author | nectar <nectar@FreeBSD.org> | 2004-04-03 21:22:55 +0000 |
committer | nectar <nectar@FreeBSD.org> | 2004-04-03 21:22:55 +0000 |
commit | 0b7467aa1d31177dfe7bb2ce98cb99a8731f25a1 (patch) | |
tree | 72302297cfa274a4b9b86040b296290d593e34a9 /crypto/heimdal/lib/gssapi | |
parent | 51d0d2403952fc6bc99c3bba749cecc4a7b736b1 (diff) | |
parent | bfc5316dea97d244a21b45ed0dce56f39074ba1b (diff) | |
This commit was generated by cvs2svn to compensate for changes in r127808,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'crypto/heimdal/lib/gssapi')
-rw-r--r-- | crypto/heimdal/lib/gssapi/8003.c | 47 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/ChangeLog | 69 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/Makefile.am | 5 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/Makefile.in | 359 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/accept_sec_context.c | 22 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/acquire_cred.c | 12 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/add_cred.c | 56 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/arcfour.c | 623 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/arcfour.h | 98 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/context_time.c | 50 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/decapsulate.c | 81 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/encapsulate.c | 22 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/get_mic.c | 6 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/gssapi_locl.h | 33 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/init_sec_context.c | 43 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/release_cred.c | 12 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/unwrap.c | 7 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/verify_mic.c | 20 | ||||
-rw-r--r-- | crypto/heimdal/lib/gssapi/wrap.c | 8 |
19 files changed, 1372 insertions, 201 deletions
diff --git a/crypto/heimdal/lib/gssapi/8003.c b/crypto/heimdal/lib/gssapi/8003.c
index 677a25a..3b48182 100644
--- a/crypto/heimdal/lib/gssapi/8003.c
+++ b/crypto/heimdal/lib/gssapi/8003.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -33,10 +33,10 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: 8003.c,v 1.12 2002/10/31 14:38:49 joda Exp $");
+RCSID("$Id: 8003.c,v 1.12.2.2 2003/09/18 21:30:57 lha Exp $");
 
-static krb5_error_code
-encode_om_uint32(OM_uint32 n, u_char *p)
+krb5_error_code
+gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
 {
 p[0] = (n >> 0) & 0xFF;
 p[1] = (n >> 8) & 0xFF;
@@ -45,13 +45,30 @@ encode_om_uint32(OM_uint32 n, u_char *p)
 return 0;
 }
 
-static krb5_error_code
-decode_om_uint32(u_char *p, OM_uint32 *n)
+krb5_error_code
+gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
+{
+ p[0] = (n >> 24) & 0xFF;
+ p[1] = (n >> 16) & 0xFF;
+ p[2] = (n >> 8) & 0xFF;
+ p[3] = (n >> 0) & 0xFF;
+ return 0;
+}
+
+krb5_error_code
+gssapi_decode_om_uint32(u_char *p, OM_uint32 *n)
 {
 *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
 return 0;
 }
 
+krb5_error_code
+gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n)
+{
+ *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
+ return 0;
+}
+
 static krb5_error_code
 hash_input_chan_bindings (const gss_channel_bindings_t b,
 u_char *p)
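Review bot: In `gssapi_decode_om_uint32` and the new `gssapi_decode_be_om_uint32`, the highest byte is shifted as `p[3] << 24` (resp. `p[0] <<24`) on an int-promoted `u_char`; for a byte value of 0x80 or more the result does not fit in `int`, which is undefined behaviour in C, and in `gssapi_krb5_verify_8003_checksum` these bytes are read from `cksum->checksum.data`, i.e. from the peer. Widen each byte before shifting: `*n = ((OM_uint32)p[0] << 0) | ((OM_uint32)p[1] << 8) | ((OM_uint32)p[2] << 16) | ((OM_uint32)p[3] << 24);` and `*n = ((OM_uint32)p[0] << 24) | ((OM_uint32)p[1] << 16) | ((OM_uint32)p[2] << 8) | ((OM_uint32)p[3] << 0);`. Both decoders only read through `p`, so now that they are exported their parameter could also be declared `const u_char *p`.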
@@ -60,23 +77,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, MD5_CTX md5; MD5_Init(&md5); - encode_om_uint32 (b->initiator_addrtype, num); + gssapi_encode_om_uint32 (b->initiator_addrtype, num); MD5_Update (&md5, num, sizeof(num)); - encode_om_uint32 (b->initiator_address.length, num); + gssapi_encode_om_uint32 (b->initiator_address.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->initiator_address.length) MD5_Update (&md5, b->initiator_address.value, b->initiator_address.length); - encode_om_uint32 (b->acceptor_addrtype, num); + gssapi_encode_om_uint32 (b->acceptor_addrtype, num); MD5_Update (&md5, num, sizeof(num)); - encode_om_uint32 (b->acceptor_address.length, num); + gssapi_encode_om_uint32 (b->acceptor_address.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->acceptor_address.length) MD5_Update (&md5, b->acceptor_address.value, b->acceptor_address.length); - encode_om_uint32 (b->application_data.length, num); + gssapi_encode_om_uint32 (b->application_data.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->application_data.length) MD5_Update (&md5, @@ -117,7 +134,7 @@ gssapi_krb5_create_8003_checksum ( } p = result->checksum.data; - encode_om_uint32 (16, p); + gssapi_encode_om_uint32 (16, p); p += 4; if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { memset (p, 0, 16); @@ -125,7 +142,7 @@ gssapi_krb5_create_8003_checksum ( hash_input_chan_bindings (input_chan_bindings, p); } p += 16; - encode_om_uint32 (flags, p); + gssapi_encode_om_uint32 (flags, p); p += 4; if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { @@ -178,7 +195,7 @@ gssapi_krb5_verify_8003_checksum( } p = cksum->checksum.data; - decode_om_uint32(p, &length); + gssapi_decode_om_uint32(p, &length); if(length != sizeof(hash)) { *minor_status = 0; return GSS_S_BAD_BINDINGS; 
@@ -200,7 +217,7 @@ gssapi_krb5_verify_8003_checksum( p += sizeof(hash); - decode_om_uint32(p, flags); + gssapi_decode_om_uint32(p, flags); p += 4; if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) { diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog index d08f72b..b18bde6 100644 --- a/crypto/heimdal/lib/gssapi/ChangeLog +++ b/crypto/heimdal/lib/gssapi/ChangeLog 
@@ -1,3 +1,72 @@ +2003-12-19 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c: 1.40->1.41: Don't require timestamp to be + set on delegated token, its already protected by the outer token + (and windows doesn't alway send it) Pointed out by Zi-Bin Yang + <zbyang@decru.com> on heimdal-discuss + +2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * add_cred.c: 1.3->1.4: If its a MEMORY cc, make a copy. We need + to do this since now gss_release_cred will destroy the cred. This + should be really be solved a better way. + +2003-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * release_cred.c: 1.9->1.10: + (gss_release_cred): if its a mcc, destroy it rather the just release it + Found by: "Zi-Bin Yang" <zbyang@decru.com> + +2003-09-19 Love Hörnquist Åstrand <lha@it.su.se> + + * arcfour.c: 1.13->1.14: remove depenency on gss_arcfour_mic_token + and gss_arcfour_warp_token + + * arcfour.h: 1.3->1.4: remove depenency on gss_arcfour_mic_token + and gss_arcfour_warp_token + + * arcfour.c: make build + + * get_mic.c, verify_mic.c, unwrap.c, wrap.c: + glue in arcfour support + + * gssapi_locl.h: 1.32->1.33: add _gssapi_verify_pad + +2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> + + * encapsulate.c: add _gssapi_make_mech_header + + * gssapi_locl.h: add "arcfour.h" and prototype for + _gssapi_make_mech_header + + * gssapi_locl.h: add gssapi_{en,de}code_{be_,}om_uint32 + + * 8003.c: 1.12->1.13: export and rename + encode_om_uint32/decode_om_uint32 and start to use them + +2003-08-16 Love Hörnquist Åstrand <lha@it.su.se> + + * verify_mic.c: 1.21->1.22: make sure minor_status is always set, + pointed out by Luke Howard <lukeh@PADL.COM> + +2003-08-15 Love Hörnquist Åstrand <lha@it.su.se> + + * context_time.c: 1.7->1.10: return time in seconds from now + + * gssapi_locl.h: add gssapi_lifetime_left + + * init_sec_context.c: part of 1.37->1.38: (init_auth): if the cred + is expired before we tries to create a token, fail so the peer + doesn't need reject us + (*): 
make sure time is returned in seconds from now, not in + kerberos time + + * acquire_cred.c: 1.14->1.15: (gss_aquire_cred): make sure time is + returned in seconds from now, not in kerberos time + + * accept_sec_context.c: 1.34->1.35: (gss_accept_sec_context): make + sure time is returned in seconds from now, not in kerberos time + 2003-05-07 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.h: 1.27->1.28: diff --git a/crypto/heimdal/lib/gssapi/Makefile.am b/crypto/heimdal/lib/gssapi/Makefile.am index 6d232e5..2988d6a 100644 --- a/crypto/heimdal/lib/gssapi/Makefile.am +++ b/crypto/heimdal/lib/gssapi/Makefile.am @@ -1,11 +1,11 @@ -# $Id: Makefile.am,v 1.44.2.5 2003/05/12 15:20:46 joda Exp $ +# $Id: Makefile.am,v 1.44.2.7 2003/10/14 16:13:13 joda Exp $ include $(top_srcdir)/Makefile.am.common INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4) lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 4:0:3 +libgssapi_la_LDFLAGS = -version-info 5:0:4 libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la man_MANS = gssapi.3 gss_acquire_cred.3 @@ -14,6 +14,7 @@ include_HEADERS = gssapi.h libgssapi_la_SOURCES = \ 8003.c \ + arcfour.c \ accept_sec_context.c \ acquire_cred.c \ add_cred.c \ diff --git a/crypto/heimdal/lib/gssapi/Makefile.in b/crypto/heimdal/lib/gssapi/Makefile.in index 7ce1a6e..565fd2c 100644 --- a/crypto/heimdal/lib/gssapi/Makefile.in +++ b/crypto/heimdal/lib/gssapi/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.6.1 from Makefile.am. +# Makefile.in generated by automake 1.7.9 from Makefile.am. # @configure_input@ -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 +# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 # Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -14,113 +14,195 @@ @SET_MAKE@ -# $Id: Makefile.am,v 1.44.2.5 2003/05/12 15:20:46 joda Exp $ +# $Id: Makefile.am,v 1.44.2.7 2003/10/14 16:13:13 joda Exp $ # $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ -# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $ -SHELL = @SHELL@ +# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ srcdir = @srcdir@ top_srcdir = @top_srcdir@ VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ top_builddir = ../.. -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ +install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ +transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : -host_alias = @host_alias@ host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ +ACLOCAL = @ACLOCAL@ +AIX4_FALSE = @AIX4_FALSE@ +AIX4_TRUE = @AIX4_TRUE@ +AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ +AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AIX_FALSE = @AIX_FALSE@ +AIX_TRUE = @AIX_TRUE@ AMTAR = @AMTAR@ -AS = @AS@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ 
+AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ +CATMAN_FALSE = @CATMAN_FALSE@ +CATMAN_TRUE = @CATMAN_TRUE@ CC = @CC@ +CFLAGS = @CFLAGS@ COMPILE_ET = @COMPILE_ET@ CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ +DCE_FALSE = @DCE_FALSE@ +DCE_TRUE = @DCE_TRUE@ +DEFS = @DEFS@ DIR_com_err = @DIR_com_err@ DIR_des = @DIR_des@ DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ EXTRA_LIB45 = @EXTRA_LIB45@ +F77 = @F77@ +FFLAGS = @FFLAGS@ GROFF = @GROFF@ +HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ +HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ +HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ +HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ +HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ +HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ +HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ +HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ +HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ +HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ +HAVE_X_FALSE = @HAVE_X_FALSE@ +HAVE_X_TRUE = @HAVE_X_TRUE@ INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ INCLUDE_des = @INCLUDE_des@ +INCLUDE_hesiod = @INCLUDE_hesiod@ + +INCLUDE_krb4 = @INCLUDE_krb4@ + +INCLUDE_openldap = @INCLUDE_openldap@ + +INCLUDE_readline = @INCLUDE_readline@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IRIX_FALSE = @IRIX_FALSE@ +IRIX_TRUE = @IRIX_TRUE@ +KRB4_FALSE = @KRB4_FALSE@ +KRB4_TRUE = @KRB4_TRUE@ +KRB5_FALSE = @KRB5_FALSE@ +KRB5_TRUE = @KRB5_TRUE@ +LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ LIB_NDBM = @LIB_NDBM@ +LIB_XauFileName = @LIB_XauFileName@ + +LIB_XauReadAuth = @LIB_XauReadAuth@ 
+LIB_XauWriteAuth = @LIB_XauWriteAuth@ +LIB_bswap16 = @LIB_bswap16@ +LIB_bswap32 = @LIB_bswap32@ LIB_com_err = @LIB_com_err@ LIB_com_err_a = @LIB_com_err_a@ LIB_com_err_so = @LIB_com_err_so@ +LIB_crypt = @LIB_crypt@ +LIB_db_create = @LIB_db_create@ +LIB_dbm_firstkey = @LIB_dbm_firstkey@ +LIB_dbopen = @LIB_dbopen@ LIB_des = @LIB_des@ LIB_des_a = @LIB_des_a@ LIB_des_appl = @LIB_des_appl@ LIB_des_so = @LIB_des_so@ +LIB_dlopen = @LIB_dlopen@ +LIB_dn_expand = @LIB_dn_expand@ +LIB_el_init = @LIB_el_init@ +LIB_freeaddrinfo = @LIB_freeaddrinfo@ +LIB_gai_strerror = @LIB_gai_strerror@ +LIB_getaddrinfo = @LIB_getaddrinfo@ +LIB_gethostbyname = @LIB_gethostbyname@ +LIB_gethostbyname2 = @LIB_gethostbyname2@ +LIB_getnameinfo = @LIB_getnameinfo@ +LIB_getpwnam_r = @LIB_getpwnam_r@ +LIB_getsockopt = @LIB_getsockopt@ +LIB_hesiod = @LIB_hesiod@ +LIB_hstrerror = @LIB_hstrerror@ LIB_kdb = @LIB_kdb@ +LIB_krb4 = @LIB_krb4@ +LIB_krb_disable_debug = @LIB_krb_disable_debug@ +LIB_krb_enable_debug = @LIB_krb_enable_debug@ +LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ +LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ +LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ +LIB_loadquery = @LIB_loadquery@ +LIB_logout = @LIB_logout@ +LIB_logwtmp = @LIB_logwtmp@ +LIB_openldap = @LIB_openldap@ +LIB_openpty = @LIB_openpty@ LIB_otp = @LIB_otp@ +LIB_pidfile = @LIB_pidfile@ +LIB_readline = @LIB_readline@ +LIB_res_nsearch = @LIB_res_nsearch@ +LIB_res_search = @LIB_res_search@ LIB_roken = @LIB_roken@ LIB_security = @LIB_security@ +LIB_setsockopt = @LIB_setsockopt@ +LIB_socket = @LIB_socket@ +LIB_syslog = @LIB_syslog@ +LIB_tgetent = @LIB_tgetent@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ +MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ +MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ +MAKEINFO = @MAKEINFO@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTP_FALSE = @OTP_FALSE@ 
+OTP_TRUE = @OTP_TRUE@ PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ RANLIB = @RANLIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ 
@@ -132,14 +214,57 @@ X_EXTRA_LIBS = @X_EXTRA_LIBS@ X_LIBS = @X_LIBS@ X_PRE_LIBS = @X_PRE_LIBS@ YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +ac_ct_RANLIB = @ac_ct_RANLIB@ +ac_ct_STRIP = @ac_ct_STRIP@ +am__leading_dot = @am__leading_dot@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +datadir = @datadir@ +do_roken_rename_FALSE = @do_roken_rename_FALSE@ +do_roken_rename_TRUE = @do_roken_rename_TRUE@ dpagaix_cflags = @dpagaix_cflags@ dpagaix_ldadd = @dpagaix_ldadd@ dpagaix_ldflags = @dpagaix_ldflags@ +el_compat_FALSE = @el_compat_FALSE@ +el_compat_TRUE = @el_compat_TRUE@ +exec_prefix = @exec_prefix@ +have_err_h_FALSE = @have_err_h_FALSE@ +have_err_h_TRUE = @have_err_h_TRUE@ +have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ +have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ +have_glob_h_FALSE = @have_glob_h_FALSE@ +have_glob_h_TRUE = @have_glob_h_TRUE@ +have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ +have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ +have_vis_h_FALSE = @have_vis_h_FALSE@ +have_vis_h_TRUE = @have_vis_h_TRUE@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +includedir = @includedir@ +infodir = @infodir@ install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 +libdir = @libdir@ +libexecdir = @libexecdir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +oldincludedir = @oldincludedir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 
@@ -152,44 +277,13 @@ AM_CFLAGS = $(WFLAGS) CP = cp buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ NROFF_MAN = groff -mandoc -Tascii @@ -203,7 +297,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 4:0:3 +libgssapi_la_LDFLAGS = -version-info 5:0:4 libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la man_MANS = gssapi.3 gss_acquire_cred.3 @@ -212,6 +306,7 @@ include_HEADERS = gssapi.h libgssapi_la_SOURCES = \ 8003.c \ + arcfour.c \ accept_sec_context.c \ acquire_cred.c \ add_cred.c \ @@ -257,6 +352,7 @@ libgssapi_la_SOURCES = \ address_to_krb5addr.c subdir = lib/gssapi +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/include/config.h CONFIG_CLEAN_FILES = 
@@ -264,27 +360,23 @@ LTLIBRARIES = $(lib_LTLIBRARIES) libgssapi_la_DEPENDENCIES = ../krb5/libkrb5.la ../asn1/libasn1.la \ ../roken/libroken.la -am_libgssapi_la_OBJECTS = 8003.lo accept_sec_context.lo acquire_cred.lo \ - add_cred.lo add_oid_set_member.lo canonicalize_name.lo \ - compare_name.lo compat.lo context_time.lo copy_ccache.lo \ - create_emtpy_oid_set.lo decapsulate.lo delete_sec_context.lo \ - display_name.lo display_status.lo duplicate_name.lo \ - encapsulate.lo export_sec_context.lo export_name.lo external.lo \ - get_mic.lo import_name.lo import_sec_context.lo \ - indicate_mechs.lo init.lo init_sec_context.lo \ - inquire_context.lo inquire_cred.lo inquire_cred_by_mech.lo \ - inquire_mechs_for_name.lo inquire_names_for_mech.lo \ - release_buffer.lo release_cred.lo release_name.lo \ - release_oid_set.lo process_context_token.lo \ +am_libgssapi_la_OBJECTS = 8003.lo arcfour.lo accept_sec_context.lo \ + acquire_cred.lo add_cred.lo add_oid_set_member.lo \ + canonicalize_name.lo compare_name.lo compat.lo context_time.lo \ + copy_ccache.lo create_emtpy_oid_set.lo decapsulate.lo \ + delete_sec_context.lo display_name.lo display_status.lo \ + duplicate_name.lo encapsulate.lo export_sec_context.lo \ + export_name.lo external.lo get_mic.lo import_name.lo \ + import_sec_context.lo indicate_mechs.lo init.lo \ + init_sec_context.lo inquire_context.lo inquire_cred.lo \ + inquire_cred_by_mech.lo inquire_mechs_for_name.lo \ + inquire_names_for_mech.lo release_buffer.lo release_cred.lo \ + release_name.lo release_oid_set.lo process_context_token.lo \ test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo wrap.lo \ address_to_krb5addr.lo libgssapi_la_OBJECTS = $(am_libgssapi_la_OBJECTS) -DEFS = @DEFS@ DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -294,12 +386,13 @@ LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ CCLD = $(CC) LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ DIST_SOURCES = $(libgssapi_la_SOURCES) MANS = $(man_MANS) HEADERS = $(include_HEADERS) -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in +DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.in \ + $(top_srcdir)/Makefile.am.common \ + $(top_srcdir)/cf/Makefile.am.common ChangeLog Makefile.am SOURCES = $(libgssapi_la_SOURCES) all: all-am @@ -333,6 +426,12 @@ uninstall-libLTLIBRARIES: clean-libLTLIBRARIES: -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" = "$$p" && dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES) $(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS) @@ -346,7 +445,7 @@ distclean-compile: $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< .c.obj: - $(COMPILE) -c `cygpath -w $<` + $(COMPILE) -c `if test -f '$<'; then $(CYGPATH_W) '$<'; else $(CYGPATH_W) '$(srcdir)/$<'; fi` .c.lo: $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< @@ -376,6 +475,10 @@ install-man3: $(man3_MANS) $(man_MANS) if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 3*) ;; \ + *) ext='3' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ 
@@ -393,6 +496,10 @@ uninstall-man3: done; \ for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 3*) ;; \ + *) ext='3' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -421,6 +528,9 @@ uninstall-includeHEADERS: ETAGS = etags ETAGSFLAGS = +CTAGS = ctags +CTAGSFLAGS = + tags: TAGS ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) 
@@ -446,20 +556,42 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$tags $$unique +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && cd $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) $$here distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) top_distdir = ../.. distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) distdir: $(DISTFILES) - @for file in $(DISTFILES); do \ + $(mkinstalldirs) $(distdir)/../.. $(distdir)/../../cf + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ + list='$(DISTFILES)'; for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ + esac; \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ if test "$$dir" != "$$file" && test "$$dir" != "."; then \ @@ -480,7 +612,7 @@ distdir: $(DISTFILES) fi; \ done $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ dist-hook check-am: all-am $(MAKE) $(AM_MAKEFLAGS) check-local 
@@ -489,7 +621,6 @@ all-am: Makefile $(LTLIBRARIES) $(MANS) $(HEADERS) all-local installdirs: $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(man3dir) $(DESTDIR)$(includedir) - install: install-am install-exec: install-exec-am install-data: install-data-am @@ -501,7 +632,7 @@ install-am: all-am installcheck: installcheck-am install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ `test -z '$(STRIP)' || \ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install mostlyclean-generic: @@ -509,7 +640,7 @@ mostlyclean-generic: clean-generic: distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) stamp-h stamp-h[0-9]* + -rm -f $(CONFIG_CLEAN_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -520,7 +651,7 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am - + -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-libtool distclean-tags @@ -547,7 +678,7 @@ install-man: install-man3 installcheck-am: maintainer-clean: maintainer-clean-am - + -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am 
@@ -555,24 +686,32 @@ mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + uninstall-am: uninstall-includeHEADERS uninstall-info-am \ uninstall-libLTLIBRARIES uninstall-man uninstall-man: uninstall-man3 -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ +.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ + clean clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am info info-am install \ install-am install-data install-data-am install-exec \ install-exec-am install-includeHEADERS install-info \ install-info-am install-libLTLIBRARIES install-man install-man3 \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ - uninstall-man3 + mostlyclean-compile mostlyclean-generic mostlyclean-libtool pdf \ + pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-includeHEADERS uninstall-info-am \ + uninstall-libLTLIBRARIES uninstall-man uninstall-man3 install-suid-programs: diff --git a/crypto/heimdal/lib/gssapi/accept_sec_context.c b/crypto/heimdal/lib/gssapi/accept_sec_context.c index 62a0573..d923c36 100644 --- a/crypto/heimdal/lib/gssapi/accept_sec_context.c +++ b/crypto/heimdal/lib/gssapi/accept_sec_context.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: accept_sec_context.c,v 1.33 2003/03/16 17:41:12 lha Exp $"); +RCSID("$Id: accept_sec_context.c,v 1.33.2.2 2003/12/19 00:37:06 lha Exp $"); krb5_keytab gssapi_krb5_keytab; 
@@ -291,8 +291,8 @@ gss_accept_sec_context } if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { - krb5_ccache ccache; + int32_t ac_flags; if (delegated_cred_handle == NULL) /* XXX Create a new delegated_cred_handle? */ @@ -346,10 +346,19 @@ gss_accept_sec_context goto end_fwd; } + krb5_auth_con_getflags(gssapi_krb5_context, + (*context_handle)->auth_context, + &ac_flags); + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); kret = krb5_rd_cred2(gssapi_krb5_context, (*context_handle)->auth_context, ccache, &fwd_data); + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + ac_flags); if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto end_fwd; @@ -371,8 +380,13 @@ gss_accept_sec_context if (mech_type) *mech_type = GSS_KRB5_MECHANISM; - if (time_rec) - *time_rec = (*context_handle)->lifetime; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + if (ret) + goto failure; + } if(flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; diff --git a/crypto/heimdal/lib/gssapi/acquire_cred.c b/crypto/heimdal/lib/gssapi/acquire_cred.c index 503ac91..dfe2b4c 100644 --- a/crypto/heimdal/lib/gssapi/acquire_cred.c +++ b/crypto/heimdal/lib/gssapi/acquire_cred.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: acquire_cred.c,v 1.13 2003/04/06 00:31:55 lha Exp $"); +RCSID("$Id: acquire_cred.c,v 1.13.2.1 2003/08/15 14:18:24 lha Exp $"); static krb5_error_code get_keytab(krb5_keytab *keytab) @@ -295,8 +295,14 @@ OM_uint32 gss_acquire_cred return (ret); } *minor_status = 0; - if (time_rec) - *time_rec = handle->lifetime; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + handle->lifetime, + time_rec); + + if (ret) + return ret; + } handle->usage = cred_usage; *output_cred_handle = handle; return (GSS_S_COMPLETE); 
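Review bot: The return value of `krb5_auth_con_getflags` is ignored and `ac_flags` has no other initializer, so if that call fails an indeterminate value is written back by the two `krb5_auth_con_setflags` calls around `krb5_rd_cred2`; their return values are dropped as well. Check it the way `krb5_rd_cred2` is checked just below: `kret = krb5_auth_con_getflags(gssapi_krb5_context, (*context_handle)->auth_context, &ac_flags);` followed by `if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto end_fwd; }`. Clearing `KRB5_AUTH_CONTEXT_DO_TIME` while reading the forwarded credential is a deliberate relaxation of timestamp checking that the code itself does not explain; a comment such as `/* the KRB-CRED is bound to the already-verified outer token, so do not require its own timestamp (not always sent) */` would record the ChangeLog rationale at the point of use. `gss_accept_sec_context` begins and ends outside this hunk.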
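Review bot: In `gss_acquire_cred` the new `if (ret) return ret;` after `gssapi_lifetime_left` leaves the function with `handle` still allocated and `*output_cred_handle` unset; the failure path visible just above ends with `return (ret);` and, assuming it releases `handle` like the function's other error paths, this new path should release it the same way before returning. `gss_acquire_cred` begins outside this hunk.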
diff --git a/crypto/heimdal/lib/gssapi/add_cred.c b/crypto/heimdal/lib/gssapi/add_cred.c index 1e23a5b..53d4f33 100644 --- a/crypto/heimdal/lib/gssapi/add_cred.c +++ b/crypto/heimdal/lib/gssapi/add_cred.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: add_cred.c,v 1.2 2003/04/06 00:29:17 lha Exp $"); +RCSID("$Id: add_cred.c,v 1.2.2.1 2003/10/21 21:00:47 lha Exp $"); OM_uint32 gss_add_cred ( OM_uint32 *minor_status, @@ -152,25 +152,43 @@ OM_uint32 gss_add_cred ( goto failure; } - name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); - if (name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - asprintf(&type_name, "%s:%s", type, name); - if (type_name == NULL) { - *minor_status = ENOMEM; - goto failure; + if (strcmp(type, "MEMORY") == 0) { + ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, + &handle->ccache); + if (ret) { + *minor_status = ret; + goto failure; + } + + ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, + handle->ccache); + if (ret) { + *minor_status = ret; + goto failure; + } + + } else { + + name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); + if (name == NULL) { + *minor_status = ENOMEM; + goto failure; + } + + asprintf(&type_name, "%s:%s", type, name); + if (type_name == NULL) { + *minor_status = ENOMEM; + goto failure; + } + + kret = krb5_cc_resolve(gssapi_krb5_context, type_name, + &handle->ccache); + free(type_name); + if (kret) { + *minor_status = kret; + goto failure; + } } - - kret = krb5_cc_resolve(gssapi_krb5_context, type_name, - &handle->ccache); - free(type_name); - if (kret) { - *minor_status = kret; - goto failure; - } } ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); diff --git a/crypto/heimdal/lib/gssapi/arcfour.c b/crypto/heimdal/lib/gssapi/arcfour.c new file mode 100644 index 0000000..66d688c --- /dev/null +++ b/crypto/heimdal/lib/gssapi/arcfour.c 
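Review bot: The MEMORY branch stores the `krb5_cc_gen_new` and `krb5_cc_copy_cache` results in `ret`, the variable the `else` branch and the following `gss_create_empty_oid_set` call use for GSS status, while the `else` branch keeps krb5 results in `kret`; using `kret` in both branches (`kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, &handle->ccache);` and `if (kret) { *minor_status = kret; goto failure; }`) keeps the two error-code namespaces apart and matches the surrounding style. The reason for copying a MEMORY cache instead of resolving it by name is only given in the ChangeLog; a comment such as `/* gss_release_cred destroys the ccache, so a MEMORY cache must be copied rather than shared with the original credential */` on the `strcmp` line would carry it into the code. `gss_add_cred` begins and ends outside this hunk.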
@@ -0,0 +1,623 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+/*
+ * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
+ */
+
+RCSID("$Id: arcfour.c,v 1.12.2.3 2003/09/19 15:15:11 lha Exp $");
+
+static krb5_error_code
+arcfour_mic_key(krb5_context context, krb5_keyblock *key,
+ void *cksum_data, size_t cksum_size,
+ void *key6_data, size_t key6_size)
+{
+ krb5_error_code ret;
+
+ Checksum cksum_k5;
+ krb5_keyblock key5;
+ char k5_data[16];
+
+ Checksum cksum_k6;
+
+ char T[4];
+
+ memset(T, 0, 4);
+ cksum_k5.checksum.data = k5_data;
+ cksum_k5.checksum.length = sizeof(k5_data);
+
+ if (key->keytype == KEYTYPE_ARCFOUR_56) {
+ char L40[14] = "fortybits";
+
+ memcpy(L40 + 10, T, sizeof(T));
+ ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+ L40, 14, 0, key, &cksum_k5);
+ memset(&k5_data[7], 0xAB, 9);
+ } else {
+ ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+ T, 4, 0, key, &cksum_k5);
+ }
+ if (ret)
+ return ret;
+
+ key5.keytype = KEYTYPE_ARCFOUR;
+ key5.keyvalue = cksum_k5.checksum;
+
+ cksum_k6.checksum.data = key6_data;
+ cksum_k6.checksum.length = key6_size;
+
+ return krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+ cksum_data, cksum_size, 0, &key5, &cksum_k6);
+}
+
+
+static krb5_error_code
+arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
+ u_char *sgn_cksum, size_t sgn_cksum_sz,
+ const char *v1, size_t l1,
+ const void *v2, size_t l2,
+ const void *v3, size_t l3)
+{
+ Checksum CKSUM;
+ u_char *ptr;
+ size_t len;
+ krb5_crypto crypto;
+ krb5_error_code ret;
+
+ assert(sgn_cksum_sz == 8);
+
+ len = l1 + l2 + l3;
+
+ ptr = malloc(len);
+ if (ptr == NULL)
+ return ENOMEM;
+
+ memcpy(ptr, v1, l1);
+ memcpy(ptr + l1, v2, l2);
+ memcpy(ptr + l1 + l2, v3, l3);
+
+ ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+ if (ret) {
+ free(ptr);
+ return ret;
+ }
+
+ ret = krb5_create_checksum(gssapi_krb5_context,
+ crypto,
+ usage,
+ 0,
+ ptr, len,
+ &CKSUM);
+ free(ptr);
+ if (ret == 0) {
+ memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
+ free_Checksum(&CKSUM);
+ }
+
krb5_crypto_destroy(gssapi_krb5_context, crypto);
+
+ return ret;
+}
+
+
+OM_uint32
+_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ int32_t seq_number;
+ size_t len, total_len;
+ u_char k6_data[16], *p0, *p;
+ RC4_KEY rc4_key;
+
+ gssapi_krb5_encap_length (22, &len, &total_len);
+
+ message_token->length = total_len;
+ message_token->value = malloc (total_len);
+ if (message_token->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ p0 = _gssapi_make_mech_header(message_token->value,
+ len);
+ p = p0;
+
+ *p++ = 0x01; /* TOK_ID */
+ *p++ = 0x01;
+ *p++ = 0x11; /* SGN_ALG */
+ *p++ = 0x00;
+ *p++ = 0xff; /* Filler */
+ *p++ = 0xff;
+ *p++ = 0xff;
+ *p++ = 0xff;
+
+ p = NULL;
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
+ p0 + 16, 8, /* SGN_CKSUM */
+ p0, 8, /* TOK_ID, SGN_ALG, Filer */
+ message_buffer->value, message_buffer->length,
+ NULL, 0);
+ if (ret) {
+ gss_release_buffer(minor_status, message_token);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ p0 + 16, 8, /* SGN_CKSUM */
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ gss_release_buffer(minor_status, message_token);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number);
+ p = p0 + 8; /* SND_SEQ */
+ gssapi_encode_be_om_uint32(seq_number, p);
+
+ krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number);
+
+ memset (p + 4, (context_handle->more_flags & LOCAL) ?
0 : 0xff, 4);
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p, p);
+
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+
+OM_uint32
+_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t * qop_state,
+ krb5_keyblock *key,
+ char *type)
+{
+ krb5_error_code ret;
+ int32_t seq_number, seq_number2;
+ OM_uint32 omret;
+ char cksum_data[8], k6_data[16], SND_SEQ[8];
+ u_char *p;
+ int cmp;
+
+ if (qop_state)
+ *qop_state = 0;
+
+ p = token_buffer->value;
+ omret = gssapi_krb5_verify_header (&p,
+ token_buffer->length,
+ type);
+ if (omret)
+ return omret;
+
+ if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
+ return GSS_S_BAD_SIG;
+ p += 2;
+ if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+ return GSS_S_BAD_MIC;
+ p += 4;
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
+ cksum_data, sizeof(cksum_data),
+ p - 8, 8,
+ message_buffer->value, message_buffer->length,
+ NULL, 0);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ cksum_data, sizeof(cksum_data),
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ cmp = memcmp(cksum_data, p + 8, 8);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p, SND_SEQ);
+
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+ }
+
+ gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+ cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+ cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number2);
+
+ if (seq_number != seq_number2) {
+ *minor_status = 0;
+ return GSS_S_UNSEQ_TOKEN;
+ }
+
+ krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number2);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gssapi_wrap_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int * conf_state,
+ gss_buffer_t output_message_buffer,
+ krb5_keyblock *key)
+{
+ u_char Klocaldata[16], k6_data[16], *p, *p0;
+ size_t len, total_len, datalen;
+ krb5_keyblock Klocal;
+ krb5_error_code ret;
+ int32_t seq_number;
+
+ if (conf_state)
+ *conf_state = 0;
+
+ datalen = input_message_buffer->length + 1 /* padding */;
+ len = datalen + 30;
+ gssapi_krb5_encap_length (len, &len, &total_len);
+
+ output_message_buffer->length = total_len;
+ output_message_buffer->value = malloc (total_len);
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ p0 = _gssapi_make_mech_header(output_message_buffer->value,
+ len);
+ p = p0;
+
+ *p++ = 0x02; /* TOK_ID */
+ *p++ = 0x01;
+ *p++ = 0x11; /* SGN_ALG */
+ *p++ = 0x00;
+ if (conf_req_flag) {
+ *p++ = 0x10; /* SEAL_ALG */
+ *p++ = 0x00;
+ } else {
+ *p++ = 0xff; /* SEAL_ALG */
+ *p++ = 0xff;
+ }
+ *p++ = 0xff; /* Filler */
+ *p++ = 0xff;
+
+ p = NULL;
+
+ krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number);
+
+ gssapi_encode_be_om_uint32(seq_number, p0 + 8);
+
+ krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number);
+
+ memset (p0 + 8 + 4,
+ (context_handle->more_flags & LOCAL) ?
0 : 0xff,
+ 4);
+
+ krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */
+
+ /* p points to data */
+ p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+ memcpy(p, input_message_buffer->value, input_message_buffer->length);
+ p[input_message_buffer->length] = 1; /* PADDING */
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
+ p0 + 16, 8, /* SGN_CKSUM */
+ p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
+ p0 + 24, 8, /* Confounder */
+ p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+ datalen);
+ if (ret) {
+ *minor_status = ret;
+ gss_release_buffer(minor_status, output_message_buffer);
+ return GSS_S_FAILURE;
+ }
+
+ {
+ int i;
+
+ Klocal.keytype = key->keytype;
+ Klocal.keyvalue.data = Klocaldata;
+ Klocal.keyvalue.length = sizeof(Klocaldata);
+
+ for (i = 0; i < 16; i++)
+ Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
+ }
+ ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
+ p0 + 8, 4, /* SND_SEQ */
+ k6_data, sizeof(k6_data));
+ memset(Klocaldata, 0, sizeof(Klocaldata));
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+
+ if(conf_req_flag) {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ /* XXX ?
*/
+ RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ }
+ memset(k6_data, 0, sizeof(k6_data));
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ p0 + 16, 8, /* SGN_CKSUM */
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+ }
+
+ if (conf_state)
+ *conf_state = conf_req_flag;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ krb5_keyblock *key)
+{
+ u_char Klocaldata[16];
+ krb5_keyblock Klocal;
+ krb5_error_code ret;
+ int32_t seq_number, seq_number2;
+ size_t datalen;
+ OM_uint32 omret;
+ char k6_data[16], SND_SEQ[8], Confounder[8];
+ char cksum_data[8];
+ u_char *p, *p0;
+ int cmp;
+ int conf_flag;
+ size_t padlen;
+
+ if (conf_state)
+ *conf_state = 0;
+ if (qop_state)
+ *qop_state = 0;
+
+ p0 = input_message_buffer->value;
+ omret = _gssapi_verify_mech_header(&p0,
+ input_message_buffer->length);
+ if (omret)
+ return omret;
+ p = p0;
+
+ datalen = input_message_buffer->length -
+ (p - ((u_char *)input_message_buffer->value)) -
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+
+ if (memcmp(p, "\x02\x01", 2) != 0)
+ return GSS_S_BAD_SIG;
+ p += 2;
+ if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
+ return GSS_S_BAD_SIG;
+ p += 2;
+
+ if (memcmp (p, "\x10\x00", 2) == 0)
+ conf_flag = 1;
+ else if (memcmp (p, "\xff\xff", 2) == 0)
+ conf_flag = 0;
+ else
+ return GSS_S_BAD_SIG;
+
+ p += 2;
+ if (memcmp (p, "\xff\xff", 2) != 0)
+ return GSS_S_BAD_MIC;
+ p = NULL;
+
+
ret = arcfour_mic_key(gssapi_krb5_context, key,
+ p0 + 16, 8, /* SGN_CKSUM */
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+ }
+
+ gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+ cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+ cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ if (cmp != 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ {
+ int i;
+
+ Klocal.keytype = key->keytype;
+ Klocal.keyvalue.data = Klocaldata;
+ Klocal.keyvalue.length = sizeof(Klocaldata);
+
+ for (i = 0; i < 16; i++)
+ Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
+ }
+ ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
+ SND_SEQ, 4,
+ k6_data, sizeof(k6_data));
+ memset(Klocaldata, 0, sizeof(Klocaldata));
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ output_message_buffer->value = malloc(datalen);
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ output_message_buffer->length = datalen;
+
+ if(conf_flag) {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */
+ RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+ output_message_buffer->value);
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ } else {
+ memcpy(Confounder, p0 + 24, 8); /* Confounder */
+ memcpy(output_message_buffer->value,
+ p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+ datalen);
+ }
+ memset(k6_data, 0, sizeof(k6_data));
+
+ ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+ return ret;
+ }
+ output_message_buffer->length -= padlen;
+
+
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
+ cksum_data, sizeof(cksum_data),
+ p0, 8,
+ Confounder, sizeof(Confounder),
+ output_message_buffer->value,
+ output_message_buffer->length + padlen);
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+ if (cmp) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number2);
+
+ if (seq_number != seq_number2) {
+ *minor_status = 0;
+ return GSS_S_UNSEQ_TOKEN;
+ }
+
+ krb5_auth_con_setremoteseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number2);
+
+ if (conf_state)
+ *conf_state = conf_flag;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/arcfour.h b/crypto/heimdal/lib/gssapi/arcfour.h
new file mode 100644
index 0000000..88bdfb1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/arcfour.h
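Review bot: _gssapi_unwrap_arcfour() derives `datalen` by subtracting GSS_ARCFOUR_WRAP_TOKEN_SIZE from what follows the mech header without first checking that at least that many bytes (plus the one padding byte every wrap emits) are present, and _gssapi_verify_mech_header() only validates the outer DER length, so a short token wraps the size_t subtraction, the memcmp()s, RC4 and checksum calls that follow read past the input, and malloc(datalen) is attempted with a huge size. Insert after `p = p0;`: `if (input_message_buffer->length - (p0 - (u_char *)input_message_buffer->value) <= GSS_ARCFOUR_WRAP_TOKEN_SIZE) return GSS_S_DEFECTIVE_TOKEN;`, and give _gssapi_verify_mic_arcfour() the equivalent check for the 22 bytes it reads after gssapi_krb5_verify_header(), unless that helper (outside this diff) already guarantees them. _gssapi_verify_mic_arcfour() also compares against and advances the local sequence counter (krb5_auth_con_getlocalseqnumber / setlocalseqnumber) while _gssapi_unwrap_arcfour() uses the remote one for the same purpose, so a peer's MIC tokens are checked against the counter this side uses for tokens it sends; the two should agree, and the remote counter is the one that describes received tokens. Minor: the first error exit of _gssapi_wrap_arcfour() stores `*minor_status = ret` before calling gss_release_buffer(minor_status, ...), so that code is lost if gss_release_buffer() writes the minor status, which every other error path in this file assumes by setting it afterwards. The `memcmp(cksum_data, ...)` checksum comparisons are not constant-time; a timing-independent compare is the usual choice for MAC verification.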
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: arcfour.h,v 1.3.2.2 2003/09/19 15:14:14 lha Exp $ */
+
+#ifndef GSSAPI_ARCFOUR_H_
+#define GSSAPI_ARCFOUR_H_ 1
+
+/*
+ * The arcfour message have the following formats, these are only here
+ * for reference and is not used.
+ */
+
+#if 0
+typedef struct gss_arcfour_mic_token {
+ u_char TOK_ID[2]; /* 01 01 */
+ u_char SGN_ALG[2]; /* 11 00 */
+ u_char Filler[4];
+ u_char SND_SEQ[8];
+ u_char SGN_CKSUM[8];
+} gss_arcfour_mic_token_desc, *gss_arcfour_mic_token;
+
+typedef struct gss_arcfour_wrap_token {
+ u_char TOK_ID[2]; /* 02 01 */
+ u_char SGN_ALG[2];
+ u_char SEAL_ALG[2];
+ u_char Filler[2];
+ u_char SND_SEQ[8];
+ u_char SGN_CKSUM[8];
+ u_char Confounder[8];
+} gss_arcfour_wrap_token_desc, *gss_arcfour_wrap_token;
+#endif
+
+#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
+
+OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer,
+ krb5_keyblock *key);
+
+OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ krb5_keyblock *key);
+
+OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token,
+ krb5_keyblock *key);
+
+OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t *qop_state,
+ krb5_keyblock *key,
+ char *type);
+
+#endif /* GSSAPI_ARCFOUR_H_ */
diff --git a/crypto/heimdal/lib/gssapi/context_time.c b/crypto/heimdal/lib/gssapi/context_time.c
index e947df6..daeb25f 100644
--- a/crypto/heimdal/lib/gssapi/context_time.c
+++ b/crypto/heimdal/lib/gssapi/context_time.c
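Review bot: The comment above the `#if 0` token layouts reads awkwardly and does not connect them to the one constant the code actually consumes; suggest `/* Reference layouts of the arcfour MIC and wrap tokens (draft-brezak-win2k-krb-rc4-hmac-04); not compiled. GSS_ARCFOUR_WRAP_TOKEN_SIZE is sizeof the wrap token up to and including Confounder. */`. The prototypes should also say that `key` is expected to be an ARCFOUR keyblock chosen by the keytype switches in get_mic.c/wrap.c/unwrap.c/verify_mic.c, since the implementations in arcfour.c only distinguish KEYTYPE_ARCFOUR_56 and do not otherwise validate it.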
@@ -33,7 +33,31 @@
 #include "gssapi_locl.h"
-RCSID("$Id: context_time.c,v 1.7 2003/03/16 17:48:33 lha Exp $");
+RCSID("$Id: context_time.c,v 1.7.2.1 2003/08/15 14:25:50 lha Exp $");
+
+OM_uint32
+gssapi_lifetime_left(OM_uint32 *minor_status,
+ OM_uint32 lifetime,
+ OM_uint32 *lifetime_rec)
+{
+ krb5_timestamp timeret;
+ krb5_error_code kret;
+
+ kret = krb5_timeofday(gssapi_krb5_context, &timeret);
+ if (kret) {
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return GSS_S_FAILURE;
+ }
+
+ if (lifetime < timeret)
+ *lifetime_rec = 0;
+ else
+ *lifetime_rec = lifetime - timeret;
+
+ return GSS_S_COMPLETE;
+}
+
 OM_uint32 gss_context_time (OM_uint32 * minor_status,
@@ -42,26 +66,20 @@ OM_uint32 gss_context_time
 ) {
 OM_uint32 lifetime;
- OM_uint32 ret;
- krb5_error_code kret;
- krb5_timestamp timeret;
+ OM_uint32 major_status;
 GSSAPI_KRB5_INIT ();
- ret = gss_inquire_context(minor_status, context_handle,
- NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
- if (ret) {
- return ret;
- }
+ lifetime = context_handle->lifetime;
- kret = krb5_timeofday(gssapi_krb5_context, &timeret);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
+ major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec);
+ if (major_status != GSS_S_COMPLETE)
+ return major_status;
- *time_rec = lifetime - timeret;
 *minor_status = 0;
+
+ if (*time_rec == 0)
+ return GSS_S_CONTEXT_EXPIRED;
+
 return GSS_S_COMPLETE;
 }
diff --git a/crypto/heimdal/lib/gssapi/decapsulate.c b/crypto/heimdal/lib/gssapi/decapsulate.c
index 29c1f5b..2425453 100644
--- a/crypto/heimdal/lib/gssapi/decapsulate.c
+++ b/crypto/heimdal/lib/gssapi/decapsulate.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: decapsulate.c,v 1.7 2001/08/23 04:35:54 assar Exp $");
+RCSID("$Id: decapsulate.c,v 1.7.6.1 2003/09/18 22:00:41 lha Exp $");
 OM_uint32 gssapi_krb5_verify_header(u_char **str,
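Review bot: gssapi_lifetime_left() has no header comment, yet four files in this commit now depend on its contract: it clamps to 0 instead of returning GSS_S_CONTEXT_EXPIRED, it sets *minor_status only when krb5_timeofday() fails, and on that failure *lifetime_rec is left untouched. Suggest above it: `/* Store in *lifetime_rec the seconds left until the absolute timestamp `lifetime', or 0 if it has passed. Fails (GSS_S_FAILURE, *minor_status set) only if the current time cannot be read; callers test *lifetime_rec == 0 to detect expiry. */`. Note also that `lifetime < timeret` compares an OM_uint32 with a krb5_timestamp; if krb5_timestamp is a signed type (its definition is not visible here) the comparison is performed unsigned after promotion, which is harmless for positive times but worth an explicit cast so the intent is visible.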
@@ -73,6 +73,56 @@ gssapi_krb5_verify_header(u_char **str,
 return GSS_S_COMPLETE;
 }
+static ssize_t
+gssapi_krb5_get_mech (const u_char *ptr,
+ size_t total_len,
+ const u_char **mech_ret)
+{
+ size_t len, len_len, mech_len, foo;
+ const u_char *p = ptr;
+ int e;
+
+ if (total_len < 1)
+ return -1;
+ if (*p++ != 0x60)
+ return -1;
+ e = der_get_length (p, total_len - 1, &len, &len_len);
+ if (e || 1 + len_len + len != total_len)
+ return -1;
+ p += len_len;
+ if (*p++ != 0x06)
+ return -1;
+ e = der_get_length (p, total_len - 1 - len_len - 1,
+ &mech_len, &foo);
+ if (e)
+ return -1;
+ p += foo;
+ *mech_ret = p;
+ return mech_len;
+}
+
+OM_uint32
+_gssapi_verify_mech_header(u_char **str,
+ size_t total_len)
+{
+ const u_char *p;
+ ssize_t mech_len;
+
+ mech_len = gssapi_krb5_get_mech (*str, total_len, &p);
+ if (mech_len < 0)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ if (mech_len != GSS_KRB5_MECHANISM->length)
+ return GSS_S_BAD_MECH;
+ if (memcmp(p,
+ GSS_KRB5_MECHANISM->elements,
+ GSS_KRB5_MECHANISM->length) != 0)
+ return GSS_S_BAD_MECH;
+ p += mech_len;
+ *str = (char *)p;
+ return GSS_S_COMPLETE;
+}
+
 /*
 * Remove the GSS-API wrapping from `in_token' giving `out_data.
 * Does not copy data, so just free `in_token'.
@@ -103,3 +153,32 @@ gssapi_krb5_decapsulate(
 out_data->data = p;
 return GSS_S_COMPLETE;
 }
+
+/*
+ * Verify padding of a gss wrapped message and return its length.
+ */
+
+OM_uint32
+_gssapi_verify_pad(gss_buffer_t wrapped_token,
+ size_t datalen,
+ size_t *padlen)
+{
+ u_char *pad;
+ size_t padlength;
+ int i;
+
+ pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
+ padlength = *pad;
+
+ if (padlength > datalen)
+ return GSS_S_BAD_MECH;
+
+ for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+ ;
+ if (i != 0)
+ return GSS_S_BAD_MIC;
+
+ *padlen = padlength;
+
+ return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/encapsulate.c b/crypto/heimdal/lib/gssapi/encapsulate.c
index e7c6750..f3cd1e4 100644
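Review bot: gssapi_krb5_get_mech() never checks the inner OID length against the bytes actually present: after `p += foo;` it returns `mech_len` straight from the DER length field, and _gssapi_verify_mech_header() then memcmp()s GSS_KRB5_MECHANISM->length bytes at `p` as soon as the lengths agree, so a token whose outer length is self-consistent but whose body is shorter than `1 + foo + mech_len` is read past its end; likewise `*p++ != 0x06` is read when `len` is 0, where `total_len - 1 - len_len - 1` also wraps. Add `if (len < 1) return -1;` before the 0x06 tag read and `if (1 + foo + mech_len > len) return -1;` before `p += foo;`. In _gssapi_verify_pad(), `pad` is derived from `wrapped_token->length - 1` with no check that the length is non-zero, a pad byte of 0 is accepted (the loop never runs and `i` stays 0) although _gssapi_wrap_arcfour() always emits a pad of at least 1, and the `padlength > datalen` case returns GSS_S_BAD_MECH, which misdescribes a malformed pad where GSS_S_BAD_MIC or GSS_S_DEFECTIVE_TOKEN would match the neighbouring check. `*str = (char *)p;` also casts a `const u_char *` to `char *` to store through a `u_char **`; `(u_char *)` says what is meant. The body of gssapi_krb5_decapsulate() between the two hunks is outside this view.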
--- a/crypto/heimdal/lib/gssapi/encapsulate.c
+++ b/crypto/heimdal/lib/gssapi/encapsulate.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: encapsulate.c,v 1.6 2001/08/23 04:35:54 assar Exp $");
+RCSID("$Id: encapsulate.c,v 1.6.6.1 2003/09/18 21:47:44 lha Exp $");
 void
 gssapi_krb5_encap_length (size_t data_len,
@@ -72,6 +72,26 @@ gssapi_krb5_make_header (u_char *p,
 return p;
 }
+u_char *
+_gssapi_make_mech_header(u_char *p,
+ size_t len)
+{
+ int e;
+ size_t len_len, foo;
+
+ *p++ = 0x60;
+ len_len = length_len(len);
+ e = der_put_length (p + len_len - 1, len_len, len, &foo);
+ if(e || foo != len_len)
+ abort ();
+ p += len_len;
+ *p++ = 0x06;
+ *p++ = GSS_KRB5_MECHANISM->length;
+ memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
+ p += GSS_KRB5_MECHANISM->length;
+ return p;
+}
+
 /*
 * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
 */
diff --git a/crypto/heimdal/lib/gssapi/get_mic.c b/crypto/heimdal/lib/gssapi/get_mic.c
index e890b08..7f5b37e 100644
--- a/crypto/heimdal/lib/gssapi/get_mic.c
+++ b/crypto/heimdal/lib/gssapi/get_mic.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: get_mic.c,v 1.21 2003/03/16 18:02:04 lha Exp $");
+RCSID("$Id: get_mic.c,v 1.21.2.1 2003/09/18 22:05:12 lha Exp $");
 static OM_uint32
 mic_des
@@ -281,6 +281,10 @@ OM_uint32 gss_get_mic
 ret = mic_des3 (minor_status, context_handle, qop_req, message_buffer, message_token, key);
 break;
+ case KEYTYPE_ARCFOUR:
+ ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req,
+ message_buffer, message_token, key);
+ break;
 default :
 *minor_status = KRB5_PROG_ETYPE_NOSUPP;
 ret = GSS_S_FAILURE;
diff --git a/crypto/heimdal/lib/gssapi/gssapi_locl.h b/crypto/heimdal/lib/gssapi/gssapi_locl.h
index a27b27a..154c4b1 100644
--- a/crypto/heimdal/lib/gssapi/gssapi_locl.h
+++ b/crypto/heimdal/lib/gssapi/gssapi_locl.h
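Review bot: _gssapi_make_mech_header() writes the OID length as a single byte (`*p++ = GSS_KRB5_MECHANISM->length;`) and abort()s if der_put_length() disagrees with length_len(), and it relies on the caller having sized `p` with gssapi_krb5_encap_length() — none of which is stated. Suggest above the function: `/* Write the 0x60 <len> 0x06 <oidlen> <oid> prefix of a mechanism token into `p', which must hold the total_len that gssapi_krb5_encap_length(len, ...) computed; assumes the mech OID is shorter than 128 bytes (one-byte DER length). Returns a pointer just past the OID, where the token body starts. */`. The abort() is reasonable for an internal invariant but deserves the word "internal" in that comment so nobody expects a recoverable error.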
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 */
-/* $Id: gssapi_locl.h,v 1.24 2003/03/16 17:30:15 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.24.2.5 2003/09/18 22:01:52 lha Exp $ */
 #ifndef GSSAPI_LOCL_H
 #define GSSAPI_LOCL_H
@@ -44,6 +44,8 @@
 #include <gssapi.h>
 #include <assert.h>
+#include "arcfour.h"
+
 extern krb5_context gssapi_krb5_context;
 extern krb5_keytab gssapi_krb5_keytab;
@@ -81,6 +83,10 @@ gssapi_krb5_encapsulate(
 gss_buffer_t output_token,
 u_char *type);
+u_char *
+_gssapi_make_mech_header(u_char *p,
+ size_t len);
+
 OM_uint32
 gssapi_krb5_decapsulate(
 OM_uint32 *minor_status,
@@ -103,6 +109,14 @@ gssapi_krb5_verify_header(u_char **str,
 size_t total_len,
 char *type);
+
+OM_uint32
+_gssapi_verify_mech_header(u_char **str,
+ size_t total_len);
+
+OM_uint32
+_gssapi_verify_pad(gss_buffer_t, size_t, size_t *);
+
 OM_uint32
 gss_verify_mic_internal(OM_uint32 * minor_status,
 const gss_ctx_id_t context_handle,
@@ -145,4 +159,21 @@ gssapi_krb5_get_error_string (void);
 OM_uint32
 _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx);
+OM_uint32
+gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
+
+/* 8003 */
+
+krb5_error_code
+gssapi_encode_om_uint32(OM_uint32, u_char *);
+
+krb5_error_code
+gssapi_encode_be_om_uint32(OM_uint32, u_char *);
+
+krb5_error_code
+gssapi_decode_om_uint32(u_char *, OM_uint32 *);
+
+krb5_error_code
+gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
+
 #endif
diff --git a/crypto/heimdal/lib/gssapi/init_sec_context.c b/crypto/heimdal/lib/gssapi/init_sec_context.c
index 6473038..72286a3 100644
--- a/crypto/heimdal/lib/gssapi/init_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.36 2003/03/16 18:00:00 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.36.2.1 2003/08/15 14:21:18 lha Exp $");
 /*
 * copy the addresses from `input_chan_bindings' (if any) to
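Review bot: The new prototypes are inconsistent about parameter names — `_gssapi_verify_pad(gss_buffer_t, size_t, size_t *)`, `gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *)` and the four 8003 helpers omit them while `_gssapi_make_mech_header` and `_gssapi_verify_mech_header` keep them; for private helpers the prototype is the only documentation a caller sees, so `gssapi_lifetime_left(OM_uint32 *minor_status, OM_uint32 lifetime, OM_uint32 *lifetime_rec)` and `_gssapi_verify_pad(gss_buffer_t wrapped_token, size_t datalen, size_t *padlen)` would help. The two decode helpers only read their byte argument, so `const u_char *` would let callers hand them const token data without a cast.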
@@ -193,6 +193,7 @@ init_auth
 Checksum cksum;
 krb5_enctype enctype;
 krb5_data fwd_data;
+ OM_uint32 lifetime_rec;
 krb5_data_zero(&outbuf);
 krb5_data_zero(&fwd_data);
@@ -292,7 +293,7 @@ init_auth
 } else
 this_cred.times.endtime = 0;
 this_cred.session.keytype = 0;
-
+
 kret = krb5_get_credentials (gssapi_krb5_context,
 KRB5_TC_MATCH_KEYTYPE,
 ccache,
@@ -308,10 +309,23 @@ init_auth
 (*context_handle)->lifetime = cred->times.endtime;
+ ret = gssapi_lifetime_left(minor_status,
+ (*context_handle)->lifetime,
+ &lifetime_rec);
+ if (ret) {
+ goto failure;
+ }
+
+ if (lifetime_rec == 0) {
+ *minor_status = 0;
+ ret = GSS_S_CONTEXT_EXPIRED;
+ goto failure;
+ }
+
 krb5_auth_con_setkey(gssapi_krb5_context,
 (*context_handle)->auth_context,
 &cred->session);
-
+
 kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context,
 (*context_handle)->auth_context,
 &cred->session);
@@ -321,13 +335,13 @@ init_auth
 ret = GSS_S_FAILURE;
 goto failure;
 }
-
+
 flags = 0;
 ap_options = 0;
 if (req_flags & GSS_C_DELEG_FLAG)
 do_delegation ((*context_handle)->auth_context,
 ccache, cred, target_name, &fwd_data, &flags);
-
+
 if (req_flags & GSS_C_MUTUAL_FLAG) {
 flags |= GSS_C_MUTUAL_FLAG;
 ap_options |= AP_OPTS_MUTUAL_REQUIRED;
@@ -413,7 +427,7 @@ init_auth
 return GSS_S_CONTINUE_NEEDED;
 } else {
 if (time_rec)
- *time_rec = (*context_handle)->lifetime;
+ *time_rec = lifetime_rec;
 (*context_handle)->more_flags |= OPEN;
 return GSS_S_COMPLETE;
@@ -479,16 +493,21 @@ repl_mutual
 }
 krb5_free_ap_rep_enc_part (gssapi_krb5_context, repl);
-
- (*context_handle)->more_flags |= OPEN;
- if (time_rec)
- *time_rec = (*context_handle)->lifetime;
+ (*context_handle)->more_flags |= OPEN;
+
+ *minor_status = 0;
+ if (time_rec) {
+ ret = gssapi_lifetime_left(minor_status,
+ (*context_handle)->lifetime,
+ time_rec);
+ } else {
+ ret = GSS_S_COMPLETE;
+ }
 if (ret_flags)
 *ret_flags = (*context_handle)->flags;
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ return ret;
 }
 /*
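Review bot: In repl_mutual, gssapi_lifetime_left() is now called after `(*context_handle)->more_flags |= OPEN` and its status is what the function returns, so a krb5_timeofday() failure makes gss_init_sec_context report GSS_S_FAILURE for a context that has just been marked established and whose ret_flags were filled in; compute the remaining lifetime before setting OPEN, or clear OPEN again on that failure. init_auth in the same file turns `lifetime_rec == 0` into GSS_S_CONTEXT_EXPIRED, whereas repl_mutual returns GSS_S_COMPLETE with `*time_rec == 0` in the same situation; make the two paths agree, e.g. `if (ret == GSS_S_COMPLETE && time_rec && *time_rec == 0) ret = GSS_S_CONTEXT_EXPIRED;`. The `-`/`+` pairs in the @@ -292, @@ -308 and @@ -321 hunks look like trailing-whitespace edits on blank lines rather than part of the change. Both init_auth and repl_mutual start and end outside their hunks.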
diff --git a/crypto/heimdal/lib/gssapi/release_cred.c b/crypto/heimdal/lib/gssapi/release_cred.c
index 172b2eb..01cbb6a 100644
--- a/crypto/heimdal/lib/gssapi/release_cred.c
+++ b/crypto/heimdal/lib/gssapi/release_cred.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: release_cred.c,v 1.8 2003/03/16 17:52:19 lha Exp $");
+RCSID("$Id: release_cred.c,v 1.8.2.1 2003/10/07 01:08:21 lha Exp $");
 OM_uint32 gss_release_cred
 (OM_uint32 * minor_status,
@@ -52,8 +52,14 @@ OM_uint32 gss_release_cred
 krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
 if ((*cred_handle)->keytab != NULL)
 krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->ccache != NULL)
- krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+ if ((*cred_handle)->ccache != NULL) {
+ const krb5_cc_ops *ops;
+ ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
+ if (ops == &krb5_mcc_ops)
+ krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
+ else
+ krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+ }
 gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
 free(*cred_handle);
 *cred_handle = GSS_C_NO_CREDENTIAL;
diff --git a/crypto/heimdal/lib/gssapi/unwrap.c b/crypto/heimdal/lib/gssapi/unwrap.c
index f2009be..b798438 100644
--- a/crypto/heimdal/lib/gssapi/unwrap.c
+++ b/crypto/heimdal/lib/gssapi/unwrap.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: unwrap.c,v 1.22 2003/03/16 17:54:43 lha Exp $");
+RCSID("$Id: unwrap.c,v 1.22.2.1 2003/09/18 22:05:22 lha Exp $");
 OM_uint32
 gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
@@ -407,6 +407,11 @@ OM_uint32 gss_unwrap
 input_message_buffer, output_message_buffer,
 conf_state, qop_state, key);
 break;
+ case KEYTYPE_ARCFOUR:
+ ret = _gssapi_unwrap_arcfour (minor_status, context_handle,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state, key);
+ break;
 default :
 *minor_status = KRB5_PROG_ETYPE_NOSUPP;
 ret = GSS_S_FAILURE;
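Review bot: The `ops == &krb5_mcc_ops` test in gss_release_cred silently encodes a contract with gss_add_cred, which in this commit creates MEMORY caches with krb5_cc_gen_new(&krb5_mcc_ops): those caches are owned by the credential and must be destroyed so the copied tickets do not outlive the handle, while any other ccache still belongs to the caller and is only closed. Put that reasoning on the branch: `/* MEMORY caches are created by gss_add_cred and owned by this credential: destroy them so the copied tickets do not outlive the handle; other ccaches belong to the caller and are only closed. */`. The results of krb5_cc_destroy()/krb5_cc_close() are still discarded, which matches the surrounding style but means a failed destroy leaves the tickets in memory without any trace. The enclosing gss_release_cred() starts and ends outside the hunk.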
diff --git a/crypto/heimdal/lib/gssapi/verify_mic.c b/crypto/heimdal/lib/gssapi/verify_mic.c
index 1775860..aef2d07 100644
--- a/crypto/heimdal/lib/gssapi/verify_mic.c
+++ b/crypto/heimdal/lib/gssapi/verify_mic.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: verify_mic.c,v 1.18.2.2 2003/05/05 18:59:42 lha Exp $");
+RCSID("$Id: verify_mic.c,v 1.18.2.4 2003/09/18 22:05:34 lha Exp $");
 static OM_uint32
 verify_mic_des
@@ -59,10 +59,8 @@ verify_mic_des
 ret = gssapi_krb5_verify_header (&p,
 token_buffer->length,
 type);
- if (ret) {
- *minor_status = 0;
+ if (ret)
 return ret;
- }
 if (memcmp(p, "\x00\x00", 2) != 0)
 return GSS_S_BAD_SIG;
@@ -88,7 +86,6 @@ verify_mic_des
 if (memcmp (p - 8, hash, 8) != 0) {
 memset (deskey, 0, sizeof(deskey));
 memset (schedule, 0, sizeof(schedule));
- *minor_status = 0;
 return GSS_S_BAD_MIC;
 }
@@ -114,7 +111,6 @@ verify_mic_des
 memset (schedule, 0, sizeof(schedule));
 if (memcmp (p, seq_data, 8) != 0) {
- *minor_status = 0;
 return GSS_S_BAD_MIC;
 }
@@ -122,7 +118,6 @@ verify_mic_des
 context_handle->auth_context,
 ++seq_number);
- *minor_status = 0;
 return GSS_S_COMPLETE;
 }
@@ -152,10 +147,8 @@ verify_mic_des3
 ret = gssapi_krb5_verify_header (&p,
 token_buffer->length,
 type);
- if (ret) {
- *minor_status = 0;
+ if (ret)
 return ret;
- }
 if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
 return GSS_S_BAD_SIG;
@@ -256,7 +249,6 @@ retry:
 ++seq_number);
 krb5_crypto_destroy (gssapi_krb5_context, crypto);
- *minor_status = 0;
 return GSS_S_COMPLETE;
 }
@@ -280,6 +272,7 @@ gss_verify_mic_internal
 *minor_status = ret;
 return GSS_S_FAILURE;
 }
+ *minor_status = 0;
 krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
 switch (keytype) {
 case KEYTYPE_DES :
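Review bot: Moving `*minor_status = 0;` out of verify_mic_des/verify_mic_des3 into gss_verify_mic_internal makes the per-keytype verifiers depend on the caller having cleared it, and nothing at the new assignment or at the call sites records that; a comment there, `/* cleared once here: the per-keytype verifiers below only set it on failure */`, states the contract. The convention is now mixed, since _gssapi_verify_mic_arcfour() added in this commit still clears it explicitly on its own success and GSS_S_BAD_MIC paths, so a later verifier written by copying either file will get it half right. The enclosing functions start and end outside their hunks.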
@@ -292,6 +285,11 @@ gss_verify_mic_internal
 message_buffer, token_buffer,
 qop_state, key, type);
 break;
+ case KEYTYPE_ARCFOUR :
+ ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
+ message_buffer, token_buffer,
+ qop_state, key, type);
+ break;
 default :
 *minor_status = KRB5_PROG_ETYPE_NOSUPP;
 ret = GSS_S_FAILURE;
diff --git a/crypto/heimdal/lib/gssapi/wrap.c b/crypto/heimdal/lib/gssapi/wrap.c
index 203cc89..a0f9d2f 100644
--- a/crypto/heimdal/lib/gssapi/wrap.c
+++ b/crypto/heimdal/lib/gssapi/wrap.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: wrap.c,v 1.21 2003/03/16 17:57:48 lha Exp $");
+RCSID("$Id: wrap.c,v 1.21.2.1 2003/09/18 22:05:45 lha Exp $");
 OM_uint32
 gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
@@ -98,6 +98,7 @@ gss_wrap_size_limit (
 switch (keytype) {
 case KEYTYPE_DES :
+ case KEYTYPE_ARCFOUR:
 ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
 break;
 case KEYTYPE_DES3 :
@@ -438,6 +439,11 @@ OM_uint32 gss_wrap
 qop_req, input_message_buffer, conf_state, output_message_buffer, key);
 break;
+ case KEYTYPE_ARCFOUR:
+ ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag,
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer, key);
+ break;
 default :
 *minor_status = KRB5_PROG_ETYPE_NOSUPP;
 ret = GSS_S_FAILURE; |
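Review bot: `case KEYTYPE_ARCFOUR:` in gss_wrap_size_limit falls into the DES parameters `sub_wrap_size(req_output_size, max_input_size, 8, 22)`, but _gssapi_wrap_arcfour() in this commit builds a token of `input length + 1 (padding) + 30` bytes before encapsulation with no 8-byte block rounding, so the (8, 22) pair describes a different token than the one gss_wrap emits for arcfour. Unless sub_wrap_size() (outside the hunk) happens to make both come out equal, the reported limit can differ from the real one and an application that wraps exactly max_input_size bytes may receive a token larger than req_output_size; give arcfour its own case with the wrapper's own numbers, e.g. `ret = sub_wrap_size(req_output_size, max_input_size, 1, 30);`, after confirming against sub_wrap_size's definition that its third argument is a padding granularity and the fourth the fixed per-token overhead.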