
typedef gss_ctx_id_t_desc *gss_ctx_id_t;
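Review bot: The two new `more_flags` values and the `lifetime` field are added without any comment, although they change wire-visible behaviour: get_mic.c in this import zeroes the DES3 IV when COMPAT_OLD_DES3 is set, and export_sec_context.c stores `lifetime` in the interprocess token. Suggest `/* COMPAT_OLD_DES3: use the pre-0.6 DES3 MIC (zero IV); COMPAT_OLD_DES3_SELECTED: presumably records that the choice was made for this context -- confirm */` on the enum line and `/* stored in the interprocess token as int32 */` on `lifetime`. The struct definition begins before this hunk.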
@@ -211,6 +213,10 @@ typedef OM_uint32 gss_qop_t;
*/
#define GSS_C_INDEFINITE 0xfffffffful
+#ifdef __cplusplus
+extern "C" {
+#endif
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
@@ -449,267 +455,267 @@ extern gss_OID GSS_KRB5_MECHANISM;
*/
OM_uint32 gss_acquire_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*desired_name*/,
+ OM_uint32 /*time_req*/,
+ const gss_OID_set /*desired_mechs*/,
+ gss_cred_usage_t /*cred_usage*/,
+ gss_cred_id_t * /*output_cred_handle*/,
+ gss_OID_set * /*actual_mechs*/,
+ OM_uint32 * /*time_rec*/
);
OM_uint32 gss_release_cred
- (OM_uint32 * minor_status,
- gss_cred_id_t * cred_handle
+ (OM_uint32 * /*minor_status*/,
+ gss_cred_id_t * /*cred_handle*/
);
OM_uint32 gss_init_sec_context
- (OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
- gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec
+ (OM_uint32 * /*minor_status*/,
+ const gss_cred_id_t /*initiator_cred_handle*/,
+ gss_ctx_id_t * /*context_handle*/,
+ const gss_name_t /*target_name*/,
+ const gss_OID /*mech_type*/,
+ OM_uint32 /*req_flags*/,
+ OM_uint32 /*time_req*/,
+ const gss_channel_bindings_t /*input_chan_bindings*/,
+ const gss_buffer_t /*input_token*/,
+ gss_OID * /*actual_mech_type*/,
+ gss_buffer_t /*output_token*/,
+ OM_uint32 * /*ret_flags*/,
+ OM_uint32 * /*time_rec*/
);
OM_uint32 gss_accept_sec_context
- (OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- const gss_cred_id_t acceptor_cred_handle,
- const gss_buffer_t input_token_buffer,
- const gss_channel_bindings_t input_chan_bindings,
- gss_name_t * src_name,
- gss_OID * mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec,
- gss_cred_id_t * delegated_cred_handle
+ (OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t * /*context_handle*/,
+ const gss_cred_id_t /*acceptor_cred_handle*/,
+ const gss_buffer_t /*input_token_buffer*/,
+ const gss_channel_bindings_t /*input_chan_bindings*/,
+ gss_name_t * /*src_name*/,
+ gss_OID * /*mech_type*/,
+ gss_buffer_t /*output_token*/,
+ OM_uint32 * /*ret_flags*/,
+ OM_uint32 * /*time_rec*/,
+ gss_cred_id_t * /*delegated_cred_handle*/
);
OM_uint32 gss_process_context_token
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t token_buffer
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ const gss_buffer_t /*token_buffer*/
);
OM_uint32 gss_delete_sec_context
- (OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- gss_buffer_t output_token
+ (OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t * /*context_handle*/,
+ gss_buffer_t /*output_token*/
);
OM_uint32 gss_context_time
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- OM_uint32 * time_rec
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ OM_uint32 * /*time_rec*/
);
OM_uint32 gss_get_mic
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ gss_qop_t /*qop_req*/,
+ const gss_buffer_t /*message_buffer*/,
+ gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify_mic
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ const gss_buffer_t /*message_buffer*/,
+ const gss_buffer_t /*token_buffer*/,
+ gss_qop_t * /*qop_state*/
);
OM_uint32 gss_wrap
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ int /*conf_req_flag*/,
+ gss_qop_t /*qop_req*/,
+ const gss_buffer_t /*input_message_buffer*/,
+ int * /*conf_state*/,
+ gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unwrap
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- gss_qop_t * qop_state
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ const gss_buffer_t /*input_message_buffer*/,
+ gss_buffer_t /*output_message_buffer*/,
+ int * /*conf_state*/,
+ gss_qop_t * /*qop_state*/
);
OM_uint32 gss_display_status
- (OM_uint32 * minor_status,
- OM_uint32 status_value,
- int status_type,
- const gss_OID mech_type,
- OM_uint32 * message_context,
- gss_buffer_t status_string
+ (OM_uint32 * /*minor_status*/,
+ OM_uint32 /*status_value*/,
+ int /*status_type*/,
+ const gss_OID /*mech_type*/,
+ OM_uint32 * /*message_context*/,
+ gss_buffer_t /*status_string*/
);
OM_uint32 gss_indicate_mechs
- (OM_uint32 * minor_status,
- gss_OID_set * mech_set
+ (OM_uint32 * /*minor_status*/,
+ gss_OID_set * /*mech_set*/
);
OM_uint32 gss_compare_name
- (OM_uint32 * minor_status,
- const gss_name_t name1,
- const gss_name_t name2,
- int * name_equal
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*name1*/,
+ const gss_name_t /*name2*/,
+ int * /*name_equal*/
);
OM_uint32 gss_display_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t output_name_buffer,
- gss_OID * output_name_type
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*input_name*/,
+ gss_buffer_t /*output_name_buffer*/,
+ gss_OID * /*output_name_type*/
);
OM_uint32 gss_import_name
- (OM_uint32 * minor_status,
- const gss_buffer_t input_name_buffer,
- const gss_OID input_name_type,
- gss_name_t * output_name
+ (OM_uint32 * /*minor_status*/,
+ const gss_buffer_t /*input_name_buffer*/,
+ const gss_OID /*input_name_type*/,
+ gss_name_t * /*output_name*/
);
OM_uint32 gss_export_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t exported_name
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*input_name*/,
+ gss_buffer_t /*exported_name*/
);
OM_uint32 gss_release_name
- (OM_uint32 * minor_status,
- gss_name_t * input_name
+ (OM_uint32 * /*minor_status*/,
+ gss_name_t * /*input_name*/
);
OM_uint32 gss_release_buffer
- (OM_uint32 * minor_status,
- gss_buffer_t buffer
+ (OM_uint32 * /*minor_status*/,
+ gss_buffer_t /*buffer*/
);
OM_uint32 gss_release_oid_set
- (OM_uint32 * minor_status,
- gss_OID_set * set
+ (OM_uint32 * /*minor_status*/,
+ gss_OID_set * /*set*/
);
OM_uint32 gss_inquire_cred
- (OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- gss_name_t * name,
- OM_uint32 * lifetime,
- gss_cred_usage_t * cred_usage,
- gss_OID_set * mechanisms
+ (OM_uint32 * /*minor_status*/,
+ const gss_cred_id_t /*cred_handle*/,
+ gss_name_t * /*name*/,
+ OM_uint32 * /*lifetime*/,
+ gss_cred_usage_t * /*cred_usage*/,
+ gss_OID_set * /*mechanisms*/
);
OM_uint32 gss_inquire_context (
- OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_name_t * src_name,
- gss_name_t * targ_name,
- OM_uint32 * lifetime_rec,
- gss_OID * mech_type,
- OM_uint32 * ctx_flags,
- int * locally_initiated,
- int * open
+ OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ gss_name_t * /*src_name*/,
+ gss_name_t * /*targ_name*/,
+ OM_uint32 * /*lifetime_rec*/,
+ gss_OID * /*mech_type*/,
+ OM_uint32 * /*ctx_flags*/,
+ int * /*locally_initiated*/,
+ int * /*open_context*/
);
OM_uint32 gss_wrap_size_limit (
- OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- OM_uint32 req_output_size,
- OM_uint32 * max_input_size
+ OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ int /*conf_req_flag*/,
+ gss_qop_t /*qop_req*/,
+ OM_uint32 /*req_output_size*/,
+ OM_uint32 * /*max_input_size*/
);
OM_uint32 gss_add_cred (
- OM_uint32 * minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
- const gss_OID desired_mech,
- gss_cred_usage_t cred_usage,
- OM_uint32 initiator_time_req,
- OM_uint32 acceptor_time_req,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * initiator_time_rec,
- OM_uint32 * acceptor_time_rec
+ OM_uint32 * /*minor_status*/,
+ const gss_cred_id_t /*input_cred_handle*/,
+ const gss_name_t /*desired_name*/,
+ const gss_OID /*desired_mech*/,
+ gss_cred_usage_t /*cred_usage*/,
+ OM_uint32 /*initiator_time_req*/,
+ OM_uint32 /*acceptor_time_req*/,
+ gss_cred_id_t * /*output_cred_handle*/,
+ gss_OID_set * /*actual_mechs*/,
+ OM_uint32 * /*initiator_time_rec*/,
+ OM_uint32 * /*acceptor_time_rec*/
);
OM_uint32 gss_inquire_cred_by_mech (
- OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- const gss_OID mech_type,
- gss_name_t * name,
- OM_uint32 * initiator_lifetime,
- OM_uint32 * acceptor_lifetime,
- gss_cred_usage_t * cred_usage
+ OM_uint32 * /*minor_status*/,
+ const gss_cred_id_t /*cred_handle*/,
+ const gss_OID /*mech_type*/,
+ gss_name_t * /*name*/,
+ OM_uint32 * /*initiator_lifetime*/,
+ OM_uint32 * /*acceptor_lifetime*/,
+ gss_cred_usage_t * /*cred_usage*/
);
OM_uint32 gss_export_sec_context (
- OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- gss_buffer_t interprocess_token
+ OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t * /*context_handle*/,
+ gss_buffer_t /*interprocess_token*/
);
OM_uint32 gss_import_sec_context (
- OM_uint32 * minor_status,
- const gss_buffer_t interprocess_token,
- gss_ctx_id_t * context_handle
+ OM_uint32 * /*minor_status*/,
+ const gss_buffer_t /*interprocess_token*/,
+ gss_ctx_id_t * /*context_handle*/
);
OM_uint32 gss_create_empty_oid_set (
- OM_uint32 * minor_status,
- gss_OID_set * oid_set
+ OM_uint32 * /*minor_status*/,
+ gss_OID_set * /*oid_set*/
);
OM_uint32 gss_add_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member_oid,
- gss_OID_set * oid_set
+ OM_uint32 * /*minor_status*/,
+ const gss_OID /*member_oid*/,
+ gss_OID_set * /*oid_set*/
);
OM_uint32 gss_test_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member,
- const gss_OID_set set,
- int * present
+ OM_uint32 * /*minor_status*/,
+ const gss_OID /*member*/,
+ const gss_OID_set /*set*/,
+ int * /*present*/
);
OM_uint32 gss_inquire_names_for_mech (
- OM_uint32 * minor_status,
- const gss_OID mechanism,
- gss_OID_set * name_types
+ OM_uint32 * /*minor_status*/,
+ const gss_OID /*mechanism*/,
+ gss_OID_set * /*name_types*/
);
OM_uint32 gss_inquire_mechs_for_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_OID_set * mech_types
+ OM_uint32 * /*minor_status*/,
+ const gss_name_t /*input_name*/,
+ gss_OID_set * /*mech_types*/
);
OM_uint32 gss_canonicalize_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t * output_name
+ OM_uint32 * /*minor_status*/,
+ const gss_name_t /*input_name*/,
+ const gss_OID /*mech_type*/,
+ gss_name_t * /*output_name*/
);
OM_uint32 gss_duplicate_name (
- OM_uint32 * minor_status,
- const gss_name_t src_name,
- gss_name_t * dest_name
+ OM_uint32 * /*minor_status*/,
+ const gss_name_t /*src_name*/,
+ gss_name_t * /*dest_name*/
);
/*
@@ -724,38 +730,38 @@ OM_uint32 gss_duplicate_name (
*/
OM_uint32 gss_sign
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int qop_req,
- gss_buffer_t message_buffer,
- gss_buffer_t message_token
+ (OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ int /*qop_req*/,
+ gss_buffer_t /*message_buffer*/,
+ gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t message_buffer,
- gss_buffer_t token_buffer,
- int * qop_state
+ (OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ gss_buffer_t /*message_buffer*/,
+ gss_buffer_t /*token_buffer*/,
+ int * /*qop_state*/
);
OM_uint32 gss_seal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer
+ (OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ int /*conf_req_flag*/,
+ int /*qop_req*/,
+ gss_buffer_t /*input_message_buffer*/,
+ int * /*conf_state*/,
+ gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unseal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- int * qop_state
+ (OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ gss_buffer_t /*input_message_buffer*/,
+ gss_buffer_t /*output_message_buffer*/,
+ int * /*conf_state*/,
+ int * /*qop_state*/
);
/*
@@ -763,11 +769,20 @@ OM_uint32 gss_unseal
*/
OM_uint32 gsskrb5_register_acceptor_identity
- (char *identity);
+ (const char */*identity*/);
OM_uint32 gss_krb5_copy_ccache
- (OM_uint32 *minor,
- gss_cred_id_t cred,
- struct krb5_ccache_data *out);
+ (OM_uint32 */*minor*/,
+ gss_cred_id_t /*cred*/,
+ struct krb5_ccache_data */*out*/);
+
+#define GSS_C_KRB5_COMPAT_DES3_MIC 1
+
+OM_uint32
+gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int);
+
+#ifdef __cplusplus
+}
+#endif
#endif /* GSSAPI_H_ */
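Review bot: The new `gss_krb5_compat_des3_mic` prototype is the only declaration in this header with unnamed parameters, and neither it nor `GSS_C_KRB5_COMPAT_DES3_MIC` says what the `int` argument means or what the define is a value of. Following the header's convention, `gss_krb5_compat_des3_mic(OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*compat_flag*/);` plus a comment on the define such as `/* value for gss_krb5_compat_des3_mic(): select the old (incompatible) DES3 MIC on this context */` would make the compatibility knob self-describing. I am inferring the meaning from the gssapi.3 text earlier in this diff, so the wording should be checked against the implementation.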
diff --git a/crypto/heimdal/lib/gssapi/gssapi_locl.h b/crypto/heimdal/lib/gssapi/gssapi_locl.h
index 65bd273..a27b27a 100644
--- a/crypto/heimdal/lib/gssapi/gssapi_locl.h
+++ b/crypto/heimdal/lib/gssapi/gssapi_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_locl.h,v 1.21 2001/08/29 02:21:09 assar Exp $ */
+/* $Id: gssapi_locl.h,v 1.24 2003/03/16 17:30:15 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
@@ -50,6 +50,14 @@ extern krb5_keytab gssapi_krb5_keytab;
krb5_error_code gssapi_krb5_init (void);
+#define GSSAPI_KRB5_INIT() do { \
+ krb5_error_code kret; \
+ if((kret = gssapi_krb5_init ()) != 0) { \
+ *minor_status = kret; \
+ return GSS_S_FAILURE; \
+ } \
+} while (0)
+
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
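Review bot: `GSSAPI_KRB5_INIT()` returns from the calling function and writes through a `minor_status` that is not a macro argument, so a reader of any call site sees neither the early return nor the dependency; the macro should carry a comment making both explicit, e.g. `/* Initialise the krb5 context; requires an OM_uint32 *minor_status in the caller's scope and returns GSS_S_FAILURE from the caller on error. */`. Passing the pointer explicitly, `GSSAPI_KRB5_INIT(minor_status)`, would make the dependency visible at each call, though that touches every caller converted in this commit. The local `kret` would also shadow a `kret` in any caller that declares one (do_delegation in init_sec_context.c does), which `-Wshadow` will report.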
@@ -96,6 +104,14 @@ gssapi_krb5_verify_header(u_char **str,
char *type);
OM_uint32
+gss_verify_mic_internal(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t * qop_state,
+ char * type);
+
+OM_uint32
gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
krb5_keyblock **key);
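Review bot: `gss_verify_mic_internal` takes `char * type` although the analogous token-type argument elsewhere in this diff (the `"\x02\x00"` passed to gssapi_krb5_decapsulate in init_sec_context.c) is a string literal, so `const char *type` is the correct qualification; the pre-existing gssapi_krb5_verify_header declaration above has the same shape and could be fixed together with it. The prototype has no comment saying what `type` selects; a short note that it is the expected token-type bytes checked against the header would help, if that is what the implementation (not in this chunk) does.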
@@ -117,10 +133,16 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type,
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
+int
+gss_oid_equal(const gss_OID a, const gss_OID b);
+
void
gssapi_krb5_set_error_string (void);
char *
gssapi_krb5_get_error_string (void);
+OM_uint32
+_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx);
+
#endif
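Review bot: `_gss_DES3_get_mic_compat` begins with an underscore at file scope, which C reserves for the implementation (C99/C11 7.1.3 reserves every file-scope identifier beginning with `_`), so the name may legally collide with the C library; most internals in this header use a `gssapi_krb5_` prefix, e.g. `gssapi_krb5_DES3_get_mic_compat`. `gss_oid_equal` goes the other way: it now has external linkage and a public-looking `gss_` name but is declared only in this private header, so it either belongs in gssapi.h with the other prototypes or should keep a private prefix. Neither prototype has a comment; `gss_oid_equal` at least should state that GSS_C_NO_OID is accepted for either argument, if that is what its body (outside this chunk) does.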
diff --git a/crypto/heimdal/lib/gssapi/import_name.c b/crypto/heimdal/lib/gssapi/import_name.c
index 2f2ec1a..423e757 100644
--- a/crypto/heimdal/lib/gssapi/import_name.c
+++ b/crypto/heimdal/lib/gssapi/import_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,14 +33,36 @@
#include "gssapi_locl.h"
-RCSID("$Id: import_name.c,v 1.11 2002/06/20 20:05:42 nectar Exp $");
+RCSID("$Id: import_name.c,v 1.13 2003/03/16 17:33:31 lha Exp $");
+
+static OM_uint32
+parse_krb5_name (OM_uint32 *minor_status,
+ const char *name,
+ gss_name_t *output_name)
+{
+ krb5_error_code kerr;
+
+ kerr = krb5_parse_name (gssapi_krb5_context, name, output_name);
+
+ if (kerr == 0)
+ return GSS_S_COMPLETE;
+ else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
+ gssapi_krb5_set_error_string ();
+ *minor_status = kerr;
+ return GSS_S_BAD_NAME;
+ } else {
+ gssapi_krb5_set_error_string ();
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
+ }
+}
static OM_uint32
import_krb5_name (OM_uint32 *minor_status,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
- krb5_error_code kerr;
+ OM_uint32 ret;
char *tmp;
tmp = malloc (input_name_buffer->length + 1);
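Review bot: `parse_krb5_name` has no header comment and its error contract is only discoverable by reading the branches: it maps KRB5_PARSE_ILLCHAR and KRB5_PARSE_MALFORMED to GSS_S_BAD_NAME, every other krb5 error to GSS_S_FAILURE, and leaves `*minor_status` untouched on success. A short comment above the function stating that, and that `name` must be NUL-terminated, would serve both callers added in this commit (import_krb5_name and import_export_name). The two error branches differ only in the major status, so `gssapi_krb5_set_error_string (); *minor_status = kerr;` could be hoisted above a single `return (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) ? GSS_S_BAD_NAME : GSS_S_FAILURE;`. import_krb5_name's body continues outside this hunk.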
@@ -53,21 +75,10 @@ import_krb5_name (OM_uint32 *minor_status,
input_name_buffer->length);
tmp[input_name_buffer->length] = '\0';
- kerr = krb5_parse_name (gssapi_krb5_context,
- tmp,
- output_name);
- free (tmp);
- if (kerr == 0)
- return GSS_S_COMPLETE;
- else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
- gssapi_krb5_set_error_string ();
- *minor_status = kerr;
- return GSS_S_BAD_NAME;
- } else {
- gssapi_krb5_set_error_string ();
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
+ ret = parse_krb5_name(minor_status, tmp, output_name);
+ free(tmp);
+
+ return ret;
}
static OM_uint32
@@ -81,6 +92,8 @@ import_hostbased_name (OM_uint32 *minor_status,
char *host;
char local_hostname[MAXHOSTNAMELEN];
+ *output_name = NULL;
+
tmp = malloc (input_name_buffer->length + 1);
if (tmp == NULL) {
*minor_status = ENOMEM;
@@ -124,8 +137,55 @@ import_hostbased_name (OM_uint32 *minor_status,
}
}
-static int
-oid_equal(const gss_OID a, const gss_OID b)
+static OM_uint32
+import_export_name (OM_uint32 *minor_status,
+ const gss_buffer_t input_name_buffer,
+ gss_name_t *output_name)
+{
+ unsigned char *p;
+ uint32_t length;
+ OM_uint32 ret;
+ char *name;
+
+ if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length)
+ return GSS_S_BAD_NAME;
+
+ /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
+
+ p = input_name_buffer->value;
+
+ if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 ||
+ p[3] != GSS_KRB5_MECHANISM->length + 2 ||
+ p[4] != 0x06 ||
+ p[5] != GSS_KRB5_MECHANISM->length ||
+ memcmp(&p[6], GSS_KRB5_MECHANISM->elements,
+ GSS_KRB5_MECHANISM->length) != 0)
+ return GSS_S_BAD_NAME;
+
+ p += 6 + GSS_KRB5_MECHANISM->length;
+
+ length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
+ p += 4;
+
+ if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length)
+ return GSS_S_BAD_NAME;
+
+ name = malloc(length + 1);
+ if (name == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy(name, p, length);
+ name[length] = '\0';
+
+ ret = parse_krb5_name(minor_status, name, output_name);
+ free(name);
+
+ return ret;
+}
+
+int
+gss_oid_equal(const gss_OID a, const gss_OID b)
{
if (a == b)
return 1;
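Review bot: `length = p[0] << 24 | ...` in import_export_name shifts a promoted `int`, so any token whose first length byte has the top bit set (`p[0] >= 0x80`) shifts into the sign bit, which is undefined behaviour; since this function parses a caller-supplied exported name the operands should be widened first, `length = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];`. The bounds checks themselves look right: the `10 + GSS_KRB5_MECHANISM->length` minimum guarantees the subtraction in the later check cannot wrap, and the DER header comparison pins the mechanism OID before the name bytes are used. Two smaller points: the GSS_S_BAD_NAME returns leave `*minor_status` unset (the caller zeroes it, but the helper would be safer standing alone), and extending the existing `/* TOK, MECH_OID_LEN, ... */` comment with a reference to the RFC 2743 section 3.2 layout would make the magic `10` traceable. gss_oid_equal's body continues outside this hunk.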
@@ -142,20 +202,27 @@ OM_uint32 gss_import_name
gss_name_t * output_name
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
- if (oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE))
+ *minor_status = 0;
+ *output_name = GSS_C_NO_NAME;
+
+ if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE))
return import_hostbased_name (minor_status,
input_name_buffer,
output_name);
- else if (input_name_type == GSS_C_NO_OID
- || oid_equal(input_name_type, GSS_C_NT_USER_NAME)
- || oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
+ else if (gss_oid_equal(input_name_type, GSS_C_NO_OID)
+ || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME)
+ || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
/* default printable syntax */
return import_krb5_name (minor_status,
input_name_buffer,
output_name);
- else {
+ else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
+ return import_export_name(minor_status,
+ input_name_buffer,
+ output_name);
+ } else {
*minor_status = 0;
return GSS_S_BAD_NAMETYPE;
}
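Review bot: The `*minor_status = 0;` in the final `else` branch is now redundant with the assignment added at the top of the function and can be dropped. The new `gss_oid_equal(input_name_type, GSS_C_NO_OID)` test replaces a plain pointer comparison, so gss_oid_equal must tolerate GSS_C_NO_OID (a null pointer) in either argument on every call, including the first one against GSS_C_NT_HOSTBASED_SERVICE; its body is outside this hunk, so I could not confirm that it checks for null before dereferencing. As in gss_init_sec_context later in this diff, `GSSAPI_KRB5_INIT ()` can return before `*output_name` is set to GSS_C_NO_NAME, so swapping those two statements would keep the output defined on that path too.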
diff --git a/crypto/heimdal/lib/gssapi/import_sec_context.c b/crypto/heimdal/lib/gssapi/import_sec_context.c
index c84f3b6..2daa573 100644
--- a/crypto/heimdal/lib/gssapi/import_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/import_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: import_sec_context.c,v 1.5 2001/05/11 09:16:46 assar Exp $");
+RCSID("$Id: import_sec_context.c,v 1.7 2003/03/16 18:01:32 lha Exp $");
OM_uint32
gss_import_sec_context (
@@ -55,7 +55,9 @@ gss_import_sec_context (
int32_t flags;
OM_uint32 minor;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
+
+ localp = remotep = NULL;
sp = krb5_storage_from_mem (interprocess_token->value,
interprocess_token->length);
@@ -83,99 +85,113 @@ gss_import_sec_context (
/* flags */
- krb5_ret_int32 (sp, &flags);
+ *minor_status = 0;
+
+ if (krb5_ret_int32 (sp, &flags) != 0)
+ goto failure;
/* retrieve the auth context */
ac = (*context_handle)->auth_context;
krb5_ret_int32 (sp, &ac->flags);
- if (flags & SC_LOCAL_ADDRESS)
- krb5_ret_address (sp, localp = &local);
- else
- localp = NULL;
- if (flags & SC_REMOTE_ADDRESS)
- krb5_ret_address (sp, remotep = &remote);
- else
- remotep = NULL;
+ if (flags & SC_LOCAL_ADDRESS) {
+ if (krb5_ret_address (sp, localp = &local) != 0)
+ goto failure;
+ }
+
+ if (flags & SC_REMOTE_ADDRESS) {
+ if (krb5_ret_address (sp, remotep = &remote) != 0)
+ goto failure;
+ }
+
krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
if (localp)
krb5_free_address (gssapi_krb5_context, localp);
if (remotep)
krb5_free_address (gssapi_krb5_context, remotep);
- krb5_ret_int16 (sp, &ac->local_port);
- krb5_ret_int16 (sp, &ac->remote_port);
+ localp = remotep = NULL;
+
+ if (krb5_ret_int16 (sp, &ac->local_port) != 0)
+ goto failure;
+
+ if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
+ goto failure;
if (flags & SC_KEYBLOCK) {
- krb5_ret_keyblock (sp, &keyblock);
+ if (krb5_ret_keyblock (sp, &keyblock) != 0)
+ goto failure;
krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
- krb5_ret_keyblock (sp, &keyblock);
+ if (krb5_ret_keyblock (sp, &keyblock) != 0)
+ goto failure;
krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
- krb5_ret_keyblock (sp, &keyblock);
+ if (krb5_ret_keyblock (sp, &keyblock) != 0)
+ goto failure;
krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
}
- krb5_ret_int32 (sp, &ac->local_seqnumber);
- krb5_ret_int32 (sp, &ac->remote_seqnumber);
-
-#if 0
- {
- size_t sz;
-
- krb5_ret_data (sp, &data);
- ac->authenticator = malloc (sizeof (*ac->authenticator));
- if (ac->authenticator == NULL) {
- *minor_status = ENOMEM;
- ret = GSS_S_FAILURE;
- goto failure;
- }
-
- kret = decode_Authenticator (data.data, data.length,
- ac->authenticator, &sz);
- krb5_data_free (&data);
- if (kret) {
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
- }
-#endif
+ if (krb5_ret_int32 (sp, &ac->local_seqnumber))
+ goto failure;
+ if (krb5_ret_int32 (sp, &ac->remote_seqnumber))
+ goto failure;
- krb5_ret_int32 (sp, &tmp);
+ if (krb5_ret_int32 (sp, &tmp) != 0)
+ goto failure;
ac->keytype = tmp;
- krb5_ret_int32 (sp, &tmp);
+ if (krb5_ret_int32 (sp, &tmp) != 0)
+ goto failure;
ac->cksumtype = tmp;
/* names */
- krb5_ret_data (sp, &data);
+ if (krb5_ret_data (sp, &data))
+ goto failure;
buffer.value = data.data;
buffer.length = data.length;
- ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&(*context_handle)->source);
+ if (ret) {
+ ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ &(*context_handle)->source);
+ if (ret) {
+ krb5_data_free (&data);
+ goto failure;
+ }
+ }
krb5_data_free (&data);
- if (ret)
- goto failure;
- krb5_ret_data (sp, &data);
+ if (krb5_ret_data (sp, &data) != 0)
+ goto failure;
buffer.value = data.data;
buffer.length = data.length;
- ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&(*context_handle)->target);
+ if (ret) {
+ ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ &(*context_handle)->target);
+ if (ret) {
+ krb5_data_free (&data);
+ goto failure;
+ }
+ }
krb5_data_free (&data);
- if (ret)
- goto failure;
- krb5_ret_int32 (sp, &tmp);
+ if (krb5_ret_int32 (sp, &tmp))
+ goto failure;
(*context_handle)->flags = tmp;
- krb5_ret_int32 (sp, &tmp);
+ if (krb5_ret_int32 (sp, &tmp))
+ goto failure;
(*context_handle)->more_flags = tmp;
+ if (krb5_ret_int32 (sp, &tmp) == 0)
+ (*context_handle)->lifetime = tmp;
+ else
+ (*context_handle)->lifetime = GSS_C_INDEFINITE;
return GSS_S_COMPLETE;
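Review bot: `krb5_ret_int32 (sp, &ac->flags)` is the one read in this deserialiser left unchecked while every neighbouring read now jumps to `failure`; it should follow the same pattern, `if (krb5_ret_int32 (sp, &ac->flags) != 0) goto failure;`. The new `goto failure` paths also reach `return ret` without assigning `ret`, so unless `ret` is initialised at its declaration (outside this hunk) a truncated token returns an indeterminate major status with `*minor_status` still 0; setting `ret = GSS_S_DEFECTIVE_TOKEN` before the first of these jumps would make the failure explicit. The tolerant `lifetime` read deliberately accepts a short token, presumably for pre-0.6 token compatibility, and deserves a comment since next to the checked reads it looks like an accidental omission. The function's declarations and the `failure` label are outside this hunk.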
@@ -186,6 +202,10 @@ failure:
gss_release_name(&minor, &(*context_handle)->source);
if ((*context_handle)->target != NULL)
gss_release_name(&minor, &(*context_handle)->target);
+ if (localp)
+ krb5_free_address (gssapi_krb5_context, localp);
+ if (remotep)
+ krb5_free_address (gssapi_krb5_context, remotep);
free (*context_handle);
*context_handle = GSS_C_NO_CONTEXT;
return ret;
diff --git a/crypto/heimdal/lib/gssapi/indicate_mechs.c b/crypto/heimdal/lib/gssapi/indicate_mechs.c
index c77d177..89191bb 100644
--- a/crypto/heimdal/lib/gssapi/indicate_mechs.c
+++ b/crypto/heimdal/lib/gssapi/indicate_mechs.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,25 +33,23 @@
#include "gssapi_locl.h"
-RCSID("$Id: indicate_mechs.c,v 1.4 2001/02/18 03:39:09 assar Exp $");
+RCSID("$Id: indicate_mechs.c,v 1.5 2003/03/16 17:38:20 lha Exp $");
OM_uint32 gss_indicate_mechs
(OM_uint32 * minor_status,
gss_OID_set * mech_set
)
{
- *mech_set = malloc(sizeof(**mech_set));
- if (*mech_set == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*mech_set)->count = 1;
- (*mech_set)->elements = malloc((*mech_set)->count * sizeof(gss_OID_desc));
- if ((*mech_set)->elements == NULL) {
- free (*mech_set);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*mech_set)->elements[0] = *GSS_KRB5_MECHANISM;
+ OM_uint32 ret;
+
+ ret = gss_create_empty_oid_set(minor_status, mech_set);
+ if (ret)
+ return ret;
+
+ ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
+ if (ret)
+ return ret;
+
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
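Review bot: If `gss_add_oid_set_member` fails, the set just created by `gss_create_empty_oid_set` is left in `*mech_set` and never released, so the error path leaks it; release it before returning, e.g. `if (ret) { OM_uint32 junk; gss_release_oid_set(&junk, mech_set); return ret; }`. That assumes gss_add_oid_set_member leaves `*mech_set` valid on failure, which its body (not in this chunk) should confirm.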
diff --git a/crypto/heimdal/lib/gssapi/init_sec_context.c b/crypto/heimdal/lib/gssapi/init_sec_context.c
index 2cef3a9..6473038 100644
--- a/crypto/heimdal/lib/gssapi/init_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/init_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.31 2002/09/02 17:16:12 joda Exp $");
+RCSID("$Id: init_sec_context.c,v 1.36 2003/03/16 18:00:00 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -111,21 +111,11 @@ do_delegation (krb5_auth_context ac,
{
krb5_creds creds;
krb5_kdc_flags fwd_flags;
- krb5_keyblock *subkey;
krb5_error_code kret;
memset (&creds, 0, sizeof(creds));
krb5_data_zero (fwd_data);
- kret = krb5_generate_subkey (gssapi_krb5_context, &cred->session, &subkey);
- if (kret)
- goto out;
-
- kret = krb5_auth_con_setlocalsubkey(gssapi_krb5_context, ac, subkey);
- krb5_free_keyblock (gssapi_krb5_context, subkey);
- if (kret)
- goto out;
-
kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client);
if (kret)
goto out;
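Review bot: do_delegation no longer generates a local subkey itself, so it now depends on the caller having already installed one on `ac` (init_auth does this with `krb5_auth_con_generatelocalsubkey` in a later hunk of this file); that precondition is invisible here and should be stated above the function, e.g. `/* Precondition: the caller has already installed the local subkey on ac (see init_auth); it is no longer generated here. */`. do_delegation's signature and the rest of its body are outside this hunk.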
@@ -204,9 +194,6 @@ init_auth
krb5_enctype enctype;
krb5_data fwd_data;
- output_token->length = 0;
- output_token->value = NULL;
-
krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data);
@@ -224,6 +211,7 @@ init_auth
(*context_handle)->flags = 0;
(*context_handle)->more_flags = 0;
(*context_handle)->ticket = NULL;
+ (*context_handle)->lifetime = GSS_C_INDEFINITE;
kret = krb5_auth_con_init (gssapi_krb5_context,
&(*context_handle)->auth_context);
@@ -288,10 +276,15 @@ init_auth
goto failure;
}
+ ret = _gss_DES3_get_mic_compat(minor_status, *context_handle);
+ if (ret)
+ goto failure;
+
+
memset(&this_cred, 0, sizeof(this_cred));
this_cred.client = (*context_handle)->source;
this_cred.server = (*context_handle)->target;
- if (time_req) {
+ if (time_req && time_req != GSS_C_INDEFINITE) {
krb5_timestamp ts;
krb5_timeofday (gssapi_krb5_context, &ts);
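Review bot: The two consecutive blank lines left after the `_gss_DES3_get_mic_compat` error check are a formatting slip; one is enough. It would also help to note next to that call why it comes this early: it presumably sets bits in `more_flags` that the later `more_flags |= LOCAL` change in this file was made to preserve, and a one-line comment such as `/* may set COMPAT_OLD_DES3 in more_flags; later assignments must OR, not overwrite */` would protect that ordering. init_auth's body continues on both sides of this hunk.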
@@ -313,10 +306,22 @@ init_auth
goto failure;
}
+ (*context_handle)->lifetime = cred->times.endtime;
+
krb5_auth_con_setkey(gssapi_krb5_context,
(*context_handle)->auth_context,
&cred->session);
+ kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &cred->session);
+ if(kret) {
+ gssapi_krb5_set_error_string ();
+ *minor_status = kret;
+ ret = GSS_S_FAILURE;
+ goto failure;
+ }
+
flags = 0;
ap_options = 0;
if (req_flags & GSS_C_DELEG_FLAG)
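Review bot: `(*context_handle)->lifetime = cred->times.endtime;` stores an absolute expiry timestamp, but the later hunks in this file copy that field straight into `*time_rec` (the non-mutual completion in init_auth and the end of repl_mutual), and inquire_context.c in this same diff returns it as `*lifetime_rec`; RFC 2744 defines those outputs as the number of seconds the context remains valid, so a caller treating the value as a duration gets an epoch time instead of the time left. Each consumer should convert, e.g. `*lifetime_rec = context_handle->lifetime == GSS_C_INDEFINITE ? GSS_C_INDEFINITE : (context_handle->lifetime > now ? (OM_uint32)(context_handle->lifetime - now) : 0);` with `now` obtained from krb5_timeofday as the preceding hunk does for `time_req`, preferably through one shared helper rather than three copies. Storing the endtime in the context is itself fine, and moving subkey generation ahead of delegation reads correctly. init_auth's body continues on both sides of this hunk.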
@@ -342,7 +347,7 @@ init_auth
if (ret_flags)
*ret_flags = flags;
(*context_handle)->flags = flags;
- (*context_handle)->more_flags = LOCAL;
+ (*context_handle)->more_flags |= LOCAL;
ret = gssapi_krb5_create_8003_checksum (minor_status,
input_chan_bindings,
@@ -367,16 +372,6 @@ init_auth
}
#endif
- kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context,
- (*context_handle)->auth_context,
- &cred->session);
- if(kret) {
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
-
kret = krb5_build_authenticator (gssapi_krb5_context,
(*context_handle)->auth_context,
enctype,
@@ -417,6 +412,9 @@ init_auth
if (flags & GSS_C_MUTUAL_FLAG) {
return GSS_S_CONTINUE_NEEDED;
} else {
+ if (time_rec)
+ *time_rec = (*context_handle)->lifetime;
+
(*context_handle)->more_flags |= OPEN;
return GSS_S_COMPLETE;
}
@@ -458,6 +456,12 @@ repl_mutual
krb5_data indata;
krb5_ap_rep_enc_part *repl;
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ if (actual_mech_type)
+ *actual_mech_type = GSS_KRB5_MECHANISM;
+
ret = gssapi_krb5_decapsulate (minor_status, input_token, &indata,
"\x02\x00");
if (ret)
@@ -476,10 +480,14 @@ repl_mutual
krb5_free_ap_rep_enc_part (gssapi_krb5_context,
repl);
- output_token->length = 0;
-
(*context_handle)->more_flags |= OPEN;
+
+ if (time_rec)
+ *time_rec = (*context_handle)->lifetime;
+ if (ret_flags)
+ *ret_flags = (*context_handle)->flags;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
@@ -503,7 +511,22 @@ OM_uint32 gss_init_sec_context
OM_uint32 * time_rec
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
+
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ if (ret_flags)
+ *ret_flags = 0;
+ if (time_rec)
+ *time_rec = 0;
+
+ if (target_name == GSS_C_NO_NAME) {
+ if (actual_mech_type)
+ *actual_mech_type = GSS_C_NO_OID;
+ *minor_status = 0;
+ return GSS_S_BAD_NAME;
+ }
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
return init_auth (minor_status,
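Review bot: `GSSAPI_KRB5_INIT ()` can return GSS_S_FAILURE before `output_token` is zeroed, so on a krb5 initialisation failure the caller receives an uninitialised token and may hand it to gss_release_buffer; move the macro below the output initialisation, i.e. after `*time_rec = 0;`, or zero `output_token` first. The GSS_C_NO_NAME check sets `*actual_mech_type` to GSS_C_NO_OID, but the early return from the init macro leaves it untouched as well, so the same reordering covers both. gss_init_sec_context's dispatch to init_auth and repl_mutual continues outside this hunk.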
diff --git a/crypto/heimdal/lib/gssapi/inquire_context.c b/crypto/heimdal/lib/gssapi/inquire_context.c
index 6463253..95cd2c5 100644
--- a/crypto/heimdal/lib/gssapi/inquire_context.c
+++ b/crypto/heimdal/lib/gssapi/inquire_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: inquire_context.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: inquire_context.c,v 1.5 2003/03/16 17:43:30 lha Exp $");
OM_uint32 gss_inquire_context (
OM_uint32 * minor_status,
@@ -44,7 +44,7 @@ OM_uint32 gss_inquire_context (
gss_OID * mech_type,
OM_uint32 * ctx_flags,
int * locally_initiated,
- int * open
+ int * open_context
)
{
OM_uint32 ret;
@@ -66,7 +66,7 @@ OM_uint32 gss_inquire_context (
}
if (lifetime_rec)
- *lifetime_rec = GSS_C_INDEFINITE;
+ *lifetime_rec = context_handle->lifetime;
if (mech_type)
*mech_type = GSS_KRB5_MECHANISM;
@@ -77,8 +77,9 @@ OM_uint32 gss_inquire_context (
if (locally_initiated)
*locally_initiated = context_handle->more_flags & LOCAL;
- if (open)
- *open = context_handle->more_flags & OPEN;
+ if (open_context)
+ *open_context = context_handle->more_flags & OPEN;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/inquire_cred.c b/crypto/heimdal/lib/gssapi/inquire_cred.c
index 62f3f50..4938d56 100644
--- a/crypto/heimdal/lib/gssapi/inquire_cred.c
+++ b/crypto/heimdal/lib/gssapi/inquire_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: inquire_cred.c,v 1.3 2002/08/20 12:02:45 nectar Exp $");
+RCSID("$Id: inquire_cred.c,v 1.4 2003/03/16 17:42:14 lha Exp $");
OM_uint32 gss_inquire_cred
(OM_uint32 * minor_status,
@@ -46,6 +46,13 @@ OM_uint32 gss_inquire_cred
{
OM_uint32 ret;
+ *minor_status = 0;
+
+ if (name)
+ *name = NULL;
+ if (mechanisms)
+ *mechanisms = GSS_C_NO_OID_SET;
+
if (cred_handle == GSS_C_NO_CREDENTIAL) {
return GSS_S_FAILURE;
}
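Review bot: The GSS_C_NO_CREDENTIAL path returns GSS_S_FAILURE with the freshly zeroed minor_status, so the caller gets a generic failure and no cause; RFC 2744 reserves GSS_S_NO_CRED for exactly this situation, and the one-line fix is `return GSS_S_NO_CRED;`. RFC 2744 also describes GSS_C_NO_CREDENTIAL as "the default credential", so rejecting it outright is a deliberate deviation that deserves a comment on the check. gss_inquire_cred's body continues past the hunk.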
diff --git a/crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c b/crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c
new file mode 100644
index 0000000..b09d1e1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_cred_by_mech.c,v 1.1 2003/03/16 18:11:16 lha Exp $");
+
+OM_uint32 gss_inquire_cred_by_mech (
+ OM_uint32 * minor_status,
+ const gss_cred_id_t cred_handle,
+ const gss_OID mech_type,
+ gss_name_t * name,
+ OM_uint32 * initiator_lifetime,
+ OM_uint32 * acceptor_lifetime,
+ gss_cred_usage_t * cred_usage
+ )
+{
+ OM_uint32 ret;
+ OM_uint32 lifetime;
+
+ if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
+ gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
+ *minor_status = EINVAL;
+ return GSS_S_BAD_MECH;
+ }
+
+ ret = gss_inquire_cred (minor_status,
+ cred_handle,
+ name,
+ &lifetime,
+ cred_usage,
+ NULL);
+
+ if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) {
+ gss_cred_usage_t usage;
+
+ usage = cred_handle->usage;
+
+ if (initiator_lifetime) {
+ if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)
+ *initiator_lifetime = lifetime;
+ }
+ if (acceptor_lifetime) {
+ if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
+ *acceptor_lifetime = lifetime;
+ }
+ }
+
+ return ret;
+}
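Review bot: `initiator_lifetime` and `acceptor_lifetime` are written only when the credential's usage matches, so a caller asking for the acceptor lifetime of a GSS_C_INITIATE credential (or passing GSS_C_NO_CREDENTIAL, which gss_inquire_cred rejects) reads an uninitialized output. Zero both before the gss_inquire_cred call: `if (initiator_lifetime) *initiator_lifetime = 0;` and `if (acceptor_lifetime) *acceptor_lifetime = 0;`. The `cred_handle != GSS_C_NO_CREDENTIAL` test after the call then only protects the `cred_handle->usage` dereference, which is worth a one-line comment since gss_inquire_cred already fails for that handle.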
diff --git a/crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c b/crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c
new file mode 100644
index 0000000..67ebb04
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_mechs_for_name.c,v 1.1 2003/03/16 18:12:33 lha Exp $");
+
+OM_uint32 gss_inquire_mechs_for_name (
+ OM_uint32 * minor_status,
+ const gss_name_t input_name,
+ gss_OID_set * mech_types
+ )
+{
+ OM_uint32 ret;
+
+ ret = gss_create_empty_oid_set(minor_status, mech_types);
+ if (ret)
+ return ret;
+
+ ret = gss_add_oid_set_member(minor_status,
+ GSS_KRB5_MECHANISM,
+ mech_types);
+ if (ret)
+ gss_release_oid_set(NULL, mech_types);
+
+ return ret;
+}
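Review bot: `input_name` is never examined, so the function reports GSS_KRB5_MECHANISM for every name, including GSS_C_NO_NAME; that is defensible for a single-mechanism library but should be stated, e.g. `/* krb5 is the only mechanism in this library; the name itself is not inspected */`. A leading `if (input_name == GSS_C_NO_NAME) return GSS_S_BAD_NAME;` would also match how gss_init_sec_context in this import treats a missing name. Releasing the set with a NULL minor_status on the error path is correct (it keeps the add failure's minor code) but non-obvious and deserves a comment as well.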
diff --git a/crypto/heimdal/lib/gssapi/inquire_names_for_mech.c b/crypto/heimdal/lib/gssapi/inquire_names_for_mech.c
new file mode 100644
index 0000000..0e93de6
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_names_for_mech.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_names_for_mech.c,v 1.1 2003/03/16 18:15:29 lha Exp $");
+
+
+static gss_OID *name_list[] = {
+ &GSS_C_NT_HOSTBASED_SERVICE,
+ &GSS_C_NT_USER_NAME,
+ &GSS_KRB5_NT_PRINCIPAL_NAME,
+ &GSS_C_NT_EXPORT_NAME,
+ NULL
+};
+
+OM_uint32 gss_inquire_names_for_mech (
+ OM_uint32 * minor_status,
+ const gss_OID mechanism,
+ gss_OID_set * name_types
+ )
+{
+ OM_uint32 ret;
+ int i;
+
+ *minor_status = 0;
+
+ if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 &&
+ gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) {
+ *name_types = GSS_C_NO_OID_SET;
+ return GSS_S_BAD_MECH;
+ }
+
+ ret = gss_create_empty_oid_set(minor_status, name_types);
+ if (ret != GSS_S_COMPLETE)
+ return ret;
+
+ for (i = 0; name_list[i] != NULL; i++) {
+ ret = gss_add_oid_set_member(minor_status,
+ *(name_list[i]),
+ name_types);
+ if (ret != GSS_S_COMPLETE)
+ break;
+ }
+
+ if (ret != GSS_S_COMPLETE)
+ gss_release_oid_set(NULL, name_types);
+
+ return GSS_S_COMPLETE;
+}
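Review bot: The function returns GSS_S_COMPLETE unconditionally at the end, so when gss_add_oid_set_member fails the set has already been released, `*name_types` is GSS_C_NO_OID_SET and `*minor_status` carries the failure, yet the caller sees success and will dereference a null set. The last line should be `return ret;`. Setting `*name_types = GSS_C_NO_OID_SET` on the GSS_S_BAD_MECH path before any allocation is fine, and the loop/release structure is otherwise sound.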
diff --git a/crypto/heimdal/lib/gssapi/process_context_token.c b/crypto/heimdal/lib/gssapi/process_context_token.c
new file mode 100644
index 0000000..0cec33c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/process_context_token.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: process_context_token.c,v 1.1 2003/03/16 18:19:05 lha Exp $");
+
+OM_uint32 gss_process_context_token (
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer
+ )
+{
+ OM_uint32 ret = GSS_S_FAILURE;
+ gss_buffer_desc empty_buffer;
+ gss_qop_t qop_state;
+
+ empty_buffer.length = 0;
+ empty_buffer.value = NULL;
+
+ qop_state = GSS_C_QOP_DEFAULT;
+
+ ret = gss_verify_mic_internal(minor_status, context_handle,
+ token_buffer, &empty_buffer,
+ GSS_C_QOP_DEFAULT, "\x01\x02");
+
+ if (ret == GSS_S_COMPLETE)
+ ret = gss_delete_sec_context(minor_status,
+ (gss_ctx_id_t *)&context_handle,
+ GSS_C_NO_BUFFER);
+ if (ret == GSS_S_COMPLETE)
+ *minor_status = 0;
+
+ return ret;
+}
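Review bot: gss_delete_sec_context is invoked through `(gss_ctx_id_t *)&context_handle`, the address of the by-value parameter, so the context is freed but the caller's own handle still points at it and a later gss_delete_sec_context on that handle is a double free; this needs a prominent comment such as `/* a verified deletion token frees the context; the caller must treat its handle as invalid afterwards */`, or the deletion should be left to the caller. Separately, `qop_state` is initialized and never used, and the bare literal GSS_C_QOP_DEFAULT is passed where gss_verify_mic_internal takes a `gss_qop_t *`, which presumably only compiles as a null pointer because the macro is 0 — pass `NULL` (or `&qop_state`) explicitly. The `ret = GSS_S_FAILURE` initializer is dead, as the next statement overwrites it.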
diff --git a/crypto/heimdal/lib/gssapi/release_buffer.c b/crypto/heimdal/lib/gssapi/release_buffer.c
index f399a18..258b76f 100644
--- a/crypto/heimdal/lib/gssapi/release_buffer.c
+++ b/crypto/heimdal/lib/gssapi/release_buffer.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,13 +33,14 @@
#include "gssapi_locl.h"
-RCSID("$Id: release_buffer.c,v 1.4 2000/04/12 09:47:23 assar Exp $");
+RCSID("$Id: release_buffer.c,v 1.5 2003/03/16 17:58:20 lha Exp $");
OM_uint32 gss_release_buffer
(OM_uint32 * minor_status,
gss_buffer_t buffer
)
{
+ *minor_status = 0;
free (buffer->value);
buffer->value = NULL;
buffer->length = 0;
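Review bot: `*minor_status = 0;` is written without a NULL check here, while gss_release_name and gss_release_oid_set in this same import guard it with `if (minor_status)`; the release functions should agree, and since callers in this import (inquire_mechs_for_name.c, inquire_names_for_mech.c) already pass NULL to gss_release_oid_set, the guarded form is the one to standardize on. `free (buffer->value)` likewise has no guard for `buffer == GSS_C_NO_BUFFER`; a leading `if (buffer == GSS_C_NO_BUFFER) return GSS_S_COMPLETE;` would make the release NULL-safe and idempotent. gss_release_buffer's return is outside the hunk.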
diff --git a/crypto/heimdal/lib/gssapi/release_cred.c b/crypto/heimdal/lib/gssapi/release_cred.c
index a414a98..172b2eb 100644
--- a/crypto/heimdal/lib/gssapi/release_cred.c
+++ b/crypto/heimdal/lib/gssapi/release_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,18 +33,20 @@
#include "gssapi_locl.h"
-RCSID("$Id: release_cred.c,v 1.6 2002/08/20 12:02:45 nectar Exp $");
+RCSID("$Id: release_cred.c,v 1.8 2003/03/16 17:52:19 lha Exp $");
OM_uint32 gss_release_cred
(OM_uint32 * minor_status,
gss_cred_id_t * cred_handle
)
{
+ *minor_status = 0;
+
if (*cred_handle == GSS_C_NO_CREDENTIAL) {
return GSS_S_COMPLETE;
}
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT ();
if ((*cred_handle)->principal != NULL)
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
diff --git a/crypto/heimdal/lib/gssapi/release_name.c b/crypto/heimdal/lib/gssapi/release_name.c
index ce18a91..6894ffa 100644
--- a/crypto/heimdal/lib/gssapi/release_name.c
+++ b/crypto/heimdal/lib/gssapi/release_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,16 +33,18 @@
#include "gssapi_locl.h"
-RCSID("$Id: release_name.c,v 1.5 2000/04/12 09:48:27 assar Exp $");
+RCSID("$Id: release_name.c,v 1.7 2003/03/16 17:52:48 lha Exp $");
OM_uint32 gss_release_name
(OM_uint32 * minor_status,
gss_name_t * input_name
)
{
- gssapi_krb5_init ();
- krb5_free_principal(gssapi_krb5_context,
- *input_name);
- *input_name = GSS_C_NO_NAME;
- return GSS_S_COMPLETE;
+ GSSAPI_KRB5_INIT ();
+ if (minor_status)
+ *minor_status = 0;
+ krb5_free_principal(gssapi_krb5_context,
+ *input_name);
+ *input_name = GSS_C_NO_NAME;
+ return GSS_S_COMPLETE;
}
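Review bot: minor_status is now NULL-checked, but `input_name` and `*input_name` are not, so gss_release_name(&minor, NULL) dereferences NULL and a GSS_C_NO_NAME value goes straight to krb5_free_principal, whose tolerance of NULL cannot be confirmed from this hunk. A guard of `if (input_name == NULL || *input_name == GSS_C_NO_NAME) return GSS_S_COMPLETE;` before the free keeps release idempotent, which is the convention the other gss_release_* functions in this import lean toward.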
diff --git a/crypto/heimdal/lib/gssapi/release_oid_set.c b/crypto/heimdal/lib/gssapi/release_oid_set.c
index 4225788..04eb015 100644
--- a/crypto/heimdal/lib/gssapi/release_oid_set.c
+++ b/crypto/heimdal/lib/gssapi/release_oid_set.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,13 +33,15 @@
#include "gssapi_locl.h"
-RCSID("$Id: release_oid_set.c,v 1.4 2000/04/19 13:06:13 assar Exp $");
+RCSID("$Id: release_oid_set.c,v 1.5 2003/03/16 17:53:25 lha Exp $");
OM_uint32 gss_release_oid_set
(OM_uint32 * minor_status,
gss_OID_set * set
)
{
+ if (minor_status)
+ *minor_status = 0;
free ((*set)->elements);
free (*set);
*set = GSS_C_NO_OID_SET;
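Review bot: `free ((*set)->elements)` dereferences `*set` without checking for GSS_C_NO_OID_SET, so releasing an empty handle — which gss_inquire_names_for_mech in this very import hands back on its GSS_S_BAD_MECH path and after a failed add — is a NULL dereference as soon as the caller releases it. Add `if (*set == GSS_C_NO_OID_SET) return GSS_S_COMPLETE;` right after the minor_status assignment. gss_release_oid_set's return is outside the hunk.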
diff --git a/crypto/heimdal/lib/gssapi/test_acquire_cred.c b/crypto/heimdal/lib/gssapi/test_acquire_cred.c
new file mode 100644
index 0000000..29ed830
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_acquire_cred.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "gssapi_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_acquire_cred.c,v 1.2 2003/04/06 00:20:37 lha Exp $");
+
+static void
+print_time(OM_uint32 time_rec)
+{
+ if (time_rec == GSS_C_INDEFINITE) {
+ printf("cred never expire\n");
+ } else {
+ time_t t = time_rec;
+ printf("expiration time: %s", ctime(&t));
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ OM_uint32 major_status, minor_status;
+ gss_cred_id_t cred_handle, copy_cred;
+ OM_uint32 time_rec;
+
+ major_status = gss_acquire_cred(&minor_status,
+ GSS_C_NO_NAME,
+ 0,
+ NULL,
+ GSS_C_INITIATE,
+ &cred_handle,
+ NULL,
+ &time_rec);
+ if (GSS_ERROR(major_status))
+ errx(1, "acquire_cred failed");
+
+
+ print_time(time_rec);
+
+ major_status = gss_add_cred (&minor_status,
+ cred_handle,
+ GSS_C_NO_NAME,
+ GSS_KRB5_MECHANISM,
+ GSS_C_INITIATE,
+ 0,
+ 0,
+ &copy_cred,
+ NULL,
+ &time_rec,
+ NULL);
+
+ if (GSS_ERROR(major_status))
+ errx(1, "add_cred failed");
+
+ print_time(time_rec);
+
+ major_status = gss_release_cred(&minor_status,
+ &cred_handle);
+ if (GSS_ERROR(major_status))
+ errx(1, "release_cred failed");
+
+ major_status = gss_release_cred(&minor_status,
+ &copy_cred);
+ if (GSS_ERROR(major_status))
+ errx(1, "release_cred failed");
+
+ return 0;
+}
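Review bot: print_time treats `time_rec` as an absolute time_t and prints it with ctime(), but RFC 2744 defines the time_rec output of gss_acquire_cred and gss_add_cred as the number of seconds the credential remains valid; either the library is returning an expiry timestamp (in which case gss_inquire_context's lifetime_rec in this import is affected too) or this test prints dates in 1970. Until that is settled, print_time should carry `/* NOTE: assumes time_rec is an absolute expiry time, not seconds remaining as RFC 2744 specifies */`. The errx() calls also discard minor_status; printing it, or running it through gss_display_status, makes a failing test diagnosable.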
diff --git a/crypto/heimdal/lib/gssapi/test_oid_set_member.c b/crypto/heimdal/lib/gssapi/test_oid_set_member.c
index 47e9fa7..e747c5a 100644
--- a/crypto/heimdal/lib/gssapi/test_oid_set_member.c
+++ b/crypto/heimdal/lib/gssapi/test_oid_set_member.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: test_oid_set_member.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: test_oid_set_member.c,v 1.5 2003/03/16 17:54:06 lha Exp $");
OM_uint32 gss_test_oid_set_member (
OM_uint32 * minor_status,
@@ -44,14 +44,12 @@ OM_uint32 gss_test_oid_set_member (
{
size_t i;
+ *minor_status = 0;
*present = 0;
for (i = 0; i < set->count; ++i)
- if (member->length == set->elements[i].length
- && memcmp (member->elements,
- set->elements[i].elements,
- member->length) == 0) {
- *present = 1;
- break;
- }
+ if (gss_oid_equal(member, &set->elements[i]) != 0) {
+ *present = 1;
+ break;
+ }
return GSS_S_COMPLETE;
}
diff --git a/crypto/heimdal/lib/gssapi/unwrap.c b/crypto/heimdal/lib/gssapi/unwrap.c
index 5acb2e9..f2009be 100644
--- a/crypto/heimdal/lib/gssapi/unwrap.c
+++ b/crypto/heimdal/lib/gssapi/unwrap.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: unwrap.c,v 1.21 2002/09/03 17:33:11 joda Exp $");
+RCSID("$Id: unwrap.c,v 1.22 2003/03/16 17:54:43 lha Exp $");
OM_uint32
gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
@@ -53,7 +53,7 @@ gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
context_handle->auth_context,
&skey);
if(skey == NULL)
- return GSS_S_FAILURE;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
*key = skey;
return 0;
}
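Review bot: gss_krb5_get_remotekey now returns GSS_KRB5_S_KG_NO_SUBKEY, a Kerberos-style minor code, from a function whose other return is `0` and which gss_verify_mic_internal in this same import consumes with a bare `if (ret)`; the `/* XXX */` should tell the reader that: `/* returns a krb5 minor code, not a GSS major status; callers map it to GSS_S_FAILURE */`. The return value of krb5_auth_con_getremotesubkey (the call starts above this hunk) also appears to be ignored in favour of the `skey == NULL` test, which is worth confirming is sufficient. Since this is a public gss_krb5_* symbol, the minor-versus-major return convention belongs in its header comment.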
@@ -86,10 +86,8 @@ unwrap_des
ret = gssapi_krb5_verify_header (&p,
input_message_buffer->length,
"\x02\x01");
- if (ret) {
- *minor_status = 0;
+ if (ret)
return ret;
- }
if (memcmp (p, "\x00\x00", 2) != 0)
return GSS_S_BAD_SIG;
@@ -222,10 +220,8 @@ unwrap_des3
ret = gssapi_krb5_verify_header (&p,
input_message_buffer->length,
"\x02\x01");
- if (ret) {
- *minor_status = 0;
+ if (ret)
return ret;
- }
if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
return GSS_S_BAD_SIG;
@@ -398,6 +394,8 @@ OM_uint32 gss_unwrap
}
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+ *minor_status = 0;
+
switch (keytype) {
case KEYTYPE_DES :
ret = unwrap_des (minor_status, context_handle,
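Review bot: `krb5_enctype_to_keytype` is called only for its side effect on `keytype` and its return is discarded; if the mapping fails and `keytype` has no earlier initializer (not visible here), the switch reads an indeterminate value and reaches the default branch only by luck. Checking it, e.g. `if (krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype) != 0) { krb5_free_keyblock (gssapi_krb5_context, key); return GSS_S_FAILURE; }` with a suitable minor code, or initializing `keytype`, closes that. Clearing `*minor_status` ahead of the switch is consistent with unwrap_des/unwrap_des3 no longer clearing it on their header-verification failure paths in this import. gss_unwrap's body continues outside the hunk.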
diff --git a/crypto/heimdal/lib/gssapi/verify_mic.c b/crypto/heimdal/lib/gssapi/verify_mic.c
index 7915fa5..1775860 100644
--- a/crypto/heimdal/lib/gssapi/verify_mic.c
+++ b/crypto/heimdal/lib/gssapi/verify_mic.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: verify_mic.c,v 1.16 2002/05/20 15:14:00 nectar Exp $");
+RCSID("$Id: verify_mic.c,v 1.18.2.2 2003/05/05 18:59:42 lha Exp $");
static OM_uint32
verify_mic_des
@@ -42,7 +42,8 @@ verify_mic_des
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
- krb5_keyblock *key
+ krb5_keyblock *key,
+ char *type
)
{
u_char *p;
@@ -57,7 +58,7 @@ verify_mic_des
p = token_buffer->value;
ret = gssapi_krb5_verify_header (&p,
token_buffer->length,
- "\x01\x01");
+ type);
if (ret) {
*minor_status = 0;
return ret;
@@ -87,6 +88,7 @@ verify_mic_des
if (memcmp (p - 8, hash, 8) != 0) {
memset (deskey, 0, sizeof(deskey));
memset (schedule, 0, sizeof(schedule));
+ *minor_status = 0;
return GSS_S_BAD_MIC;
}
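Review bot: The MIC is checked with `memcmp (p - 8, hash, 8)`, which stops at the first differing byte and so leaks through timing how many leading bytes of a forged MIC were right; a MAC comparison should be constant-time, e.g. a small loop that ORs the XOR of all 8 byte pairs into an accumulator and tests it once. The `memset` calls scrubbing `deskey` and `schedule` before the return are dead stores from the compiler's point of view and may be elided under optimization; a volatile-pointer scrub or the platform's explicit_bzero is the reliable form. verify_mic_des's body extends beyond the hunk.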
@@ -112,6 +114,7 @@ verify_mic_des
memset (schedule, 0, sizeof(schedule));
if (memcmp (p, seq_data, 8) != 0) {
+ *minor_status = 0;
return GSS_S_BAD_MIC;
}
@@ -119,6 +122,7 @@ verify_mic_des
context_handle->auth_context,
++seq_number);
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
@@ -129,7 +133,8 @@ verify_mic_des3
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
- krb5_keyblock *key
+ krb5_keyblock *key,
+ char *type
)
{
u_char *p;
@@ -138,14 +143,15 @@ verify_mic_des3
OM_uint32 ret;
krb5_crypto crypto;
krb5_data seq_data;
- int cmp;
+ int cmp, docompat;
Checksum csum;
char *tmp;
+ char ivec[8];
p = token_buffer->value;
ret = gssapi_krb5_verify_header (&p,
token_buffer->length,
- "\x01\x01");
+ type);
if (ret) {
*minor_status = 0;
return ret;
@@ -167,22 +173,34 @@ verify_mic_des3
}
/* verify sequence number */
+ docompat = 0;
+retry:
+ if (docompat)
+ memset(ivec, 0, 8);
+ else
+ memcpy(ivec, p + 8, 8);
- ret = krb5_decrypt (gssapi_krb5_context,
- crypto,
- KRB5_KU_USAGE_SEQ,
- p, 8, &seq_data);
+ ret = krb5_decrypt_ivec (gssapi_krb5_context,
+ crypto,
+ KRB5_KU_USAGE_SEQ,
+ p, 8, &seq_data, ivec);
if (ret) {
- gssapi_krb5_set_error_string ();
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- *minor_status = ret;
- return GSS_S_FAILURE;
+ if (docompat++) {
+ gssapi_krb5_set_error_string ();
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ } else
+ goto retry;
}
if (seq_data.length != 8) {
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_data_free (&seq_data);
- return GSS_S_BAD_MIC;
+ if (docompat++) {
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ return GSS_S_BAD_MIC;
+ } else
+ goto retry;
}
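Review bot: The `docompat` retry silently re-decrypts the sequence number with a zero IV whenever the RFC 1964 IV (the 8 checksum bytes at `p + 8`) does not yield a valid value, so every peer is granted two IV conventions with no record that the fallback fired; at minimum the block needs `/* older Heimdal encrypted the DES3 sequence number with a zero IV instead of the checksum (RFC 1964 1.2.2); retry once for interoperability */`, and ideally the fallback is gated by a context flag so it can be disabled. The `if (docompat++)` idiom folds the test and the bump into one expression and is easy to misread; `if (docompat) { ...fail... } docompat = 1; goto retry;` says the same thing plainly. The `seq_data.length != 8` path correctly frees seq_data before retrying while the `ret` path has nothing to free, which is right but worth a word. verify_mic_des3 continues past the hunk.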
krb5_auth_getremoteseqnumber (gssapi_krb5_context,
@@ -198,8 +216,11 @@ verify_mic_des3
cmp = memcmp (seq, seq_data.data, seq_data.length);
krb5_data_free (&seq_data);
if (cmp != 0) {
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- return GSS_S_BAD_MIC;
+ if (docompat++) {
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ return GSS_S_BAD_MIC;
+ } else
+ goto retry;
}
/* verify checksum */
@@ -235,24 +256,24 @@ verify_mic_des3
++seq_number);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32
-gss_verify_mic
+gss_verify_mic_internal
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
- gss_qop_t * qop_state
+ gss_qop_t * qop_state,
+ char * type
)
{
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
- if (qop_state != NULL)
- *qop_state = GSS_C_QOP_DEFAULT;
ret = gss_krb5_get_remotekey(context_handle, &key);
if (ret) {
gssapi_krb5_set_error_string ();
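Review bot: gss_verify_mic_internal is a non-static function carrying the `gss_` prefix, so it lands in libgssapi's public namespace as if it were a standard API entry point; it is only called from process_context_token.c in this import and should get a private prefix (e.g. `gssapi_krb5_verify_mic_internal`) or at least a comment marking it internal. The `type` parameter is a string literal at both call sites and is never modified, so `const char *type` (and the same on verify_mic_des/verify_mic_des3) is the right signature. Dropping the `*qop_state = GSS_C_QOP_DEFAULT` default here is consistent with the public wrapper restoring it. The function body continues beyond the hunk.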
@@ -263,11 +284,13 @@ gss_verify_mic
switch (keytype) {
case KEYTYPE_DES :
ret = verify_mic_des (minor_status, context_handle,
- message_buffer, token_buffer, qop_state, key);
+ message_buffer, token_buffer, qop_state, key,
+ type);
break;
case KEYTYPE_DES3 :
ret = verify_mic_des3 (minor_status, context_handle,
- message_buffer, token_buffer, qop_state, key);
+ message_buffer, token_buffer, qop_state, key,
+ type);
break;
default :
*minor_status = KRB5_PROG_ETYPE_NOSUPP;
@@ -275,5 +298,27 @@ gss_verify_mic
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
+
+ return ret;
+}
+
+OM_uint32
+gss_verify_mic
+ (OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t * qop_state
+ )
+{
+ OM_uint32 ret;
+
+ if (qop_state != NULL)
+ *qop_state = GSS_C_QOP_DEFAULT;
+
+ ret = gss_verify_mic_internal(minor_status, context_handle,
+ message_buffer, token_buffer,
+ qop_state, "\x01\x01");
+
return ret;
}
diff --git a/crypto/heimdal/lib/gssapi/wrap.c b/crypto/heimdal/lib/gssapi/wrap.c
index 1a9d7ea..203cc89 100644
--- a/crypto/heimdal/lib/gssapi/wrap.c
+++ b/crypto/heimdal/lib/gssapi/wrap.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: wrap.c,v 1.20 2002/09/03 17:33:36 joda Exp $");
+RCSID("$Id: wrap.c,v 1.21 2003/03/16 17:57:48 lha Exp $");
OM_uint32
gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
@@ -109,6 +109,7 @@ gss_wrap_size_limit (
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
+ *minor_status = 0;
return ret;
}
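Review bot: `*minor_status = 0;` is written unconditionally after the switch and immediately before `return ret`, so whatever minor code the switch's default branch stored for an unsupported key type (the branch is above this hunk) is erased before the caller sees it. Clear minor_status before the switch, as gss_unwrap does in this same import, or guard it with `if (ret == GSS_S_COMPLETE)`. gss_wrap_size_limit's body starts outside the hunk.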
@@ -141,8 +142,10 @@ wrap_des
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
- if (output_message_buffer->value == NULL)
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
return GSS_S_FAILURE;
+ }
p = gssapi_krb5_make_header(output_message_buffer->value,
len,
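Review bot: On the ENOMEM path `output_message_buffer->length` has already been set to `total_len` while `value` is NULL, so a caller that inspects or releases the buffer after the failure sees a non-empty buffer with no storage. Reset it in the failure branch: `output_message_buffer->length = 0;` next to `*minor_status = ENOMEM;`. wrap_des's body extends outside the hunk.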
@@ -228,6 +231,7 @@ wrap_des
}
if(conf_state != NULL)
*conf_state = conf_req_flag;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
@@ -259,8 +263,10 @@ wrap_des3
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
- if (output_message_buffer->value == NULL)
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
return GSS_S_FAILURE;
+ }
p = gssapi_krb5_make_header(output_message_buffer->value,
len,
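Review bot: As in wrap_des, the ENOMEM branch leaves `output_message_buffer->length` at `total_len` with a NULL `value`; add `output_message_buffer->length = 0;` beside `*minor_status = ENOMEM;` so the failed output buffer is empty and safe to hand to gss_release_buffer. wrap_des3's body extends outside the hunk.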
@@ -395,6 +401,7 @@ wrap_des3
}
if(conf_state != NULL)
*conf_state = conf_req_flag;
+ *minor_status = 0;
return GSS_S_COMPLETE;
}