Diffstat (limited to 'crypto/heimdal/lib/gssapi/spnego')
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c299
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/compat.c31
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/context_stubs.c374
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/cred_stubs.c167
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/external.c100
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/init_sec_context.c165
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/spnego-private.h183
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/spnego.asn12
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/spnego.opt1
-rw-r--r--crypto/heimdal/lib/gssapi/spnego/spnego_locl.h20
10 files changed, 566 insertions, 776 deletions
diff --git a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
index 34e58a3..3a51dd3 100644
--- a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -1,40 +1,37 @@
/*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
* Portions Copyright (c) 2004 PADL Software Pty Ltd.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
-/* $FreeBSD$ */
+#include "spnego_locl.h"
static OM_uint32
send_reject (OM_uint32 *minor_status,
@@ -54,7 +51,7 @@ send_reject (OM_uint32 *minor_status,
nt.u.negTokenResp.supportedMech = NULL;
nt.u.negTokenResp.responseToken = NULL;
nt.u.negTokenResp.mechListMIC = NULL;
-
+
ASN1_MALLOC_ENCODE(NegotiationToken,
output_token->value, output_token->length, &nt,
&size, *minor_status);
@@ -77,14 +74,14 @@ acceptor_approved(gss_name_t target_name, gss_OID mech)
gss_create_empty_oid_set(&junk, &oidset);
gss_add_oid_set_member(&junk, mech, &oidset);
-
+
ret = gss_acquire_cred(&junk, target_name, GSS_C_INDEFINITE, oidset,
GSS_C_ACCEPT, &cred, NULL, NULL);
gss_release_oid_set(&junk, &oidset);
if (ret != GSS_S_COMPLETE)
return ret;
gss_release_cred(&junk, &cred);
-
+
return GSS_S_COMPLETE;
}
@@ -93,13 +90,7 @@ send_supported_mechs (OM_uint32 *minor_status,
gss_buffer_t output_token)
{
NegotiationTokenWin nt;
- char hostname[MAXHOSTNAMELEN + 1], *p;
- gss_buffer_desc name_buf;
- gss_OID name_type;
- gss_name_t target_princ;
- gss_name_t canon_princ;
- OM_uint32 minor;
- size_t buf_len;
+ size_t buf_len = 0;
gss_buffer_desc data;
OM_uint32 ret;
@@ -117,62 +108,9 @@ send_supported_mechs (OM_uint32 *minor_status,
return ret;
}
- memset(&target_princ, 0, sizeof(target_princ));
- if (gethostname(hostname, sizeof(hostname) - 2) != 0) {
- *minor_status = errno;
- free_NegotiationTokenWin(&nt);
- return GSS_S_FAILURE;
- }
- hostname[sizeof(hostname) - 1] = '\0';
-
- /* Send the constructed SAM name for this host */
- for (p = hostname; *p != '\0' && *p != '.'; p++) {
- *p = toupper((unsigned char)*p);
- }
- *p++ = '$';
- *p = '\0';
-
- name_buf.length = strlen(hostname);
- name_buf.value = hostname;
-
- ret = gss_import_name(minor_status, &name_buf,
- GSS_C_NO_OID,
- &target_princ);
- if (ret != GSS_S_COMPLETE) {
- free_NegotiationTokenWin(&nt);
- return ret;
- }
-
- name_buf.length = 0;
- name_buf.value = NULL;
-
- /* Canonicalize the name using the preferred mechanism */
- ret = gss_canonicalize_name(minor_status,
- target_princ,
- GSS_C_NO_OID,
- &canon_princ);
- if (ret != GSS_S_COMPLETE) {
- free_NegotiationTokenWin(&nt);
- gss_release_name(&minor, &target_princ);
- return ret;
- }
-
- ret = gss_display_name(minor_status, canon_princ,
- &name_buf, &name_type);
- if (ret != GSS_S_COMPLETE) {
- free_NegotiationTokenWin(&nt);
- gss_release_name(&minor, &canon_princ);
- gss_release_name(&minor, &target_princ);
- return ret;
- }
-
- gss_release_name(&minor, &canon_princ);
- gss_release_name(&minor, &target_princ);
-
ALLOC(nt.u.negTokenInit.negHints, 1);
if (nt.u.negTokenInit.negHints == NULL) {
*minor_status = ENOMEM;
- gss_release_buffer(&minor, &name_buf);
free_NegotiationTokenWin(&nt);
return GSS_S_FAILURE;
}
@@ -180,23 +118,24 @@ send_supported_mechs (OM_uint32 *minor_status,
ALLOC(nt.u.negTokenInit.negHints->hintName, 1);
if (nt.u.negTokenInit.negHints->hintName == NULL) {
*minor_status = ENOMEM;
- gss_release_buffer(&minor, &name_buf);
free_NegotiationTokenWin(&nt);
return GSS_S_FAILURE;
}
- *(nt.u.negTokenInit.negHints->hintName) = name_buf.value;
- name_buf.value = NULL;
+ *nt.u.negTokenInit.negHints->hintName = strdup("not_defined_in_RFC4178@please_ignore");
nt.u.negTokenInit.negHints->hintAddress = NULL;
- ASN1_MALLOC_ENCODE(NegotiationTokenWin,
+ ASN1_MALLOC_ENCODE(NegotiationTokenWin,
data.value, data.length, &nt, &buf_len, ret);
free_NegotiationTokenWin(&nt);
if (ret) {
- return ret;
+ *minor_status = ret;
+ return GSS_S_FAILURE;
}
- if (data.length != buf_len)
+ if (data.length != buf_len) {
abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
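Review bot: The result of `strdup("not_defined_in_RFC4178@please_ignore")` is stored into `*hintName` without a NULL check, unlike the two `ALLOC` calls just above it, which both set `ENOMEM` and bail out. On allocation failure the encoder invoked through `ASN1_MALLOC_ENCODE` would presumably be handed a NULL string pointer. Add `if (*nt.u.negTokenInit.negHints->hintName == NULL)` with the same body as the neighbouring branches (`*minor_status = ENOMEM; free_NegotiationTokenWin(&nt); return GSS_S_FAILURE;`). send_supported_mechs begins outside this hunk.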
@@ -308,7 +247,7 @@ send_accept (OM_uint32 *minor_status,
} else
nt.u.negTokenResp.mechListMIC = NULL;
-
+
ASN1_MALLOC_ENCODE(NegotiationToken,
output_token->value, output_token->length,
&nt, &size, ret);
@@ -379,7 +318,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
gss_OID_desc oid;
gss_OID oidp;
gss_OID_set mechs;
- int i;
+ size_t i;
OM_uint32 ret, junk;
ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
@@ -431,11 +370,16 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
host = getenv("GSSAPI_SPNEGO_NAME");
if (host == NULL || issuid()) {
+ int rv;
if (gethostname(hostname, sizeof(hostname)) != 0) {
*minor_status = errno;
return GSS_S_FAILURE;
}
- asprintf(&str, "host@%s", hostname);
+ rv = asprintf(&str, "host@%s", hostname);
+ if (rv < 0 || str == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
host = str;
}
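Review bot: The buffer filled by `gethostname(hostname, sizeof(hostname))` is passed to `asprintf(&str, "host@%s", hostname)` without being forcibly terminated, and POSIX leaves it unspecified whether a truncated name is NUL-terminated. The code removed from send_supported_mechs in this same commit did terminate its buffer explicitly; here I would add `hostname[sizeof(hostname) - 1] = '\0';` after the gethostname check. The declaration of `hostname` and the later release of `str` are outside this hunk, so confirm both against the full function.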
@@ -469,20 +413,16 @@ acceptor_complete(OM_uint32 * minor_status,
{
OM_uint32 ret;
int require_mic, verify_mic;
- gss_buffer_desc buf;
-
- buf.length = 0;
- buf.value = NULL;
ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
if (ret)
return ret;
-
+
ctx->require_mic = require_mic;
if (mic != NULL)
require_mic = 1;
-
+
if (ctx->open && require_mic) {
if (mech_input_token == GSS_C_NO_BUFFER) { /* Even/One */
verify_mic = 1;
@@ -494,44 +434,39 @@ acceptor_complete(OM_uint32 * minor_status,
verify_mic = 0;
*get_mic = 1;
}
-
- if (verify_mic || get_mic) {
+
+ if (verify_mic || *get_mic) {
int eret;
- size_t buf_len;
-
- ASN1_MALLOC_ENCODE(MechTypeList,
+ size_t buf_len = 0;
+
+ ASN1_MALLOC_ENCODE(MechTypeList,
mech_buf->value, mech_buf->length,
&ctx->initiator_mech_types, &buf_len, eret);
if (eret) {
*minor_status = eret;
return GSS_S_FAILURE;
}
- if (buf.length != buf_len)
- abort();
+ heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error");
+ UNREACHABLE(return GSS_S_FAILURE);
}
-
+
if (verify_mic) {
ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
if (ret) {
- if (get_mic)
+ if (*get_mic)
send_reject (minor_status, output_token);
- if (buf.value)
- free(buf.value);
return ret;
}
ctx->verified_mic = 1;
}
- if (buf.value)
- free(buf.value);
-
} else
- *get_mic = verify_mic = 0;
-
+ *get_mic = 0;
+
return GSS_S_COMPLETE;
}
-static OM_uint32
+static OM_uint32 GSSAPI_CALLCONV
acceptor_start
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
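Review bot: In the `if (verify_mic || *get_mic)` block, `UNREACHABLE(return GSS_S_FAILURE);` now sits directly after `heim_assert(mech_buf->length == buf_len, ...)`, on the path where the assertion holds, rather than inside a failing branch. send_supported_mechs in this commit keeps the guarded form, `if (data.length != buf_len) { abort(); UNREACHABLE(return GSS_S_FAILURE); }`. The macro's definition is not on this page; if it expands to its argument on any supported compiler, every negotiation that needs the mechListMIC would return GSS_S_FAILURE here before `verify_mechlist_mic` runs. I would drop the `UNREACHABLE` line after the assert, or restore the explicit `if (mech_buf->length != buf_len)` guard around it.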
@@ -546,18 +481,16 @@ acceptor_start
gss_cred_id_t *delegated_cred_handle
)
{
- OM_uint32 ret, junk, minor;
+ OM_uint32 ret, junk;
NegotiationToken nt;
size_t nt_len;
NegTokenInit *ni;
- int i;
gss_buffer_desc data;
gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
gss_buffer_desc mech_output_token;
gss_buffer_desc mech_buf;
gss_OID preferred_mech_type = GSS_C_NO_OID;
gssspnego_ctx ctx;
- gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
int get_mic = 0;
int first_ok = 0;
@@ -567,7 +500,7 @@ acceptor_start
if (input_token_buffer->length == 0)
return send_supported_mechs (minor_status, output_token);
-
+
ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
if (ret != GSS_S_COMPLETE)
return ret;
@@ -615,38 +548,28 @@ acceptor_start
/*
* First we try the opportunistic token if we have support for it,
* don't try to verify we have credential for the token,
- * gss_accept_sec_context will (hopefully) tell us that.
- * If that failes,
+ * gss_accept_sec_context() will (hopefully) tell us that.
+ * If that failes,
*/
ret = select_mech(minor_status,
- &ni->mechTypes.val[0],
+ &ni->mechTypes.val[0],
0,
&preferred_mech_type);
if (ret == 0 && ni->mechToken != NULL) {
- gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
- gss_cred_id_t mech_cred;
gss_buffer_desc ibuf;
ibuf.length = ni->mechToken->length;
ibuf.value = ni->mechToken->data;
mech_input_token = &ibuf;
- if (acceptor_cred != NULL)
- mech_cred = acceptor_cred->negotiated_cred_id;
- else
- mech_cred = GSS_C_NO_CREDENTIAL;
-
if (ctx->mech_src_name != GSS_C_NO_NAME)
- gss_release_name(&minor, &ctx->mech_src_name);
-
- if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
- _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
-
- ret = gss_accept_sec_context(&minor,
+ gss_release_name(&junk, &ctx->mech_src_name);
+
+ ret = gss_accept_sec_context(minor_status,
&ctx->negotiated_ctx_id,
- mech_cred,
+ acceptor_cred_handle,
mech_input_token,
input_chan_bindings,
&ctx->mech_src_name,
@@ -654,20 +577,13 @@ acceptor_start
&mech_output_token,
&ctx->mech_flags,
&ctx->mech_time_rec,
- &mech_delegated_cred);
+ delegated_cred_handle);
+
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
ctx->preferred_mech_type = preferred_mech_type;
- ctx->negotiated_mech_type = preferred_mech_type;
if (ret == GSS_S_COMPLETE)
ctx->open = 1;
- if (mech_delegated_cred && delegated_cred_handle)
- ret = _gss_spnego_alloc_cred(minor_status,
- mech_delegated_cred,
- delegated_cred_handle);
- else
- gss_release_cred(&junk, &mech_delegated_cred);
-
ret = acceptor_complete(minor_status,
ctx,
&get_mic,
@@ -680,6 +596,8 @@ acceptor_start
goto out;
first_ok = 1;
+ } else {
+ gss_mg_collect_error(preferred_mech_type, ret, *minor_status);
}
}
@@ -687,12 +605,15 @@ acceptor_start
* If opportunistic token failed, lets try the other mechs.
*/
- if (!first_ok) {
+ if (!first_ok && ni->mechToken != NULL) {
+ size_t j;
+
+ preferred_mech_type = GSS_C_NO_OID;
/* Call glue layer to find first mech we support */
- for (i = 1; i < ni->mechTypes.len; ++i) {
+ for (j = 1; j < ni->mechTypes.len; ++j) {
ret = select_mech(minor_status,
- &ni->mechTypes.val[i],
+ &ni->mechTypes.val[j],
1,
&preferred_mech_type);
if (ret == 0)
@@ -701,11 +622,10 @@ acceptor_start
if (preferred_mech_type == GSS_C_NO_OID) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegotiationToken(&nt);
- return GSS_S_BAD_MECH;
+ return ret;
}
ctx->preferred_mech_type = preferred_mech_type;
- ctx->negotiated_mech_type = preferred_mech_type;
}
/*
@@ -720,10 +640,10 @@ acceptor_start
output_token);
if (ret)
goto out;
-
+
out:
if (mech_output_token.value != NULL)
- gss_release_buffer(&minor, &mech_output_token);
+ gss_release_buffer(&junk, &mech_output_token);
if (mech_buf.value != NULL) {
free(mech_buf.value);
mech_buf.value = NULL;
@@ -742,12 +662,8 @@ out:
*src_name = (gss_name_t)name;
}
}
- if (delegated_cred_handle != NULL) {
- *delegated_cred_handle = ctx->delegated_cred_id;
- ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
- }
}
-
+
if (mech_type != NULL)
*mech_type = ctx->negotiated_mech_type;
if (ret_flags != NULL)
@@ -760,14 +676,14 @@ out:
return ret;
}
- _gss_spnego_internal_delete_sec_context(&minor, context_handle,
+ _gss_spnego_internal_delete_sec_context(&junk, context_handle,
GSS_C_NO_BUFFER);
-
+
return ret;
}
-static OM_uint32
+static OM_uint32 GSSAPI_CALLCONV
acceptor_continue
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
@@ -791,7 +707,6 @@ acceptor_continue
gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
gss_buffer_desc mech_buf;
gssspnego_ctx ctx;
- gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
mech_buf.value = NULL;
@@ -802,7 +717,7 @@ acceptor_continue
* context token (negTokenInit).
*/
- ret = decode_NegotiationToken(input_token_buffer->value,
+ ret = decode_NegotiationToken(input_token_buffer->value,
input_token_buffer->length,
&nt, &nt_len);
if (ret) {
@@ -837,31 +752,13 @@ acceptor_continue
}
if (mech_input_token != GSS_C_NO_BUFFER) {
- gss_cred_id_t mech_cred;
- gss_cred_id_t mech_delegated_cred;
- gss_cred_id_t *mech_delegated_cred_p;
-
- if (acceptor_cred != NULL)
- mech_cred = acceptor_cred->negotiated_cred_id;
- else
- mech_cred = GSS_C_NO_CREDENTIAL;
-
- if (delegated_cred_handle != NULL) {
- mech_delegated_cred = GSS_C_NO_CREDENTIAL;
- mech_delegated_cred_p = &mech_delegated_cred;
- } else {
- mech_delegated_cred_p = NULL;
- }
if (ctx->mech_src_name != GSS_C_NO_NAME)
gss_release_name(&minor, &ctx->mech_src_name);
- if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
- _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
-
ret = gss_accept_sec_context(&minor,
&ctx->negotiated_ctx_id,
- mech_cred,
+ acceptor_cred_handle,
mech_input_token,
input_chan_bindings,
&ctx->mech_src_name,
@@ -869,20 +766,14 @@ acceptor_continue
&obuf,
&ctx->mech_flags,
&ctx->mech_time_rec,
- mech_delegated_cred_p);
+ delegated_cred_handle);
+
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
- if (mech_delegated_cred_p != NULL &&
- mech_delegated_cred != GSS_C_NO_CREDENTIAL) {
- ret2 = _gss_spnego_alloc_cred(minor_status,
- mech_delegated_cred,
- &ctx->delegated_cred_id);
- if (ret2 != GSS_S_COMPLETE)
- ret = ret2;
- }
mech_output_token = &obuf;
}
if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
free_NegotiationToken(&nt);
+ gss_mg_collect_error(ctx->negotiated_mech_type, ret, minor);
send_reject (minor_status, output_token);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
@@ -892,7 +783,7 @@ acceptor_continue
} else
ret = GSS_S_COMPLETE;
- ret2 = _gss_spnego_require_mechlist_mic(minor_status,
+ ret2 = _gss_spnego_require_mechlist_mic(minor_status,
ctx,
&require_mic);
if (ret2)
@@ -959,10 +850,6 @@ acceptor_continue
*src_name = (gss_name_t)name;
}
}
- if (delegated_cred_handle != NULL) {
- *delegated_cred_handle = ctx->delegated_cred_id;
- ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
- }
}
if (mech_type != NULL)
@@ -983,7 +870,7 @@ acceptor_continue
return ret;
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_accept_sec_context
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
@@ -1017,11 +904,11 @@ _gss_spnego_accept_sec_context
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
- if (*context_handle == GSS_C_NO_CONTEXT)
+ if (*context_handle == GSS_C_NO_CONTEXT)
func = acceptor_start;
else
func = acceptor_continue;
-
+
return (*func)(minor_status, context_handle, acceptor_cred_handle,
input_token_buffer, input_chan_bindings,
diff --git a/crypto/heimdal/lib/gssapi/spnego/compat.c b/crypto/heimdal/lib/gssapi/spnego/compat.c
index 287f4f7..cf5ee30 100644
--- a/crypto/heimdal/lib/gssapi/spnego/compat.c
+++ b/crypto/heimdal/lib/gssapi/spnego/compat.c
@@ -30,9 +30,7 @@
* SUCH DAMAGE.
*/
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
+#include "spnego_locl.h"
/*
* Apparently Microsoft got the OID wrong, and used
@@ -43,16 +41,17 @@ RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
* Kerberos mechanism.
*/
gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")};
gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
/*
* Allocate a SPNEGO context handle
*/
-OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
- gss_ctx_id_t *context_handle)
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
+ gss_ctx_id_t *context_handle)
{
gssspnego_ctx ctx;
@@ -76,7 +75,6 @@ OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
ctx->mech_flags = 0;
ctx->mech_time_rec = 0;
ctx->mech_src_name = GSS_C_NO_NAME;
- ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
ctx->open = 0;
ctx->local = 0;
@@ -94,7 +92,7 @@ OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
* Free a SPNEGO context handle. The caller must have acquired
* the lock before this is called.
*/
-OM_uint32 _gss_spnego_internal_delete_sec_context
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_internal_delete_sec_context
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token
@@ -124,8 +122,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
if (ctx->initiator_mech_types.val != NULL)
free_MechTypeList(&ctx->initiator_mech_types);
- _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
-
gss_release_oid(&minor, &ctx->preferred_mech_type);
ctx->negotiated_mech_type = GSS_C_NO_OID;
@@ -145,7 +141,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
free(ctx);
- *context_handle = NULL;
return ret;
}
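Review bot: Dropping `*context_handle = NULL;` after `free(ctx)` leaves the caller's handle pointing at freed memory unless the function resets it earlier, in the part of the body outside this hunk. acceptor_start in this same commit calls `_gss_spnego_internal_delete_sec_context(&junk, context_handle, GSS_C_NO_BUFFER)` on its error path and returns, so an application that then deletes or reuses the handle would be operating on a freed context. Please confirm the handle is cleared when `ctx` is read from it (for example `*context_handle = GSS_C_NO_CONTEXT;`), or keep the assignment here.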
@@ -156,7 +151,7 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
* a non-preferred mechanism was negotiated
*/
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
gssspnego_ctx ctx,
int *require_mic)
@@ -234,26 +229,26 @@ add_mech_type(gss_OID mech_type,
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
gss_name_t target_name,
OM_uint32 (*func)(gss_name_t, gss_OID),
int includeMSCompatOID,
- const gssspnego_cred cred_handle,
+ const gss_cred_id_t cred_handle,
MechTypeList *mechtypelist,
gss_OID *preferred_mech)
{
gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
gss_OID first_mech = GSS_C_NO_OID;
OM_uint32 ret;
- int i;
+ size_t i;
mechtypelist->len = 0;
mechtypelist->val = NULL;
- if (cred_handle != NULL) {
+ if (cred_handle) {
ret = gss_inquire_cred(minor_status,
- cred_handle->negotiated_cred_id,
+ cred_handle,
NULL,
NULL,
NULL,
diff --git a/crypto/heimdal/lib/gssapi/spnego/context_stubs.c b/crypto/heimdal/lib/gssapi/spnego/context_stubs.c
index 3535c7b..70ca728 100644
--- a/crypto/heimdal/lib/gssapi/spnego/context_stubs.c
+++ b/crypto/heimdal/lib/gssapi/spnego/context_stubs.c
@@ -30,16 +30,14 @@
* SUCH DAMAGE.
*/
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: context_stubs.c 21035 2007-06-09 15:32:47Z lha $");
+#include "spnego_locl.h"
static OM_uint32
spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
{
OM_uint32 ret, junk;
gss_OID_set m;
- int i;
+ size_t i;
ret = gss_indicate_mechs(minor_status, &m);
if (ret != GSS_S_COMPLETE)
@@ -62,12 +60,13 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
return ret;
}
}
+ gss_release_oid_set(&junk, &m);
return ret;
}
-OM_uint32 _gss_spnego_process_context_token
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_process_context_token
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer
@@ -100,7 +99,7 @@ OM_uint32 _gss_spnego_process_context_token
GSS_C_NO_BUFFER);
}
-OM_uint32 _gss_spnego_delete_sec_context
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_delete_sec_context
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token
@@ -120,7 +119,7 @@ OM_uint32 _gss_spnego_delete_sec_context
output_token);
}
-OM_uint32 _gss_spnego_context_time
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_context_time
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 *time_rec
@@ -144,7 +143,7 @@ OM_uint32 _gss_spnego_context_time
time_rec);
}
-OM_uint32 _gss_spnego_get_mic
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_get_mic
(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
@@ -170,7 +169,7 @@ OM_uint32 _gss_spnego_get_mic
qop_req, message_buffer, message_token);
}
-OM_uint32 _gss_spnego_verify_mic
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_verify_mic
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
@@ -199,7 +198,7 @@ OM_uint32 _gss_spnego_verify_mic
qop_state);
}
-OM_uint32 _gss_spnego_wrap
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_wrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
@@ -232,7 +231,7 @@ OM_uint32 _gss_spnego_wrap
output_message_buffer);
}
-OM_uint32 _gss_spnego_unwrap
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_unwrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
@@ -263,19 +262,7 @@ OM_uint32 _gss_spnego_unwrap
qop_state);
}
-OM_uint32 _gss_spnego_display_status
- (OM_uint32 * minor_status,
- OM_uint32 status_value,
- int status_type,
- const gss_OID mech_type,
- OM_uint32 * message_context,
- gss_buffer_t status_string
- )
-{
- return GSS_S_FAILURE;
-}
-
-OM_uint32 _gss_spnego_compare_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_compare_name
(OM_uint32 *minor_status,
const gss_name_t name1,
const gss_name_t name2,
@@ -299,7 +286,7 @@ OM_uint32 _gss_spnego_compare_name
return GSS_S_COMPLETE;
}
-OM_uint32 _gss_spnego_display_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_display_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
@@ -317,7 +304,7 @@ OM_uint32 _gss_spnego_display_name
output_name_buffer, output_name_type);
}
-OM_uint32 _gss_spnego_import_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_import_name
(OM_uint32 * minor_status,
const gss_buffer_t name_buffer,
const gss_OID name_type,
@@ -334,13 +321,13 @@ OM_uint32 _gss_spnego_import_name
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
-
+
maj_stat = _gss_copy_oid(minor_status, name_type, &name->type);
if (maj_stat) {
free(name);
return GSS_S_FAILURE;
}
-
+
maj_stat = _gss_copy_buffer(minor_status, name_buffer, &name->value);
if (maj_stat) {
gss_name_t rname = (gss_name_t)name;
@@ -353,7 +340,7 @@ OM_uint32 _gss_spnego_import_name
return GSS_S_COMPLETE;
}
-OM_uint32 _gss_spnego_export_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_export_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t exported_name
@@ -372,7 +359,7 @@ OM_uint32 _gss_spnego_export_name
return gss_export_name(minor_status, name->mech, exported_name);
}
-OM_uint32 _gss_spnego_release_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_release_name
(OM_uint32 * minor_status,
gss_name_t * input_name
)
@@ -393,7 +380,7 @@ OM_uint32 _gss_spnego_release_name
return GSS_S_COMPLETE;
}
-OM_uint32 _gss_spnego_inquire_context (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_context (
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_name_t * src_name,
@@ -406,31 +393,61 @@ OM_uint32 _gss_spnego_inquire_context (
)
{
gssspnego_ctx ctx;
+ OM_uint32 maj_stat, junk;
+ gss_name_t src_mn, targ_mn;
*minor_status = 0;
- if (context_handle == GSS_C_NO_CONTEXT) {
+ if (context_handle == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
ctx = (gssspnego_ctx)context_handle;
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+ if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
- return gss_inquire_context(minor_status,
- ctx->negotiated_ctx_id,
- src_name,
- targ_name,
- lifetime_rec,
- mech_type,
- ctx_flags,
- locally_initiated,
- open_context);
+ maj_stat = gss_inquire_context(minor_status,
+ ctx->negotiated_ctx_id,
+ &src_mn,
+ &targ_mn,
+ lifetime_rec,
+ mech_type,
+ ctx_flags,
+ locally_initiated,
+ open_context);
+ if (maj_stat != GSS_S_COMPLETE)
+ return maj_stat;
+
+ if (src_name) {
+ spnego_name name = calloc(1, sizeof(*name));
+ if (name == NULL)
+ goto enomem;
+ name->mech = src_mn;
+ *src_name = (gss_name_t)name;
+ } else
+ gss_release_name(&junk, &src_mn);
+
+ if (targ_name) {
+ spnego_name name = calloc(1, sizeof(*name));
+ if (name == NULL) {
+ gss_release_name(minor_status, src_name);
+ goto enomem;
+ }
+ name->mech = targ_mn;
+ *targ_name = (gss_name_t)name;
+ } else
+ gss_release_name(&junk, &targ_mn);
+
+ return GSS_S_COMPLETE;
+
+enomem:
+ gss_release_name(&junk, &targ_mn);
+ gss_release_name(&junk, &src_mn);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
}
-OM_uint32 _gss_spnego_wrap_size_limit (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_wrap_size_limit (
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
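Review bot: The `targ_name` allocation-failure branch in _gss_spnego_inquire_context calls `gss_release_name(minor_status, src_name)` and then jumps to `enomem`, which releases `src_mn` again. `src_name` may be NULL on this path, since the caller may not have asked for the source name. When it is non-NULL, `*src_name` is the `spnego_name` wrapper allocated a few lines earlier, whose `mech` member is that same `src_mn`, so the mechanism name can be released twice, and a wrapper is handed to a routine that (as far as this page shows) expects a mechglue name. Freeing only the wrapper and letting `enomem` release the mechanism names avoids both problems. The function's signature is outside this hunk.

```c
    if (targ_name) {
        spnego_name name = calloc(1, sizeof(*name));
        if (name == NULL) {
            /* free only the wrapper; enomem releases src_mn itself */
            if (src_name) {
                free(*src_name);
                *src_name = GSS_C_NO_NAME;
            }
            goto enomem;
        }
        /* … unchanged: name->mech = targ_mn; *targ_name assignment … */
```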
@@ -461,7 +478,7 @@ OM_uint32 _gss_spnego_wrap_size_limit (
max_input_size);
}
-OM_uint32 _gss_spnego_export_sec_context (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_export_sec_context (
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t interprocess_token
@@ -504,7 +521,7 @@ OM_uint32 _gss_spnego_export_sec_context (
return ret;
}
-OM_uint32 _gss_spnego_import_sec_context (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle
@@ -540,7 +557,7 @@ OM_uint32 _gss_spnego_import_sec_context (
return GSS_S_COMPLETE;
}
-OM_uint32 _gss_spnego_inquire_names_for_mech (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech (
OM_uint32 * minor_status,
const gss_OID mechanism,
gss_OID_set * name_types
@@ -548,7 +565,7 @@ OM_uint32 _gss_spnego_inquire_names_for_mech (
{
gss_OID_set mechs, names, n;
OM_uint32 ret, junk;
- int i, j;
+ size_t i, j;
*name_types = NULL;
@@ -580,10 +597,10 @@ out:
gss_release_oid_set(&junk, &mechs);
- return GSS_S_COMPLETE;
+ return ret;
}
-OM_uint32 _gss_spnego_inquire_mechs_for_name (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_mechs_for_name (
OM_uint32 * minor_status,
const gss_name_t input_name,
gss_OID_set * mech_types
@@ -604,7 +621,7 @@ OM_uint32 _gss_spnego_inquire_mechs_for_name (
return ret;
}
-OM_uint32 _gss_spnego_canonicalize_name (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_canonicalize_name (
OM_uint32 * minor_status,
const gss_name_t input_name,
const gss_OID mech_type,
@@ -615,7 +632,7 @@ OM_uint32 _gss_spnego_canonicalize_name (
return gss_duplicate_name(minor_status, input_name, output_name);
}
-OM_uint32 _gss_spnego_duplicate_name (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_duplicate_name (
OM_uint32 * minor_status,
const gss_name_t src_name,
gss_name_t * dest_name
@@ -624,207 +641,74 @@ OM_uint32 _gss_spnego_duplicate_name (
return gss_duplicate_name(minor_status, src_name, dest_name);
}
-OM_uint32 _gss_spnego_sign
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int qop_req,
- gss_buffer_t message_buffer,
- gss_buffer_t message_token
- )
+#if 0
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov(OM_uint32 * minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int * conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
{
- gssspnego_ctx ctx;
+ gssspnego_ctx ctx = (gssspnego_ctx)context_handle;
*minor_status = 0;
- if (context_handle == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- ctx = (gssspnego_ctx)context_handle;
-
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+ if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
- return gss_sign(minor_status,
- ctx->negotiated_ctx_id,
- qop_req,
- message_buffer,
- message_token);
+ return gss_wrap_iov(minor_status, ctx->negotiated_ctx_id,
+ conf_req_flag, qop_req, conf_state,
+ iov, iov_count);
}
-OM_uint32 _gss_spnego_verify
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t message_buffer,
- gss_buffer_t token_buffer,
- int * qop_state
- )
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_unwrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
{
- gssspnego_ctx ctx;
+ gssspnego_ctx ctx = (gssspnego_ctx)context_handle;
*minor_status = 0;
- if (context_handle == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- ctx = (gssspnego_ctx)context_handle;
-
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+ if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
- return gss_verify(minor_status,
- ctx->negotiated_ctx_id,
- message_buffer,
- token_buffer,
- qop_state);
+ return gss_unwrap_iov(minor_status,
+ ctx->negotiated_ctx_id,
+ conf_state, qop_state,
+ iov, iov_count);
}
-OM_uint32 _gss_spnego_seal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer
- )
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov_length(OM_uint32 * minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
{
- gssspnego_ctx ctx;
+ gssspnego_ctx ctx = (gssspnego_ctx)context_handle;
*minor_status = 0;
- if (context_handle == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- ctx = (gssspnego_ctx)context_handle;
-
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+ if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
- return gss_seal(minor_status,
- ctx->negotiated_ctx_id,
- conf_req_flag,
- qop_req,
- input_message_buffer,
- conf_state,
- output_message_buffer);
+ return gss_wrap_iov_length(minor_status, ctx->negotiated_ctx_id,
+ conf_req_flag, qop_req, conf_state,
+ iov, iov_count);
}
-OM_uint32 _gss_spnego_unseal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- int * qop_state
- )
-{
- gssspnego_ctx ctx;
-
- *minor_status = 0;
-
- if (context_handle == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- ctx = (gssspnego_ctx)context_handle;
-
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- return gss_unseal(minor_status,
- ctx->negotiated_ctx_id,
- input_message_buffer,
- output_message_buffer,
- conf_state,
- qop_state);
-}
+#endif
#if 0
-OM_uint32 _gss_spnego_unwrap_ex
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t token_header_buffer,
- const gss_buffer_t associated_data_buffer,
- const gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- gss_qop_t * qop_state)
-{
- gssspnego_ctx ctx;
-
- *minor_status = 0;
-
- if (context_handle == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- ctx = (gssspnego_ctx)context_handle;
-
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- return gss_unwrap_ex(minor_status,
- ctx->negotiated_ctx_id,
- token_header_buffer,
- associated_data_buffer,
- input_message_buffer,
- output_message_buffer,
- conf_state,
- qop_state);
-}
-
-OM_uint32 _gss_spnego_wrap_ex
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t associated_data_buffer,
- const gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_token_buffer,
- gss_buffer_t output_message_buffer
- )
-{
- gssspnego_ctx ctx;
-
- *minor_status = 0;
-
- if (context_handle == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- ctx = (gssspnego_ctx)context_handle;
-
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
- return GSS_S_NO_CONTEXT;
- }
-
- if ((ctx->mech_flags & GSS_C_DCE_STYLE) == 0 &&
- associated_data_buffer->length != input_message_buffer->length) {
- *minor_status = EINVAL;
- return GSS_S_BAD_QOP;
- }
-
- return gss_wrap_ex(minor_status,
- ctx->negotiated_ctx_id,
- conf_req_flag,
- qop_req,
- associated_data_buffer,
- input_message_buffer,
- conf_state,
- output_token_buffer,
- output_message_buffer);
-}
-
-OM_uint32 _gss_spnego_complete_auth_token
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_complete_auth_token
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer)
@@ -849,7 +733,7 @@ OM_uint32 _gss_spnego_complete_auth_token
}
#endif
-OM_uint32 _gss_spnego_inquire_sec_context_by_oid
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_sec_context_by_oid
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
@@ -875,7 +759,7 @@ OM_uint32 _gss_spnego_inquire_sec_context_by_oid
data_set);
}
-OM_uint32 _gss_spnego_set_sec_context_option
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_set_sec_context_option
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_OID desired_object,
@@ -889,7 +773,7 @@ OM_uint32 _gss_spnego_set_sec_context_option
return GSS_S_NO_CONTEXT;
}
- ctx = (gssspnego_ctx)context_handle;
+ ctx = (gssspnego_ctx)*context_handle;
if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
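Review bot: The corrected cast `ctx = (gssspnego_ctx)*context_handle;` now dereferences `context_handle`, and the guard that has to make this safe sits above the hunk, where only its `return GSS_S_NO_CONTEXT;` is visible. If that guard tests only the pointer, or only the pointed-to handle, one of the two empty cases reaches the dereference or the `ctx->negotiated_ctx_id` read that follows. The combined form `if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT)` covers both. A short comment at the cast, `/* context_handle points at the handle; the handle itself is the SPNEGO context */`, would record why the old cast was wrong. The function starts and ends outside this hunk.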
@@ -901,3 +785,31 @@ OM_uint32 _gss_spnego_set_sec_context_option
value);
}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_pseudo_random(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int prf_key,
+ const gss_buffer_t prf_in,
+ ssize_t desired_output_len,
+ gss_buffer_t prf_out)
+{
+ gssspnego_ctx ctx;
+
+ *minor_status = 0;
+
+ if (context_handle == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ ctx = (gssspnego_ctx)context_handle;
+
+ if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return gss_pseudo_random(minor_status,
+ ctx->negotiated_ctx_id,
+ prf_key,
+ prf_in,
+ desired_output_len,
+ prf_out);
+}
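Review bot: `_gss_spnego_pseudo_random` returns `GSS_S_NO_CONTEXT` on two paths without touching `prf_out`, so a caller that releases the output buffer after a failed call acts on whatever the descriptor held before. Adding `prf_out->value = NULL; prf_out->length = 0;` right after `*minor_status = 0;` gives every exit a defined output. `desired_output_len` is a signed `ssize_t` forwarded unchecked; presumably `gss_pseudo_random` rejects non-positive lengths, but that is not visible here and should be stated in a header comment on the function. The two separate NULL tests could also use the combined `ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT` form that the new iov wrappers in this file use.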
diff --git a/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c b/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c
index 2362e99..353c312 100644
--- a/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c
+++ b/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c
@@ -30,63 +30,31 @@
* SUCH DAMAGE.
*/
-#include "spnego/spnego_locl.h"
+#include "spnego_locl.h"
-RCSID("$Id: cred_stubs.c 20619 2007-05-08 13:43:45Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
{
- gssspnego_cred cred;
OM_uint32 ret;
-
+
*minor_status = 0;
- if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL)
return GSS_S_COMPLETE;
- }
- cred = (gssspnego_cred)*cred_handle;
- ret = gss_release_cred(minor_status, &cred->negotiated_cred_id);
+ ret = gss_release_cred(minor_status, cred_handle);
- free(cred);
*cred_handle = GSS_C_NO_CREDENTIAL;
return ret;
}
-OM_uint32
-_gss_spnego_alloc_cred(OM_uint32 *minor_status,
- gss_cred_id_t mech_cred_handle,
- gss_cred_id_t *cred_handle)
-{
- gssspnego_cred cred;
-
- if (*cred_handle != GSS_C_NO_CREDENTIAL) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- cred = calloc(1, sizeof(*cred));
- if (cred == NULL) {
- *cred_handle = GSS_C_NO_CREDENTIAL;
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- cred->negotiated_cred_id = mech_cred_handle;
-
- *cred_handle = (gss_cred_id_t)cred;
-
- return GSS_S_COMPLETE;
-}
-
/*
* For now, just a simple wrapper that avoids recursion. When
* we support gss_{get,set}_neg_mechs() we will need to expose
* more functionality.
*/
-OM_uint32 _gss_spnego_acquire_cred
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
(OM_uint32 *minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
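Review bot: `_gss_spnego_release_cred` has no comment recording the new ownership contract: the handle is passed to `gss_release_cred` unchanged, where the removed lines cast it to a `gssspnego_cred` wrapper and freed that wrapper. A line above the function such as `/* cred_handle is forwarded to gss_release_cred as-is; SPNEGO keeps no credential wrapper of its own */` would stop a later change from reintroducing the cast on a handle of the other type. The kept `*cred_handle = GSS_C_NO_CREDENTIAL;` also runs when `gss_release_cred` returns an error, which is worth saying in the same comment. The `_gss_spnego_acquire_cred` definition at the end of the hunk continues outside it.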
@@ -102,9 +70,7 @@ OM_uint32 _gss_spnego_acquire_cred
OM_uint32 ret, tmp;
gss_OID_set_desc actual_desired_mechs;
gss_OID_set mechs;
- int i, j;
- gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
- gssspnego_cred cred;
+ size_t i, j;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
@@ -114,7 +80,7 @@ OM_uint32 _gss_spnego_acquire_cred
return ret;
}
}
-
+
ret = gss_indicate_mechs(minor_status, &mechs);
if (ret != GSS_S_COMPLETE) {
gss_release_name(minor_status, &name);
@@ -140,22 +106,14 @@ OM_uint32 _gss_spnego_acquire_cred
}
actual_desired_mechs.count = j;
- ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
- &cred_handle);
- if (ret != GSS_S_COMPLETE)
- goto out;
-
- cred = (gssspnego_cred)cred_handle;
ret = gss_acquire_cred(minor_status, name,
time_req, &actual_desired_mechs,
cred_usage,
- &cred->negotiated_cred_id,
+ output_cred_handle,
actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE)
goto out;
- *output_cred_handle = cred_handle;
-
out:
gss_release_name(minor_status, &name);
gss_release_oid_set(&tmp, &mechs);
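Review bot: The `if (ret != GSS_S_COMPLETE) goto out;` kept after the `gss_acquire_cred` call now jumps to the label on the very next line, because the `*output_cred_handle = cred_handle;` assignment it used to skip is removed; the two lines can be dropped. With `output_cred_handle` handed straight to `gss_acquire_cred`, the failure cleanup in the next hunk (`_gss_spnego_release_cred(&tmp, output_cred_handle)`) depends on the callee leaving `*output_cred_handle` either valid or `GSS_C_NO_CREDENTIAL` when it fails. That assumption is not visible here and deserves a comment at the call, for example `/* on error *output_cred_handle is released at out: */`. The function body starts and ends outside this hunk.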
@@ -163,13 +121,13 @@ out:
free(actual_desired_mechs.elements);
}
if (ret != GSS_S_COMPLETE) {
- _gss_spnego_release_cred(&tmp, &cred_handle);
+ _gss_spnego_release_cred(&tmp, output_cred_handle);
}
return ret;
}
-OM_uint32 _gss_spnego_inquire_cred
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
gss_name_t * name,
@@ -178,7 +136,6 @@ OM_uint32 _gss_spnego_inquire_cred
gss_OID_set * mechanisms
)
{
- gssspnego_cred cred;
spnego_name sname = NULL;
OM_uint32 ret;
@@ -195,10 +152,8 @@ OM_uint32 _gss_spnego_inquire_cred
}
}
- cred = (gssspnego_cred)cred_handle;
-
ret = gss_inquire_cred(minor_status,
- cred->negotiated_cred_id,
+ cred_handle,
sname ? &sname->mech : NULL,
lifetime,
cred_usage,
@@ -214,56 +169,7 @@ OM_uint32 _gss_spnego_inquire_cred
return ret;
}
-OM_uint32 _gss_spnego_add_cred (
- OM_uint32 * minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
- const gss_OID desired_mech,
- gss_cred_usage_t cred_usage,
- OM_uint32 initiator_time_req,
- OM_uint32 acceptor_time_req,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * initiator_time_rec,
- OM_uint32 * acceptor_time_rec
- )
-{
- gss_cred_id_t spnego_output_cred_handle = GSS_C_NO_CREDENTIAL;
- OM_uint32 ret, tmp;
- gssspnego_cred input_cred, output_cred;
-
- *output_cred_handle = GSS_C_NO_CREDENTIAL;
-
- ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
- &spnego_output_cred_handle);
- if (ret)
- return ret;
-
- input_cred = (gssspnego_cred)input_cred_handle;
- output_cred = (gssspnego_cred)spnego_output_cred_handle;
-
- ret = gss_add_cred(minor_status,
- input_cred->negotiated_cred_id,
- desired_name,
- desired_mech,
- cred_usage,
- initiator_time_req,
- acceptor_time_req,
- &output_cred->negotiated_cred_id,
- actual_mechs,
- initiator_time_rec,
- acceptor_time_rec);
- if (ret) {
- _gss_spnego_release_cred(&tmp, &spnego_output_cred_handle);
- return ret;
- }
-
- *output_cred_handle = spnego_output_cred_handle;
-
- return GSS_S_COMPLETE;
-}
-
-OM_uint32 _gss_spnego_inquire_cred_by_mech (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred_by_mech (
OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID mech_type,
@@ -273,7 +179,6 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech (
gss_cred_usage_t * cred_usage
)
{
- gssspnego_cred cred;
spnego_name sname = NULL;
OM_uint32 ret;
@@ -290,10 +195,8 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech (
}
}
- cred = (gssspnego_cred)cred_handle;
-
ret = gss_inquire_cred_by_mech(minor_status,
- cred->negotiated_cred_id,
+ cred_handle,
mech_type,
sname ? &sname->mech : NULL,
initiator_lifetime,
@@ -311,26 +214,60 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech (
return GSS_S_COMPLETE;
}
-OM_uint32 _gss_spnego_inquire_cred_by_oid
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred_by_oid
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
- gssspnego_cred cred;
OM_uint32 ret;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
- cred = (gssspnego_cred)cred_handle;
ret = gss_inquire_cred_by_oid(minor_status,
- cred->negotiated_cred_id,
+ cred_handle,
desired_object,
data_set);
return ret;
}
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_set_cred_option (OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_OID object,
+ const gss_buffer_t value)
+{
+ if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = 0;
+ return GSS_S_NO_CRED;
+ }
+
+ return gss_set_cred_option(minor_status,
+ cred_handle,
+ object,
+ value);
+}
+
+#if 0
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_export_cred (OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ gss_buffer_t value)
+{
+ return gss_export_cred(minor_status, cred_handle, value);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_import_cred (OM_uint32 *minor_status,
+ gss_buffer_t value,
+ gss_cred_id_t *cred_handle)
+{
+ return gss_import_cred(minor_status, value, cred_handle);
+}
+
+#endif
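Review bot: The `#if 0` block around `_gss_spnego_export_cred` and `_gss_spnego_import_cred` carries no comment saying why the two functions are compiled out, while their prototypes are still declared in spnego-private.h and the matching table entries in external.c are disabled the same way. A reader cannot tell whether enabling them is safe; `_gss_spnego_import_cred` in particular forwards a caller-supplied buffer to `gss_import_cred` with no check of its own. I would add `/* Disabled together with the export/import entries of spnego_mech in external.c */` above the `#if 0`. `_gss_spnego_set_cred_option` also lacks a header comment, which should say that it returns `GSS_S_NO_CRED` for an empty handle and otherwise forwards to `gss_set_cred_option` unchanged.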
diff --git a/crypto/heimdal/lib/gssapi/spnego/external.c b/crypto/heimdal/lib/gssapi/spnego/external.c
index fbc231f..e1d74e5 100644
--- a/crypto/heimdal/lib/gssapi/spnego/external.c
+++ b/crypto/heimdal/lib/gssapi/spnego/external.c
@@ -30,22 +30,57 @@
* SUCH DAMAGE.
*/
-#include "spnego/spnego_locl.h"
+#include "spnego_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c 18336 2006-10-07 22:27:13Z lha $");
-
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
+#if 0
+static gss_mo_desc spnego_mo[] = {
+ {
+ GSS_C_MA_SASL_MECH_NAME,
+ GSS_MO_MA,
+ "SASL mech name",
+ rk_UNCONST("SPNEGO"),
+ _gss_mo_get_ctx_as_string,
+ NULL
+ },
+ {
+ GSS_C_MA_MECH_NAME,
+ GSS_MO_MA,
+ "Mechanism name",
+ rk_UNCONST("SPNEGO"),
+ _gss_mo_get_ctx_as_string,
+ NULL
+ },
+ {
+ GSS_C_MA_MECH_DESCRIPTION,
+ GSS_MO_MA,
+ "Mechanism description",
+ rk_UNCONST("Heimdal SPNEGO Mechanism"),
+ _gss_mo_get_ctx_as_string,
+ NULL
+ },
+ {
+ GSS_C_MA_MECH_NEGO,
+ GSS_MO_MA
+ },
+ {
+ GSS_C_MA_MECH_PSEUDO,
+ GSS_MO_MA
+ }
+};
+#endif
static gssapi_mech_interface_desc spnego_mech = {
GMI_VERSION,
"spnego",
- {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+ {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
+ 0,
_gss_spnego_acquire_cred,
_gss_spnego_release_cred,
_gss_spnego_init_sec_context,
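Review bot: The added `0,` after the mechanism OID is an unlabelled positional entry in `spnego_mech`, and the last hunk of this file appends more than twenty bare `NULL,` entries in the same way. In a positional initializer of function pointers one missing or extra entry shifts every later slot, and a `NULL` gives the compiler nothing to type-check, so a mistake would only show up as a call through the wrong slot at run time. Each entry should carry its field name as the commit already does for `NULL, /* gm_display_status */`, e.g. `0, /* <field name from gssapi_mech.h> */`. The `#if 0` around `spnego_mo` likewise needs a one-line comment saying why the table is compiled out.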
@@ -57,8 +92,8 @@ static gssapi_mech_interface_desc spnego_mech = {
_gss_spnego_verify_mic,
_gss_spnego_wrap,
_gss_spnego_unwrap,
- _gss_spnego_display_status,
- NULL,
+ NULL, /* gm_display_status */
+ NULL, /* gm_indicate_mechs */
_gss_spnego_compare_name,
_gss_spnego_display_name,
_gss_spnego_import_name,
@@ -67,14 +102,56 @@ static gssapi_mech_interface_desc spnego_mech = {
_gss_spnego_inquire_cred,
_gss_spnego_inquire_context,
_gss_spnego_wrap_size_limit,
- _gss_spnego_add_cred,
+ gss_add_cred,
_gss_spnego_inquire_cred_by_mech,
_gss_spnego_export_sec_context,
_gss_spnego_import_sec_context,
- _gss_spnego_inquire_names_for_mech,
+ NULL /* _gss_spnego_inquire_names_for_mech */,
_gss_spnego_inquire_mechs_for_name,
_gss_spnego_canonicalize_name,
- _gss_spnego_duplicate_name
+ _gss_spnego_duplicate_name,
+ _gss_spnego_inquire_sec_context_by_oid,
+ _gss_spnego_inquire_cred_by_oid,
+ _gss_spnego_set_sec_context_option,
+ _gss_spnego_set_cred_option,
+ _gss_spnego_pseudo_random,
+#if 0
+ _gss_spnego_wrap_iov,
+ _gss_spnego_unwrap_iov,
+ _gss_spnego_wrap_iov_length,
+#else
+ NULL,
+ NULL,
+ NULL,
+#endif
+ NULL,
+#if 0
+ _gss_spnego_export_cred,
+ _gss_spnego_import_cred,
+#else
+ NULL,
+ NULL,
+#endif
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+#if 0
+ spnego_mo,
+ sizeof(spnego_mo) / sizeof(spnego_mo[0]),
+#else
+ NULL,
+ 0,
+#endif
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
};
gssapi_mech_interface
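Review bot: The slot that held `_gss_spnego_add_cred` now holds the mechglue entry point `gss_add_cred` itself. If the mechglue ever dispatches through this slot for a request naming the SPNEGO mechanism, the call would re-enter `gss_add_cred` with the same arguments; whether that can happen depends on mechglue code not shown on this page and should be checked before merging. cred_stubs.c keeps a comment about a wrapper "that avoids recursion" for the acquire path, which suggests the concern is known. If re-entry cannot be ruled out, a small stub that refuses the SPNEGO OID before forwarding is the safer entry. Otherwise, comment the entry: `gss_add_cred, /* mechglue entry point used directly */`.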
@@ -82,8 +159,3 @@ __gss_spnego_initialize(void)
{
return &spnego_mech;
}
-
-static gss_OID_desc _gss_spnego_mechanism_desc =
- {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
-
-gss_OID GSS_SPNEGO_MECHANISM = &_gss_spnego_mechanism_desc;
diff --git a/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c
index 7c74981..b4b1bce 100644
--- a/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c
@@ -1,42 +1,40 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
* Portions Copyright (c) 2004 PADL Software Pty Ltd.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: init_sec_context.c 19411 2006-12-18 15:42:03Z lha $");
+#include "spnego_locl.h"
/*
- * Is target_name an sane target for `mech´.
+ * Is target_name an sane target for `mech´.
*/
static OM_uint32
@@ -45,7 +43,7 @@ initiator_approved(gss_name_t target_name, gss_OID mech)
OM_uint32 min_stat, maj_stat;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc out;
-
+
maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&ctx,
@@ -59,8 +57,10 @@ initiator_approved(gss_name_t target_name, gss_OID mech)
&out,
NULL,
NULL);
- if (GSS_ERROR(maj_stat))
+ if (GSS_ERROR(maj_stat)) {
+ gss_mg_collect_error(mech, maj_stat, min_stat);
return GSS_S_BAD_MECH;
+ }
gss_release_buffer(&min_stat, &out);
gss_delete_sec_context(&min_stat, &ctx, NULL);
@@ -177,7 +177,7 @@ spnego_reply_internal(OM_uint32 *minor_status,
static OM_uint32
spnego_initial
(OM_uint32 * minor_status,
- gssspnego_cred cred,
+ gss_cred_id_t cred,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
@@ -230,7 +230,7 @@ spnego_initial
return sub;
}
- sub = _gss_spnego_indicate_mechtypelist(&minor,
+ sub = _gss_spnego_indicate_mechtypelist(&minor,
ctx->target_name,
initiator_approved,
0,
@@ -252,8 +252,7 @@ spnego_initial
/* generate optimistic token */
sub = gss_init_sec_context(&minor,
- (cred != NULL) ? cred->negotiated_cred_id :
- GSS_C_NO_CREDENTIAL,
+ cred,
&ctx->negotiated_ctx_id,
ctx->target_name,
ctx->preferred_mech_type,
@@ -268,6 +267,7 @@ spnego_initial
if (GSS_ERROR(sub)) {
free_NegTokenInit(&ni);
*minor_status = minor;
+ gss_mg_collect_error(ctx->preferred_mech_type, sub, minor);
_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
return sub;
}
@@ -344,7 +344,7 @@ spnego_initial
ctx->initiator_mech_types.val = ni.mechTypes.val;
ni.mechTypes.len = 0;
ni.mechTypes.val = NULL;
-
+
free_NegTokenInit(&ni);
sub = gss_encapsulate_token(&data,
@@ -374,7 +374,7 @@ spnego_initial
static OM_uint32
spnego_reply
(OM_uint32 * minor_status,
- const gssspnego_cred cred,
+ const gss_cred_id_t cred,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
@@ -389,11 +389,10 @@ spnego_reply
)
{
OM_uint32 ret, minor;
- NegTokenResp resp;
- size_t len, taglen;
+ NegotiationToken resp;
gss_OID_desc mech;
int require_mic;
- size_t buf_len;
+ size_t buf_len = 0;
gss_buffer_desc mic_buf, mech_buf;
gss_buffer_desc mech_output_token;
gssspnego_ctx ctx;
@@ -411,27 +410,23 @@ spnego_reply
mech_buf.value = NULL;
mech_buf.length = 0;
- ret = der_match_tag_and_length(input_token->value, input_token->length,
- ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
+ ret = decode_NegotiationToken(input_token->value, input_token->length,
+ &resp, NULL);
if (ret)
- return ret;
-
- if (len > input_token->length - taglen)
- return ASN1_OVERRUN;
+ return ret;
- ret = decode_NegTokenResp((const unsigned char *)input_token->value+taglen,
- len, &resp, NULL);
- if (ret) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
+ if (resp.element != choice_NegotiationToken_negTokenResp) {
+ free_NegotiationToken(&resp);
+ *minor_status = 0;
+ return GSS_S_BAD_MECH;
}
- if (resp.negResult == NULL
- || *(resp.negResult) == reject
- /* || resp.supportedMech == NULL */
+ if (resp.u.negTokenResp.negResult == NULL
+ || *(resp.u.negTokenResp.negResult) == reject
+ /* || resp.u.negTokenResp.supportedMech == NULL */
)
{
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
return GSS_S_BAD_MECH;
}
@@ -442,16 +437,16 @@ spnego_reply
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- if (resp.supportedMech) {
+ if (resp.u.negTokenResp.supportedMech) {
if (ctx->oidlen) {
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_BAD_MECH;
}
ret = der_put_oid(ctx->oidbuf + sizeof(ctx->oidbuf) - 1,
sizeof(ctx->oidbuf),
- resp.supportedMech,
+ resp.u.negTokenResp.supportedMech,
&ctx->oidlen);
/* Avoid recursively embedded SPNEGO */
if (ret || (ctx->oidlen == GSS_SPNEGO_MECHANISM->length &&
@@ -459,7 +454,7 @@ spnego_reply
GSS_SPNEGO_MECHANISM->elements,
ctx->oidlen) == 0))
{
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_BAD_MECH;
}
@@ -470,23 +465,24 @@ spnego_reply
ctx->preferred_mech_type->elements,
ctx->oidlen) != 0)
{
- gss_delete_sec_context(&minor, &ctx->negotiated_ctx_id,
+ gss_delete_sec_context(&minor, &ctx->negotiated_ctx_id,
GSS_C_NO_BUFFER);
ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
}
} else if (ctx->oidlen == 0) {
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_BAD_MECH;
}
- if (resp.responseToken != NULL ||
+ /* if a token (of non zero length), or no context, pass to underlaying mech */
+ if ((resp.u.negTokenResp.responseToken != NULL && resp.u.negTokenResp.responseToken->length) ||
ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
gss_buffer_desc mech_input_token;
- if (resp.responseToken) {
- mech_input_token.length = resp.responseToken->length;
- mech_input_token.value = resp.responseToken->data;
+ if (resp.u.negTokenResp.responseToken) {
+ mech_input_token.length = resp.u.negTokenResp.responseToken->length;
+ mech_input_token.value = resp.u.negTokenResp.responseToken->data;
} else {
mech_input_token.length = 0;
mech_input_token.value = NULL;
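Review bot: The added comment misspells "underlying" and does not say why an empty `responseToken` is now treated like an absent one, which is the behavioural change in this condition. Suggested wording: `/* pass to the underlying mech only if the token is non-empty or no context exists yet */`. The condition line is also far wider than the rest of the file and is easier to audit when split after `!= NULL &&`. Note that the inner `if (resp.u.negTokenResp.responseToken)` still copies a zero-length token's `data` pointer into `mech_input_token` when the branch is entered because the context is missing. The enclosing function continues outside the hunk.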
@@ -499,8 +495,7 @@ spnego_reply
/* Fall through as if the negotiated mechanism
was requested explicitly */
ret = gss_init_sec_context(&minor,
- (cred != NULL) ? cred->negotiated_cred_id :
- GSS_C_NO_CREDENTIAL,
+ cred,
&ctx->negotiated_ctx_id,
ctx->target_name,
&mech,
@@ -514,19 +509,20 @@ spnego_reply
&ctx->mech_time_rec);
if (GSS_ERROR(ret)) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
+ gss_mg_collect_error(&mech, ret, minor);
*minor_status = minor;
return ret;
}
if (ret == GSS_S_COMPLETE) {
ctx->open = 1;
}
- } else if (*(resp.negResult) == accept_completed) {
+ } else if (*(resp.u.negTokenResp.negResult) == accept_completed) {
if (ctx->maybe_open)
ctx->open = 1;
}
- if (*(resp.negResult) == request_mic) {
+ if (*(resp.u.negTokenResp.negResult) == request_mic) {
ctx->require_mic = 1;
}
@@ -535,14 +531,14 @@ spnego_reply
* Verify the mechListMIC if one was provided or CFX was
* used and a non-preferred mechanism was selected
*/
- if (resp.mechListMIC != NULL) {
+ if (resp.u.negTokenResp.mechListMIC != NULL) {
require_mic = 1;
} else {
ret = _gss_spnego_require_mechlist_mic(minor_status, ctx,
&require_mic);
if (ret) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
gss_release_buffer(&minor, &mech_output_token);
return ret;
}
@@ -556,23 +552,25 @@ spnego_reply
&ctx->initiator_mech_types, &buf_len, ret);
if (ret) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
gss_release_buffer(&minor, &mech_output_token);
*minor_status = ret;
return GSS_S_FAILURE;
}
- if (mech_buf.length != buf_len)
+ if (mech_buf.length != buf_len) {
abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
- if (resp.mechListMIC == NULL) {
+ if (resp.u.negTokenResp.mechListMIC == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free(mech_buf.value);
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
- mic_buf.length = resp.mechListMIC->length;
- mic_buf.value = resp.mechListMIC->data;
+ mic_buf.length = resp.u.negTokenResp.mechListMIC->length;
+ mic_buf.value = resp.u.negTokenResp.mechListMIC->data;
if (mech_output_token.length == 0) {
ret = gss_verify_mic(minor_status,
@@ -584,7 +582,7 @@ spnego_reply
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free(mech_buf.value);
gss_release_buffer(&minor, &mech_output_token);
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
return GSS_S_DEFECTIVE_TOKEN;
}
ctx->verified_mic = 1;
@@ -599,7 +597,7 @@ spnego_reply
if (mech_buf.value != NULL)
free(mech_buf.value);
- free_NegTokenResp(&resp);
+ free_NegotiationToken(&resp);
gss_release_buffer(&minor, &mech_output_token);
if (actual_mech_type)
@@ -613,7 +611,8 @@ spnego_reply
return ret;
}
-OM_uint32 _gss_spnego_init_sec_context
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_init_sec_context
(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
@@ -629,11 +628,9 @@ OM_uint32 _gss_spnego_init_sec_context
OM_uint32 * time_rec
)
{
- gssspnego_cred cred = (gssspnego_cred)initiator_cred_handle;
-
if (*context_handle == GSS_C_NO_CONTEXT)
return spnego_initial (minor_status,
- cred,
+ initiator_cred_handle,
context_handle,
target_name,
mech_type,
@@ -647,7 +644,7 @@ OM_uint32 _gss_spnego_init_sec_context
time_rec);
else
return spnego_reply (minor_status,
- cred,
+ initiator_cred_handle,
context_handle,
target_name,
mech_type,
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego-private.h b/crypto/heimdal/lib/gssapi/spnego/spnego-private.h
index d80db00..f50574d 100644
--- a/crypto/heimdal/lib/gssapi/spnego/spnego-private.h
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego-private.h
@@ -7,7 +7,7 @@
gssapi_mech_interface
__gss_spnego_initialize (void);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_accept_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
@@ -21,7 +21,7 @@ _gss_spnego_accept_sec_context (
OM_uint32 * /*time_rec*/,
gss_cred_id_t *delegated_cred_handle );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_acquire_cred (
OM_uint32 */*minor_status*/,
const gss_name_t /*desired_name*/,
@@ -32,92 +32,69 @@ _gss_spnego_acquire_cred (
gss_OID_set * /*actual_mechs*/,
OM_uint32 * time_rec );
-OM_uint32
-_gss_spnego_add_cred (
- OM_uint32 * /*minor_status*/,
- const gss_cred_id_t /*input_cred_handle*/,
- const gss_name_t /*desired_name*/,
- const gss_OID /*desired_mech*/,
- gss_cred_usage_t /*cred_usage*/,
- OM_uint32 /*initiator_time_req*/,
- OM_uint32 /*acceptor_time_req*/,
- gss_cred_id_t * /*output_cred_handle*/,
- gss_OID_set * /*actual_mechs*/,
- OM_uint32 * /*initiator_time_rec*/,
- OM_uint32 * acceptor_time_rec );
-
-OM_uint32
-_gss_spnego_alloc_cred (
- OM_uint32 */*minor_status*/,
- gss_cred_id_t /*mech_cred_handle*/,
- gss_cred_id_t */*cred_handle*/);
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_alloc_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t */*context_handle*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_canonicalize_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
const gss_OID /*mech_type*/,
gss_name_t * output_name );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_compare_name (
OM_uint32 */*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * name_equal );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_context_time (
OM_uint32 */*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 *time_rec );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_delete_sec_context (
OM_uint32 */*minor_status*/,
gss_ctx_id_t */*context_handle*/,
gss_buffer_t output_token );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_display_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * output_name_type );
-OM_uint32
-_gss_spnego_display_status (
- OM_uint32 * /*minor_status*/,
- OM_uint32 /*status_value*/,
- int /*status_type*/,
- const gss_OID /*mech_type*/,
- OM_uint32 * /*message_context*/,
- gss_buffer_t status_string );
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * dest_name );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_export_cred (
+ OM_uint32 */*minor_status*/,
+ gss_cred_id_t /*cred_handle*/,
+ gss_buffer_t /*value*/);
+
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_export_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t exported_name );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t interprocess_token );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_get_mic (
OM_uint32 */*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
@@ -125,30 +102,36 @@ _gss_spnego_get_mic (
const gss_buffer_t /*message_buffer*/,
gss_buffer_t message_token );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_import_cred (
+ OM_uint32 */*minor_status*/,
+ gss_buffer_t /*value*/,
+ gss_cred_id_t */*cred_handle*/);
+
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_import_name (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*name_buffer*/,
const gss_OID /*name_type*/,
gss_name_t * output_name );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t *context_handle );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_indicate_mechtypelist (
OM_uint32 */*minor_status*/,
gss_name_t /*target_name*/,
OM_uint32 (*/*func*/)(gss_name_t, gss_OID),
int /*includeMSCompatOID*/,
- const gssspnego_cred /*cred_handle*/,
+ const gss_cred_id_t /*cred_handle*/,
MechTypeList */*mechtypelist*/,
gss_OID */*preferred_mech*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_init_sec_context (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
@@ -164,7 +147,7 @@ _gss_spnego_init_sec_context (
OM_uint32 * /*ret_flags*/,
OM_uint32 * time_rec );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
@@ -176,7 +159,7 @@ _gss_spnego_inquire_context (
int * /*locally_initiated*/,
int * open_context );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
@@ -185,7 +168,7 @@ _gss_spnego_inquire_cred (
gss_cred_usage_t * /*cred_usage*/,
gss_OID_set * mechanisms );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
@@ -195,95 +178,84 @@ _gss_spnego_inquire_cred_by_mech (
OM_uint32 * /*acceptor_lifetime*/,
gss_cred_usage_t * cred_usage );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_cred_by_oid (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*desired_object*/,
gss_buffer_set_t */*data_set*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * mech_types );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * name_types );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_inquire_sec_context_by_oid (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_OID /*desired_object*/,
gss_buffer_set_t */*data_set*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_internal_delete_sec_context (
OM_uint32 */*minor_status*/,
gss_ctx_id_t */*context_handle*/,
gss_buffer_t output_token );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_process_context_token (
OM_uint32 */*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t token_buffer );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_pseudo_random (
+ OM_uint32 */*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ int /*prf_key*/,
+ const gss_buffer_t /*prf_in*/,
+ ssize_t /*desired_output_len*/,
+ gss_buffer_t /*prf_out*/);
+
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_release_cred (
OM_uint32 */*minor_status*/,
gss_cred_id_t */*cred_handle*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_release_name (
OM_uint32 * /*minor_status*/,
gss_name_t * input_name );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_require_mechlist_mic (
OM_uint32 */*minor_status*/,
gssspnego_ctx /*ctx*/,
int */*require_mic*/);
-OM_uint32
-_gss_spnego_seal (
- OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- int /*conf_req_flag*/,
- int /*qop_req*/,
- gss_buffer_t /*input_message_buffer*/,
- int * /*conf_state*/,
- gss_buffer_t output_message_buffer );
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_set_cred_option (
+ OM_uint32 */*minor_status*/,
+ gss_cred_id_t */*cred_handle*/,
+ const gss_OID /*object*/,
+ const gss_buffer_t /*value*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_set_sec_context_option (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
-OM_uint32
-_gss_spnego_sign (
- OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- int /*qop_req*/,
- gss_buffer_t /*message_buffer*/,
- gss_buffer_t message_token );
-
-OM_uint32
-_gss_spnego_unseal (
- OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- gss_buffer_t /*input_message_buffer*/,
- gss_buffer_t /*output_message_buffer*/,
- int * /*conf_state*/,
- int * qop_state );
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_unwrap (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
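Review bot: `_gss_spnego_pseudo_random` is declared here with a signed `ssize_t desired_output_len`, so a negative length is representable at this entry point and the prototype states no lower bound. The definition is outside this hunk; it should reject a negative value before the length reaches any size computation or allocation for `prf_out`, or document that the negotiated mechanism is relied on for that check. The same applies to the signed `int iov_count` on `_gss_spnego_unwrap_iov` (hunk `-292,15`) and on `_gss_spnego_wrap_iov` and `_gss_spnego_wrap_iov_length` (hunk `-318,7`). A comment next to each definition, such as `/* desired_output_len must be >= 0; checked before use */` and `/* iov_count must be >= 0 */`, would make the contract explicit for callers.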
@@ -292,15 +264,16 @@ _gss_spnego_unwrap (
int * /*conf_state*/,
gss_qop_t * qop_state );
-OM_uint32
-_gss_spnego_verify (
- OM_uint32 * /*minor_status*/,
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_unwrap_iov (
+ OM_uint32 */*minor_status*/,
gss_ctx_id_t /*context_handle*/,
- gss_buffer_t /*message_buffer*/,
- gss_buffer_t /*token_buffer*/,
- int * qop_state );
+ int */*conf_state*/,
+ gss_qop_t */*qop_state*/,
+ gss_iov_buffer_desc */*iov*/,
+ int /*iov_count*/);
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_verify_mic (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
@@ -308,7 +281,7 @@ _gss_spnego_verify_mic (
const gss_buffer_t /*token_buffer*/,
gss_qop_t * qop_state );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_wrap (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
@@ -318,7 +291,27 @@ _gss_spnego_wrap (
int * /*conf_state*/,
gss_buffer_t output_message_buffer );
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov (
+ OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ int /*conf_req_flag*/,
+ gss_qop_t /*qop_req*/,
+ int * /*conf_state*/,
+ gss_iov_buffer_desc */*iov*/,
+ int /*iov_count*/);
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov_length (
+ OM_uint32 * /*minor_status*/,
+ gss_ctx_id_t /*context_handle*/,
+ int /*conf_req_flag*/,
+ gss_qop_t /*qop_req*/,
+ int */*conf_state*/,
+ gss_iov_buffer_desc */*iov*/,
+ int /*iov_count*/);
+
+OM_uint32 GSSAPI_CALLCONV
_gss_spnego_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego.asn1 b/crypto/heimdal/lib/gssapi/spnego/spnego.asn1
index 058f10b..048e86b 100644
--- a/crypto/heimdal/lib/gssapi/spnego/spnego.asn1
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego.asn1
@@ -1,4 +1,4 @@
--- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $
+-- $Id$
SPNEGO DEFINITIONS ::=
BEGIN
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego.opt b/crypto/heimdal/lib/gssapi/spnego/spnego.opt
new file mode 100644
index 0000000..cbf2f23
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego.opt
@@ -0,0 +1 @@
+--sequence=MechTypeList
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h b/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h
index 1ec1704..3e151c7 100644
--- a/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h
@@ -30,15 +30,12 @@
* SUCH DAMAGE.
*/
-/* $Id: spnego_locl.h 19411 2006-12-18 15:42:03Z lha $ */
-/* $FreeBSD$ */
+/* $Id$ */
#ifndef SPNEGO_LOCL_H
#define SPNEGO_LOCL_H
-#ifdef HAVE_CONFIG_H
#include <config.h>
-#endif
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
@@ -47,12 +44,15 @@
#include <sys/param.h>
#endif
+#include <roken.h>
+
#ifdef HAVE_PTHREAD_H
#include <pthread.h>
#endif
-#include <gssapi/gssapi_spnego.h>
#include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
#include <assert.h>
#include <stdlib.h>
#include <string.h>
@@ -68,17 +68,14 @@
#include <gssapi_mech.h>
#include "spnego_asn1.h"
+#include "utils.h"
#include <der.h>
-#include <roken.h>
+#include <heimbase.h>
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
typedef struct {
- gss_cred_id_t negotiated_cred_id;
-} *gssspnego_cred;
-
-typedef struct {
MechTypeList initiator_mech_types;
gss_OID preferred_mech_type;
gss_OID negotiated_mech_type;
@@ -86,7 +83,6 @@ typedef struct {
OM_uint32 mech_flags;
OM_uint32 mech_time_rec;
gss_name_t mech_src_name;
- gss_cred_id_t delegated_cred_id;
unsigned int open : 1;
unsigned int local : 1;
unsigned int require_mic : 1;
@@ -110,6 +106,6 @@ typedef struct {
extern gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc;
extern gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc;
-#include <spnego/spnego-private.h>
+#include <spnego-private.h>
#endif /* SPNEGO_LOCL_H */